guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Couchman <nick.couch...@yahoo.com>
Subject Re: how to use guacamole-auth-header?
Date Thu, 24 Aug 2017 12:49:44 GMT
Take a look at the following page:
http://guacamole.incubator.apache.org/doc/gug/header-auth.html

Basically, you do the following:- Install the extension into your Guacamole extensions directory-
If you want a header other than REMOTE_USER to be used for authentication, edit the guacamole.properties
file and use the http-auth-header option to specify the header you want to use.- Reload the
Guacamole client (restart Tomcat or redeploy the guacamole.war file)- Configure your application
server (Tomcat, JBoss, etc.) or web server, if you're using a reverse proxy (Apache, Nginx),
to authenticate the URL where Guacamole is running (e.g. http://yourserver.example.com/guacamole)
For example, I am using Apache HTTPD as a reverse proxy in front of Guacamole, so I configure
Apache like so:
<Location /guacamole>
    AuthType Basic    AuthName Guacamole    AuthUserFile /etc/httpd/guacamole.users 
  Require valid-user</Location>
By default Apache HTTPD uses the REMOTE_USER header for this type of login, so there's nothing
else to configure here or in guacamole.properties - just load the extension.  With Apache
HTTPD you can use many different backends for this type of authentication - LDAP, Digest,
Kerberos, CAS, etc.  There are also ways to configure Nginx, Tomcat, and JBoss to do this,
but I've not done those before, so I can't provide specific instructions.
Also, please be very careful with this - as the manual page says, you must make absolutely
certain that your web server and/or proxy server is configured to sanitize whatever header
you use (e.g. REMOTE_USER) such that someone cannot bypass authentication by specifying that
header, or inject something malicious into that header.  HTTP Header Authentication (in general)
is very basic, and it's very easy to configure it in an insecure way.
-Nick

On Sunday, August 6, 2017, 9:41:53 PM EDT, 张建平 <zhangjianping@hikvision.com> wrote:

<!--#yiv6575964344 _filtered #yiv6575964344 {font-family:宋体;panose-1:2 1 6 0 3 1 1
1 1 1;} _filtered #yiv6575964344 {font-family:"Cambria Math";panose-1:2 4 5 3 5 4 6 3 2 4;}
_filtered #yiv6575964344 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;} _filtered #yiv6575964344
{panose-1:2 1 6 0 3 1 1 1 1 1;}#yiv6575964344 #yiv6575964344 p.yiv6575964344MsoNormal, #yiv6575964344
li.yiv6575964344MsoNormal, #yiv6575964344 div.yiv6575964344MsoNormal {margin:0cm;margin-bottom:.0001pt;text-align:justify;text-justify:inter-ideograph;font-size:10.5pt;font-family:"Calibri",
"sans-serif";}#yiv6575964344 a:link, #yiv6575964344 span.yiv6575964344MsoHyperlink {color:blue;text-decoration:underline;}#yiv6575964344
a:visited, #yiv6575964344 span.yiv6575964344MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv6575964344
span.yiv6575964344EmailStyle17 {font-family:"Calibri", "sans-serif";color:windowtext;}#yiv6575964344
.yiv6575964344MsoChpDefault {}#yiv6575964344 _filtered #yiv6575964344 {margin:72.0pt 90.0pt
72.0pt 90.0pt;}#yiv6575964344 div.yiv6575964344WordSection1 {}-->
How  to  use  guacamole-auth-header ?
  
CONFIDENTIALITY NOTICE:
This electronic message is intended to be viewed only by the individual or entity to whom
it is addressed. It may contain information that is privileged, confidential and exempt from
disclosure under applicable law. Any dissemination, distribution or copying of this communication
is strictly prohibited without our prior permission. If the reader of this message is not
the intended recipient, or the employee or agent responsible for delivering the message to
the intended recipient, or if you have received this communication in error, please notify
us immediately by return e-mail and delete the original message and any copies of it from
your computer system. For further information about Hikvision company. please see our website
atwww.hikvision.com



Mime
View raw message