Proxy'ing guacamole


mbarber
I have read in the guacamole docs about tomcat not being able to freely
de/elevate its privileges as and when required
with regards to set tcp port and hence the need to consider using a
proxy such as apache or nginx, for me this has
raised a couple of questions, that I can't find or am blind to :)
1. if this is a major issue and tomcat is considered a security risk
because of it, is it maybe justification to consider use of a different
container?
2. If simply not running anything on standard ports and forcing users to
enter the fqdn+port number at say, 5000 is this an issue for guacamole or
has anyone come across any issues with tomcat?

regards
mdb


Re: Proxy'ing guacamole

vnick
On Wed, Jul 4, 2018 at 4:02 AM M D Barber <[hidden email]> wrote:
> I have read in the guacamole docs about tomcat not being able to freely
> de/elevate its privileges as and when required
> with regards to set tcp port and hence the need to consider using a
> proxy such as apache or nginx,

Yes, Tomcat would have to be run as root to run on standard ports (80/443, anything below 1024), which is bad.  So, generally speaking you want to run Tomcat as a non-privileged user and run it on a higher port (8080 is standard, 8443 for Tomcat native SSL/TLS) and then use some other means to redirect connections from the standard ports to Tomcat.  Using a reverse proxy server, like Nginx or httpd, is pretty common practice.

It is worth noting that a recent change in the Linux kernel allows non-privileged users to open lower ports with some sysctl settings, but that's on really recent kernels.
 
> for me this has
> raised a couple of questions, that I can't find or am blind to :)
> 1. if this is a major issue and tomcat is considered a security risk
> because of it, is it maybe justification to consider use of a different
> container?

No, I wouldn't say that Tomcat is a security risk - running Tomcat as root is a security risk, and running unpatched versions of Tomcat or Tomcat with unpatched versions of Java is a security risk, but recent versions of Java with recent versions of Tomcat as a non-privileged user should be fine.  I believe most of the Java application servers (Tomcat, Jetty, JBOSS, etc.) fall under the same restrictions, so simply switching to a different Java application server doesn't necessarily give you any advantage over Tomcat.  Tomcat is very widely-used for Java applications, and running it as an unprivileged user behind a reverse-proxy is an acceptable practice.
 
> 2. If simply not running anything on standard ports and forcing users to
> enter the fqdn+port number at say, 5000 is this an issue for guacamole or
> has anyone come across any issues with tomcat?


This is perfectly acceptable, as well, and should work fine; it just comes with a couple of things to be aware of:
- Tomcat, by default, does not have encryption enabled and listens on unencrypted port 8080.  You can set up the encrypted connector for Tomcat and assign it a port, but it seems like most people just use a reverse proxy, instead.
- One of the reasons to use standard ports is that people don't have to remember the ports.  8080 has become pretty common, but 8443 for encrypted traffic is less common, so it's a little harder for people to remember that they need to do https://server.example.local:8443/guacamole in order to get to the page, rather than just https://server.example.local/guacamole.  If you choose to run it on some other port (5000, for instance), that's even less common and less usual for people, and they're more likely to forget and have to ask you to remind them where they should go.

-Nick
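
Added example, not part of the original thread: an nginx reverse-proxy configuration of the kind the reply above describes, with Tomcat left running as an unprivileged user on port 8080. The server name is the one used in the reply; the certificate paths and the assumption that Tomcat is on the same host are placeholders.

```nginx
# Constructed example: server name taken from the reply; certificate paths
# and the loopback upstream address are placeholders/assumptions.

# Plain HTTP on port 80 only redirects to HTTPS.
server {
    listen 80;
    server_name server.example.local;
    return 301 https://$host$request_uri;
}

# nginx binds 443 and terminates TLS. Its master process starts as root to
# bind the port; the worker processes handling traffic run unprivileged.
server {
    listen 443 ssl;
    server_name server.example.local;

    ssl_certificate     /etc/nginx/tls/server.example.local.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/server.example.local.key;  # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /guacamole/ {
        # Tomcat runs as a non-root user on its default HTTP connector (8080).
        # Assumes Tomcat is on the same host as nginx.
        proxy_pass http://127.0.0.1:8080/guacamole/;

        # Guacamole streams data continuously, so response buffering is off.
        proxy_buffering    off;
        proxy_http_version 1.1;

        # Pass the WebSocket upgrade handshake through to Tomcat.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $http_connection;

        # Preserve the original host, scheme and client address for Tomcat.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With the proxy on the same host, the Tomcat HTTP connector can also be bound to loopback (`address="127.0.0.1"` on the `Connector` in `server.xml`) so that port 8080 is reachable only through nginx.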

Re: Proxy'ing guacamole

mbarber
Cheers Nick, much clearer,
seems the simplest solution for me is the latter as only technical users, I have already sorted the encryption so assigning it a high port to avoid casual scans and accidental connections will be a two minute job.
many thanks..
david

