guacamole-user mailing list archives

From Michael Barkdoll <mabarkd...@gmail.com>
Subject Re: Connection Error: Balancing Connection Group
Date Wed, 08 May 2019 16:22:18 GMT
> I believe this is all documented in the page I mentioned, above, which
> includes the proxiesHeaders you mention, there.

You're right, I didn't realize proxiesHeader defaults to "x-forwarded-by" in
tomcat's server.xml, so my problem was with the static ip address being
required.  I'll just need to use an ip range when HA work is more polished
to deploy this out to our private cloud.  You're all doing really great
work and I'm very excited about the direction the project is taking;
hopefully at my university we can switch to thin clients in some places due
to everyone's hard work.

Is there anything I can maybe do to help diagnose the issue further?  I say
that with almost complete certainty that you'll finish this before the fact
that it would take me like a month or two to figure out a lot of the
underlying structure of your java code and C code :)  I really love this
project though and wouldn't mind trying to help in some sad way.

E.g., try to document a use case with docker swarm, kubernetes, maybe
demonstrate a use case with a thin client, etc..

Michael Barkdoll


On Wed, May 8, 2019 at 10:12 AM Nick Couchman <vnick@apache.org> wrote:

> On Wed, May 8, 2019 at 10:44 AM Michael Barkdoll <mabarkdoll@gmail.com>
> wrote:
>
>> Alright, first sorry for all the noise on this thread.  I believe I have
>> uncovered a bug and I'm going to proceed with opening a bug report.
>>
>
> No worries at all - that's what the mailing list is for!
>
>
>>
>> Concerning the reverse proxy, I think I now have a better understanding
>> into my issues, I was a bit new to load-balancers so I'm sure this made
>> some people's ears bleed... I think I now at least have the reverse proxy
>> working properly.
>>
>> Concerning client remote ip not being provided from the nginx reverse
>> proxy to the tomcat instance my issue was that:
>>
>>    1. tomcat's server.xml might require hard coded ip addresses for the
>>    RemoteIpValue internalProxies field for load balancing.
>>    Note: I am able to specify a range of ip addresses with some wildcard
>>    syntax to support multiple nginx reverse proxy load balancers.
>>
>>
> Yes, you do have to specify the IP address(es) of the Nginx proxy servers
> that are going to be talking to Tomcat.  I can't remember what the valid
> syntax is for that field, but I would imagine it supports both ranges and
> individual IPs.  There is some documentation on it, here:
>
>
> http://guacamole.apache.org/doc/gug/proxying-guacamole.html#tomcat-remote-ip
>
>
>>
>>    1. My tomcat catalina.out warning about remoteIpProxiesHeader was due
>>    to that value being for an Apache reverse proxy server not an nginx.
>>    The documentation could be made more clear here on the apache
>>    guacamole website.  I might try to open something to request it to be
>>    changed.
>>    Also, I modified the server.xml values to something more appropriate
>>    for nginx reverse proxy load balancing below.
>>    Most Notable: I added a proxiesHeader="x-forwarded-by" to "hold the
>>    list of proxies that have been processed in the incoming remoteIpHeader"
>>    source:
>>    https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
>>
>>
> I believe this is all documented in the page I mentioned, above, which
> includes the proxiesHeaders you mention, there.  If the documentation can
> be made more clear we'd be glad for that feedback, or a pull request to
> clean it up.
>
>
>>
>>    1. The trustedProxies="nginx" is likely optional, nginx dns resolves
>>    to my nginx reverse proxy so I added it just in case the 10.0.0.0/8
>>    didn't catch it.
>>
>>
>> My server.xml addition:
>>         <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>                internalProxies="10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
>>                remoteIpHeader="x-forwarded-for"
>>                proxiesHeader="x-forwarded-by"
>>                trustedProxies="nginx"
>>                protocolHeader="x-forwarded-proto" />
>>
>> The following has the conflicting apache server.xml addition:
>> https://guacamole.apache.org/doc/gug/proxying-guacamole.html
>>         <Valve className="org.apache.catalina.valves.RemoteIpValve"
>>                internalProxies="127.0.0.1"
>>                remoteIpHeader="x-forwarded-for"
>>                remoteIpProxiesHeader="x-forwarded-by"
>>                protocolHeader="x-forwarded-proto" />
>>
>>
>> My goal was to have multiple nginx reverse proxy load balancers and
>> multiple tomcat guacamole-client containers running, but it looks like that
>> isn't supported inside the apache guacamole-client side.  I'm basing that
>> assumption on the fact that when my nginx reverse proxy sent some clients
>> to one tomcat server and some to another, when a client opened a connection
>> to a connection group that was of type balancing they both were connected
>> to the same vm.  So, from my point of view I'm thinking they're not
>> programmed to support multiple instances of guacamole-client running in a
>> balancing connection group, if someone can verify that it would be
>> appreciated.
>>
>
> Yeah, there is definitely some work to be done on the Guacamole side for
> full HA support.  You *can* point multiple Nginx servers at multiple Tomcat
> systems running Guacamole client; however, Guacamole Client currently does
> not have a way to synchronize client sessions across multiple instances of
> Guacamole Client, so there's no way to have it such that one Guacamole
> Client session will show the remote connections from the others.  I started
> working on this a few months ago but didn't make much progress.  Maybe I'll
> dig that work back up...
>
>
>>
>> Therefore, I've now switched to only using one apache guacamole-client
>> tomcat instance behind the nginx reverse proxy.
>>
>
> Probably a good idea until we sort out what might be going on, here :-).
>
>
>>
>> *Possible bug:*
>> However, I still have the same issue that I was previously describing
>> with users test, test2, test3 and connection group cg1 and virtual machines
>> with xrdp connections called s1, s2.
>>
>> Essentially,
>>
>> test can connect get a session with cg1's s1.
>> test2 can connect get a session with cg1's s2.
>> test2 can disconnect from cg1's s2.
>> test3 can connect get a session with cg1's s2.
>> test2 can disconnect from cg1's s2.
>> test2 can connect get a session with cg1's s2.
>>
>> Now if test closes the session with cg's s1, test3 is unable to use it
>> unless they log out and back in to the guacamole instance.  Since I only
>> have one guacamole instance and the remote ip addresses are now populating in
>> the tomcat instance, I believe this is indeed a bug.
>>
>> Here is the catalina.out with debugging enabled:
>> https://gist.github.com/michaelbarkdoll/9e9f46974a0870ea6d6200cc5c1229c5
>>
>> Screenshot of Remote host being provided properly.
>> [image: Selection_999(2259).png]
>>
>> Here are all of my updated configuration files:
>>
>> https://github.com/michaelbarkdoll/guacamole-reverse-proxy-nginx/blob/master/nginx.conf
>>
>> https://github.com/michaelbarkdoll/guacamole-client/blob/jira/234/server.xml
>>
>>
> Cool - I'll try to take a look at the log entries and see if I can spot
> anything.  It sounds like maybe there's some sort of timeout issue with the
> connect/disconnect where the active session is kept open for longer than it
> actually needs to be, or something along those lines.  We'll see.
>
> -Nick
>
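
As an added illustration (not part of the original thread and not Tomcat's source), the following simplified Python model shows how RemoteIpValve applies the internalProxies and trustedProxies regular expressions to address strings when it resolves X-Forwarded-For. BROAD is the internalProxies value from the server.xml quoted above; NARROW, the function name and every address in the sample requests are constructed assumptions.

```python
import re

# internalProxies value from the server.xml in the thread: all of 10.0.0.0/8.
BROAD = r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
# Constructed alternative: only two nginx balancers (addresses are assumptions).
NARROW = r"10\.0\.0\.5|10\.0\.0\.6"


def resolve_remote_ip(peer, xff, internal_proxies, trusted_proxies=None):
    """Simplified model: return (client_ip, proxies_header_list)."""
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None

    def is_internal(addr):
        # Whole-string match against the address text, never a DNS lookup.
        return internal.fullmatch(addr) is not None

    def is_trusted(addr):
        return trusted is not None and trusted.fullmatch(addr) is not None

    # The header is honoured only when the TCP peer is itself a known proxy.
    if not (is_internal(peer) or is_trusted(peer)):
        return peer, []

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    proxies = [] if is_internal(peer) else [peer]
    client = peer
    # Walk right to left: the rightmost entry was added by the nearest proxy.
    for hop in reversed(hops):
        client = hop
        if is_internal(hop):
            continue                # internal proxies are skipped silently
        if is_trusted(hop):
            proxies.insert(0, hop)  # trusted proxies go to proxiesHeader
            continue
        break                       # first unknown address is the client
    return client, proxies


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For value).
    for peer, xff in [("10.0.0.5", "203.0.113.7"),
                      ("10.0.0.5", "192.0.2.1, 203.0.113.7"),
                      ("10.9.9.9", "192.0.2.1"),
                      ("198.51.100.9", "192.0.2.1")]:
        for name, pattern in (("broad", BROAD), ("narrow", NARROW)):
            print(name, peer, xff, resolve_remote_ip(peer, xff, pattern, "nginx"))
```

With the broad pattern, any host in 10.0.0.0/8 that can reach Tomcat is treated as a proxy and its X-Forwarded-For value is believed, so listing only the balancer addresses keeps the logged client IP trustworthy. Because the patterns are matched against address text, a hostname such as "nginx" in trustedProxies matches no connecting address.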
