# KCM Version 2.12.0

## Features & Improvements

**KCM-83**: The `kcm-setup.run` script now allows administrators to directly configure their deployment to use KSM for retrieval of secrets, rather than requiring manual editing of docker-compose.yml after installation. Additional prompts are presented that allow the administrator to provide a KSM one-time token or a base64-encoded KSM configuration during setup.

**KCM-226**: The `keeper/guacamole-ssl-nginx` image can be configured to require SSL/TLS client authentication by specifying the `CLIENT_CERTIFICATE_FILE` environment variable. A user will only be able to connect to NGINX using their browser if their browser has access to a private key that is signed by this certificate.

This variable is similar to the `CERTIFICATE_FILE` environment variable in that it points to a file within the container, but in this case it controls the certificate used to authenticate the client’s private key.

Additional environment variables are also available to tweak SSL/TLS auth behavior further:

| **Variable**              | **Description**                                                                                                                                                              | **Default Value** |
| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
| `ADDITIONAL_PROXY_CONFIG` | Arbitrary, additional NGINX configuration statements that should be included within the `location` block that configures NGINX to proxy Guacamole.                           |                   |
| `SSL_VERIFY_CLIENT`       | Controls how and whether NGINX requires and verifies the certificate presented by the client (browser), as provided by NGINX `ssl_verify_client` directive.                  | on                |
| `SSL_VERIFY_DEPTH`        | Controls how deep NGINX will follow through the client’s certificate chain when attempting to validate their certificate, as provided by NGINX `ssl_verify_depth` directive. | 1                 |

**KCM-227**: Multiple Hostnames/Configurations for SSL Termination

The `keeper/guacamole-ssl-nginx` image is specifically intended to provide SSL termination for the Guacamole image provided by Keeper for KCM. Historically, this image supported only a single hostname and configuration:

```
ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            SELF_SIGNED: "Y"
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            SSL_HOSTNAME: "example.net"
```

As KCM 2.12.0, the `keeper/guacamole-ssl-nginx` image can be used with multiple hostnames and configurations via a special `SERVERS` environment variable that accepts YAML (or JSON).

The `SERVERS` variable must contain a YAML (or JSON) array of objects, where each object contains the name/value pairs of environment variables that should apply to that additional configuration. **Any variable that is not specified is inherited from the top-level environment.** For example:

```
    ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            SELF_SIGNED: "Y"
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            
            SERVERS: |
               - SSL_HOSTNAME: "example.net"
               - SSL_HOSTNAME: "*.example.net"
```

The above configuration would result in an NGINX instance that handles both `example.net` and `*.example.net` hostnames equivalently. Both will get their own self-signed certificates because `SELF_SIGNED` is set to `Y`.

A more complex example:

```
    ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            ACCEPT_EULA: "Y"
            CONTENT_TYPE_OPTIONS: "Y"
            CONTENT_SECURITY_POLICY: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            
            SERVERS: |
               - SSL_HOSTNAME: "example.net"
                 LETSENCRYPT_ACCEPT_TOS: "Y"
                 LETSENCRYPT_EMAIL=your.email@example.net

               - SSL_HOSTNAME: "*.example.net"
                 SELF_SIGNED: "Y"
```

The above configuration would result in an NGINX instance that generates and uses a self-signed certificate for `*.example.net`, but obtains a certificate for `example.net` from Let’s Encrypt.

{% hint style="warning" %}
**IMPORTANT:** The value of `SERVERS` *must* be a string, hence the `|` symbol within the above examples. If this symbol is omitted, then the YAML that follows is parsed as an object, and validation of the `docker-compose.yml` will fail, as all Docker environment variables must be strings.
{% endhint %}

{% hint style="info" %}
**NOTE:** NGINX will use the first server as the default for any request that does not match any configured hostname. If any server declared in `SERVERS` should have this behavior, it must be the first server listed.
{% endhint %}

## Bug Fixes

* **KCM-223**: When joining a shared connection, the joining client appears to hang (does not receive a copy of the current display) until something changes graphically within the session.
* **KCM-213**: When changing the User Time Zone setting to a specific time zone and then going back to clear that time zone, it doesn’t clear the time zone but instead changes it back to the time zone that was set previously.