mod_proxy_wstunnel/proxy_tunnel


mod_proxy_wstunnel/proxy_tunnel

paulr4444
Thank you for taking a look.

I can't seem to get wstunnel to work with https. proxy_tunnel is enabled.

/var/log/tomcat8/catalina.out




My setup is apache proxy to guacamole with https.

Apache redirects all port 80 traffic to port 443.

443 is then proxied to tomcat8 8443. Port 8080 on tomcat8 is disabled.

I was following https://guacamole.apache.org/doc/gug/proxying-guacamole.html
and I don't think I missed anything.

Any thoughts?

Apache conf



tomcat8 conf 443 and reverse proxy.



Thanks

Paul





--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: mod_proxy_wstunnel/proxy_tunnel

vnick
On Thu, Dec 5, 2019 at 6:01 PM paulr4444 <[hidden email]> wrote:
Thank you for taking a look.

I can't seem to get wstunnel to work with https. proxy_tunnel is enabled.


Have you confirmed that WS is working correctly if you connect directly to Tomcat, without the proxy layer?
 
/var/log/tomcat8/catalina.out



If you pasted something in here, it didn't come through.  Maybe put the log entries in a pastebin and post that link??
 


My setup is apache proxy to guacamole with https.

Apache redirects all port 80 traffic to port 443.

443 is then proxied to tomcat8 8443. Port 8080 on tomcat8 is disabled.

I was following https://guacamole.apache.org/doc/gug/proxying-guacamole.html
and I don't think I missed anything.

Any thoughts?


If you open the browser developer console and monitor network traffic during the connection, can you see what error comes up when it tries to connect to the WSS tunnel?
 
Apache conf



Images don't tend to come through - you're much better off pasting in text or putting in pastebin.

-Nick

Re: mod_proxy_wstunnel/proxy_tunnel

paulr4444
Odd that my text wasn't there. I used the raw text tags to display it
originally, the text is below.

I found the cause but wanted to update the post to keep it whole. Nothing
worse than finding a thread with the same issue you're having just to see it
end with "It's working now, thanks." and no information about the solution.
:)

After following your suggestion to connect to the site directly without the
proxy, I couldn't connect. Under the connection protocol for port 8443 I had
set the address to 127.0.0.1 to limit 8443 connection to only the local
host. I didn't want anyone to be able to bypass the proxy server and limit
the ports our vulnerability scanner would scan. Basically I forgot I made that
change. I changed the address to the IP of the server and now connections are
being made.

I'd still like to lock it down but if I can't, then I can't. Next on my list
is getting communication to guacd to use SSL.

Thank you for your help.

Paul


Missing text from original post.

/var/log/tomcat8/catalina.out

05:25:41.637 [https-openssl-nio-127.0.0.1-8443-exec-7] INFO
o.a.g.tunnel.TunnelRequestService - User "proy" connected to connection
"30".
05:25:41.638 [https-openssl-nio-127.0.0.1-8443-exec-7] INFO
o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not
WebSocket). Performance may be sub-optimal.
05:26:05.327 [https-openssl-nio-127.0.0.1-8443-exec-1] INFO
o.a.g.tunnel.TunnelRequestService - User "proy" disconnected from connection
"30". Duration: 23689 milliseconds
05:26:05.334 [https-openssl-nio-127.0.0.1-8443-exec-1] ERROR
o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection
to guacd timed out.

My setup is apache proxy to guacamole with https.
apache all port 80 traffic redirects to port 443.

<VirtualHost *:443>
    ServerName mgmt03

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLEngine on
    SSLProxyEngine On

    SSLCertificateFile      /etc/ssl/certs/mgmt03.crt
    SSLCertificateKeyFile /etc/ssl/private/mgmt03.key

    ProxyRequests Off
    ProxyPreserveHost On
#    ProxyPass / https://localhost:8443/
#    ProxyPassReverse / https://localhost:8443/

<Location />
    Order allow,deny
    Allow from all
    ProxyPass https://localhost:8443/guacamole/ flushpackets=on
    ProxyPassReverse https://localhost:8443/guacamole/
    ProxyPassReverseCookiePath /guacamole/ /
</Location>


<Location /websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://localhost:8443/guacamole/websocket-tunnel
    ProxyPassReverse ws://localhost:8443/guacamole/websocket-tunnel
</Location>


<Location /phpmyadmin/>
    ProxyPass !
</Location>

</VirtualHost>

tomcat8 conf 443 and reverse proxy

   <Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
                address="127.0.0.1"
                maxThreads="150" SSLEnabled="true"
                compression="on" scheme="https" secure="true"
                keystoreFile="conf/ssl.guac.keystore"
                keystoreType="JCEKS"
                keystorePass="XXXXXXXXXXXX"
                truststoreFile="conf/ssl.guac.truststore"
                truststorePass="XXXXXXXXXXXX"
                truststoreType="JCEKS"
                SSLVerifyClient= "none" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1"
                URIEncoding="UTF-8"
   />



   <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127.0.0.1"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />



Browser in developer mode tunnel error

Error during WebSocket handshake: Unexpected response code: 400



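The catalina.out excerpt above contains the two facts that decide this case: the tunnel servlet logged "Using HTTP tunnel (not WebSocket)", meaning the WebSocket upgrade never reached Tomcat and the client fell back, and the HTTP tunnel later failed with a guacd timeout. The following is an added example, not code from the thread or from the Guacamole project: it parses those records, undoes the hard wrapping a mail client applies, pairs the connect/disconnect lines per user and connection id, and reports the fallback and the timeout as separate findings. It assumes the default Guacamole log layout shown in the thread (time, [thread], LEVEL, logger, " - ", message) and that the Tomcat thread name carries the Connector's bound address and port (as `https-openssl-nio-127.0.0.1-8443-exec-7` does), which lets a reviewer confirm from the log alone that 8443 is bound to loopback.

```python
"""Added example (not from the thread or the Guacamole project): parse the
tunnel records in catalina.out, re-join mail-wrapped lines, and flag an HTTP
tunnel fall-back (WebSocket never negotiated) and a guacd connection timeout."""
import re

# The four records posted in the thread, hard-wrapped as the mail shows them.
CATALINA_OUT = """\
05:25:41.637 [https-openssl-nio-127.0.0.1-8443-exec-7] INFO
o.a.g.tunnel.TunnelRequestService - User "proy" connected to connection
"30".
05:25:41.638 [https-openssl-nio-127.0.0.1-8443-exec-7] INFO
o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not
WebSocket). Performance may be sub-optimal.
05:26:05.327 [https-openssl-nio-127.0.0.1-8443-exec-1] INFO
o.a.g.tunnel.TunnelRequestService - User "proy" disconnected from connection
"30". Duration: 23689 milliseconds
05:26:05.334 [https-openssl-nio-127.0.0.1-8443-exec-1] ERROR
o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection
to guacd timed out.
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} ")
RECORD_RE = re.compile(r"^(\S+) \[([^\]]+)\] (\w+) (\S+) - (.*)$")
# Assumed Tomcat thread-name convention: <proto>-<type>-<address>-<port>-exec-N
LISTENER_RE = re.compile(r"-(\d{1,3}(?:\.\d{1,3}){3})-(\d+)-exec-\d+$")
CONNECT_RE = re.compile(r'User "([^"]+)" connected to connection "([^"]+)"')
DISCONNECT_RE = re.compile(
    r'User "([^"]+)" disconnected from connection "([^"]+)"\. '
    r"Duration: (\d+) milliseconds")


def unwrap(text):
    """Re-join wrapped lines: a line that does not start with a timestamp
    is the tail of the record before it."""
    lines = []
    for raw in text.splitlines():
        if TS_RE.match(raw):
            lines.append(raw.rstrip())
        elif lines and raw.strip():
            lines[-1] += " " + raw.strip()
    return lines


def parse(text):
    """Return (time, thread, level, logger, message) tuples."""
    records = []
    for line in unwrap(text):
        m = RECORD_RE.match(line)
        if m:
            records.append(m.groups())
    return records


def analyze(text):
    """Summarise sessions and flag tunnel fall-backs and guacd timeouts."""
    result = {"listeners": set(), "sessions": [],
              "http_fallbacks": [], "guacd_timeouts": []}
    open_sessions = {}  # (user, connection id) -> connect time
    for ts, thread, level, _logger, msg in parse(text):
        lm = LISTENER_RE.search(thread)
        if lm:
            result["listeners"].add(f"{lm.group(1)}:{lm.group(2)}")
        cm = CONNECT_RE.search(msg)
        if cm:
            open_sessions[(cm.group(1), cm.group(2))] = ts
            continue
        dm = DISCONNECT_RE.search(msg)
        if dm:
            key = (dm.group(1), dm.group(2))
            result["sessions"].append({
                "user": key[0], "connection": key[1],
                "started": open_sessions.pop(key, None), "ended": ts,
                "duration_ms": int(dm.group(3))})
            continue
        if "Using HTTP tunnel (not WebSocket)" in msg:
            # The browser could not open the WebSocket tunnel and fell back.
            result["http_fallbacks"].append(ts)
        elif level == "ERROR" and "guacd timed out" in msg:
            result["guacd_timeouts"].append(ts)
    return result


if __name__ == "__main__":
    summary = analyze(CATALINA_OUT)
    print("Tomcat listeners seen:", sorted(summary["listeners"]))
    for s in summary["sessions"]:
        print(f'user {s["user"]} connection {s["connection"]}: '
              f'{s["duration_ms"]} ms ({s["started"]} -> {s["ended"]})')
    print("HTTP tunnel fall-backs:", summary["http_fallbacks"])
    print("guacd timeouts:", summary["guacd_timeouts"])
```

A fall-back entry with no preceding WebSocket error in catalina.out points at the layer in front of Tomcat (here the ProxyPass scheme), while a guacd timeout is a separate problem between the web application and guacd; the script keeps them apart so one is not mistaken for the other.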


Re: mod_proxy_wstunnel/proxy_tunnel

vnick
<VirtualHost *:443>
    ServerName mgmt03

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLEngine on
    SSLProxyEngine On

    SSLCertificateFile      /etc/ssl/certs/mgmt03.crt
    SSLCertificateKeyFile /etc/ssl/private/mgmt03.key

    ProxyRequests Off
    ProxyPreserveHost On
#    ProxyPass / https://localhost:8443/
#    ProxyPassReverse / https://localhost:8443/

<Location />
    Order allow,deny
    Allow from all
    ProxyPass https://localhost:8443/guacamole/ flushpackets=on
    ProxyPassReverse https://localhost:8443/guacamole/
    ProxyPassReverseCookiePath /guacamole/ /
</Location>


<Location /websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://localhost:8443/guacamole/websocket-tunnel
    ProxyPassReverse ws://localhost:8443/guacamole/websocket-tunnel
</Location>


I believe your issue is here.  For proxying secure WebSocket traffic, this should be "wss://localhost:8443" (etc.), not "ws://localhost:8443".  You could also just use unencrypted to the regular Tomcat port (8080) since it's all on the localhost there, and, so long as you limit access to your localhost, there's not really any reason to encrypt traffic like that, staying on the same system and that you're proxying through Apache httpd.

-Nick
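The mismatch Nick points out (a `ws://` target on a port whose Tomcat Connector has `SSLEnabled="true"`) is easy to catch mechanically before it reaches a browser. The following is an added example, not code from the thread, from Apache httpd or from the Guacamole project: it extracts every `ProxyPass`/`ProxyPassReverse` target from a vhost snippet, reads the Connector elements from a Tomcat server.xml fragment, and reports plaintext schemes aimed at TLS ports, TLS schemes aimed at plaintext ports, and proxy targets that cannot reach a Connector bound to loopback. The sample configs are constructed to mirror the ones posted above and are not Paul's files; the loopback check follows Nick's advice that the bind should stay local and the proxy should target localhost, rather than widening the bind.

```python
"""Added example (not from the thread, httpd or Guacamole): cross-check Apache
ProxyPass targets against the Tomcat Connectors they point at."""
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the thread's configs (not the poster's files).
APACHE_CONF = """
<Location />
    ProxyPass https://localhost:8443/guacamole/ flushpackets=on
    ProxyPassReverse https://localhost:8443/guacamole/
</Location>
<Location /websocket-tunnel>
    ProxyPass ws://localhost:8443/guacamole/websocket-tunnel
    ProxyPassReverse ws://localhost:8443/guacamole/websocket-tunnel
</Location>
<Location /phpmyadmin/>
    ProxyPass !
</Location>
"""
TOMCAT_SERVER_XML = """
<Server>
  <Service>
    <Connector port="8443" address="127.0.0.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"/>
  </Service>
</Server>
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
DEFAULT_PORT = {"ws": 80, "http": 80, "wss": 443, "https": 443}
SECURE_SCHEME = {"ws": "wss", "http": "https"}
# Matches "ProxyPass [path] scheme://host[:port]..." and ProxyPassReverse;
# commented-out lines and "ProxyPass !" do not match.
TARGET_RE = re.compile(
    r"^\s*ProxyPass(?:Reverse)?[ \t]+(?:/\S*[ \t]+)?(wss?|https?)://([^/:\s]+)(?::(\d+))?",
    re.MULTILINE)


def parse_connectors(server_xml):
    """Map each Connector port to whether it speaks TLS and where it is bound."""
    connectors = {}
    for c in ET.fromstring(server_xml.strip()).iter("Connector"):
        connectors[int(c.get("port"))] = {
            "ssl": c.get("SSLEnabled", "false").lower() == "true",
            "address": c.get("address"),  # None means all interfaces
        }
    return connectors


def parse_targets(apache_conf):
    """Return (scheme, host, port) for every proxied URL in the vhost."""
    return [(m.group(1), m.group(2), int(m.group(3) or DEFAULT_PORT[m.group(1)]))
            for m in TARGET_RE.finditer(apache_conf)]


def check(apache_conf, server_xml):
    """Return a de-duplicated list of proxy/backend mismatches."""
    connectors = parse_connectors(server_xml)
    findings = []
    for scheme, host, port in parse_targets(apache_conf):
        target = f"{scheme}://{host}:{port}"
        conn = connectors.get(port)
        if conn is None:
            findings.append(f"{target}: no Tomcat Connector listens on port {port}")
            continue
        if scheme in SECURE_SCHEME and conn["ssl"]:
            findings.append(f"{target}: plaintext scheme but Connector {port} has "
                            f"SSLEnabled=\"true\"; use {SECURE_SCHEME[scheme]}:// "
                            f"or point at a non-TLS Connector")
        elif scheme not in SECURE_SCHEME and not conn["ssl"]:
            findings.append(f"{target}: TLS scheme but Connector {port} is not SSLEnabled")
        if conn["address"] in LOOPBACK and host not in LOOPBACK:
            findings.append(f"{target}: Connector {port} is bound to {conn['address']} "
                            f"but the proxy targets {host}; keep the loopback bind "
                            f"and proxy to localhost instead")
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for line in check(APACHE_CONF, TOMCAT_SERVER_XML) or ["no mismatches found"]:
        print(line)
```

Run against the sample, the only finding is the `ws://localhost:8443` tunnel target; changing it to `wss://` clears the report, while pointing the tunnel at the server's non-loopback IP (the workaround mentioned earlier in the thread) trades that finding for a bind-address one.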

Re: mod_proxy_wstunnel/proxy_tunnel

paulr4444
I caught this in developer mode yesterday. My settings were pulled from the
chapter 4 documentation which has a typo. Below is under Apache in chapter
4.

Proxying the WebSocket tunnel
Apache will not automatically proxy WebSocket connections, but you can proxy
them separately with Apache 2.4.5 and later using mod_proxy_wstunnel. After
enabling mod_proxy_wstunnel a secondary Location section can be added which
explicitly proxies the Guacamole WebSocket tunnel, located at
/guacamole/websocket-tunnel:

<Location /guacamole/websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://HOSTNAME:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://HOSTNAME:8080/guacamole/websocket-tunnel
</Location>

Next on my list is getting the remote host to log correctly when using the
proxy server. Currently it is logging the IP of the server not the connecting
host when using the proxy. I'll create another post if I can't figure it
out.

Thank you for your help and work on this project.

Paul

Thanks for your help





Re: mod_proxy_wstunnel/proxy_tunnel

vnick
On Tue, Dec 10, 2019 at 11:10 AM paulr4444 <[hidden email]> wrote:
I caught this in developer mode yesterday. My settings were pulled from the
chapter 4 documentation which has a typo. Below is under Apache in chapter
4.


Where's the typo?  It looks fine to me - the example you posted below is using port 8080 (non-encrypted), which should be ws:// (not wss://).  You were using port 8443 (encrypted), which should be wss://.
 
Proxying the WebSocket tunnel
Apache will not automatically proxy WebSocket connections, but you can proxy
them separately with Apache 2.4.5 and later using mod_proxy_wstunnel. After
enabling mod_proxy_wstunnel a secondary Location section can be added which
explicitly proxies the Guacamole WebSocket tunnel, located at
/guacamole/websocket-tunnel:

<Location /guacamole/websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://HOSTNAME:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://HOSTNAME:8080/guacamole/websocket-tunnel
</Location>

Next on my list is getting the remote host to log correctly when using the
proxy server. Currently it is logging the IP of the server not the connecting
host when using the proxy. I'll create another post if I can't figure it
out.


There are instructions for that, here:


-Nick