I am having trouble configuring Guacamole with Apache. The setup I have is a small network behind a firewall/NAT router (running pfSense). HTTPS requests go to an external address and non-standard port that the router converts using NAT to an internal address and the standard port for HTTPS (443). The local machine servicing requests to this internal address/port pair runs SSLH, which is an SSH/HTTPS protocol multiplexer. The SSLH daemon parses the first part of each protocol packet and decides to forward it to either the sshd daemon or the installed Apache web server. In the latter case it sends to port 4443, on which Apache is listening. I know this works, since I can log in to the machine via ssh from an external address and HTTPS requests to the configured virtual machine display properly.
The problem occurs when I attempt to access guacamole with an HTTPS request of: https://<machine dns name>:<external port that NAT translates to 443>/guacamole. This does not work. The file 000-default.conf in /etc/apache/sites-enabled is:

# Comment out the port 80 virtual host block
<IfDefine IgnoreBlockComment>
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
</IfDefine>

<VirtualHost localhost:4443>
        ServerName server
        DocumentRoot /mnt/raid5/webserver/sites/MOserver
        Header always unset X-Frame-Options

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        <Location /guacamole/>
                Order allow,deny
                Allow from all
                ProxyPass http://127.0.0.1:4822/guacamole/ flushpackets=on
                ProxyPassReverse http://127.0.0.1:4822/guacamole/
        </Location>

        <Location /websocket-tunnel>
                Order allow,deny
                Allow from all
                #Require all granted
                ProxyPass ws://127.0.0.1:4822/guacamole/websocket-tunnel
                ProxyPassReverse ws://127.0.0.1:4822/guacamole/websocket-tunnel
        </Location>

        SSLEngine on
        SSLCertificateFile /root/.acme.sh/*.mountolive.com/fullchain.cer
        SSLCertificateKeyFile /root/.acme.sh/*.mountolive.com/*.mountolive.com.key
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

I tried to follow the instructions here: https://guacamole.apache.org/doc/0.9.7/gug/proxying-guacamole.html#apache However, the port suggested for guacamole listening (8080) is used by Tomcat, so I changed it to 4822, which is the default port for guacamole.
The configuration file for guacamole is:

# MySQL properties
mysql-hostname: 127.0.0.1
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: xxxxxxxxxx

Before sending a request to guacamole, this is the listening profile of the machine:

dnessett@Mount:/etc/apache2/sites-enabled$ sudo lsof -i -P -n | grep LISTEN
systemd-r 819 systemd-resolve 13u IPv4 18298 0t0 TCP 127.0.0.53:53 (LISTEN)
sslh 970 sslh 3u IPv4 24819 0t0 TCP *:443 (LISTEN)
vsftpd 979 root 3u IPv6 24699 0t0 TCP *:21 (LISTEN)
sslh 1094 sslh 3u IPv4 24819 0t0 TCP *:443 (LISTEN)
java 1095 tomcat 41u IPv6 30012 0t0 TCP *:8080 (LISTEN)
sshd 1115 root 3u IPv4 27938 0t0 TCP *:22 (LISTEN)
sshd 1115 root 4u IPv6 27940 0t0 TCP *:22 (LISTEN)
mysqld 1117 mysql 33u IPv4 23476 0t0 TCP 127.0.0.1:3306 (LISTEN)
apache2 1156 root 4u IPv6 24859 0t0 TCP *:4443 (LISTEN)
guacd 1350 root 4u IPv4 23482 0t0 TCP 127.0.0.1:4822 (LISTEN)
apache2 1831 www-data 4u IPv6 24859 0t0 TCP *:4443 (LISTEN)
apache2 1833 www-data 4u IPv6 24859 0t0 TCP *:4443 (LISTEN)
apache2 1834 www-data 4u IPv6 24859 0t0 TCP *:4443 (LISTEN)
apache2 1835 www-data 4u IPv6 24859 0t0 TCP *:4443 (LISTEN)
apache2 1836 www-data 4u IPv6 24859 0t0 TCP *:4443 (LISTEN)
cupsd 1845 root 6u IPv6 33375 0t0 TCP [::1]:631 (LISTEN)
cupsd 1845 root 7u IPv4 33376 0t0 TCP 127.0.0.1:631 (LISTEN)
dnessett@Mount:/etc/apache2/sites-enabled$

As is clear, tomcat is listening on 8080, apache is listening on 4443, sslh is listening on 443 and guacamole is listening on 4822.
The apache2 status is:

dnessett@Mount:/etc/apache2/sites-enabled$ sudo systemctl status apache2
● apache2.service - The Apache HTTP Server
   Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─apache2-systemd.conf
   Active: active (running) since Sun 2022-12-18 13:26:17 MST; 21min ago
  Process: 1827 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
  Process: 971 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
 Main PID: 1156 (apache2)
    Tasks: 6 (limit: 4915)
   CGroup: /system.slice/apache2.service
           ├─1156 /usr/sbin/apache2 -k start
           ├─1831 /usr/sbin/apache2 -k start
           ├─1833 /usr/sbin/apache2 -k start
           ├─1834 /usr/sbin/apache2 -k start
           ├─1835 /usr/sbin/apache2 -k start
           └─1836 /usr/sbin/apache2 -k start

Dec 18 13:26:12 Mount systemd[1]: Starting The Apache HTTP Server...
Dec 18 13:26:17 Mount systemd[1]: Started The Apache HTTP Server.
Dec 18 13:31:13 Mount systemd[1]: Reloading The Apache HTTP Server.
Dec 18 13:31:13 Mount systemd[1]: Reloaded The Apache HTTP Server.

And guacamole status is:

dnessett@Mount:/etc/apache2/sites-enabled$ sudo systemctl status guacd
● guacd.service - LSB: Guacamole proxy daemon
   Loaded: loaded (/etc/init.d/guacd; generated)
   Active: active (running) since Sun 2022-12-18 13:26:20 MST; 22min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1330 ExecStart=/etc/init.d/guacd start (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/guacd.service
           └─1350 /usr/local/sbin/guacd -p /var/run/guacd.pid

Dec 18 13:26:19 Mount systemd[1]: Starting LSB: Guacamole proxy daemon...
Dec 18 13:26:20 Mount guacd[1332]: Guacamole proxy daemon (guacd) version 1.3.0 started
Dec 18 13:26:20 Mount guacd[1330]: Starting guacd: guacd[1332]: INFO: Guacamole proxy daemon (guacd) version 1.3.0 started
Dec 18 13:26:20 Mount guacd[1330]: SUCCESS
Dec 18 13:26:20 Mount guacd[1350]: Listening on host 127.0.0.1, port 4822
Dec 18 13:26:20 Mount systemd[1]: Started LSB: Guacamole proxy daemon.

I started tcpdump and then sent the following URL to the apache server (through sslh): https://<external machine dns name>:22553/guacamole <https://server.mountolive.com:22553/guacamole> (22553 is the port that NAT translates to 4430). The tcpdump result was:

dnessett@Mount:~$ !2387
sudo tcpdump -i lo
[sudo] password for dnessett:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
13:52:00.506283 IP localhost.52746 > localhost.4443: Flags [S], seq 3330538823, win 65495, options [mss 65495,sackOK,TS val 2893776088 ecr 0,nop,wscale 7], length 0
13:52:00.506297 IP localhost.4443 > localhost.52746: Flags [S.], seq 1284121790, ack 3330538824, win 65483, options [mss 65495,sackOK,TS val 2893776088 ecr 2893776088,nop,wscale 7], length 0
13:52:00.506310 IP localhost.52746 > localhost.4443: Flags [.], ack 1, win 512, options [nop,nop,TS val 2893776088 ecr 2893776088], length 0
13:52:00.506461 IP localhost.52748 > localhost.4443: Flags [S], seq 2774947261, win 65495, options [mss 65495,sackOK,TS val 2893776088 ecr 0,nop,wscale 7], length 0
13:52:00.507463 IP localhost.44102 > localhost.domain: 189+ [1au] PTR? 1.1.168.192.in-addr.arpa. (53)
13:52:00.507504 IP localhost.domain > localhost.49765: 15030 1/0/1 PTR pfSense.localdomain. (86)
13:52:00.507708 IP localhost.domain > localhost.44102: 189 1/0/1 PTR pfSense.localdomain. (86)
13:52:00.507862 IP localhost.40055 > localhost.domain: 17111+ [1au] PTR? 53.0.0.127.in-addr.arpa. (52)
13:52:00.508152 IP localhost.51341 > localhost.domain: 39632+ [1au] PTR? 27.1.168.192.in-addr.arpa. (54)
13:52:00.508335 IP localhost.51907 > localhost.domain: 8297+ [1au] PTR? 27.1.168.192.in-addr.arpa. (54)
13:52:00.508560 IP localhost.domain > localhost.51341: 39632 2/0/1 PTR Mount., PTR Mount.local. (98)
13:52:00.508866 IP localhost.domain > localhost.51907: 8297 2/0/1 PTR Mount., PTR Mount.local. (98)
13:52:00.509201 IP localhost.52746 > localhost.4443: Flags [P.], seq 1:518, ack 1, win 512, options [nop,nop,TS val 2893776091 ecr 2893776088], length 517
13:52:00.509231 IP localhost.4443 > localhost.52746: Flags [.], ack 518, win 508, options [nop,nop,TS val 2893776091 ecr 2893776091], length 0
13:52:00.509504 IP localhost.52748 > localhost.4443: Flags [P.], seq 2774947262:2774947779, ack 252338501, win 512, options [nop,nop,TS val 2893776091 ecr 2893776088], length 517
13:52:00.509541 IP localhost.4443 > localhost.52748: Flags [.], ack 517, win 508, options [nop,nop,TS val 2893776091 ecr 2893776091], length 0
13:52:00.511236 IP localhost.4443 > localhost.52746: Flags [P.], seq 1:257, ack 518, win 512, options [nop,nop,TS val 2893776093 ecr 2893776091], length 256
13:52:00.511248 IP localhost.52746 > localhost.4443: Flags [.], ack 257, win 510, options [nop,nop,TS val 2893776093 ecr 2893776093], length 0
13:52:00.511558 IP localhost.4443 > localhost.52748: Flags [P.], seq 1:257, ack 517, win 512, options [nop,nop,TS val 2893776093 ecr 2893776091], length 256
13:52:00.511572 IP localhost.52748 > localhost.4443: Flags [.], ack 257, win 510, options [nop,nop,TS val 2893776093 ecr 2893776093], length 0
13:52:00.519467 IP localhost.52748 > localhost.4443: Flags [P.], seq 517:597, ack 257, win 512, options [nop,nop,TS val 2893776101 ecr 2893776093], length 80
13:52:00.519474 IP localhost.52746 > localhost.4443: Flags [P.], seq 518:1370, ack 257, win 512, options [nop,nop,TS val 2893776101 ecr 2893776093], length 852
13:52:00.519681 IP localhost.4443 > localhost.52748: Flags [P.], seq 257:336, ack 597, win 512, options [nop,nop,TS val 2893776101 ecr 2893776101], length 79
13:52:00.519724 IP localhost.4443 > localhost.52746: Flags [P.], seq 257:336, ack 1370, win 512, options [nop,nop,TS val 2893776101 ecr 2893776101], length 79
13:52:00.520139 IP localhost.4443 > localhost.52746: Flags [P.], seq 336:894, ack 1370, win 512, options [nop,nop,TS val 2893776102 ecr 2893776101], length 558
13:52:00.520158 IP localhost.52746 > localhost.4443: Flags [.], ack 894, win 512, options [nop,nop,TS val 2893776102 ecr 2893776101], length 0
13:52:00.553688 IP localhost.52746 > localhost.4443: Flags [P.], seq 1370:2143, ack 894, win 512, options [nop,nop,TS val 2893776135 ecr 2893776101], length 773
13:52:00.562965 IP localhost.52748 > localhost.4443: Flags [.], ack 336, win 512, options [nop,nop,TS val 2893776145 ecr 2893776101], length 0
13:52:00.572809 IP localhost.4443 > localhost.52746: Flags [P.], seq 894:17548, ack 2143, win 512, options [nop,nop,TS val 2893776154 ecr 2893776135], length 16654
13:52:00.614946 IP localhost.52746 > localhost.4443: Flags [.], ack 17548, win 512, options [nop,nop,TS val 2893776197 ecr 2893776154], length 0
13:52:05.577989 IP localhost.4443 > localhost.52746: Flags [P.], seq 17548:17572, ack 2143, win 512, options [nop,nop,TS val 2893781160 ecr 2893776197], length 24
13:52:05.578013 IP localhost.52746 > localhost.4443: Flags [.], ack 17572, win 512, options [nop,nop,TS val 2893781160 ecr 2893781160], length 0
13:52:05.578095 IP localhost.4443 > localhost.52746: Flags [F.], seq 17572, ack 2143, win 512, options [nop,nop,TS val 2893781160 ecr 2893781160], length 0
13:52:05.578155 IP localhost.52746 > localhost.4443: Flags [F.], seq 2143, ack 17573, win 512, options [nop,nop,TS val 2893781160 ecr 2893781160], length 0
13:52:05.578193 IP localhost.4443 > localhost.52746: Flags [.], ack 2144, win 512, options [nop,nop,TS val 2893781160 ecr 2893781160], length 0
^C
35 packets captured
78 packets received by filter
8 packets dropped by kernel
dnessett@Mount:~$

As is apparent, the apache server (listening on 4443) is sending traffic to localhost.52748, not to localhost:4822. This leads me to believe that the Virtual Host in the apache configuration is improperly configured, but, as I said, I was just following the suggested configuration specified by the guacamole tutorial. If anyone can see the mistake, I would greatly appreciate some help in rectifying it.
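For comparison, here is the Guacamole section of the 4443 virtual host as it reads when the ProxyPass targets follow the Guacamole manual literally, pointing at Tomcat's HTTP connector rather than at guacd. This is an added example, not part of the original post and not the Guacamole project's own configuration. It assumes that the Guacamole web application is the one deployed in the Tomcat instance shown listening on *:8080 in the lsof output above, and that guacd on 127.0.0.1:4822 is reached only by that web application over the Guacamole protocol (guacd does not speak HTTP, so a browser request proxied to it cannot be answered). The Require directives, the websocket Location path and the module list are this example's choices; the certificate and key paths are copied from the post.

```apache
<VirtualHost localhost:4443>
    ServerName server
    DocumentRoot /mnt/raid5/webserver/sites/MOserver

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Needs mod_proxy, mod_proxy_http and mod_proxy_wstunnel:
    #   a2enmod proxy proxy_http proxy_wstunnel
    # Off is the default; stating it keeps this vhost from ever acting
    # as an open forward proxy if a later edit adds ProxyRequests On.
    ProxyRequests Off

    # The HTTP side of Guacamole is served by Tomcat (the "java ... *:8080"
    # listener in the lsof output), not by guacd. guacd on 127.0.0.1:4822
    # is contacted by Tomcat, never by Apache or the browser.
    <Location /guacamole/>
        Require all granted
        ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://127.0.0.1:8080/guacamole/
    </Location>

    # The browser requests the WebSocket tunnel under /guacamole/, so the
    # Location must carry that prefix; being more specific, it takes
    # precedence over the /guacamole/ block above for this one path.
    <Location /guacamole/websocket-tunnel>
        Require all granted
        ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
    </Location>

    SSLEngine on
    SSLCertificateFile /root/.acme.sh/*.mountolive.com/fullchain.cer
    SSLCertificateKeyFile /root/.acme.sh/*.mountolive.com/*.mountolive.com.key
</VirtualHost>
```

Two follow-ups are worth doing once the proxy target is right. First, rerun the capture with name resolution off and a backend filter, e.g. `sudo tcpdump -n -i lo 'port 8080 or port 4822'`, so the PTR lookups that tcpdump itself generated in the capture above disappear and the trace shows only the connection Apache opens to the backend and the one Tomcat opens to guacd. Second, the lsof listing shows Tomcat bound to *:8080, so any host on the LAN can reach the Guacamole login page over plain HTTP and bypass the TLS virtual host entirely; setting `address="127.0.0.1"` on the Tomcat HTTP Connector in server.xml limits that listener to the loopback, which is all Apache needs, and matches how guacd and MySQL are already bound.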