On Wed, Nov 1, 2023 at 4:30 AM Henning Reich <[email protected]>
wrote:

> Tldr: "ERROR_PAGE_UNAVAILABLE"  on iOS Safari, if guacamole is behind
> a reverse proxy with client certificate authentication (even without
> validation)
>

> Hi, I have a problem where I am stuck. I ran guacamole on an Ubuntu
> 22.04 Container and followed the installation manual (with Mariadb for
> user authentication). Works all as expected.
> Then I add nginx as a reverse proxy in front of tomcat. Enabling SSL
> and still, all works fine.
> At last, I add:
>
> ssl_client_certificate     /root/ca.crt;
> ssl_verify_client optional;
>
> to the nginx config.
> On my Linux Chromium and Windows Edge, it still works fine. But if I
> try to connect from my iPhone (iOS Safari), I get the
> "ERROR_PAGE_UNAVAILABLE"  error. Could not see any hint in
> nginx/tomcat9 logs.
> If I use iOS Chrome (there is no client certificate), it works too (as
> long as I did not verify the client cert)
>

You may need to bump up error logging on the Guacamole Client side, through
the logback.xml file, to get an idea of what's happening. Also, I'm not
sure how feasible it is to get a debug console on the Safari browser on iOS
and see what the JavaScript console is saying?

The fact that you're having the issue only on Safari on iOS is puzzling,
because even Chrome on iOS uses Apple's WebKit rendering engine, rather
than the Chrome engine, which is a requirement for any browser running on
iOS. So it's odd that you'd see any difference at all.


>
> Maybe useful information, maybe not. I had some client certificate
> related trouble with the nextcloud iOS app too. If I enabled client
> certificate authentication, the iOS App "detect" on every usage of a
> certificate changes (Server Cert --> client Cert --> Server Cert -->
> Client Cert).
>

I'm not sure I understand what you're trying to say, here? The certificates
shouldn't be changing - the server has a certificate, the client has a
certificate, and they exchange these when they do the TLS handshake at the
beginning of the connection, but they aren't changing certificates?


> Maybe, there is some "flapping" in the guacamole-client too?
>

I would think if there were "flapping" you wouldn't see the
"ERROR_PAGE_UNAVAILABLE" issue, you'd see constant re-loading or something
like that?

> However, for nextcloud I disabled client authentication on the proxy
> side, but for guacamole, I would prefer to use it.
>
> I also tried haproxy instead of nginx, but got the same behaviour. Can
> anybody give me some advice to track down this issue? Or may it be a
> "bug".
>

I think some more information is required. If it is a bug, I'm not sure how
it's a Guacamole-related bug, when you've already confirmed that every
other browser - including Chrome using WebKit on iOS - functions as
expected? Seems something peculiar to Safari??

-Nick
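
An added diagnostic example, not part of the original messages: an nginx server block that keeps the two client-certificate directives from the post and logs, per request, whether a client certificate was presented and how it verified, so the Safari requests can be compared with those from the browsers that work. The hostname, server certificate and key paths, log paths and Tomcat address are placeholder assumptions.

```nginx
# Added diagnostic example; place inside the http { } context.
# Hostname, certificate/key paths, log paths and the Tomcat address are placeholders.

# One line per request: was a client certificate presented, and how did it verify?
log_format tls_client '$remote_addr [$time_local] "$request" $status '
                      'verify=$ssl_client_verify dn="$ssl_client_s_dn" '
                      'proto=$ssl_protocol reused=$ssl_session_reused '
                      'upgrade="$http_upgrade" ua="$http_user_agent"';

server {
    listen 443 ssl;
    server_name guac.example.test;                  # placeholder

    ssl_certificate     /etc/nginx/tls/server.crt;  # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;  # placeholder

    # Settings from the original post
    ssl_client_certificate /root/ca.crt;
    ssl_verify_client      optional;

    access_log /var/log/nginx/guacamole_tls.log tls_client;
    # TLS handshake failures are logged at "info", below the default "error" level
    error_log  /var/log/nginx/guacamole_error.log info;

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080;           # assumed Tomcat address
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the WebSocket upgrade through to Tomcat
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

In the access log, `verify=NONE` means no certificate was presented, `SUCCESS` means it validated against the CA, and `FAILED:reason` gives the validation error; comparing the page load with the request carrying `upgrade="websocket"` shows whether the two differ for a given browser.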
