Hi,
For a R&D project, I am trying to get guacamole working to be able to
access systems on my home network remotely.
Guacamole (I believe) needs to run under something like tomcat to serve
up the java war file & application.
I really don't want to have Tomcat exposed to the Internet without some
kind of authentication in front of it.
I was thinking of running Tomcat bound to localhost and using pf to
redirect to it, but that doesn't add any security.
So, I was thinking of using some form of authpf to open up pf rules when
I needed to access systems remotely.
But, I don't want to open up Tomcat to the world when I'm using
guacamole, so is it possible to have authpf tweak pf rules so that the
originating IP address of the ssh session would be the only one that
could access Tomcat?
Is there something better that could be done?
I was thinking even httpd in front of tomcat with httpd authentication,
but that doesn't seem to make sense to me at a high level.
I was looking at relayd but it doesn't seem to have any authentication
mechanism built in.
Does anyone have some inspiration on how to provide a level of security
before packets even hit Tomcat?
Thanks,
Steve Williams
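
The authpf arrangement asked about above, as an added example that is not part of the original post: authpf sets the `$user_ip` macro to the source address of the authenticating ssh session, so a per-session rule can admit only that address. The port 8080, the loopback binding and the use of the `egress` interface group are assumptions about the setup.

```conf
# ---- /etc/pf.conf (fragment) ----
# Assumption: Tomcat listens only on 127.0.0.1:8080 (adjust to the real port).
block in log on egress                      # default deny from the Internet

# sshd must stay reachable so that users can authenticate to authpf.
pass in on egress inet proto tcp to (egress) port ssh

# authpf loads each session's rules under this anchor.
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules ----
# Loaded when a user whose login shell is /usr/sbin/authpf logs in over ssh,
# and flushed when that ssh session ends. /etc/authpf/authpf.conf must also
# exist (it may be empty) or authpf refuses to run.
#
# $user_ip is supplied by authpf: the address the ssh session came from.
# Only that address is redirected to the loopback-bound Tomcat.
pass in quick on egress inet proto tcp from $user_ip to (egress) port 8080 \
    rdr-to 127.0.0.1 port 8080
```

The rule matches on source address only, so any other host behind the same NAT address as the ssh client is admitted for as long as the session is open.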