On 12/20/22 01:47, Dan Nessett wrote:
I am attempting to get guacamole working with apache. I have been working with
the guacamole users, but they now tell me that I have an apache2 configuration
problem. So, I am trying to get some help from apache2 users.
The set up I have is a small network behind a firewall/NAT router (running pfsense). HTTPS
requests go to an external address and non-standard port that the router converts using NAT
to an internal address and standard port for HTTPS (443). The local machine servicing
requests to this internal address/port pair runs SSLH, which is a SSH/HTTPS protocol
multiplexor. The SSLH daemon parses the first part of each protocol packet and decides to
forward it to either the sshd daemon or the installed apache web server. In the latter case
it sends to port 4443, on which apache is listening. I know this works, since I can login
to the machine via ssh from an external address and HTTPS requests to the configured
virtual machine display properly, e.g., https://<machine dns name>:<external port
that NAT translates to 443>/phpinfo.php
The problem occurs when I attempt to access guacamole with an HTTPS request of:
https://<machine dns name>:<external port that NAT translates to
443>/guacamole. This does not work. The file 000-default.conf in
/etc/apache/sites-enabled is:
Your virtualhost configuration says it's expecting port 4443, yet your
explanation above says the NAT translates this to 443. This suggests you
have a typo either in your virtualhost config or your explanation. The
port number in the virtualhost directive should, as far as I am aware,
correspond to the port you are listening on, not the original port
before NAT happens.
# Comment out the port 80 virtual host block
<IfDefine IgnoreBlockComment>
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port
that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
</IfDefine>
<VirtualHost *:4443>
ServerName <machine dns name>
DocumentRoot /mnt/raid5/webserver/sites/MOserver
Header always unset X-Frame-Options
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Location /guacamole/>
Order allow,deny
Allow from all
ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
ProxyPassReverse http://127.0.0.1:8080/guacamole/
</Location>
<Location /websocket-tunnel>
Order allow,deny
Allow from all
#Require all granted
ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
</Location>
SSLEngine on
SSLCertificateFile /root/.acme.sh/*.mountolive.com/fullchain.cer
SSLCertificateKeyFile
/root/.acme.sh/*.mountolive.com/*.mountolive.com.key
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Since web page URLs work properly, the only thing I can imagine is causing a problem
are the two <Location> blocks that contain ProxyPass and ProxyPassReverse
entries. I am completely unfamilar with these and would appreciate some help with the
apache2 configuration that is supposed to enable guacamole communication.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
