From: Nick Couchman
Date: Thu, 24 Aug 2017 12:49:44 +0000 (UTC)
Reply-To: user@guacamole.incubator.apache.org
Subject: Re: how to use guacamole-auth-header?

Take a look at the following page:

http://guacamole.incubator.apache.org/doc/gug/header-auth.html

Basically, you do the following:
- Install the extension into your Guacamole extensions directory
- If you want a header other than REMOTE_USER to be used for authentication, edit the guacamole.properties file and use the http-auth-header option to specify the header you want to use.
- Reload the Guacamole client (restart Tomcat or redeploy the guacamole.war file)
- Configure your application server (Tomcat, JBoss, etc.) or web server, if you're using a reverse proxy (Apache, Nginx), to authenticate the URL where Guacamole is running (e.g. http://yourserver.example.com/guacamole)

For example, I am using Apache HTTPD as a reverse proxy in front of Guacamole, so I configure Apache like so:

<Location /guacamole>
    AuthType Basic
    AuthName Guacamole
    AuthUserFile /etc/httpd/guacamole.users
    Require valid-user
</Location>

By default Apache HTTPD uses the REMOTE_USER header for this type of login, so there's nothing else to configure here or in guacamole.properties - just load the extension.  With Apache HTTPD you can use many different backends for this type of authentication - LDAP, Digest, Kerberos, CAS, etc.  There are also ways to configure Nginx, Tomcat, and JBoss to do this, but I've not done those before, so I can't provide specific instructions.

Also, please be very careful with this - as the manual page says, you must make absolutely certain that your web server and/or proxy server is configured to sanitize whatever header you use (e.g. REMOTE_USER) such that someone cannot bypass authentication by specifying that header, or inject something malicious into that header.  HTTP Header Authentication (in general) is very basic, and it's very easy to configure it in an insecure way.

-Nick


On Sunday, August 6, 2017, 9:41:53 PM EDT, 张建平 <zhangjianping@hikvision.com> wrote:


How to use guacamole-auth-header?

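
Added example (not part of the original message and not the Guacamole project's own configuration): one way to do the header sanitizing that the reply warns about when Apache HTTPD is the reverse proxy. It assumes Apache HTTPD 2.4 with mod_headers, mod_proxy and mod_proxy_http loaded, and a Tomcat backend at localhost:8080; neither is stated in the thread.

```apache
# Constructed example. Assumed: Apache HTTPD 2.4, mod_headers, mod_proxy,
# mod_proxy_http, and Guacamole on Tomcat at localhost:8080.
<Location /guacamole>
    # Authentication exactly as in the message above.
    AuthType Basic
    AuthName Guacamole
    AuthUserFile /etc/httpd/guacamole.users
    Require valid-user

    # Discard any REMOTE_USER request header supplied by the client, so
    # the value Guacamole reads can only have been written by this proxy.
    RequestHeader unset REMOTE_USER

    # Re-create the header from the user Apache has just authenticated.
    # Without the "early" flag these directives run after authentication,
    # so %{REMOTE_USER} is already populated.
    RequestHeader set REMOTE_USER expr=%{REMOTE_USER}

    # Forward the request, with the sanitized header, to the backend.
    ProxyPass http://localhost:8080/guacamole
    ProxyPassReverse http://localhost:8080/guacamole
</Location>

# If guacamole.properties names a different header through
# http-auth-header, unset and set that header name here instead.
```

The backend should accept connections only from the proxy (for example by listening on the loopback address), because Guacamole trusts this header on every request that reaches it.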