Posted to user@guacamole.apache.org by wouterve <wo...@avr.be> on 2017/12/20 14:43:56 UTC

unable to use websocket - HTTP tunnel instead

Hi,
This is a continuation from my previous post
<http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Performance-issues-guacamole-0-9-13-td2339.html>
as it was getting a little messy.
So here is my problem:

Guacamole is not using websocket but http-tunnel instead, even though I have
set up a proxy with Apache.

Here is the output from /var/lib/tomcat7/logs/catalina.out:


> 16:19:18.001 [http-bio-8080-exec-10] INFO 
> o.a.g.r.auth.AuthenticationService - User "vaneenw" successfully
> authenticated from 192.168.217.184.
> Wed Dec 20 16:19:18 CET 2017 WARN: Establishing SSL connection without
> server's identity verification is not recommended. According to MySQL
> 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be
> established by default if explicit option isn't set. For compliance with
> existing applications not using SSL the verifyServerCertificate property
> is set to 'false'. You need either to explicitly disable SSL by setting
> useSSL=false, or set useSSL=true and provide truststore for server
> certificate verification.
> 16:19:18.351 [http-bio-8080-exec-13] INFO 
> o.a.g.tunnel.TunnelRequestService - User "vaneenw" connected to connection
> "1".
> 16:19:18.354 [http-bio-8080-exec-13] INFO 
> o.a.g.tunnel.TunnelRequestService - User "vaneenw" disconnected from
> connection "1". Duration: 3 milliseconds
> 16:19:18.552 [http-bio-8080-exec-7] INFO 
> o.a.g.tunnel.TunnelRequestService - User "vaneenw" connected to connection
> "1".
> 16:19:18.552 [http-bio-8080-exec-7] INFO 
> o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not
> WebSocket). Performance may be sub-optimal.

With Apache, I have done the following configuration:

1-enable mod_proxy & mod_proxy_wstunnel


> sudo a2enmod proxy_wstunnel   # this also enables mod_proxy
> sudo a2enmod proxy_http
> sudo a2enmod headers
> sudo a2enmod rewrite
> sudo a2enmod proxy_html
> sudo a2enmod deflate

(I'm not sure whether the other mods besides the first one are really
necessary, but it doesn't harm to enable too many, it seems to me.)


Then I've changed my Apache virtual host file:
/etc/apache2/sites-enabled/000-default.conf
(as described by the Guacamole documentation
<https://guacamole.apache.org/doc/gug/proxying-guacamole.html>)


> <VirtualHost *:80>
> ServerName name
> 
> 	ServerAdmin webmaster@localhost
> 	DocumentRoot /var/www/html
> 	ProxyRequests on
> <Proxy *>
>         Order allow,deny
>         Allow from all
> </Proxy>
> 
> <Location /guacamole/>
>     Order allow,deny
>     Allow from all
>     ProxyPass http://localhost:8080/guacamole/ flushpackets=on
>     ProxyPassReverse http://localhost:8080/guacamole/
> </Location>
> 
> <Location /guacamole/websocket-tunnel>
>    Order allow,deny
>    Allow from all
>    ProxyPass ws://localhost:8080/guacamole/websocket-tunnel
>    ProxyPassReverse ws://localhost:8080/guacamole/websocket-tunnel
> </Location>
> 
> </VirtualHost>


(note: once websocket is working I will adapt the <proxy> config so that
only local requests are accepted)

Thus far, I haven't succeeded in establishing a connection with Guacamole
through websocket, which results in very laggy response from the remote
computer.
Only exception is when I log into guacamole from the server itself, then I
have a websocket and optimal performance so problem is within proxying I
guess.

I have to add I don't use SSL certificates (use port 80) as can also be
found in the tomcat log (see above). Could this also have something to do
with it?

Can someone help me with configuration please?

kind regards,

wouter





--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: unable to use websocket - HTTP tunnel instead

Posted by Mike Jumper <mi...@guac-dev.org>.
On Wed, Feb 14, 2018 at 4:45 AM, wouterve <wo...@avr.be> wrote:

> ...
> In the new hostfile, i placed only the information regarding the websocket
> AND changed the port to 8080 (forgot this before)
>
> <VirtualHost *:8080>
>  ServerName name
>
>
I'm not sure I see why you would want Apache to listen on port 8080, as
normally you would use Apache to proxy Tomcat over to a standard port,
ideally with SSL/TLS enabled. If Tomcat is already listening on port 8080
(presumably on all interfaces), Apache will not be able to do so. Are you
sure that you aren't actually connecting directly to Tomcat, and Apache is
simply failing to start up entirely?

>  ProxyRequests on
>  <Proxy *>
>          Order allow,deny
>          Allow from all
>  </Proxy>
>

This will result in Apache acting as a forward proxy, allowing external
users to leverage your server to connect via HTTP to other arbitrary web
servers. Is this intentional?

For SSL/TLS termination, the typical use case for using Apache or Nginx in
front of Guacamole, you would want a reverse proxy configuration, not a
forward proxy.

- Mike

Re: unable to use websocket - HTTP tunnel instead

Posted by wouterve <wo...@avr.be>.
Hi,
Sorry for the late reply, I haven't had much time to spend on this project lately.

@jonathan hunter:
the order of <location> is important indeed as the documentation points out:


> Important
> The Location section for /guacamole/websocket-tunnel must be placed after
> the Location section for the rest of Guacamole.
> Apache evaluates all Location sections, giving priority to the last
> section that matches. If the /guacamole/websocket-tunnel section comes
> first, the section for /guacamole/ will match instead, and WebSocket will
> not be proxied correctly.

source <http://guacamole.apache.org/doc/gug/proxying-guacamole.html>  



Anyway, in the meantime I solved this problem. I created a new host file
"guacamole.conf" under /etc/apache2/sites-enabled and moved the default
000-default.conf.
In the new host file, I placed only the information regarding the websocket
AND changed the port to 8080 (forgot this before)

<VirtualHost *:8080> 
 ServerName name 
 
 ServerAdmin webmaster@localhost 
 DocumentRoot /var/www/html 
 ProxyRequests on 
 <Proxy *>
         Order allow,deny 
         Allow from all 
 </Proxy> 
 
 <Location /guacamole/> 
     Order allow,deny 
     Allow from all 
     ProxyPass http://localhost:8080/guacamole/ flushpackets=on 
     ProxyPassReverse http://localhost:8080/guacamole/
 </Location> 
 
 <Location /guacamole/websocket-tunnel> 
    Order allow,deny 
    Allow from all 
    ProxyPass ws://localhost:8080/guacamole/websocket-tunnel 
    ProxyPassReverse ws://localhost:8080/guacamole/websocket-tunnel 
 </Location> 
 
 </VirtualHost>


and now everything works over websocket :-)
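
An added example, not part of any poster's message and not Guacamole project code: a small Python check for the three configuration points raised in this thread (forward proxying through `ProxyRequests on`, a virtual host listening on the same port as its local backend, and the ordering of the WebSocket rule). It goes slightly beyond the thread by also covering bare `ProxyPass` rules, where Apache uses the first match; `audit_vhost`, the finding codes and the sample configuration are assumptions made for illustration.

```python
import re

LOCAL = {"localhost", "127.0.0.1"}
PASS_RE = re.compile(r"ProxyPass\s+(?:(/\S*)\s+)?(\w+)://([^/:\s]+)(?::(\d+))?", re.I)

def audit_vhost(conf):
    """Return sorted finding codes for one <VirtualHost> block (simplified parser)."""
    findings, rules, location = set(), [], None
    vhost = re.search(r"<VirtualHost\s+\S*?:(\d+)\s*>", conf, re.I)
    listen = vhost.group(1) if vhost else None
    for line in (raw.strip() for raw in conf.splitlines()):
        if re.fullmatch(r"ProxyRequests\s+on", line, re.I):
            findings.add("forward-proxy")   # Apache will relay to arbitrary hosts
        elif m := re.match(r"<Location\s+(\S+?)\s*>", line, re.I):
            location = m.group(1)
        elif line.lower().startswith("</location"):
            location = None
        elif m := PASS_RE.match(line):
            path, scheme, host, port = m.groups()
            if port and port == listen and host.lower() in LOCAL:
                findings.add("port-clash")  # Apache and the backend claim one port
            if location or path:
                rules.append((location or path, scheme.lower(), location is not None))
    for i, (path, scheme, in_loc) in enumerate(rules):
        if scheme not in ("ws", "wss"):
            continue
        # <Location>: the last matching section wins, so a broader prefix placed
        # later shadows the tunnel. Bare ProxyPass: the first match wins, so a
        # broader prefix placed earlier shadows it.
        rivals = rules[i + 1:] if in_loc else rules[:i]
        if any(loc == in_loc and p != path and path.startswith(p) for p, _, loc in rivals):
            findings.add("ws-shadowed")
    return sorted(findings)

# Constructed sample modelled on the virtual host posted in this thread.
SAMPLE = """
<VirtualHost *:8080>
  ProxyRequests on
  <Location /guacamole/>
    ProxyPass http://localhost:8080/guacamole/ flushpackets=on
  </Location>
  <Location /guacamole/websocket-tunnel>
    ProxyPass ws://localhost:8080/guacamole/websocket-tunnel
  </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    print(audit_vhost(SAMPLE))
```
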






Re: unable to use websocket - HTTP tunnel instead

Posted by Nick Couchman <vn...@apache.org>.
On Sun, Dec 31, 2017 at 9:50 AM, Jonathan Hunter <jm...@gmail.com>
wrote:

> Just a thought - does the order of the <Location> directives in apache's
> config make a difference? I had something very similar when getting mine
> working (see my other thread about printing not working over HTTP, only via
> web socket)
>

This also sparked a memory from an experience that I had - I actually had
trouble getting Apache's WebSocket proxy module to deal correctly with
multiple WS(S) applications.  I was using both Guacamole and GateOne on the
same server, with Apache proxying to both, and had all sorts of trouble
getting it to work correctly.  If I got Guacamole, proxied to Tomcat to
work, then GateOne would fail.  If I got GateOne, proxied to its own
Python/Twisted web server to work, Guacamole had issues.  I finally figured
out that there appears to be a limitation in Apache HTTPD's WebSocket proxy
module that limits you to basically proxying to a single WebSocket
backend.  I could be misrepresenting that, and maybe I was just missing
some configuration somewhere, but I ended up switching over to nginx for
proxying to the different backends on that system, as the configuration was
dead-simple and it worked with multiple WSS:// backends.

I'm a huge fan of Apache HTTPD, so I'm not saying not to use that, just
that I hit a corner case where I wasn't able to find the solution with that
and ended up using nginx.

-Nick

Re: unable to use websocket - HTTP tunnel instead

Posted by Jonathan Hunter <jm...@gmail.com>.
Just a thought - does the order of the <Location> directives in apache's
config make a difference? I had something very similar when getting mine
working (see my other thread about printing not working over HTTP, only via
web socket)

FWIW, my working Apache config pretty much boils down to just this below,
and works fine. I don't use <Location> for the reverse proxy (although I do
use it to set/unset HTTP authentication headers)


        # sudo a2enmod proxy_wstunnel
        ProxyPass /access/websocket-tunnel ws://server:1234/guacamole/websocket-tunnel
        ProxyPass /access/        http://server:1234/guacamole/

        # sudo a2enmod authnz_ldap
        # sudo a2enmod headers
        <Location /access/>
                AuthName "Remote Access"
                AuthBasicProvider ldap
                AuthType Basic
                [...]
                require ldap-group CN=mygroup,OU=myou,DC=mydc
                [...]
        </Location>

I didn't need ProxyPassReverse, or indeed anything else.




-- 
"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein

Re: unable to use websocket - HTTP tunnel instead

Posted by wouterve <wo...@avr.be>.
For your interest, here is the output from the WS debugger in Chrome:

Request
URL:ws://192.168.217.115:8080/guacamole/websocket-tunnel?token=4DCC454D12B7F3C94527AF58561DB49EF5737345164CA56BAAA7D21AEBAB9786&GUAC_DATA_SOURCE=mysql&GUAC_ID=1&GUAC_TYPE=c&GUAC_WIDTH=1045&GUAC_HEIGHT=769&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp
Request Method:GET
Status Code:101 Switching Protocols
Response Headers
Connection:upgrade
Date:Thu, 21 Dec 2017 12:38:05 GMT
Sec-WebSocket-Accept:MJ0SgWjjAr0f9XlSx6tNumRP2wE=
Sec-WebSocket-Extensions:permessage-deflate;client_max_window_bits=15
Sec-WebSocket-Protocol:guacamole
Server:Apache-Coyote/1.1
Upgrade:websocket
Request Headers
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8,nl;q=0.6
Cache-Control:no-cache
Connection:Upgrade
Cookie:JSESSIONID=3A1DB9BABE30D26F0E1A1699CAC85780;
GUAC_AUTH=%7B%22authToken%22%3A%224DCC454D12B7F3C94527AF58561DB49EF5737345164CA56BAAA7D21AEBAB9786%22%2C%22username%22%3A%22guacadmin%22%2C%22dataSource%22%3A%22mysql%22%2C%22availableDataSources%22%3A%5B%22mysql%22%2C%22mysql-shared%22%5D%7D
Host:192.168.217.115:8080
Origin:http://192.168.217.115:8080
Pragma:no-cache
Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits
Sec-WebSocket-Key:QJSq7pjXyRxIYdk3zQQA6g==
Sec-WebSocket-Protocol:guacamole
Sec-WebSocket-Version:13
Upgrade:websocket
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Query String Parameters
token:4DCC454D12B7F3C94527AF58561DB49EF5737345164CA56BAAA7D21AEBAB9786
GUAC_DATA_SOURCE:mysql
GUAC_ID:1
GUAC_TYPE:c
GUAC_WIDTH:1045
GUAC_HEIGHT:769
GUAC_DPI:96
GUAC_AUDIO:audio/L8
GUAC_AUDIO:audio/L16
GUAC_IMAGE:image/jpeg
GUAC_IMAGE:image/png
GUAC_IMAGE:image/webp


