On Wed, 15 Apr 2020 at 6:03 AM, Steve Williams <st...@williamsitconsulting.com> wrote:
> Hi,
>
> For an R&D project, I am trying to get guacamole working to be able to access systems on my home network remotely.
>
> Guacamole (I believe) needs to run under something like tomcat to serve up the java war file & application.
>
> I really don't want to have Tomcat exposed to the Internet without some kind of authentication in front of it.
>
> I was thinking of running Tomcat bound to localhost and using pf to redirect to it, but that doesn't add any security.
>
> So, I was thinking of using some form of authpf to open up pf rules when I needed to access systems remotely.
>
> But, I don't want to open up Tomcat to the world when I'm using guacamole, so is it possible to have authpf tweak pf rules so that the originating IP address of the ssh session would be the only one that could access Tomcat?
>
> Is there something better that could be done?
>
> I was thinking even httpd in front of tomcat with httpd authentication, but that doesn't seem to make sense to me at a high level.
>
> I was looking at relayd but it doesn't seem to have any authentication mechanism built in.
>
> Does anyone have some inspiration on how to provide a level of security before packets even hit Tomcat?

I suggest a VPN or Tomcat client cert auth on a non-standard high port (to reduce the noise from standard scans).

— Ram
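An added configuration example, not from either poster, showing the authpf arrangement Steve asks about: Tomcat stays bound to localhost, ssh is the only publicly reachable port, and for the lifetime of an authpf ssh session pf admits only the session's source address to Tomcat. It assumes Tomcat listens on 127.0.0.1:8443, the Internet-facing interface is in the "egress" group, and the remote user's login shell is /usr/sbin/authpf (all assumptions, not details from the thread).

```pf
# Added example, not from the thread. Assumptions: Tomcat listens only on
# 127.0.0.1:8443, the public interface is in the "egress" group, and the
# remote user's login shell is /usr/sbin/authpf. /etc/authpf/authpf.conf
# must exist (it may be empty) for authpf to run at all.

# --- /etc/pf.conf ---
set skip on lo
block return all                 # default deny; Tomcat's port is never open by itself
pass out quick                   # traffic originating from this host
pass in on egress proto tcp to (egress) port 22   # ssh is the only public entry point
anchor "authpf/*"                # per-user rules are loaded here only while a user is logged in

# --- /etc/authpf/authpf.rules ---
# authpf loads this file into anchor authpf/<username> when the user logs in
# over ssh and flushes it when the session ends. $user_ip is replaced with the
# address the ssh session came from, so only that address can reach Tomcat.
pass in quick on egress inet proto tcp from $user_ip to (egress) port 8443 \
    rdr-to 127.0.0.1 port 8443
```

No manual reload is involved: authpf installs the rules at login and removes them when the ssh session closes, so the exposure is limited to one address for the duration of the session.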