Posted to user@guacamole.apache.org by "Sky..." <sk...@gmail.com> on 2020/01/10 02:00:59 UTC

guacd endpoint for health check?

I am trying to put guacd behind AWS application load balancer, but the load
balancer requires health check.  Is there an endpoint url I can use for the
health check?

Re: Administrative action logging

Posted by Mike Jumper <mj...@apache.org>.
On Thu, Jan 9, 2020 at 6:53 PM Adam Woodland <ad...@adamwoodland.com> wrote:

> Hi,
>
> Using 1.0.0, under Ubuntu 18.04.
>
> I'm looking at auditing administrative actions in Guacamole and I'm trying
> to find what is logged when an [account|group|connected] is
> [created|modified|deleted] on the portal.
>

Administrative actions are not currently logged. I recommend opening an
issue in JIRA to request this if your use case requires such logging, as
it's definitely something that could be done.

https://issues.apache.org/jira/browse/GUACAMOLE/

- Mike

Administrative action logging

Posted by Adam Woodland <ad...@adamwoodland.com>.
Hi,

Using 1.0.0, under Ubuntu 18.04.

I'm looking at auditing administrative actions in Guacamole and I'm trying
to find what is logged when an [account|group|connected] is
[created|modified|deleted] on the portal.

catalina.out is recording logins ok and guacd is recording those users
connecting through to end devices, so I can log those centrally.

Just can't find any admin logging to send centrally.

Any locations I've missed?

Thanks,
Adam

Re: guacd endpoint for health check?

Posted by Mike Jumper <mj...@apache.org>.
On Thu, Jan 9, 2020, 18:59 Sky... <sk...@gmail.com> wrote:

> I should have explained my setup.  I'm not trying to load balance guacd.  I
> need to manage servers in multiple isolated virtual networks.  All my
> servers are in private subnet on AWS and fronted by AWS application load
> balancer.  I want to deploy 1 guacamole client and 1 guacd per virtual
> network.  Right now I deploy guacd in a public subnet and have access list
> to allow only guacamole client IP to access it.
>

You should always keep guacd on a private network and limit access to only
the subnet of the server(s) hosting Tomcat, yes. You should never allow
public access to guacd.

> I want to further secure this by putting guacd in a private subnet and fronted
> by an application load balancer so there is less attack surface.  Is this
> possible?
>

You can put Tomcat behind an application balancer. You cannot put guacd
behind an application balancer because it is not a web application. It
doesn't speak HTTP.

- Mike

Re: guacd endpoint for health check?

Posted by "Sky..." <sk...@gmail.com>.
I should have explained my setup.  I'm not trying to load balance guacd.  I
need to manage servers in multiple isolated virtual networks.  All my
servers are in private subnet on AWS and fronted by AWS application load
balancer.  I want to deploy 1 guacamole client and 1 guacd per virtual
network.  Right now I deploy guacd in a public subnet and have access list
to allow only guacamole client IP to access it.  I want to further secure this
by putting guacd in a private subnet and fronted by an application load
balancer so there is less attack surface.  Is this possible?

On Thu, Jan 9, 2020 at 6:06 PM Mike Jumper <mj...@apache.org> wrote:

> On Thu, Jan 9, 2020, 18:01 Sky... <sk...@gmail.com> wrote:
>
>> I am trying to put guacd behind AWS application load balancer, but the
>> load balancer requires health check.  Is there an endpoint url I can use for
>> the health check?
>>
>
> No. guacd is not a web application and cannot be placed behind an
> application load balancer.
>
> If you wish to balance guacd, you will need to use a TCP load balancer.
>
> - Mike
>
>

Re: guacd endpoint for health check?

Posted by Mike Jumper <mj...@apache.org>.
On Thu, Jan 9, 2020, 18:01 Sky... <sk...@gmail.com> wrote:

> I am trying to put guacd behind AWS application load balancer, but the
> load balancer requires health check.  Is there an endpoint url I can use for
> the health check?
>

No. guacd is not a web application and cannot be placed behind an
application load balancer.

If you wish to balance guacd, you will need to use a TCP load balancer.

- Mike
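
Added example, not part of the thread and not code from the Guacamole project: because guacd speaks the Guacamole protocol over plain TCP rather than HTTP, a health probe has to open a TCP connection and, for a deeper check than "port is open", send a `select` instruction and confirm that an `args` instruction comes back. The function names are hypothetical; the default guacd port 4822 and an installed `vnc` protocol plugin are assumptions.

```python
import socket

def encode_instruction(*elements):
    """Encode elements as LENGTH.VALUE pairs (length in characters), ';'-terminated."""
    return ",".join(f"{len(e)}.{e}" for e in elements) + ";"

def decode_instruction(text):
    """Parse one instruction; return its elements, or None if more data is needed."""
    elements, pos = [], 0
    while True:
        dot = text.find(".", pos)
        if dot == -1:
            return None
        length = int(text[pos:dot])  # ValueError if the peer is not speaking the protocol
        if length < 0:
            raise ValueError("negative element length")
        end = dot + 1 + length
        if end >= len(text):
            return None
        elements.append(text[dot + 1:end])
        if text[end] == ";":
            return elements
        if text[end] != ",":
            raise ValueError("malformed instruction")
        pos = end + 1

def guacd_healthy(host, port=4822, protocol="vnc", timeout=3.0):
    """True only if the peer answers a "select" with an "args" instruction."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(encode_instruction("select", protocol).encode("utf-8"))
            buf = b""
            while len(buf) < 65536:  # cap what an unexpected peer can make us buffer
                chunk = sock.recv(4096)
                if not chunk:
                    return False  # closed without a complete reply
                buf += chunk
                try:
                    text = buf.decode("utf-8")
                except UnicodeDecodeError:
                    continue  # multi-byte character split across reads
                reply = decode_instruction(text)
                if reply is not None:
                    return reply[0] == "args"
            return False
    except (OSError, ValueError):  # refused, timed out, or not Guacamole protocol
        return False
```

Run the probe from the Tomcat subnet, since that should be the only network allowed to reach guacd.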