guacamole-user mailing list archives

From M D Barber <md...@aol.com>
Subject Re: Proxy'ing guacamole
Date Wed, 04 Jul 2018 17:28:27 GMT
Cheers Nick, much clearer.
It seems the simplest solution for me is the latter, as there are only technical
users; I have already sorted the encryption, so assigning it a high port
to avoid casual scans and accidental connections will be a two-minute job.
Many thanks.
David


Nick Couchman wrote:
> On Wed, Jul 4, 2018 at 4:02 AM M D Barber <mdbuk@aol.com 
> <mailto:mdbuk@aol.com>> wrote:
>
>     I have read in the Guacamole docs about Tomcat not being able to
>     freely de/elevate its privileges as and when required with regard
>     to setting the TCP port, and hence the need to consider using a
>     proxy such as Apache or nginx,
>
>
> Yes, Tomcat would have to be run as root to run on standard ports 
> (80/443, anything below 1024), which is bad.  So, generally speaking 
> you want to run Tomcat as a non-privileged user and run it on a higher 
> port (8080 is standard, 8443 for Tomcat native SSL/TLS) and then use 
> some other means to redirect connections from the standard ports to 
> Tomcat.  Using a reverse proxy server, like Nginx or httpd, is pretty 
> common practice.
>
> It is worth noting that a recent change in the Linux kernel allows 
> non-privileged users to open lower ports with some sysctl settings, 
> but that's on really recent kernels.
>
>
>     for me this has raised a couple of questions that I can't find
>     answers to, or am blind to :)
>     1. If this is a major issue and Tomcat is considered a security risk
>     because of it, is it maybe justification to consider use of a
>     different container?
>
>
> No, I wouldn't say that Tomcat is a security risk - running Tomcat as 
> root is a security risk, and running unpatched versions of Tomcat or 
> Tomcat with unpatched versions of Java is a security risk, but recent 
> versions of Java with recent versions of Tomcat as a non-privileged 
> user should be fine.  I believe most of the Java application servers 
> (Tomcat, Jetty, JBOSS, etc.) fall under the same restrictions, so 
> simply switching to a different Java application server doesn't 
> necessarily give you any advantage over Tomcat.  Tomcat is very 
> widely-used for Java applications, and running it as an unprivileged 
> user behind a reverse-proxy is an acceptable practice.
>
>
>     2. If simply not running anything on standard ports and forcing
>     users to enter the FQDN + port number at, say, 5000, is this an
>     issue for Guacamole, or has anyone come across any issues with
>     Tomcat?
>
>
> This is perfectly acceptable, as well, and should work fine; it just 
> comes with a couple of things to be aware of:
> - Tomcat, by default, does not have encryption enabled and listens on 
> unencrypted port 8080.  You can set up the encrypted connector for 
> Tomcat and assign it a port, but it seems like most people just use a 
> reverse proxy, instead.
> - One of the reasons to use standard ports is that people don't have 
> to remember the ports.  8080 has become pretty common, but 8443 for 
> encrypted traffic is less common, so it's a little harder for people 
> to remember that they need to do 
> https://server.example.local:8443/guacamole in order to get to the 
> page, rather than just https://server.example.local/guacamole. If you 
> choose to run it on some other port (5000, for instance), that's even 
> less common and less usual for people, and they're more likely to 
> forget and have to ask you to remind them where they should go.
>
> -Nick
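The reverse-proxy arrangement Nick describes, as an added example that is not from this thread or from the Guacamole project: nginx terminates TLS on 443 and forwards to Tomcat listening unprivileged on 127.0.0.1:8080, so nothing that runs as root ever executes Java. The hostname and certificate paths are assumptions; the Upgrade/Connection headers and `proxy_buffering off` are required because Guacamole's client tunnel is a WebSocket stream.

```nginx
# Assumed hostname and certificate paths; adjust to your deployment.
server {
    listen 80;
    server_name server.example.local;
    # Serve nothing over plain HTTP; send every request to the TLS listener.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name server.example.local;

    ssl_certificate     /etc/ssl/certs/guacamole.crt;   # assumed path
    ssl_certificate_key /etc/ssl/private/guacamole.key; # assumed path

    location /guacamole/ {
        # Tomcat runs as a non-privileged user and is reachable only on
        # loopback: give its Connector in server.xml address="127.0.0.1"
        # so the unencrypted 8080 connector is never exposed on the network.
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_http_version 1.1;

        # Guacamole tunnels the remote-desktop session over a WebSocket;
        # pass the upgrade through and do not buffer the session stream.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_buffering off;

        # Preserve the real client address so Tomcat and Guacamole logs
        # record who connected rather than 127.0.0.1.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

With this in place, users type only https://server.example.local/guacamole, which addresses the port-remembering problem Nick raises for 8443 or 5000.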



