Static URL for a connection

Yang Yang-2
Hello,

Is it possible to get a static URL for each connection?

With default setting, users can access a connection with https://guacamole_client_addr_and_port/guacamole/#/client/encoded_connection_id. I put the Guacamole client behind a proxy and am using an auth header for authentication. I want to offer some customers access to a few connections directly while not allowing them to access the client portal.

Is there any solution available? Could you tell me what I should do?

Thanks,
Yang

Re: Static URL for a connection

vnick
On Mon, Dec 9, 2019 at 5:22 AM Yang Yang <[hidden email]> wrote:
> Hello,
>
> Is it possible to get a static URL for each connection?
>
> With default setting, users can access a connection with https://guacamole_client_addr_and_port/guacamole/#/client/encoded_connection_id. I put the Guacamole client behind a proxy and am using an auth header for authentication. I want to offer some customers access to a few connections directly while not allowing them to access the client portal.


Maybe you could let us know why it is that you don't want customers to be able to access the "client portal" - by which, I'm assuming you mean, the Guacamole home page?

All of the connection URLs are generated based on the connection data - the "encoded_connection_id" you mention will always be the same for a given connection, so you can provide users those URLs, and it will take them straight to the connection.  However, it will not prevent them from going to the home page.

I would recommend that you use the Header authentication module in combination with the JDBC module and assign permissions such that users are only able to see the connections that they are allowed to access.  Then, even if they can get to the home page, it shouldn't matter, as they'll only be able to see the connections that you want them to see.

-Nick

Re: Static URL for a connection

Yang Yang-2
Hi Nick,

I am working to build a portal for users, with all connections categorized and presented in our own style. Also, as you suggested, I am using the Header authentication module in combination with the JDBC module; however, rather than getting all end users registered to the Guacamole client, I am looking to access Guacamole with a dedicated account for all end users. I have a proxy (nginx) in front of the Guacamole client, and the proxy sets the authentication header for all end users.

Ideally, I am looking to change the anchor for clients (/#/client/<encoded_connection_id>) to a query string (?client=encoded_connection_id), so that I can handle the URL with nginx. Is this possible? If not, can I just remove the home module?

Thanks,
Yang


Re: Static URL for a connection

Mike Jumper-3
On Mon, Dec 9, 2019 at 5:44 PM Yang Yang <[hidden email]> wrote:
> Hi Nick,
>
> I am working to build a portal for users, with all connections categorized and presented in our own style. Also, as you suggested, I am using the Header authentication module in combination with the JDBC module; however, rather than getting all end users registered to the Guacamole client, I am looking to access Guacamole with a dedicated account for all end users. I have a proxy (nginx) in front of the Guacamole client, and the proxy sets the authentication header for all end users.

I wouldn't recommend doing what you have in mind. Users should have access only to the connections they are specifically allowed to access, with that authorization validated by Guacamole. What you describe would bypass that by considering each user to be identical, and users would be able to access the resources of other users. Attempting to hide the home screen while hoping that users will not guess / attempt to guess other connections is not a secure approach.

> Ideally, I am looking to change the anchor for clients (/#/client/<encoded_connection_id>) to a query string (?client=encoded_connection_id), so that I can handle the URL with nginx. Is this possible?

You should let Guacamole handle the authorization that it is designed to handle rather than try to write around it and move things elsewhere. Options would be writing your own extension which dynamically pulls the connections available to each user by querying whatever internal system you already have in place, writing your own application which does only what you need (see below), or using an extension which allows you to push the contents of user sessions. I wrote an example accomplishing the latter some time ago as part of my day job:


> If not, can I just remove the home module?

You can write your own web application powered by the same core APIs:


Again, I strongly caution against what you've described and suggest you rethink your approach. The basis of what you're doing equates to disabling authentication and authorization, which is something you should never do:


- Mike
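
The shared-account proxy setup discussed in this thread next to the per-user setup both replies recommend, as an added nginx example that is not part of the original posts. It assumes the header authentication extension reads its default header, REMOTE_USER, that users authenticate to nginx with basic auth, and that Tomcat listens on 127.0.0.1:8080; the host name, file paths and account name are placeholders.

```nginx
# Constructed example; host name, paths and account name are placeholders.

# --- Weak: the setup described in the thread ------------------------------
# Every visitor reaches Guacamole as the same account, so Guacamole cannot
# tell users apart and each of them can open every connection that account
# is permitted to use, whether or not the home page is hidden.
#
# location /guacamole/ {
#     proxy_pass http://127.0.0.1:8080;
#     proxy_set_header REMOTE_USER "shared-portal-account";
# }

# --- Corrected: per-user identity, authorization left to Guacamole --------
server {
    listen 443 ssl;
    server_name guac.example.test;
    ssl_certificate     /etc/nginx/tls/guac.example.test.crt;
    ssl_certificate_key /etc/nginx/tls/guac.example.test.key;

    location /guacamole/ {
        # The proxy authenticates each person individually (basic auth is
        # an assumption; any method that yields a per-user name works).
        auth_basic           "Guacamole";
        auth_basic_user_file /etc/nginx/guac.htpasswd;

        # Always overwrite the header so a value sent by the browser is
        # never forwarded, and pass the authenticated user's own name.
        proxy_set_header REMOTE_USER $remote_user;

        # Tomcat should listen on loopback only, so the header cannot be
        # supplied by connecting around the proxy.
        proxy_pass http://127.0.0.1:8080;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

With this in place, each forwarded name maps to its own Guacamole user in the JDBC database, and the permissions assigned there decide which connection URLs that user can open.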


Re: Static URL for a connection

Yang Yang-2
Thank you very much for the guidance! It is very helpful, and I will rethink my original approach.

Thanks,
Yang 
