how to use guacamole-auth-header?

[张建平 <zh...@hikvision.com>]

How  to  use  guacamole-auth-header ?

________________________________
CONFIDENTIALITY NOTICE:

This electronic message is intended to be viewed only by the individual or entity to whom it is addressed. It may contain information that is privileged, confidential and exempt from disclosure under applicable law. Any dissemination, distribution or copying of this communication is strictly prohibited without our prior permission. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, or if you have received this communication in error, please notify us immediately by return e-mail and delete the original message and any copies of it from your computer system. For further information about Hikvision company. please see our website at www.hikvision.com<http://www.hikvision.com>

Re: how to use guacamole-auth-header?

[Nick Couchman <ni...@yahoo.com>]

Take a look at the following page:
http://guacamole.incubator.apache.org/doc/gug/header-auth.html

Basically, you do the following:- Install the extension into your Guacamole extensions directory- If you want a header other than REMOTE_USER to be used for authentication, edit the guacamole.properties file and use the http-auth-header option to specify the header you want to use.- Reload the Guacamole client (restart Tomcat or redeploy the guacamole.war file)- Configure your application server (Tomcat, JBoss, etc.) or web server, if you're using a reverse proxy (Apache, Nginx), to authenticate the URL where Guacamole is running (e.g. http://yourserver.example.com/guacamole)
For example, I am using Apache HTTPD as a reverse proxy in front of Guacamole, so I configure Apache like so:
<Location /guacamole>
    AuthType Basic    AuthName Guacamole    AuthUserFile /etc/httpd/guacamole.users    Require valid-user</Location>
By default Apache HTTPD uses the REMOTE_USER header for this type of login, so there's nothing else to configure here or in guacamole.properties - just load the extension.  With Apache HTTPD you can use many different backends for this type of authentication - LDAP, Digest, Kerberos, CAS, etc.  There are also ways to configure Nginx, Tomcat, and JBoss to do this, but I've not done those before, so I can't provide specific instructions.
Also, please be very careful with this - as the manual page says, you must make absolutely certain that your web server and/or proxy server is configured to sanitize whatever header you use (e.g. REMOTE_USER) such that someone cannot bypass authentication by specifying that header, or inject something malicious into that header.  HTTP Header Authentication (in general) is very basic, and it's very easy to configure it in an insecure way.
-Nick

On Sunday, August 6, 2017, 9:41:53 PM EDT, 张建平 <zh...@hikvision.com> wrote:

<!--#yiv6575964344 _filtered #yiv6575964344 {font-family:宋体;panose-1:2 1 6 0 3 1 1 1 1 1;} _filtered #yiv6575964344 {font-family:"Cambria Math";panose-1:2 4 5 3 5 4 6 3 2 4;} _filtered #yiv6575964344 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;} _filtered #yiv6575964344 {panose-1:2 1 6 0 3 1 1 1 1 1;}#yiv6575964344 #yiv6575964344 p.yiv6575964344MsoNormal, #yiv6575964344 li.yiv6575964344MsoNormal, #yiv6575964344 div.yiv6575964344MsoNormal {margin:0cm;margin-bottom:.0001pt;text-align:justify;text-justify:inter-ideograph;font-size:10.5pt;font-family:"Calibri", "sans-serif";}#yiv6575964344 a:link, #yiv6575964344 span.yiv6575964344MsoHyperlink {color:blue;text-decoration:underline;}#yiv6575964344 a:visited, #yiv6575964344 span.yiv6575964344MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv6575964344 span.yiv6575964344EmailStyle17 {font-family:"Calibri", "sans-serif";color:windowtext;}#yiv6575964344 .yiv6575964344MsoChpDefault {}#yiv6575964344 _filtered #yiv6575964344 {margin:72.0pt 90.0pt 72.0pt 90.0pt;}#yiv6575964344 div.yiv6575964344WordSection1 {}-->
How  to  use  guacamole-auth-header ?
  
CONFIDENTIALITY NOTICE:
This electronic message is intended to be viewed only by the individual or entity to whom it is addressed. It may contain information that is privileged, confidential and exempt from disclosure under applicable law. Any dissemination, distribution or copying of this communication is strictly prohibited without our prior permission. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, or if you have received this communication in error, please notify us immediately by return e-mail and delete the original message and any copies of it from your computer system. For further information about Hikvision company. please see our website atwww.hikvision.com