Posted to user@guacamole.apache.org by "Alex B." <ap...@gmail.com> on 2021/07/07 17:53:04 UTC

Support - HTTP Fallback is not working correctly in some cases

Hi,

I'm trying to run Guacamole on a restricted network. On the normal
network it is working well, but on the restricted network (there is a general
problem with using WebSockets) I'm not able to see any picture (the connection
is established, because Windows 10 on the other site will be locked after
connection).

I'm using a reverse proxy to disable any WS communication (I have a rule
to send location /websocket-tunnel to 404).

I tried to compare the "ok" state and this state. The only thing I found is the
response code from the WebSocket connection to
'ws://<server>:<port>/websocket-tunnel'. In both cases this call failed,
but in the "ok" state it fails without any message, while in the second case it
fails with the message: Error during WebSocket handshake: Unexpected
response code: 500.

I tried to redirect all 500 codes to 404, but without success.

Can you please help me with this? I don't know if it is an application
error (bug), or if my setup is wrong or if Guacamole cannot be used on
"WebSocket restricted" networks at all...

Thanks

Alex.

Re: Support - HTTP Fallback is not working correctly in some cases

Posted by Mike Jumper <mi...@glyptodon.com>.
On Thu, Jul 8, 2021, 01:21 Alex B. <ap...@gmail.com> wrote:

> Can be. My problem is that I need to use Guacamole on a network where some
> part of the websocket protocol is prohibited. I know that Guacamole can
> work only with HTTP, but it looks like some part of WS needs to be used
> (and is blocked on the restricted network). Using 404 is working well on an
> unrestricted network, but when I'm on the restricted network, then I don't
> get 404, but 500.
>

Architecturally, no, WebSocket is definitely not required. WebSocket is
tried first, and HTTP is used if this fails. It's that simple.

For failover to HTTP to not occur, WebSocket would have to initially work -
enough for Guacamole to move forward with using it. If WebSocket fails
outright, HTTP is used.

- Mike

Re: Support - HTTP Fallback is not working correctly in some cases

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Jul 8, 2021 at 4:21 AM Alex B. <ap...@gmail.com> wrote:

> Can be. My problem is that I need to use Guacamole on a network where some
> part of the websocket protocol is prohibited. I know that Guacamole can
> work only with HTTP, but it looks like some part of WS needs to be used
> (and is blocked on the restricted network). Using 404 is working well on an
> unrestricted network, but when I'm on the restricted network, then I don't
> get 404, but 500.
>

The fact that you're continuing to receive 500 error messages means that
something else is going on. It could be an error from the Tomcat server
that is being passed through the proxy, it could be the proxy, or, given
the fact that you've said this is a "restricted network", it could be that
some other firewall is interfering with the communication and generating
the HTTP 500 errors. You'll need to look carefully at the logs and
determine why these errors are occurring - it would be better to solve that
issue, first, and then deal with making sure that WS support is properly
disabled.

-Nick
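
An added example, not from any poster in this thread or from the Guacamole project: a Python probe that sends the WebSocket upgrade request to the tunnel path and reports the status code and which hop answered, which is the check needed to tell the proxy's own 404 from a 500 generated somewhere else. The verdict labels, the sample responses and the use of the Server/Via headers as a hint about the responder are assumptions of this example; the key/accept pair is the one given in RFC 6455.

```python
import base64, hashlib, socket

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455
KEY = "dGhlIHNhbXBsZSBub25jZQ=="                  # sample nonce from RFC 6455

def build_handshake(host, path, key=KEY):
    """Return the HTTP/1.1 upgrade request a browser sends to open a WebSocket."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n").encode()

def expected_accept(key):
    """Sec-WebSocket-Accept value a real WebSocket endpoint must echo back."""
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    return base64.b64encode(digest).decode()

def classify(raw, key=KEY):
    """Parse a raw handshake response; return (status, responder, verdict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Assumption: Server/Via are only a hint; a middlebox may omit both.
    responder = headers.get("server") or headers.get("via") or "unknown"
    if status == 101:
        ok = headers.get("sec-websocket-accept") == expected_accept(key)
        verdict = "websocket-accepted" if ok else "invalid-101"
    elif status == 404:
        verdict = "blocked-as-configured"     # what the proxy rule should return
    elif status >= 500:
        verdict = "server-error-find-origin"  # proxy, Tomcat or another device
    else:
        verdict = "upgrade-refused"           # e.g. 200 from a non-WS server
    return status, responder, verdict

def probe(host, port, path, key=KEY):
    """Send the handshake over plain TCP (ws://) and classify the reply."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_handshake(host, path, key))
        return classify(s.recv(4096), key)

# Constructed sample responses (not captured from the poster's network).
SAMPLE_404 = b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"
SAMPLE_500 = b"HTTP/1.1 500 Internal Server Error\r\nVia: 1.1 filter.example\r\n\r\n"
SAMPLE_101 = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
              b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
```

Calling probe("<server>", <port>, "/websocket-tunnel") from both networks and comparing the tuples shows whether the same hop answers in each case; a reply with neither a Server nor a Via header has to be traced in the proxy and Tomcat logs instead.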

Re: Support - HTTP Fallback is not working correctly in some cases

Posted by "Alex B." <ap...@gmail.com>.
Can be. My problem is that I need to use Guacamole on a network where some
part of the websocket protocol is prohibited. I know that Guacamole can
work only with HTTP, but it looks like some part of WS needs to be used
(and is blocked on the restricted network). Using 404 is working well on an
unrestricted network, but when I'm on the restricted network, then I don't
get 404, but 500.


On Thu, 8 Jul 2021 at 10:11, Christoph Weber <Ch...@xpecto.com> wrote:

>
> > thanks for the quick reply, but I want to achieve the opposite -> I need
> to force Guacamole to not use websocket.
>
> I'm not sure, but as websocket upgrade requires a response code of 101 to
> work, and a test with a server not supporting websockets just returns 200,
> maybe returning 200 instead of 404 will work.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
> For additional commands, e-mail: user-help@guacamole.apache.org
>

AW: Support - HTTP Fallback is not working correctly in some cases

Posted by Christoph Weber <Ch...@xpecto.com>.
> thanks for the quick reply, but I want to achieve the opposite -> I need to force Guacamole to not use websocket.

I'm not sure, but as websocket upgrade requires a response code of 101 to work, and a test with a server not supporting websockets just returns 200, maybe returning 200 instead of 404 will work.



Re: Support - HTTP Fallback is not working correctly in some cases

Posted by "Alex B." <ap...@gmail.com>.
Hi Christoph,

thanks for the quick reply, but I want to achieve the opposite -> I need to
force Guacamole to not use websocket.

Alex.

On Thu, 8 Jul 2021 at 8:53, Christoph Weber <Ch...@xpecto.com> wrote:

> > Please see full nginx.conf. I do it like that:
> >        location /websocket-tunnel {
> >            return 404;
> >            error_page 500 501 502 503 504 505 506 507 508 509 510 511 598 599 = /404.html;
> >            proxy_buffering off;
> >        }
>
> Hi Alex,
>
> I think you must also set the connection upgrade headers for this location
> when using websockets - like this:
>             proxy_set_header Upgrade $http_upgrade;
>             proxy_set_header Connection $connection_upgrade;
>
> regards
>  christoph
>

AW: Support - HTTP Fallback is not working correctly in some cases

Posted by Christoph Weber <Ch...@xpecto.com>.
> Please see full nginx.conf. I do it like that:
>        location /websocket-tunnel {
>            return 404;
>            error_page 500 501 502 503 504 505 506 507 508 509 510 511 598 599 = /404.html;
>            proxy_buffering off;
>        }

Hi Alex,

I think you must also set the connection upgrade headers for this location when using websockets - like this:
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

regards
 christoph

Re: Support - HTTP Fallback is not working correctly in some cases

Posted by "Alex B." <ap...@gmail.com>.
Hi Nick,

thanks for the reply. I will try to answer your questions:


>
> Hi,
>>
>> I'm trying to run Guacamole on a restricted network. On the normal
>> network it is working well, but on the restricted network (there is a general
>> problem with using WebSockets) I'm not able to see any picture (the connection
>> is established, because Windows 10 on the other site will be locked after
>> connection).
>>
>> I'm using a reverse proxy to disable any WS communication (I have a rule
>> to send location /websocket-tunnel to 404).
>>
>
> Can you provide more detail on how you're doing this? Depending on your
> reverse proxy, simply configuring a location that sends /websocket-tunnel
> to a 404 not found error may not actually be achieving what you think it is
> achieving - you may be redirecting http://server/guacamole/websocket-tunnel
> rather than wss://server/guacamole/websocket-tunnel.
>

Please see full nginx.conf. I do it like that:
        location /websocket-tunnel {
            return 404;
            error_page 500 501 502 503 504 505 506 507 508 509 510 511 598 599 = /404.html;
            proxy_buffering off;
        }



>
>
>>
>> I tried to compare the "ok" state and this state. The only thing I found is the
>> response code from the WebSocket connection to
>> 'ws://<server>:<port>/websocket-tunnel'. In both cases this call failed,
>> but in the "ok" state it fails without any message, while in the second case it
>> fails with the message: Error during WebSocket handshake: Unexpected
>> response code: 500.
>>
>
> I'm not sure what you mean when you say you compared it?
>

I tried to compare two different networks and the result of the same action. When I
try to connect to RDP, I get the following results:

Restricted network:
[image: image.png]

Not restricted network:
[image: image.png]


>
>
>>
>> I tried to redirect all 500 codes to 404, but without success.
>>
>
> This is a Bad Idea, and will both 1) not achieve what you want, and 2)
> cause misleading issues in the future.
>

Agree with you. At this stage it is not in production and I'm trying a lot of
options to get it to work. This setting is not working either.


>
>
>>
>> Can you please help me with this? I don't know if it is an application
>> error (bug), or if my setup is wrong or if Guacamole cannot be used on
>> "WebSocket restricted" networks at all...
>>
>>
> Guacamole can certainly be configured to work without WSS, we just need
> more detail on how you've tried to go about this in order to help you.
>
>
All my effort is based on this article:
https://jira.glyptodon.com/browse/GUAC-1474. This article
recommends redirecting WebSocket to 404. Unfortunately, I'm not able to
find any other article that describes how to run Guacamole without WSS.



> -Nick
>
>>
Thanks in advance

Alex.

Re: Support - HTTP Fallback is not working correctly in some cases

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Jul 7, 2021 at 1:53 PM Alex B. <ap...@gmail.com> wrote:

> Hi,
>
> I'm trying to run Guacamole on a restricted network. On the normal
> network it is working well, but on the restricted network (there is a general
> problem with using WebSockets) I'm not able to see any picture (the connection
> is established, because Windows 10 on the other site will be locked after
> connection).
>
> I'm using a reverse proxy to disable any WS communication (I have a rule
> to send location /websocket-tunnel to 404).
>

Can you provide more detail on how you're doing this? Depending on your
reverse proxy, simply configuring a location that sends /websocket-tunnel
to a 404 not found error may not actually be achieving what you think it is
achieving - you may be redirecting http://server/guacamole/websocket-tunnel
rather than wss://server/guacamole/websocket-tunnel.


>
> I tried to compare the "ok" state and this state. The only thing I found is the
> response code from the WebSocket connection to
> 'ws://<server>:<port>/websocket-tunnel'. In both cases this call failed,
> but in the "ok" state it fails without any message, while in the second case it
> fails with the message: Error during WebSocket handshake: Unexpected
> response code: 500.
>

I'm not sure what you mean when you say you compared it?


>
> I tried to redirect all 500 codes to 404, but without success.
>

This is a Bad Idea, and will both 1) not achieve what you want, and 2)
cause misleading issues in the future.


>
> Can you please help me with this? I don't know if it is an application
> error (bug), or if my setup is wrong or if Guacamole cannot be used on
> "WebSocket restricted" networks at all...
>
>
Guacamole can certainly be configured to work without WSS, we just need
more detail on how you've tried to go about this in order to help you.

-Nick

>