guacamole-user mailing list archives

From Nick Couchman <>
Subject Re: Proxy'ing guacamole
Date Wed, 04 Jul 2018 13:59:19 GMT
On Wed, Jul 4, 2018 at 4:02 AM M D Barber <> wrote:

> I have read in the guacamole docs about tomcat not being able to freely
> de/elevate its privileges as and when required
> with regards to set tcp port and hence the need to consider using a
> proxy such as apache or nginx,

Yes, Tomcat would have to be run as root to run on standard ports (80/443,
anything below 1024), which is bad.  So, generally speaking you want to run
Tomcat as a non-privileged user and run it on a higher port (8080 is
standard, 8443 for Tomcat native SSL/TLS) and then use some other means to
redirect connections from the standard ports to Tomcat.  Using a reverse
proxy server, like Nginx or httpd, is pretty common practice.

It is worth noting that a recent change in the Linux kernel allows
non-privileged users to open lower ports with some sysctl settings, but
that's on really recent kernels.

> for me this has
> raised a couple of questions, that I can't find or am blind to :)
> 1. if this is a major issue and tomcat is considered a security risk
> because of it, is it maybe justification to consider use of a different
> container?

No, I wouldn't say that Tomcat is a security risk - running Tomcat as root
is a security risk, and running unpatched versions of Tomcat or Tomcat with
unpatched versions of Java is a security risk, but recent versions of Java
with recent versions of Tomcat as a non-privileged user should be fine.  I
believe most of the Java application servers (Tomcat, Jetty, JBOSS, etc.)
fall under the same restrictions, so simply switching to a different Java
application server doesn't necessarily give you any advantage over Tomcat.
Tomcat is very widely-used for Java applications, and running it as an
unprivileged user behind a reverse-proxy is an acceptable practice.

> 2. If simply not running anything on standard ports and forcing users to
> enter the fqdn+port number at say, 5000 is this an issue for guacamole or
> has anyone come across any issues with tomcat?

This is perfectly acceptable, as well, and should work fine, it just comes
with a couple of things to be aware of:
- Tomcat, by default, does not have encryption enabled and listens on
unencrypted port 8080.  You can set up the encrypted connector for Tomcat
and assign it a port, but it seems like most people just use a reverse
proxy, instead.
- One of the reasons to use standard ports is that people don't have to
remember the ports.  8080 has become pretty common, but 8443 for encrypted
traffic is less common, so it's a little harder for people to remember that
they need to do https://server.example.local:8443/guacamole in order to get
to the page, rather than just https://server.example.local/guacamole.  If
you choose to run it on some other port (5000, for instance), that's even
less common and less usual for people, and they're more likely to forget
and have to ask you to remind them where they should go.
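The reverse-proxy setup the reply recommends, written out as an added example (this is not configuration from the thread or from the Guacamole project): nginx owns the privileged ports 80/443 and terminates TLS, while Tomcat keeps running as an unprivileged user on 8080 and users only ever type https://server.example.local/guacamole. The hostname, the loopback address for Tomcat, and the certificate paths are assumptions.

```nginx
# Added example (not from the thread): nginx as a TLS-terminating reverse proxy in
# front of Tomcat. Assumed: Guacamole is deployed at /guacamole on a Tomcat that
# listens on 127.0.0.1:8080 only; certificate paths are placeholders.

server {
    # Plain HTTP on the standard port exists only to send people to HTTPS.
    listen 80;
    server_name server.example.local;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name server.example.local;

    ssl_certificate     /etc/ssl/certs/guacamole.example.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/private/guacamole.example.key; # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;

        # Guacamole's tunnel runs over WebSocket, so the Upgrade/Connection
        # headers must be forwarded as-is on an HTTP/1.1 upstream connection.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

        # Let Tomcat see the real client address and scheme for its own logs
        # and for building correct redirects behind the proxy.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_cookie_path /guacamole/ /guacamole/;
        access_log off;
    }
}
```

The design point to keep in mind is that the proxy only removes the need for root if Tomcat's own HTTP connector is reachable from nowhere but the proxy: bind the 8080 connector to 127.0.0.1 (the `address` attribute on the connector in server.xml) or firewall it, otherwise the unencrypted port the reply warns about is still exposed alongside the encrypted one.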

