Posted to user@guacamole.apache.org by Vieri <re...@yahoo.com.INVALID> on 2020/01/05 11:54:31 UTC

HTTP protocol

Hi again,

I know the Guacamole devs don't want to implement a "VPN-like" web portal to access other protocols such as HTTP/HTTPS and FTP (discussed before), but I'd like to know if anyone here has any thoughts/experience regarding a guacamole-like portal such as:

https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FMG-FAZ/1300_VPN_Manager/1200_SSL_VPN/0410_Pre%20defined%20bookmarks.htmPredefined bookmarks

This commercial product offers basically the same features as Guacamole (except for the fact that telnet, vnc and rdp require a plug-in which I dislike) with the added support for HTTP/HTTPS and FTP services. 

I'm struggling to keep using open-source projects whenever possible, but not everyone is on my side :-(. I'd like to keep using Guacamole (because it simply works great), and for that I'd need to argue why. The only missing piece for me is really HTTP, and I'm wondering how this commercial product is implementing it. As previously commented in this thread, it's hard to imagine that it's implemented as "HTML to image rendering" (but possible). It may also be simply a reverse proxy setup (which could be implemented with other open-source projects), but it doesn't seem to be. Does anyone have experience with this or similar products (regarding HTTP)?

I am trying to make a custom extension where I add URLs to my guacamole portal which simply point to Apache HTTPS reverse proxies. However, I'm not sure this solution competes effectively with the commercial product I've cited.

Any ideas are very welcome.

Vieri

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: HTTP protocol

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Jan 7, 2020 at 3:15 AM Vieri <re...@yahoo.com.invalid> wrote:

>
>
> On Sunday, January 5, 2020, 4:16:46 PM GMT+1, Nick Couchman <
> vnick@apache.org> wrote:
> >
> > Mostly that Guacamole is designed to be a web-based remote desktop
> client, not a full VPN client, and we're interested in keeping the
> > scope contained.
>
> Understandable. However, I'm still not sure how the commercial product I
> mentioned earlier does it. Even though the provider mentions "SSL-VPN" in
> its on-line guide, I doubt it can be a "real" VPN client as it would imply
> admin privs on the client (supposedly, nothing is supposed to be run as
> root/admin). So that's why I'm wondering (cannot confirm it yet) if the
> provider has implemented some sort of HTML to image rendering, or if it's
> "merely" a redirection to a reverse proxy.


Obviously it's hard to know exactly what the commercial product is using -
could be something open source (happens quite frequently), but also could
be something they wrote themselves.  And, no, there is no VPN Client - that
is, indeed, the point of such web-based "SSL VPN" portals - that you don't
have to have the client.


> If that were the case then I already have my Apache HTTP service
> configured for reverse proxy (I also have a few Squid instances for other
> HTTP services). So sure, I could merely "extend" Guacamole to display URL
> connection objects when the user logs in, alongside RDP, telnet, ssh and
> VNC connections. The problem I'm facing is that for some reason I don't
> fully share, I am asked to create a single portal and a single URL, eg.
> https://guac.domain.org/ from which the users can then connect to
> whichever internal service. Since I've managed to configure fully
> functional reverse proxies with Apache HTTP (but had redirection issues
> with Squid), I would need to use at least a different port or domain. I
> guess what I really need to do is learn how to configure a reverse proxy
> with Apache Tomcat and try to use the same port for that. It would look
> something like this:
>
> https://guac.domain.org/proxy1 -> internal HTTP service 1
>
> https://guac.domain.org/proxy2 -> internal HTTP service 2
>
> https://guac.domain.org/proxy3 -> internal HTTP service 3
>
> and so on.
> And of course, https://guac.domain.org/ would have to be the guacamole
> web client.
>

I think you've recently figured out how to do this :-).  You should also be
able to configure something like Nginx such that you could do:

https://guac.domain.org/proxy?uri=https%3A%2F%2Fmy.super.secret.server.local%2Fpath

Obviously if you provide that kind of functionality you want to be very
careful that 1) you're authenticating users properly, and 2) that you limit
what URLs and paths people can try to access from that server such that
sensitive sites, data, etc., are not exposed outside the boundaries of your
network.


>
>  I'm new to Apache Tomcat so I guess I have a lot of homework to do.
>
> > First, I share your desire to do as much as possible with Open Source
> software, and I routinely have to fight the battle of why to stick
> > with open source rather than spending money on a commercial product.
>
> It's not just a question of money. It is also because OSS is extremely
> flexible, and usually adapts faster and better. Customization is the key.
> Sure, development can be a bit chaotic sometimes (à la freerdp lib...), but
> I guess that's part of the fun.
>
>
I totally agree.

-Nick
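
The two precautions named in the reply above (authenticate the user, and limit which URLs and paths the `uri` parameter may reach), sketched as an added example that is not part of the original thread or of Guacamole. The allowlist contents, the `wiki.internal.example` host and the function name are assumptions made for illustration.

```python
from posixpath import normpath
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Constructed allowlist: internal host -> path prefixes that may be published.
ALLOWED = {
    "my.super.secret.server.local": ("/path",),
    "wiki.internal.example": ("/",),
}

def target_from_request(request_url, authenticated):
    """Return the vetted upstream URL or raise; never proxy on an exception."""
    if not authenticated:                      # point 1: authenticate first
        raise PermissionError("login required")
    values = parse_qs(urlsplit(request_url).query).get("uri", [])
    if len(values) != 1:                       # missing or repeated parameter
        raise ValueError("exactly one uri parameter expected")
    uri = values[0]
    if any(ord(c) < 0x21 or c == "\\" for c in uri):
        raise ValueError("control character, space or backslash in uri")
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError("only https targets are proxied")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo is not allowed")
    if parts.port not in (None, 443):
        raise ValueError("non-default port")
    host = (parts.hostname or "").lower()
    prefixes = ALLOWED.get(host)               # point 2: limit hosts ...
    if prefixes is None:
        raise ValueError("host is not on the allowlist")
    # Decode and normalise before the prefix test so ../ and %2e%2e cannot
    # step outside the published path; a leftover % means double encoding.
    path = normpath(unquote(parts.path) or "/")
    if "%" in path:
        raise ValueError("double-encoded path")
    if not any(path == p or path.startswith(p.rstrip("/") + "/")
               for p in prefixes):             # ... and paths
        raise ValueError("path is outside the published prefixes")
    query = "?" + parts.query if parts.query else ""
    return "https://" + host + quote(path) + query
```

The proxy should connect only to the URL this function returns, rebuilt from the checked components, rather than to the raw parameter value.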

Re: HTTP protocol

Posted by Vieri <re...@yahoo.com.INVALID>.

On Sunday, January 5, 2020, 4:16:46 PM GMT+1, Nick Couchman <vn...@apache.org> wrote: 
>
> Mostly that Guacamole is designed to be a web-based remote desktop client, not a full VPN client, and we're interested in keeping the 
> scope contained.

Understandable. However, I'm still not sure how the commercial product I mentioned earlier does it. Even though the provider mentions "SSL-VPN" in its on-line guide, I doubt it can be a "real" VPN client as it would imply admin privs on the client (supposedly, nothing is supposed to be run as root/admin). So that's why I'm wondering (cannot confirm it yet) if the provider has implemented some sort of HTML to image rendering, or if it's "merely" a redirection to a reverse proxy. If that were the case then I already have my Apache HTTP service configured for reverse proxy (I also have a few Squid instances for other HTTP services). So sure, I could merely "extend" Guacamole to display URL connection objects when the user logs in, alongside RDP, telnet, ssh and VNC connections. The problem I'm facing is that for some reason I don't fully share, I am asked to create a single portal and a single URL, eg. https://guac.domain.org/ from which the users can then connect to whichever internal service. Since I've managed to configure fully functional reverse proxies with Apache HTTP (but had redirection issues with Squid), I would need to use at least a different port or domain. I guess what I really need to do is learn how to configure a reverse proxy with Apache Tomcat and try to use the same port for that. It would look something like this:

https://guac.domain.org/proxy1 -> internal HTTP service 1

https://guac.domain.org/proxy2 -> internal HTTP service 2

https://guac.domain.org/proxy3 -> internal HTTP service 3

and so on.
And of course, https://guac.domain.org/ would have to be the guacamole web client.

 I'm new to Apache Tomcat so I guess I have a lot of homework to do.

> First, I share your desire to do as much as possible with Open Source software, and I routinely have to fight the battle of why to stick 
> with open source rather than spending money on a commercial product. 

It's not just a question of money. It is also because OSS is extremely flexible, and usually adapts faster and better. Customization is the key. Sure, development can be a bit chaotic sometimes (à la freerdp lib...), but I guess that's part of the fun.

Big thanks for the support.

Vieri



Re: HTTP protocol

Posted by Nick Couchman <vn...@apache.org>.
On Sun, Jan 5, 2020 at 6:54 AM Vieri <re...@yahoo.com.invalid> wrote:

> Hi again,
>
> I know the Guacamole devs don't want to implement a "VPN-like" web portal
> to access other protocols such as HTTP/HTTPS and FTP (discussed before)...


Mostly that Guacamole is designed to be a web-based remote desktop client,
not a full VPN client, and we're interested in keeping the scope contained.


> ...but I'd like to know if anyone here has any thoughts/experience
> regarding a guacamole-like portal such as:
>
>
> https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FMG-FAZ/1300_VPN_Manager/1200_SSL_VPN/0410_Pre%20defined%20bookmarks.htm
>
> This commercial product offers basically the same features as Guacamole
> (except for the fact that telnet, vnc and rdp require a plug-in which I
> dislike) with the added support for HTTP/HTTPS and FTP services.
>
> I'm struggling to keep using open-source projects whenever possible, but
> not everyone is on my side :-(. I'd like to keep using Guacamole (because
> it simply works great), and for that I'd need to argue why. The only
> missing piece for me is really HTTP, and I'm wondering how this commercial
> product is implementing it. As previously commented in this thread, it's
> hard to imagine that it's implemented as "HTML to image rendering" (but
> possible). It may also be simply a reverse proxy setup (which could be
> implemented with other open-source projects), but it doesn't seem to be.
> Does anyone have experience with this or similar products (regarding HTTP)?
>
>
First, I share your desire to do as much as possible with Open Source
software, and I routinely have to fight the battle of why to stick with
open source rather than spending money on a commercial product.  I'm always
happy to help architect solutions that leverage open source software, even
if they're outside the scope of this project.

Regarding the ability to have an HTTP(S) portal implemented alongside
Guacamole, I think this is possible using one of a couple of different
options.  In doing some past research on this, I believe Nginx had some
ability to configure itself as a Reverse Proxy that can use parameters to
allow access for a particular site.  Squid may also have the capability to do
some of these things.  I've never personally configured or implemented it,
but I believe it's possible.

Tying it all together into a single solution is going to take some work - I
don't know of anything out there, today, that has it all built in, but all
of the components are there and it just needs to be collected into a single
solution.  It will probably take some development work to bring it all
together, but I think it's possible.  Implementing a portal of sorts that
will bring it into a single view and allow you to publish URLs that can
then be reverse-proxied back through a portal into something else.

-Nick

Re: HTTP protocol

Posted by Vieri <re...@yahoo.com.INVALID>.
On Sunday, January 5, 2020, 12:54:46 PM GMT+1, Vieri <re...@yahoo.com.invalid> wrote: 
>
> https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FMG-FAZ/1300_VPN_Manager/1200_SSL_VPN/0410_Pre%20defined%20bookmarks.htmPredefined bookmarks

Sorry, the correct link is:
https://help.fortinet.com/fmgr/50hlp/56/5-6-2/FMG-FAZ/1300_VPN_Manager/1200_SSL_VPN/0410_Pre%20defined%20bookmarks.htm
