On 2020-04-14, Steve Williams <st...@williamsitconsulting.com> wrote:
> Guacamole (I believe) needs to run under something like tomcat to serve
> up the java war file & application.

I looked at this before - it also requires guacamole-server to be built (written in C), and it requires mutexes shared between different processes (pthread_mutexattr_setpshared(foo, PTHREAD_PROCESS_SHARED), which isn't supported in OpenBSD's thread library). But what you can do is run guacamole elsewhere and have a reverse http proxy running on OpenBSD doing http auth and feeding connections across.

> So, I was thinking of using some form of authpf to open up pf rules when
> I needed to access systems remotely.
>
> But, I don't want to open up Tomcat to the world when I'm using
> guacamole, so is it possible to have authpf tweak pf rules so that the
> originating IP address of the ssh session would be the only one that
> could access Tomcat?

That is exactly what authpf normally does anyway.

> I was thinking even httpd in front of tomcat with httpd authentication,
> but that doesn't seem to make sense to me at a high level.
>
> I was looking at relayd but it doesn't seem to have any authentication
> mechanism built in.

httpd can't proxy connections to another http server. relayd can but as you say doesn't have a way to add http authentication. You can do this with nginx, haproxy or Apache httpd though.
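As an added example (not part of this thread, and not the OpenBSD project's own configuration), the following shows how the authpf behaviour described in the reply is expressed in pf rules: a pf.conf excerpt that blocks the Tomcat port by default and loads the authpf anchor, and an /etc/authpf/authpf.rules file that, once a user has authenticated over ssh, passes only that session's source address to Tomcat. $user_ip is the macro authpf supplies with the ssh client's address; the Tomcat host 192.0.2.10, port 8080 and the egress interface group are constructed placeholders.

```conf
# /etc/pf.conf (excerpt) -- constructed example for this thread, not the
# project's own configuration.  Tomcat is assumed to listen on
# 192.0.2.10 port 8080 (placeholder address).  Traffic to it is blocked by
# default and only opened by the per-user rules authpf loads into the anchor.
tomcat_host = "192.0.2.10"
tomcat_port = "8080"

# Default deny for Tomcat.  Not "quick", so a later matching rule from the
# authpf anchor can override it (pf uses the last matching rule).
block in log on egress proto tcp to $tomcat_host port $tomcat_port

# ssh must stay reachable so the user can log in and have authpf run as
# their login shell.
pass in on egress proto tcp to (egress) port ssh

# authpf creates a sub-anchor per authenticated session under "authpf" and
# removes it again when the ssh session ends, so access is tied to the
# lifetime of the login, not left open afterwards.
anchor "authpf/*"

# /etc/authpf/authpf.rules -- constructed example.  Loaded by authpf(8) when
# a user whose login shell is /usr/sbin/authpf logs in over ssh.  $user_ip
# is replaced with the address the ssh connection came from, so only that
# address can reach Tomcat while the session is up.
tomcat_host = "192.0.2.10"
tomcat_port = "8080"

pass in quick on egress proto tcp from $user_ip to $tomcat_host port $tomcat_port
```

To check the result, `pfctl -a 'authpf/*' -sr` lists the rules currently loaded for active sessions, and `pfctl -sr` shows that no rule outside the anchor passes traffic to the Tomcat port. If the reverse-proxy approach from the reply is chosen instead, the same $user_ip rule can gate the proxy's listening port on the OpenBSD host rather than Tomcat itself, so the proxy's HTTP authentication is only ever exposed to an already ssh-authenticated address.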