Proper SSL/Encryption Setup Other Than for HTTPS?


Guac 1.2.0
Nginx: 1.18.0
Tomcat: 9.0.37
(CentOS/RHEL 8.x)

I am not talking about HTTPS in relation to accessing the domain/ip via a
browser, this I have set up and working via Nginx.

I am asking about:

1) Encryption between guac client and guac server (guacd) via the guacd-ssl
property in
2) Encryption between Tomcat and Guac, via the server.xml file for tomcat in
a connector tag
3) Encryption for the MariaDB database via the mysql-ssl-* properties in (using MariaDB and MariaDB Connector J)

So the gist for above is basically what's the proper approach to each?

In more detail...

For #1: says:

"guacd-ssl...Note that if you enable this option, you must also configure
guacd to use SSL via command line options. These options are documented in
the manpage of guacd. You will need an SSL certificate and private key."

Would this mean it's necessary to modify the guacd service (when set to
enabled/auto start) to use certain switches in the commands used to launch

What's the proper place to put the keys (import to JKS or place in dir, etc)?

Most importantly, how do you confirm this is working once configured?

For #2:
I know in server.xml I can have a connector set to use TLS/https, etc. Would
I do this on the connector entry for port 8080 (not encrypted by default) or
would I do this as another connector block using another port (like 8443)
and then modify my Nginx config proxy_pass parameters to use 8443 (Ex:
proxy_pass http://${GUAC_LAN_IP}:8443/guacamole/;)?

Again, how would I confirm communication was being encrypted properly after
setting this up?

For #3: says:

"mysql-ssl-mode...This property sets the SSL mode that the JDBC driver will
attempt to use when communicating with the remote MySQL server..."

My concern here is it states "remote" server. My MariaDB database for
guacamole is on the guacamole server, do these settings still apply then?

As with before, how can it be confirmed that encryption is working here?


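On the repeated "how do I confirm this is working" question, one way to check a listener is to attempt a TLS handshake against it and see what it negotiates. This is an added example, not part of the original post or of the Guacamole project; `probe_tls` is a hypothetical helper name, and the ports assume guacd's default 4822 and the 8443 connector from the post.

```python
import socket
import ssl


def probe_tls(host, port, cafile=None, timeout=3.0):
    """Attempt a TLS handshake and report what the listener negotiated.

    Returns {"tls": True/False/None, "detail": str}; None means the port
    could not be reached at all. With cafile=None the certificate is NOT
    verified: the probe only answers "does this socket speak TLS?".
    Pass cafile to also verify the chain and the hostname.
    """
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)
    else:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"tls": None, "detail": f"unreachable: {exc}"}
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _, bits = tls.cipher()
                detail = f"{tls.version()} {name} ({bits} bits)"
                return {"tls": True, "detail": detail}
        except ssl.SSLCertVerificationError as exc:
            # The listener speaks TLS, but its certificate failed validation.
            return {"tls": True,
                    "detail": f"certificate rejected: {exc.verify_message}"}
        except ssl.SSLError as exc:
            # Typical for a plaintext listener answering a ClientHello.
            return {"tls": False,
                    "detail": f"no TLS handshake: {exc.reason or exc}"}
        except (socket.timeout, ConnectionError) as exc:
            return {"tls": False,
                    "detail": f"no answer to ClientHello: {exc!r}"}


if __name__ == "__main__":
    # Assumed targets: guacd default port 4822 and the 8443 connector
    # mentioned in the post; adjust to the actual deployment.
    for port in (4822, 8443):
        print(port, probe_tls("127.0.0.1", port))
```

This probe does not apply to MariaDB on 3306: the MySQL protocol upgrades to TLS after its own plaintext greeting, so a direct handshake fails even when SSL is enabled. There, check `SHOW SESSION STATUS LIKE 'Ssl_cipher'` from a connected session instead.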