Posted to user@guacamole.apache.org by StephenDart <st...@gmail.com> on 2018/02/01 12:06:53 UTC

guacamole behind haproxy

Has anyone got a successful config for haproxy to enable guacamole?
I have a haproxy instance doing ssl offload and reverse proxy, passing
/guacamole to the server at x.x.x.x:8080/guacamole
I can get to the login page and login successfully, but when presenting a
session, it will produce a 404 after the session is created and a few tunnel
reads, then the session will disconnect.

If directly connected to the guacamole server (bypassing haproxy), I can
successfully get a session and it is maintained, so something within haproxy
is I presume timing the session out.
Does anyone run haproxy in front of guacamole and have a config they can
share or suggest what options are required to allow guacamole to work
successfully?

I have tried using 0.9.13 and 0.9.14 of guacamole
Haproxy I have tried 1.6 and 1.7
with options: 
http-server-close
timeout tunnel 3600s
timeout connect 300s
timeout client 300s


200 https://DOMAIN/guacamole/tunnel?connect
200 https://DOMAIN/guacamole/tunnel?read:3b0980ce-262f-4c21-a30e-76e7a2ad4f94:0
200 https://DOMAIN/guacamole/api/session/tunnels/3b0980ce-262f-4c21-a30e-76e7a2ad4f94/activeConnection/connection/sharingProfiles?token=9861B2605E85032EFA752E4EDAEC47DA8C3570E07FF9D3CD6AD92B2C2AF07309
200 https://DOMAIN/guacamole/tunnel?read:3b0980ce-262f-4c21-a30e-76e7a2ad4f94:1
*404 https://DOMAIN/guacamole/tunnel?write:3b0980ce-262f-4c21-a30e-76e7a2ad4f94*
200 https://DOMAIN/guacamole/api/tokens






--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: guacamole behind haproxy

Posted by zhangbin <zh...@iat.one>.
Here's my ajax request method:

var gua;

function getGuacamole() {
    var ajaxURL = "http://10.128.0.211:8080/apis/api/tokens";
    var userparams = {
        "username": "guacadmin",
        "password": "guacadmin"
    };

    $.ajax({
        type: "POST",
        url: ajaxURL,
        // Access-Control-Allow-* are response headers set by the server,
        // so they are not sent with the request.
        headers: {
            "ACCEPT": "application/json, text/plain, */*",
            "Content-Type": "application/x-www-form-urlencoded"
        },
        // Pass the object itself so jQuery form-encodes it; a JSON string
        // would not match the declared Content-Type.
        data: userparams,
        dataType: "json",
        success: function (data) {
            //console.log(data);
        },
        error: function (data) {
        }
    });
}

 

From: Nick Couchman [mailto:vnick@apache.org]
Sent: Current system time: February 3, 2018 12:14
To: user@guacamole.apache.org
Subject: Re: guacamole behind haproxy

 

On Fri, Feb 2, 2018 at 3:42 AM, StephenDart <stephen.dart@gmail.com> wrote:

Will post the config when I am back home, but actually there is only one
backend so sticky sessions aren't a problem, there is only one possible in
the config to go to.
Any traffic for /guacamole will go to a single server.

I think there must be something regarding how haproxy maybe waits for a
session to complete, I had hoped that the http-server-close may have helped
but it doesn't appear to.

 

This really shouldn't impact the API at all - at least, you shouldn't see any 404 errors or anything like that.  I'm not sure about the actual connection stream, though.

 

Two things come to mind:

- Some sort of incompatibility in how HAProxy handles WebSocket traffic, particularly if it is trying to establish it and then dropping it.  I'm not sure off the top of my head if HAProxy supports, doesn't support, or is ignorant of the use of WebSocket.

- A parameter is being dropped from one of the API or tunnel calls, like the token, somewhere along the way - perhaps in HAProxy somewhere.

 

-Nick


Re: guacamole behind haproxy

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Feb 2, 2018 at 3:42 AM, StephenDart <st...@gmail.com> wrote:

> Will post the config when I am back home, but actually there is only one
> backend so sticky sessions aren't a problem, there is only one possible in
> the config to go to.
> Any traffic for /guacamole will go to a single server.
>
> I think there must be something regarding how haproxy maybe waits for a
> session to complete, I had hoped that the http-server-close may have helped
> but it doesn't appear to.
>

This really shouldn't impact the API at all - at least, you shouldn't see
any 404 errors or anything like that.  I'm not sure about the actual
connection stream, though.

Two things come to mind:
- Some sort of incompatibility in how HAProxy handles WebSocket traffic,
particularly if it is trying to establish it and then dropping it.  I'm not
sure off the top of my head if HAProxy supports, doesn't support, or is
ignorant of the use of WebSocket.
- A parameter is being dropped from one of the API or tunnel calls, like
the token, somewhere along the way - perhaps in HAProxy somewhere.

-Nick

Re: guacamole behind haproxy

Posted by StephenDart <st...@gmail.com>.
Will post the config when I am back home, but actually there is only one
backend so sticky sessions aren't a problem, there is only one possible in
the config to go to.
Any traffic for /guacamole will go to a single server.

I think there must be something regarding how haproxy maybe waits for a
session to complete, I had hoped that the http-server-close may have helped
but it doesn't appear to.

If anyone has any other ideas let me know. 




Re: guacamole behind haproxy

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Feb 1, 2018 at 7:06 AM, StephenDart <st...@gmail.com> wrote:

> Has anyone got a successful config for haproxy to enable guacamole?
> I have a haproxy instance doing ssl offload and reverse proxy, passing
> /guacamole to the server at x.x.x.x:8080/guacamole
> I can get to the login page and login successfully, but when presenting a
> session, it will produce a 404 after the session is created and a few
> tunnel reads, then the session will disconnect.
>
> If directly connected to the guacamole server (bypassing haproxy), I can
> successfully get a session and it is maintained, so something within
> haproxy is I presume timing the session out.
> Does anyone run haproxy in front of guacamole and have a config they can
> share or suggest what options are required to allow guacamole to work
> successfully?
>
> I have tried using 0.9.13 and 0.9.14 of guacamole
> Haproxy I have tried 1.6 and 1.7
> with options:
> http-server-close
> timeout tunnel 3600s
> timeout connect 300s
> timeout client 300s
>

You might want to post your full HAProxy configuration; however, it's
important to keep in mind that HTTP is a stateless protocol.  So, no matter
what your timeout options, here, if you don't configure HAProxy for
persistence or session stickiness, each HTTP connection that the web
browser makes has the potential to get redirected to a different back-end
server.  This is likely the reason that you're seeing weird behavior, like
the 404 errors and such, because the initial request gets forwarded to one
back-end server, then the follow-up requests move on to other servers.

This is probably more a question for the HAProxy forums, but I believe
HAProxy supports hash tables of various types that can (attempt to) keep
track of the client and make sure that the requests from the client go on
to the same back-end server.  Because Guacamole Client does not currently
implement any session tracking across multiple Tomcat instances or servers,
you'll need to configure HAProxy appropriately.

-Nick
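
The persistence setup described in the reply above, as an added example that is not from the thread or from either project: an HAProxy configuration doing SSL offload for /guacamole with cookie-based stickiness across two back-ends. The certificate path, server names, addresses and timeout values are placeholders and assumptions.

```haproxy
# Added example (assumptions: two Tomcat/Guacamole back-ends, placeholder
# addresses from the documentation range, placeholder certificate path).
defaults
    mode http
    option http-server-close
    option forwardfor
    timeout connect 5s
    # The tunnel?read / tunnel?write requests seen in the log are ordinary
    # HTTP requests, so client and server timeouts apply to them.
    timeout client  300s
    timeout server  300s
    # Applies only after a connection is upgraded (for example WebSocket).
    timeout tunnel  3600s

frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    http-request set-header X-Forwarded-Proto https
    acl is_guacamole path_beg /guacamole
    use_backend be_guacamole if is_guacamole

backend be_guacamole
    balance roundrobin
    # HAProxy inserts the SRVID cookie on the first response and sends every
    # later request carrying it to the same server, so the tunnel created on
    # one Tomcat instance is never looked up on another.
    cookie SRVID insert indirect nocache httponly secure
    server guac1 192.0.2.11:8080 check cookie guac1
    server guac2 192.0.2.12:8080 check cookie guac2
```

With a single server line, as in the poster's setup, the cookie directive has nothing to choose between and can be dropped.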