Thanks Lorenzo!

________________________________
From: MAURIZI Lorenzo <[email protected]>
Sent: Thursday, October 26, 2023 15:52
To: [email protected] <[email protected]>
Subject: R: Bad user remote IP


Hello,

you should start from the official Guacamole documentation about setting the Remote IP Valve:

https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve

taking into account that the internalProxies property must be set as a regular expression, as indicated in the Tomcat documentation here:

https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html

I think that the Guacamole documentation should be changed to take this information into account, as the shown example seems to be incorrect:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127.0.0.1"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />

because in a regular expression, the dot is “any character except newline”, while in this case the correct syntax would be

internalProxies="127\.0\.0\.1"

to match the literal dot and the exact 127.0.0.1 IP address.



Best regards.

Lorenzo





From: Prakhar Jalan <[email protected]>
Sent: Thursday, October 26, 2023 11:56
To: [email protected]
Subject: Re: Bad user remote IP



Hello,



I am facing the same issue. Could you please provide the exact steps to log the 
ACTUAL IP of the user?



Thanks a ton!



Prakhar



________________________________

From: Maciej Konigsman <[email protected]>
Sent: Wednesday, October 25, 2023 18:21
To: [email protected] <[email protected]>
Subject: Re: Bad user remote IP



Thanks for your help.

It works with the following

 internalProxies="127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+"



127... - for nginx running on the same server as Guacamole

10... - AWS private network



On Wed, 25 Oct 2023 at 13:25, Henri Alves de Godoy <[email protected]> wrote:

Hi all,

the remote ip registration only worked when I put the options below in 
server.xml



-------

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />

        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="combined" requestAttributesEnabled="true" />



----------



Regards,

Henri.





On Wed, Oct 25, 2023 at 08:16, Nick Couchman <[email protected]> wrote:

On Wed, Oct 25, 2023 at 6:19 AM Maciej Konigsman <[email protected]> wrote:

Valve config



        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127.0.0.1"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />



What private subnet applies to your ELB?

ELB is in the same subnet as the EC2 instance where Guacamole is installed.





Presumably the ELB is not running on the localhost (127.0.0.1), so I suspect 
that you need the actual IP address(es) and/or subnets of the ELB placed into 
the "internalProxies" property in this valve.



-Nick
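
Added example, not part of any message in this thread and not Tomcat's own code: a simplified Python model of how the internalProxies values quoted above decide which address ends up in the access log, with re.fullmatch standing in for Java's whole-string match. The function names are hypothetical and every address is constructed (ELB node 10.0.1.25, client 203.0.113.7).

```python
import re

def trusts(internal_proxies, addr):
    """True if addr matches the whole pattern (a full match, not a search)."""
    return re.fullmatch(internal_proxies, addr) is not None

def logged_ip(internal_proxies, peer_addr, xff):
    """Simplified model of RemoteIpValve: the address the access log would record."""
    # The header is only honoured when the TCP peer itself is a trusted proxy.
    if not trusts(internal_proxies, peer_addr):
        return peer_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left, skipping trusted proxies; the first other hop is the client.
    for hop in reversed(hops):
        if not trusts(internal_proxies, hop):
            return hop
    # Every hop was a trusted proxy: in this model, use the leftmost one (or the peer).
    return hops[0] if hops else peer_addr

DOC_EXAMPLE = "127.0.0.1"                            # unescaped value from the thread
ESCAPED = r"127\.0\.0\.1"                            # the escaped form from the thread
WORKING = r"127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+"    # the value reported as working

# Constructed sample addresses, not taken from the thread.
ELB, CLIENT = "10.0.1.25", "203.0.113.7"

if __name__ == "__main__":
    # Unescaped dots accept any character in those positions; escaped dots do not.
    print(trusts(DOC_EXAMPLE, "127x0y0z1"), trusts(ESCAPED, "127x0y0z1"))
    # Peer is the ELB, pattern only trusts localhost: header ignored, ELB is logged.
    print(logged_ip(DOC_EXAMPLE, ELB, CLIENT))
    # Pattern covers the ELB: the forwarded client address is logged.
    print(logged_ip(WORKING, ELB, CLIENT))
    # A client-supplied leftmost entry is not reached: the walk stops at the
    # first untrusted hop from the right, which the proxy appended.
    print(logged_ip(WORKING, ELB, "10.9.9.9, " + CLIENT))
    # Check for reviewers: the broad pattern honours the header from ANY 10.x peer,
    # so direct access to Tomcat from that network should be restricted.
    print(logged_ip(WORKING, "10.200.0.66", "198.51.100.1"))
```
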



