SSL Termination with Apache
How to manually configure Keeper Connection Manager SSL termination using Apache
SSL termination is the recommended method of encrypting communication between users’ browsers and Guacamole, and involves configuring a reverse proxy like Nginx or Apache to handle strictly the SSL/TLS portion of the conversation with the Tomcat instance hosting Guacamole, handling encrypted HTTP externally while passing unencrypted HTTP to Tomcat internally.
If Apache has been configured for SSL/TLS, there should be a
<VirtualHost>section within this configuration that defines the certificate and private key used by Apache, and which requires Apache to listen on the standard HTTPS port (443). To proxy Guacamole through Apache such that Guacamole communication is encrypted, two additional
<Location>sections will need to be added within this
Allow from all
ProxyPass http://HOSTNAME:8080/ flushpackets=on
Allow from all
where “HOSTNAME” is the hostname or IP address of the internal Guacamole server.
<Location>sections configure proxying of the HTTP and WebSocket protocols respectively. Apache handles the HTTP and WebSocket protocols separately, and thus requires separate configuration for the portion of the web application which uses WebSocket. Both sections are required for Guacamole to work correctly behind Apache, and the mod_proxy_wstunnel module must be installed and enabled.
Of particular importance is the
flushpackets=onoption within the ProxyPass directive used for HTTP in front of Guacamole. This option disables buffering of packets sent to/from Guacamole. By default, Apache will buffer communication between itself and the browser, effectively disrupting the stream of events and updates required for remote desktop. Without disabling buffering, the Guacamole connection will at best be slow, and at worst not function at all.
After the above changes have been made, Apache must be reloaded to force rereading of its configuration files:
$ sudo systemctl reload httpd
If you are using SELinux (the default on both CentOS and RHEL), you must also configure SELinux to allow HTTPD implementations like Apache to establish network connections:
$ sudo setsebool -P httpd_can_network_connect 1
If Guacamole is not accessible through Apache after the service has been reloaded, check the Apache logs and/or journalctl to verify that the syntax of your configuration changes is correct. Such errors will result in Apache refusing to reload its configuration, or refusing to start up entirely. If you do not see any errors from Apache, verify that you have configured SELinux to allow Apache to connect to the network and check the SELinux audit logs (
/var/log/audit/audit.log) for AVC denials.
For the client address sent by Apache via "
X-Forwarded-For" to be correctly trusted as the true client address, you will need to add a "
RemoteIpValve" entry within
/etc/tomcat/server.xml. If this is not specified, the client address will be logged as the address of the internal proxy, which is not usually desirable.
Using the provided example server.xml
Editing server.xml manually
The easiest way to add the required entry is to copy the example
server.xmlfile provided with the
kcmpackage, replacing the old
$ sudo cp /opt/keeper/share/guacamole/server.xml /etc/tomcat/
The example server.xml file defines:
- A single HTTP connector listening on port 8080.
RemoteIpValvewith all settings at their default values.
By default, the
RemoteIpValvewill trust "
X-Forwarded-For" from all private networks (
169.254.0.0/16, and both IPv4 and IPv6 localhost). If you need this range to be narrowed, or if you have already made manual edits to
server.xml, you will need to make these changes manually.
server.xmlmanually (rather than using the example
<Valve>which trusts "
X-Forwarded-For" from most common private addresses would be specified as:
<Valve>must be added within the relevant
<Host>section. In most cases, the easiest place to add this is simply toward the end of the
If needed, this can be narrowed by providing your own value for the
internalProxiesattribute specifies a regular expression which matches the IP addresses of any proxies whose "
X-Forwarded-For" headers should be trusted. For example, to trust only "
X-Forwarded-For" received from localhost:
Applying the updated Tomcat configuration
Once an appropriate
RemoteIpValvehas been specified, Tomcat must be restarted to force rereading of
$ sudo systemctl restart tomcat