On Thu, Nov 21, 2024 at 9:43 AM Anakien Skywalker <njuhaand...@gmail.com> wrote:
> Hello,
>
> I went through architecture and as far as I understand, guacamole BE sends
> kind of request to guacd to make connection to the remote client (for
> example VNC).
>
> Guacamole Webserver can be secured with different options (in our case
> reverse proxy + LDAP). But what prevents another “not secured” client to
> connect to guacd and request connection to some remote client? The guacd
> can be accessible from only internal network (where guacamole server is
> hosted). But still guacd is vulnerable if there is access to the same
> network?
>
> I did not find in documentation the correct way to make everything secure.
> So, the question is:
>
> How to make guacd recognize valid guacamole server requests?

Yes, you need to properly protect the guacd port from unauthorized use. There are a couple of ways, currently, to do this:

* Network restrictions/firewalls - Depending on how and where you run guacd, you can make sure that it is only accessible from the host/container where your trusted Guacamole Client is running. You can use a combination of network ACLs and/or host-based firewalls (nft/iptables/ufw) to accomplish this.

* Run guacd locally on the same system where Guacamole Client runs and make sure that it is only listening on the local interface (lo/127.0.0.1/etc.).

* Use either stunnel or openssh to tunnel the Guacamole Client -> guacd connection. This is the method that I prefer at the moment, because it allows for me to protect the guacd system, not only with encryption, but also with varying layers of authentication. Depending on which direction you establish the tunnel, you can have either the Guacamole Client system/container authenticate to the guacd system/container, or have the guacd system/container authenticate to the Guacamole Client container, or mutual authentication.

There's also a Jira request outstanding for setting up mutual TLS authentication in Guacamole, which would allow for something like the final scenario I described to be done natively within Guacamole. This hasn't been done, yet, but it is definitely doable, and probably the preferable long-term route. See: https://issues.apache.org/jira/browse/GUACAMOLE-28.

-Nick
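As an added example (not part of Nick's reply or of the Guacamole project), the script below covers two of the options he lists: a check that guacd is bound to loopback only, run over `ss -ltn` output, and stunnel configurations for a mutually authenticated Guacamole Client -> guacd tunnel. It assumes guacd's default port 4822, stunnel 5.x option names, and made-up certificate paths and the hostname `guacd.internal.example`.

```shell
#!/bin/sh
# Added example (not from the thread): two of the mitigations Nick lists.
# 4822 is guacd's default port; file paths and hostnames are assumptions.

# 1. Read `ss -ltn` output on stdin; exit 0 only if every listener on port
#    $1 is bound to 127.0.0.1 or [::1] (exit 1 if exposed or not listening).
guacd_loopback_only() {
    awk -v p="${1:-4822}" '
        NR > 1 {                        # skip the header line
            lp = $4; sub(/.*:/, "", lp)  # port of "Local Address:Port"
            if (lp != p) next
            seen = 1
            if ($4 != "127.0.0.1:" p && $4 != "[::1]:" p) bad = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# 2. stunnel for the Guacamole Client -> guacd hop with mutual TLS: each
#    side presents its cert and verifies the peer against ca.pem. Guacamole
#    then uses guacd-hostname=localhost, guacd-port=4822 (the local stunnel).
stunnel_server_conf() { cat <<'EOF'
[guacd]
client = no
accept = 0.0.0.0:4823
connect = 127.0.0.1:4822
cert = /etc/stunnel/guacd.pem
key = /etc/stunnel/guacd.key
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
requireCert = yes
EOF
}
stunnel_client_conf() { cat <<'EOF'
[guacd]
client = yes
accept = 127.0.0.1:4822
connect = guacd.internal.example:4823
cert = /etc/stunnel/guacamole.pem
key = /etc/stunnel/guacamole.key
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = guacd.internal.example
EOF
}

# Constructed `ss -ltn` samples: guacd on every interface vs loopback only.
SAMPLE_EXPOSED='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:4822 0.0.0.0:*'
SAMPLE_LOCAL='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:4822 0.0.0.0:*'
```

On the guacd host, `guacd -b 127.0.0.1 -l 4822` keeps the plain-text listener off the network so that only the local stunnel (port 4823) can reach it.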