On Wed, May 28, 2025 at 12:52 AM Roberto Torres <robe...@prohard.com.br>
wrote:

> Hey Philip
>
> Look for Kasm workspaces.
>
> On Wed, May 28, 2025, 01:43, Philip Hoflack <
> philip.hofl...@gmail.com> wrote:
>
>> Hi Nick,
>>
>> Ok, all clear, thanks for the link, and the suggestion.
>>
>> Since the question pops up now and then; then what's the next best, most
>> Guacamole-like solution? There is a real need to expose these websites
>> through a system that has authentication, and gives the end user an
>> overview of what connections are available to him. (I would prefer to not
>> have a VM with a browser for this).
>>
>>
A reverse proxy with some form of authentication SSO is probably the
quickest/easiest, if not the most elegant.


>> I've found the following 2 candidates so far:
>> - nginx proxy manager (NPM): probably no SSO possible, but seems to list
>> connections and has user management
>> - fossorial pangolin: has SSO support, but it seems a much more complex
>> solution compared to NPM
>>
>>
I believe there are some ways to integrate Nginx, in general, with SSO. I'm
not sure about Nginx Proxy Manager, but I wouldn't be surprised if it is
doable.


>> PS: I'm afraid this question will continue to pop up: maybe one could
>> consider to implement it without the recording feature? And thus without
>> rendering the website in a browser engine on the server? The need to manage
>> connections is a real need, and since guacamole already had SSO extensions
>> and a concept of connections that would allow to have it all in one place.
>> It would also be easier to explain to the end user that he only needs
>> guacamole instead of a website for this and another one for that...
>> For example say you have an SSH connection in guacamole: adding a cups
>> web ui connection to the same server would be possible.
>>
>>
The recording is not the roadblock, here - in fact, recording is reasonably
easy once the implementation is done. Guacamole isn't just a web
interface/management system - while it has those components, the core, and
what makes it do what it does really well is the underlying "Guacamole
Protocol." The "Guacamole Server" (guacd) translates between all of the
other remote protocols that it supports - RDP, VNC, SSH, Telnet, Kubernetes
- and the Guacamole Protocol. The Guacamole Client (running in Tomcat)
facilitates connection between the end clients (Web Browsers) and guacd
over either HTTP or WebSocket "tunnels" so that the browsers can speak the
Guacamole Protocol to guacd, and provides the access control, a nice
management interface, etc.

All that to say that the rendering of the website in a browser engine on
the server must be done one way or the other, whether recording is enabled
or not, because that's how connections are made between guacd and the
browser-based client.

The logical next questions are:
* Well, couldn't you make guacd capable of tunneling the traffic without
using the Guacamole Protocol? And, sure, you could add some sort of SSL/TLS
or SSH tunneling capabilities to guacd, but why? There are plenty of other
products out there that already do this, why reinvent the wheel?
* Is there any way to allow Guacamole Client to manage connections that
don't use guacd at all, just to provide a central place where "Connections"
can be configured and made available to users? And, again, the answer to
this is "yes", you could - in fact, you could use Guacamole's extension
framework to provide links to some other system (like Nginx Proxy Manager,
or perhaps some other tunneling or VPN client) alongside the Guacamole
connections. But, IMHO, it isn't something to integrate into the core
Guacamole project.

-Nick
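
The reverse proxy with SSO suggested in the reply above, sketched as an added example that is not part of the original message or of the Guacamole project. It assumes plain Nginx built with the `auth_request` module and oauth2-proxy as the SSO front end (neither choice comes from the thread); the hostname, certificate paths and backend address are constructed.

```nginx
# Added example. Constructed values: hostname, certificate paths, backend
# address (a CUPS web UI on port 631), and oauth2-proxy on 127.0.0.1:4180.
server {
    listen 443 ssl;
    server_name cups.example.internal;
    ssl_certificate     /etc/nginx/tls/cups.example.internal.crt;
    ssl_certificate_key /etc/nginx/tls/cups.example.internal.key;

    # Login, callback and sign-out endpoints served by oauth2-proxy.
    location /oauth2/ {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Subrequest target: 202 when the session cookie is valid, 401 otherwise.
    location = /oauth2/auth {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    location / {
        # Every request is checked before it reaches the backend.
        auth_request /oauth2/auth;
        error_page 401 =403 /oauth2/sign_in;

        # Identity comes from the auth response (oauth2-proxy run with
        # --set-xauthrequest). Setting the header here overwrites any
        # client-supplied X-Forwarded-User.
        auth_request_set $sso_user $upstream_http_x_auth_request_user;
        proxy_set_header X-Forwarded-User $sso_user;

        proxy_pass http://10.0.20.15:631;
    }
}
```

The check only holds if the backend accepts connections from the proxy alone; a firewall rule or a bind address that leaves port 631 reachable directly bypasses the SSO gate.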
