Hi,

I guess the reverse proxy setting is working and blocking file transfers for all users. Below are the Apache settings used in the virtual host config file.

    <LocationMatch "(/streams/.*)">
        Require all denied
    </LocationMatch>

Although the clipboard is not blocked by this, it blocks file transfers.

I hope that in future the guacamole properties settings allow some variables like the ones below:

    enable-drive: false
    enable-printing:false
    disable-upload:true

On Sat, Sep 16, 2023 at 9:58 PM khmadhu <[email protected]> wrote:

> Hi Nick,
>
> Thanks for the suggestions. Blocking requests at the reverse proxy side
> sounds good for now. I use Apache as a reverse proxy, and the log shows a
> few paths as below when I press Ctrl+Alt+Shift while in an RDP connection.
>
> /api/session/data/quickconnect/activeConnections
> /api/session/data/mysql-shared/activeConnections
> /api/session/data/mysql/activeConnections
>
> When I upload a file successfully I get the below path.
>
> /api/session/tunnels/bsdfd339d-6178-3851-a477-afhdfg721c7f3/streams/1/image.png?token=B1fghfghfghfgh........
>
> This looks like a general API path, so I am not sure.
>
> I also tried setting the below in the guacamole.properties file, but it didn't help.
>
>     enable-drive: false
>     enable-printing:false
>     disable-upload:true
>
> On Sat, Sep 16, 2023 at 7:21 PM Nick Couchman <[email protected]> wrote:
>
>> On Fri, Sep 15, 2023 at 6:35 AM khmadhu <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I am looking for an option to disable ALL file transfers like shared
>>> drives / SFTP, for all default users in a connection group. Even if
>>> users have the option to create connections, the file transfer options must
>>> be disabled. Is that possible? How can we achieve this?
>>>
>>
>> There's no configuration option you can set to disable this globally -
>> basically, if you give users the ability to create connections, you're
>> giving them administrative privileges to the system, and that includes all
>> of the capabilities of any of the connections, including file transfer. If
>> you don't want people to be able to create connections with file transfer
>> capability, you probably shouldn't give them the ability to create
>> connections - there may be other things they can do (saving credentials,
>> for example) that you may not want done.
>>
>> I can think of a couple of theoretical ways to accomplish this, but
>> without having tried either of them, I don't know exactly how they would
>> work:
>> * Run guacd in a container or chroot jail, where the user account running
>> guacd does not have write access to any part of the filesystem, including
>> /tmp (normally world-writable).
>> * Run guacd inside a filesystem that has quotas enabled and set, and
>> restrict the quota for the user account to essentially nothing. This would
>> also have to factor in places that are normally world-writable, like /tmp,
>> /var/tmp, etc.
>> * Use a reverse proxy or web application firewall to restrict access to
>> the REST API endpoints that handle file transfers. I don't know what these
>> are off the top of my head, but, since everything in Guacamole is done via
>> the REST API, there is an API endpoint responsible for it, and it should be
>> possible to block it, either in your proxy configuration (Nginx, Apache
>> httpd, Traefik, etc.) or with a WAF.
>>
>> -Nick
>>
>
> --
> Thanks & Regards
> Madhusudan
> 9844117475
> Bengaluru-12.

--
Thanks & Regards
Madhusudan
9844117475
Bengaluru-12.
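
A way to check the LocationMatch rule from the message above against the request paths quoted in the thread, as an added example that is not part of the original messages. It models LocationMatch as an unanchored regex search on the decoded URL path (query string excluded); the ANCHORED pattern, the shortened token and the last sample path are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Pattern from the virtual host config in the message above.
POSTED = r"(/streams/.*)"
# Hypothetical tighter variant (an assumption, not from the thread): anchored
# to the tunnel stream path seen in the proxy log. Adjust the prefix if
# Guacamole is served under a context path.
ANCHORED = r"^/api/session/tunnels/[^/]+/streams/"

# Request targets: the first four are from the thread (token replaced by a
# placeholder); the last one is constructed to show the unanchored match.
SAMPLES = [
    "/api/session/data/quickconnect/activeConnections",
    "/api/session/data/mysql-shared/activeConnections",
    "/api/session/data/mysql/activeConnections",
    "/api/session/tunnels/bsdfd339d-6178-3851-a477-afhdfg721c7f3"
    "/streams/1/image.png?token=PLACEHOLDER",
    "/docs/streams/readme.html",
]


def location_match(pattern, request_target):
    """Model <LocationMatch>: regex search (not full match) on the decoded
    URL path; the query string is not part of what is matched."""
    path = unquote(urlsplit(request_target).path)
    return re.search(pattern, path) is not None


def denied(pattern, targets=SAMPLES):
    """Targets that 'Require all denied' under this pattern would block."""
    return [t for t in targets if location_match(pattern, t)]


if __name__ == "__main__":
    for name, pattern in (("posted", POSTED), ("anchored", ANCHORED)):
        print(f"{name}: {pattern}")
        for target in SAMPLES:
            verdict = "DENY " if location_match(pattern, target) else "allow"
            print(f"  {verdict} {target}")
```

The posted pattern denies any URL on the virtual host that contains /streams/, while the anchored variant denies only the tunnel stream path; in both cases the activeConnections requests stay allowed.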
