On Wednesday, February 28, 2024 12:14 CST, Don Murdoch GSE BTHb 
<[email protected]> wrote:
 
Hi.
I have gotten Guac set up on a PC w/ VMware Workstation, using Ver 1.5.3, and 
also on a server at work. Just to get the feel of all of the parts.
Now moving on to how I’d like to productionalize this using vmware / proxmox I 
am pretty sure I have a “network” and “network routing issue” – I am sure my 
problem is getting guacd to “talk outside its hosting docker container 
management engine”.
For our intended production use, I haven’t gotten things right. My thought 
process is to use a docker network so that the MySQL server can be completely 
isolated on the host, idea being I don’t want a port exposed, just want 
guacamole / guacd to be able to talk to it. To that end, I have guacd on 
192.168.10.3, mysql on 192.168.10.2, guacamole on 192.168.10.4.  (the 
192.168.10 is different from actual, the host IP is the same). I have used the 
cmd line parameter “-ip 192.168.10.X”, and then used the ENV variables on the 
guacamole start up so guacamole (web) can see the other two.
The host itself is on 10.120.33.X, and I can get to 10.120.33.X:8080 – so I 
have reachability to the guacamole web UI, can login, etc.
When I define a target that is on 10.120.33.X – like the SSH port for the guac 
container host, or a RDP target for Windows on 10.120.33.X, I get the 
“reconnect” message, and the Logs option tells me that the target does not 
respond, connection time out. As I am reading errors, it certainly looks like a 
routing issue, the guacd container doesn’t know how to get outside of Docker.
So the question is: If the host is on 10.120.33.X and it has a default gateway 
to other segments, how do I isolate to the extent possible guacd and mysql, 
while still allowing guacd to talk out (and what is the corresponding command 
line parameter?)

-- Don M -> www.blueteamhandbook.com Author. 

Don, I'm running the guac stack under a docker-compose configuration using 
docker networks to isolate the services. I assume that's what you're trying to 
affect, but I'm confused with the different IP allocations you list as in my 
configuration docker handles addressing for the containers. 

Anyway, if it helps here is the article I followed to deploy my stack with 
Caddy SSL reverse proxy, MariaDB, SSO et al. The only service directly 
accessible is the Caddy reverse proxy. - This link takes you to the specific 
docker-compose.yaml section and if you're not using Okta SAML you can ignore 
all of that. 
https://nathancatania.com/posts/deploy-guacamole-ssl-saml/#3-create-the-docker-compose-file


-- 
In your service,
Aaron Meyer
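The following docker-compose.yaml is an added example illustrating the layout both messages describe (MySQL unreachable from the host network, guacd able to reach targets on the host's 10.120.33.X segment); it is not from either message or from the linked article. Names, credentials and the 1.5.3 image tags are assumptions. It relies on two facts about Docker networking: a network declared `internal: true` gets no NAT and no default route, so a container attached only to it cannot reach anything outside the host, and containers on the same user-defined network can reach each other by service name, which removes the need for the static `--ip` assignments.

```yaml
# Added example (not from the thread). Assumes Guacamole 1.5.3 images from
# Docker Hub, the MySQL schema already loaded (initdb.sql omitted here), and
# placeholder credentials that must be changed.
services:
  mysql:
    image: mysql:8
    environment:
      MYSQL_ROOT_PASSWORD: change-me-root
      MYSQL_DATABASE: guacamole_db
      MYSQL_USER: guacamole_user
      MYSQL_PASSWORD: change-me
    volumes:
      - guac-mysql:/var/lib/mysql
    networks:
      - backend          # internal only: no published port, no route out
    restart: unless-stopped

  guacd:
    image: guacamole/guacd:1.5.3
    networks:
      - backend          # guacamole reaches it as the hostname "guacd"
      - egress           # non-internal: gives guacd a default route to the LAN
    restart: unless-stopped
    # No "ports:" entry: 4822 is never published on the host.

  guacamole:
    image: guacamole/guacamole:1.5.3
    environment:
      GUACD_HOSTNAME: guacd
      GUACD_PORT: "4822"
      MYSQL_HOSTNAME: mysql
      MYSQL_DATABASE: guacamole_db
      MYSQL_USER: guacamole_user
      MYSQL_PASSWORD: change-me
    ports:
      - "8080:8080"      # the only port published on the host
    networks:
      - backend          # talks to mysql here
      - egress           # published ports need a non-internal network
    depends_on:
      - mysql
      - guacd
    restart: unless-stopped

networks:
  backend:
    internal: true       # no masquerade, no default route
  egress: {}             # ordinary bridge, masqueraded to the host's LAN

volumes:
  guac-mysql: {}
```

A guacd that sits only on an internal network is exactly the "target does not respond" symptom: it has nowhere to send the RDP or SSH packets. guacd cannot be fully isolated because it must originate connections to the targets, so the practical limits are not publishing 4822 and, if egress should be narrowed to specific target subnets, adding host firewall rules in Docker's DOCKER-USER chain rather than trying to do it inside the compose file. To confirm the layout after `docker compose up -d`, `docker network inspect` on the backend network should show `"Internal": true` with only mysql, guacd and guacamole attached, and `docker inspect` on the guacd container should list both networks.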
