Re: Bad user remote IP

Mon, 14 Aug 2023 00:18:35 -0700 

Ok. I'm sorry, my mistake.
There is real config: https://pastebin.com/FPhetEie
and there is this "empty" line:

        <Valve className="org.apache.catalina.valves.RemoteIpValve"/>




po 14. 8. 2023 v 0:11 odesílatel Michael Jumper <[email protected]> napsal:

> The file that you're checking ("/usr/local/tomcat/conf/server.xml") is
> not the server.xml used by the image. It's the server.xml that serves as
> the basis. A separate copy is made during startup, and it's that copy
> that's modified according to the environment variables provided:
>
>
> https://github.com/apache/guacamole-client/blob/bffc5fbdd5e2bb7a777f55c819a1d4d858829cb7/guacamole-docker/bin/start.sh#L1025-L1030
>
> - Mike
>
> On 8/13/2023 11:21 AM, Martin Vancl wrote:
> > My nginx proxy:
> > --------------------------------------
> > location / {
> >      proxy_pass http://127.0.0.1:8090/guacamole/
> > <http://127.0.0.1:8090/guacamole/>;
> >      proxy_http_version 1.1;
> >      proxy_set_header Upgrade $http_upgrade;
> >      proxy_set_header Connection 'upgrade';
> >      proxy_set_header Host $host;
> >      proxy_set_header X-Real-IP $remote_addr;
> >      proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
> >      proxy_set_header X-Forward-Proto http;
> >      proxy_set_header X-Nginx-Proxy true;
> >      proxy_buffering off;
> > }
> > --------------------------------------
> >
> > and part of my docker-compose.yml:
> >
> > --------------------------------------
> > image: guacamole/guacamole:1.5.3
> > ports:
> >    - "127.0.0.1:8090:8080"
> > environment:
> >    GUACD_HOSTNAME: guacd
> >    POSTGRES_HOSTNAME: postgres
> >    POSTGRES_DATABASE: ${POSTGRES_USER:-guacdb}
> >    POSTGRES_USER: ${POSTGRES_USER:-guacdb}
> >    POSTGRES_PASSWORD: secretPassword
> >    GUACAMOLE_HOME: /guac_extensions
> >    REMOTE_IP_VALVE_ENABLED: 'true'
> > volumes:
> >    - /opt/guacamole/guac_extensions:/guac_extensions
> > depends_on:
> >    - postgres
> >    - guacd
> > --------------------------------------
> >
> > But there is no "RemoteIpValve":
> > --------------------------------------
> >   # docker exec -ti guacamole_guac_1 sh -c "cat
> > /usr/local/tomcat/conf/server.xml | grep Valve"
> >       define subcomponents such as "Valves" at this level.
> >         so you may not define subcomponents such as "Valves" at this
> level.
> >          <Valve
> > className="org.apache.catalina.authenticator.SingleSignOn" />
> >          <Valve className="org.apache.catalina.valves.AccessLogValve"
> > directory="logs"
> > --------------------------------------
> >
> >
> > pá 11. 8. 2023 v 21:53 odesílatel Nick Couchman <[email protected]
> > <mailto:[email protected]>> napsal:
> >
> >     On Fri, Aug 11, 2023 at 10:49 AM Martin Vancl <[email protected]
> >     <mailto:[email protected]>> wrote:
> >      >
> >      > No. As I wrote:
> >      > > I just updated to version 1.5.3 (from 1.4.0), and the problem
> >     is still the same.
> >      > So now I'm using 1.5.3 in docker.
> >      >
> >      > I wrote about version 1.3.0 in the first email three years ago.
> >
> >     Ah, okay - sorry to have missed that. I tried this out with the 1.5.3
> >     container and adding the "-e REMOTE_IP_VALVE_ENABLED=true" option to
> >     the container creation command results in the following line being
> >     written to the server.xml file:
> >
> >     <Valve className="org.apache.catalina.valves.RemoteIpValve"/>
> >
> >     Can you confirm that you've created the container with that option
> and
> >     you're definitely not seeing that line??
> >
> >     There are additional properties that can be used to control the
> >     content of this line:
> >
> >     PROXY_ALLOWED_IPS_REGEX - The IP regex that should show up as valid
> >     proxy addresses to Tomcat.
> >     PROXY_IP_HEADER - The HTTP header to use for the remote ip.
> >     PROXY_PROTOCOL_HEADER - The HTTP header to use for the protocol.
> >     PROXY_BY_HEADER - The HTTP header to use for the IP of the proxy that
> >     forwarded the request.
> >
> >     -Nick
> >
> >     ---------------------------------------------------------------------
> >     To unsubscribe, e-mail: [email protected]
> >     <mailto:[email protected]>
> >     For additional commands, e-mail: [email protected]
> >     <mailto:[email protected]>
> >
> >
> >
> > --
> > S pozdravem
> > Ing. Martin Vancl
> >
> > e-mail: [email protected] <mailto:[email protected]>
> > web: www.vancl-it.cz <http://www.vancl-it.cz>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>

-- 
S pozdravem
Ing. Martin Vancl

e-mail:  [email protected]
web:  www.vancl-it.cz

Reply via email to