On 14/04/2020 4:13 p.m., Sriram Narayanan wrote:
On Wed, 15 Apr 2020 at 6:03 AM, Steve Williams <st...@williamsitconsulting.com> wrote:
Hi,
For an R&D project, I am trying to get guacamole working to be able to access systems on my home network remotely.

Guacamole (I believe) needs to run under something like tomcat to serve up the java war file & application.

I really don't want to have Tomcat exposed to the Internet without some kind of authentication in front of it.

I was thinking of running Tomcat bound to localhost and using pf to redirect to it, but that doesn't add any security.

So, I was thinking of using some form of authpf to open up pf rules when I needed to access systems remotely.

But, I don't want to open up Tomcat to the world when I'm using guacamole, so is it possible to have authpf tweak pf rules so that the originating IP address of the ssh session would be the only one that could access Tomcat?

Is there something better that could be done?

I was thinking even httpd in front of tomcat with httpd authentication, but that doesn't seem to make sense to me at a high level.

I was looking at relayd but it doesn't seem to have any authentication mechanism built in.

Does anyone have some inspiration on how to provide a level of security before packets even hit Tomcat?
I suggest a VPN or Tomcat client cert auth on a non-standard high port (to reduce the noise from standard scans).
— Ram
Hi,
The VPN doesn't work as I won't always have my own computer with me. I am mobile, so sometimes I am at a client's office where the network is locked down and I cannot use my own laptop.

For similar reasons, using a non-standard high port won't necessarily work from a client's office. Additionally, I am trying to not expose Tomcat directly to the Internet and I don't really believe in security through obscurity (non-standard high port).
Thanks for the input!
Cheers,
Steve W.
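The authpf arrangement asked about in the quoted question (Tomcat bound to localhost, a pf rule opened only for the source address of the authenticated ssh session), as an added example that is not part of this thread. It assumes an external interface named em0, Tomcat listening on 127.0.0.1:8080 and external port 8443 as the redirect target; the file paths and the $user_ip macro are authpf's standard ones.

```pf
# /etc/pf.conf (relevant fragment)
# Tomcat listens only on 127.0.0.1:8080, so nothing from the outside
# reaches it unless an authpf session has installed a rule for that IP.
ext_if = "em0"            # assumption: external interface name

set skip on lo
block in log on $ext_if
pass out on $ext_if

# ssh must be reachable so the authpf login can happen at all
pass in on $ext_if proto tcp to ($ext_if) port ssh

# authpf loads its per-session rules into this anchor and removes
# them again when the ssh session ends (or is killed)
anchor "authpf/*"

# /etc/authpf/authpf.rules
# Loaded by authpf once per session with $user_ip set to the address
# the ssh connection came from. Macros from pf.conf are not visible
# here, so the interface macro is defined again.
ext_if = "em0"            # assumption: same external interface
pass in quick on $ext_if proto tcp from $user_ip to ($ext_if) port 8443 \
    rdr-to 127.0.0.1 port 8080

# Prerequisites, as comments rather than rules:
#  - the login user's shell is /usr/sbin/authpf and /etc/authpf/authpf.conf
#    exists (it may be empty), otherwise authpf refuses the session
#  - while a session is open, "pfctl -a 'authpf/*' -sr" shows the rule
#    installed for that single source address; it must disappear when
#    the ssh session closes
```

Because the only access path is the IP that authenticated over ssh, a Tomcat port scan from anywhere else sees the default block rule, which is the "before packets even hit Tomcat" property the question is after.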