HTTP protocol

HTTP protocol

Vieri-2
Hi,

I was wondering if Guacamole could also support the HTTP protocol. The idea is that a user can connect to the Guacamole portal, and from there connect to an internal HTTP server whose communication would be tunneled through Guacamole (HTTPS).

I know this is usually the job of a reverse proxy, but it's not always trivial.
In my case, the "internal HTTP server" sends HTTP redirects to the client (to non-HTTPS URLs), and this breaks the reverse proxy user experience...

I find the Guacamole UI to be simple and easy. I was wondering if it were easy to add support for HTTP.

Thanks,

Vieri

Re: HTTP protocol

vnick
On Mon, Dec 2, 2019 at 9:36 AM Vieri <[hidden email]> wrote:
> Hi,
>
> I was wondering if Guacamole could also support the HTTP protocol. The idea is that a user can connect to the Guacamole portal, and from there connect to an internal HTTP server whose communication would be tunneled through Guacamole (HTTPS).

It possibly *could* be done; however, this has been discussed in the past, and it has been determined that such support is out of scope for this project.  Guacamole is a client-less remote desktop gateway, but is not designed to be a complete VPN/Gateway solution.  See:

 

> I know this is usually the job of a reverse proxy, but it's not always trivial.
> In my case, the "internal HTTP server" sends HTTP redirects to the client (to non-HTTPS URLs), and this breaks the reverse proxy user experience...


Yes, and Guacamole can be used in conjunction with such solutions to create an overall client-less VPN/gateway solution, but itself does not support HTTP(S), nor is it something we are open to putting into the project.
 
> I find the Guacamole UI to be simple and easy. I was wondering if it were easy to add support for HTTP.

We appreciate that :-).  Adding support for HTTP(S) might be doable, however it isn't as straight-forward as it seems.  It would involve considerable work on the guacd side to attempt to render the web pages and then send images of those pages across.  Doing this in a way that gives people the look and feel, and interaction, they expect from a web page would be challenging.  Furthermore, you'd likely run into some issues with differences in rendering as expected based on the difference between guacd attempting to do that with a library vs. the browser on the user screen.  Again, doable - maybe - but not easy, and, out of scope.

The alternative to doing that rendering in guacd is just to have the Guacamole system tunnel the HTTP(S) connection over the HTTP(S) connection used for the other Guacamole traffic.  However, if you're going to do this, why not just use one of the existing reverse proxy configurations out there?  Guacamole can certainly be part of such a solution to handle the remote desktop protocols, but you'll need to find something else to do the HTTP(S) tunneling.

-Nick
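
The redirect problem raised in this thread (a backend answering with `Location:` values that point at its own plain-HTTP address) is normally handled in the reverse proxy by rewriting that header before it reaches the client. The sketch below is an added example, not part of the thread and not Guacamole or Squid code; the host names `portal.example.com` and `intranet.internal` are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed values for illustration: the HTTPS origin users actually reach,
# and the backend addresses the proxy forwards to.
PUBLIC_SCHEME, PUBLIC_HOST = "https", "portal.example.com"
INTERNAL_HOSTS = {"intranet.internal", "intranet.internal:8080"}


def rewrite_location(value):
    """Map a backend redirect target onto the public HTTPS origin."""
    parts = urlsplit(value.strip())
    host = parts.netloc.lower()
    if not host:
        # Relative redirect: the browser resolves it against the public
        # origin it is already talking to, so nothing to change.
        return value
    if parts.scheme.lower() not in ("", "http", "https"):
        return value
    # Rewrite redirects that name the backend itself, and upgrade
    # http:// redirects that already name the public host.
    if host in INTERNAL_HOSTS or host == PUBLIC_HOST:
        return urlunsplit((PUBLIC_SCHEME, PUBLIC_HOST,
                           parts.path or "/", parts.query, parts.fragment))
    # Any other host is a genuine off-site redirect; the proxy does not
    # claim it as its own.
    return value


def rewrite_response_headers(headers):
    """Apply the rewrite to a list of (name, value) backend headers."""
    out = []
    for name, value in headers:
        if name.lower() in ("location", "content-location"):
            value = rewrite_location(value)
        out.append((name, value))
    return out


if __name__ == "__main__":
    # Constructed sample backend response headers.
    sample = [("Content-Type", "text/html"),
              ("Location", "http://intranet.internal:8080/login?next=/a")]
    print(rewrite_response_headers(sample))
```

Redirect targets on hosts the proxy does not front are passed through unchanged, so the rewrite never turns an off-site redirect into one that appears to belong to the portal.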
Re: HTTP protocol

Vieri-2

On Tuesday, December 3, 2019, 1:19:48 AM GMT+1, Nick Couchman <[hidden email]> wrote:
>
> Adding support for HTTP(S) might be doable, however it isn't as straight-forward as it seems.  It would involve considerable work on the
> guacd side to attempt to render the web pages and then send images of those pages across.

I understand this must be very complex.

> The alternative to doing that rendering in guacd is just to have the Guacamole system tunnel the HTTP(S) connection over the HTTP(S)
> connection used for the other Guacamole traffic.  However, if you're going to do this, why not just use one of the existing reverse proxy
> configurations out there?  Guacamole can certainly be part of such a solution to handle the remote desktop protocols, but you'll need to
> find something else to do the HTTP(S) tunneling.

Sure, I could use Squid as a reverse proxy. However, it would be "neat" to force users to log into the Guacamole portal so that they can see their usual services as icons (ssh, telnet, vnc, rdp) but also some internal HTTP(S) services. These HTTP(S) services could be full-fledged reverse proxies (eg. Squid) that forward to internal peers. So, not being an expert in HTTP proxying, could Guacamole "simply tunnel" HTTP requests/replies to and from clients and whatever reverse proxies are in the private network? Or would it only allow a redirection (or, simply put, an href link that would require opening firewalled ports or hosts)?

Thanks,

Vieri

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: HTTP protocol

vnick

On Tue, Dec 3, 2019 at 5:27 AM Vieri <[hidden email]> wrote:
> Sure, I could use Squid as a reverse proxy. However, it would be "neat" to force users to log into the Guacamole portal so that they can see their usual services as icons (ssh, telnet, vnc, rdp) but also some internal HTTP(S) services. These HTTP(S) services could be full-fledged reverse proxies (eg. Squid) that forward to internal peers. So, not being an expert in HTTP proxying, could Guacamole "simply tunnel" HTTP requests/replies to and from clients and whatever reverse proxies are in the private network? Or would it only allow a redirection (or, simply put, an href link that would require opening firewalled ports or hosts)?


Yes, I understand what you are trying to do by creating a central location for a sort of VPN or remote access gateway.  Again, while Guacamole can be a part of such a solution, we (the project) have determined that we do not intend to take the Guacamole project in that direction.  You are certainly welcome to take the code yourself and customize it however you like - either modifying the Guacamole Client code to do this, or using the Guacamole Common code to build your own remote gateway platform.

-Nick
Re: HTTP protocol

Vieri-2

On Tuesday, December 3, 2019, 9:45:04 PM GMT+1, Nick Couchman <[hidden email]> wrote:
>
> Yes, I understand what you are trying to do by creating a central location for a sort of VPN or remote access gateway.  Again, while
> Guacamole can be a part of such a solution, we (the project) have determined that we do not intend to take the Guacamole project in that
> direction.  You are certainly welcome to take the code yourself and customize it however you like - either modifying the Guacamole Client
> code to do this, or using the Guacamole Common code to build your own remote gateway platform.

In the simplest of solutions, the Guacamole Client would merely show extra connections as href links. That would only require creating an extra "http object" alongside the already existing VNC, RDP, SSH, TELNET objects. In other words, one would create the http, vnc, rdp, etc., definitions in LDAP, MySQL, plain text file, and once the user logs into Guacamole, he/she would see these connections.
From a firewall/VPN point of view, this solution is awful as it does not tunnel the connection, but on the other hand user experience is improved.
So this first modification isn't really a VPN or remote access gateway... It's just a way of adding more objects/connection types, but without the image rendering.
So it should be a piece of cake... If it's not useful to the rest of the community then I'll try to do as you suggest and customize the Guacamole Client code.

Thanks for the great project!

Vieri

Re: HTTP protocol

vnick
> In the simplest of solutions, the Guacamole Client would merely show extra connections as href links. That would only require creating an extra "http object" alongside the already existing VNC, RDP, SSH, TELNET objects. In other words, one would create the http, vnc, rdp, etc., definitions in LDAP, MySQL, plain text file, and once the user logs into Guacamole, he/she would see these connections.
> From a firewall/VPN point of view, this solution is awful as it does not tunnel the connection, but on the other hand user experience is improved.
> So this first modification isn't really a VPN or remote access gateway... It's just a way of adding more objects/connection types, but without the image rendering.
> So it should be a piece of cake... If it's not useful to the rest of the community then I'll try to do as you suggest and customize the Guacamole Client code.


This is something you could implement within a custom extension using the ability to modify the user interface and decorate database items within the environment.  You can see the following page for more information on extending Guacamole through custom authentication modules.


-Nick