abesnier / docker-guacamole

A self-contained guacamole docker container for x64. Remotely connect over SSH, RDP or VNC using HTML5.

Home Page: https://hub.docker.com/r/abesnier/guacamole

Passing client ip to tomcat - Cloudflare tunnel

amaurib opened this issue

Hi,

More than reporting a bug, what I would like to ask is how I pass the client's public IP address to the Tomcat server when using a Cloudflare tunnel as reverse proxy. I have added the variable REMOTE_IP_VALVE_ENABLED: "true" to my compose file but that didn't do anything... Guacamole keeps logging the cloudflared tunnel container IP...

version: "3"
services:
  guacamole:
      image: abesnier/guacamole
      container_name: guacamole
      volumes:
        - postgres:/config
        - /home/guacamole/branding.jar:/config/guacamole/extensions/guacamole-branding-1.5.2.jar
      ports:
        - 8082:8080
      environment:
        USE_DEFAULT_BRANDING: "N"
        REMOTE_IP_VALVE_ENABLED: "true"
volumes:
  postgres:
    driver: local

Got to show the client IP on the Dashboard.

I had to modify the Tomcat configuration to allow it to see the real IP address of the client.
/usr/local/tomcat/conf/server.xml

Add the following code inside the <Host> section

<Valve className="org.apache.catalina.valves.RemoteIpValve"
            internalProxies="172.25.0.3" 
            remoteIpHeader="x-forwarded-for"
            remoteIpProxiesHeader="x-forwarded-by"
            protocolHeader="x-forwarded-proto" />

The docker compose file now looks like this.

version: "3"
services:
  guacamole:
      image: abesnier/guacamole
      container_name: guacamole
      volumes:
        - postgres:/config
        - /home/guacamole/branding.jar:/config/guacamole/extensions/guacamole-branding-1.5.2.jar
        - /home/guacamole/server.xml:/usr/local/tomcat/conf/server.xml
      ports:
        - 8082:8080
      environment:
        USE_DEFAULT_BRANDING: "N"
        REMOTE_IP_VALVE_ENABLED: "true"

volumes:
  postgres:
    driver: local
      

Well, that was the easiest issue ever raised! I did not even have time to read it fully and find documentation.

I'll add a section in the readme, as I know this question is asked regularly on the Guacamole mailing list.

Cheers

Coming back on this subject, let me add some points:

  • The REMOTE_IP_VALVE_ENABLED environment variable is not used in my image. This is specific to the official guacamole client docker image.

  • The modifications of the server.conf can be tricky if you are using a reverse proxy. It is not easy to get the proper internalProxies value, as the Docker IP address can change every time you restart a container. I find it easier to just not fill this item, and let Tomcat work it out. Omitting this item will allow most private network IP ranges to be recognized as an authorized proxy (10/8, 192.168/16, 169.254/16, 127/8, 100.64/10, 172.16/12, and ::1). Actually, just adding <Valve className="org.apache.catalina.valves.RemoteIpValve" /> will work with most configurations because of default values.
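
A simplified Python model of how the valve picks the address that ends up in the logs, added here as an illustration (it is not Tomcat's code and not part of this image). It assumes CIDR ranges taken from the list above in place of Tomcat's regular expressions; the function names and the sample addresses are constructed.

```python
import ipaddress

# Ranges the comment above lists as trusted when internalProxies is omitted.
DEFAULT_INTERNAL = ("10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16",
                    "127.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "::1/128")


def _trusted(addr, networks):
    """True if addr is an IP address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # a non-IP token is never treated as a proxy
    return any(ip in ipaddress.ip_network(n) for n in networks)


def resolve_client_ip(peer, x_forwarded_for, internal=DEFAULT_INTERNAL):
    """Return the address the application would log (simplified model)."""
    # The header is honoured only when the TCP peer is itself a trusted proxy.
    if not _trusted(peer, internal):
        return peer
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    # Walk right to left, skipping trusted proxies; the first other hop wins.
    for hop in reversed(hops):
        if not _trusted(hop, internal):
            return hop
    return peer  # header missing or made only of proxies: keep the peer


def demo():
    client = "203.0.113.7"       # constructed sample (documentation range)
    pinned = ("172.25.0.3/32",)  # the single address pinned in the issue
    return {
        "pinned": resolve_client_ip("172.25.0.3", client, pinned),
        # Tunnel container came back as .4: header ignored, container IP logged.
        "pinned_after_restart": resolve_client_ip("172.25.0.4", client, pinned),
        "default_after_restart": resolve_client_ip("172.25.0.4", client),
        # A peer outside the trusted ranges cannot set the logged address.
        "untrusted_peer": resolve_client_ip("198.51.100.9", client),
        # Entries left of the first non-proxy hop are never used.
        "chain": resolve_client_ip("172.25.0.4",
                                   "10.9.9.9, 203.0.113.7, 172.25.0.2"),
    }


if __name__ == "__main__":
    for case, logged in demo().items():
        print(f"{case:22} -> {logged}")
```

Leaving internalProxies at its default survives container restarts, but it also means the forwarded header is accepted from any peer in those private ranges, so the Tomcat port should only be reachable through the proxy.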