Can Nethserver be used as a reverse proxy for other services?

You are welcome.

No, AFAIK there’s no module.

So 2-5 clients is for sure no problem for apache. I’d try with Nethserver apache reverse proxy module, you can still setup nginx if apache does not fit your needs.

1 Like

Excellent! Much appreciated @mrmarkuz. I’m sure I’ll be back with more questions. :slight_smile:

1 Like

Just for info, guacamole and apache reverse proxy configuration:

https://guacamole.incubator.apache.org/doc/gug/proxying-guacamole.html#apache

Ok @mrmarkuz, here comes a dumb question for you. :slight_smile:

I had thought I setup Guacamole on a separate server, then I use my Nethsever reverse proxy to point to my Guacamole server. But the link you provided suggests that I would make changes on my Guacamole server? Perhaps I’m misunderstanding how I do this.

More information for you…

Nethserver is my small office domain (but is only a domain for a small number of Windows machines…Guacamole is not a member of the domain). controller but Nethserver is not my main firewall, DNS or DHCP server. We have an Untangle router as our gateway to our office. The Untangle Server is our main firewall, DHCP and DNS server. In order to use Nethserver as my reverse proxy for my Guacamole virtual machine does my Guacamole server need to be on the domain and does Nethserver need to be my main firewall server for our office?

I don’t really know Guacamole, sorry. But there is a thread:

https://community.nethserver.org/t/guacamole-package/2030/27

Haha there are no dumb questions.

I think both will work but you may try it with your existing Guacamole server first. I just found the link when googling about apache and guacamole. I thought you can use it to have the correct parameters when configuring the Nethserver apache reverse proxy module.

Same domain should not be needed. If your Nethserver is behind Untangle, you may port forward www to your Nethserver, which will reverse proxy to Guacamole.
But I do not know Guacamole, so maybe it needs some “special” configuration I don’t know.

1 Like

I would consider 1K clients many :slight_smile:

You will surely have no problems event with hundreds of client with Apache. We have it in productions on dozens of applications :slight_smile:

2 Likes

I use apache proxypass and it works well. I have a writeup on it somewhere on here, but its pretty simple, you do need to use ssh though. I need to learn nginx as I still live in an apache world :smiley: just make sure apache is looking for the conf files in sites-enables and sites-available and plop the server you want to reverse proxy there, reboot apache service and it works good. Plus of that is you can use the server cert for any proxied sites on the network unless you want to set up certs for each proxy in which case you can do that to. Nethserver reverse proxy doesnt really work for anything but the most basic things so you will need to download winscp and putty and do it manually.

What can be improved in your opinion?
We use it in many situations without real problems.

Example: I have a freenas server at 192.168.10.10 and a nextcloud server at 192.168.10.6, plex at 1.5, etc. I want to proxy nas.mydomain.com to 192.168.10.10, plex.mydomain.com to 192.168.1.5, cloud.mydomain.com to 192.168.10.6. The built in gui does not let you do any of that, and thats a typical use case I think. I can to a mydomain.com/PROXYPASSURL just cannot do PROXYPASSURL.mydomain.com. Also I host multiple domains on my nethserver, each with its own proxypass sites, there is no way to manage each domain from what I gather its global across all domains.

1 Like

Hi All,

I’d like to clarify something. My investigation into using reverse proxy from Nethserver was to find a way to provide an SSL connection to my Guacamole server. I had a lot of trouble and failed getting my domains SSL Cert installed/working on my Guacamole server. So I had thought that using reverse proxy from Nethserver would assist me.

My thought (and perhaps this is my misunderstanding) was that I when I use reverse proxy from Nethserver and point to my Guacamole server. I’m assuming my Guacamole server does not need to have our SSL certificate installed and my Guacamole will instead use my certificate from my Nethserver.

Is this an incorrect assumption? When using reverse proxy do I need to still have an SSL certificate installed on my Guacamole server?

Thanks in advance for any advice you can provide me.

Yes.

No, unless you want to secure communications between the proxy and Guacamole server :slight_smile:

1 Like

Thanks very much @giacomo, as always this forum is so very helpful!

This is what I was hoping to hear.

So I’ve installed the reverse proxy module now. Here is what I need to create then:

My Guacamole server address is http://10.101.243.10:8080/guacamole

How do I create a reverse proxy entry in Nethserver that will allow me to use an https connection to my guacamole server? There are two fields on the reverse proxy server screen that I believe is all I would need, Name and Target URL and I would enable the require SSL encrypted connection checkbox. Could someone provide me an example of what I should put into those fields that would allow my connection to guacamole to use the certificate from my Nethserver? It’s unclear to me what I put in here.

Thank you.

Hey @greavette,
have you tried with something similar to this section from the guacamole howto

Setup the reverse proxy
vi /etc/httpd/conf.d/guacamole_reverse.conf

SSLProxyEngine on
# ProxyPass: guacamole
# Description:
ProxyPass       /path/to/guacamole/      http://FQDN:8080/guacamole/ flushpackets=on
ProxyPassReverse        /path/to/guacamole/      http://FQDN:8080/guacamole/

    <Location />
	SSLRequireSSL
</Location>

ProxyPass /path/to/guacamole/ ws://FQDN:8080/guacamole/websocket-tunnel
ProxyPassReverse /path/to/guacamole/ ws://FQDN:8080/guacamole/websocket-tunnel
<Location /websocket-tunnel>

</Location>

then
systemctl restart httpd.service

More info about proxying from guacamole website

1 Like

Hi @edi,

I have to admit my knowledge of reverse proxy is very limited here. So no I haven’t tried this from the guacamole howto. And I will add or ask why I would need too? My understanding is that I can use reverse proxy module from Nethserver and easily point to my http:// guacamole local website and enforce https using the ssl certificate from my Nethserver. So in my understanding I don’t need to do anything on guacamole.

But if you are saying that I do need to make changes to guacamole to use reverse proxy on Nethserver, please confirm because this was not my understanding. In the end I’ll make the changes I need to make where I need to make them.

The end result is this:

  • I will not be adding my ssl certificate to my guacamole server. It’s not that I don’t want too, but that I’ve tried and couldn’t make it work.
  • From what I’ve learned about reverse proxy and Nethserver today…I don’t need to add my ssl certificate to my guacamole server. I can use the Nethserver reverse proxy instead and through the reverse proxy I will be able to connect to my guacamole server using my Nethserver ssl certificate.

Please correct me if I’ve misunderstood any of how this can be setup using Nethserver.

Thanks!

Correct. It’s a common proxy usage scenario: ssl between client and proxy on the internet and plain http in lan between proxy and internal server.
The client connects to proxy, so the certificate has to be valid for proxy (read: CN should be that of proxy).

1 Like

Sorry, i’ll explain what i meant

You don’t need to do anything on guacamole server

I pointed to the guacamole howto simply because it contains a section related to the reverse proxy, which could be used as an example

In the howto the setup is slightly different: guacamole is hosted on the same machine and the reverse proxy is just there to change the url to what you need it to be and to provide https to guacamole (which runs on tomcat) through apache

I think you could try with adding this file to your nethserver acting as a reverse proxy, from command line:

vi /etc/httpd/conf.d/guacamole_reverse.conf

and paste the content above changing the parts related to the FQDN with your guacamole server local ip address

SSLProxyEngine on
# ProxyPass: guacamole
# Description:
    ProxyPass       /guacamole/     http://10.101.243.10:8080/guacamole/ flushpackets=on
    ProxyPassReverse        /guacamole/     http://10.101.243.10:8080/guacamole/

<Location />
    SSLRequireSSL
</Location>

ProxyPass /guacamole/ ws://10.101.243.10:8080/guacamole/websocket-tunnel
ProxyPassReverse /guacamole/ ws://10.101.243.10:8080/guacamole/websocket-tunnel
<Location /websocket-tunnel>

</Location>

then restart apache and try to connect to https://nethserverIP/guacamole/

It should redirect to guacamole login page

Absolutely me neither ! The above is just where i would try to start from to make it work, not the way it has to be done ! :slight_smile:

3 Likes

Hello @edi, your help is greatly appreciated here. Although I would prefer to use the reverse proxy fields on the Nethserver page I’ll give this a try. Perhaps I can ask @giacomo or @davidep to give the details on how I populate the fields on revere proxy in Nethserver so that I may point to my Guacamole server using my Nethserver ssl cert.
I access my Guacamole server using the following address: http://10.101.243.10:8080/guacamole
My nethserver uses the following address: https://nethserver.company.ca:980

My end result is to be able to access my Guacamole Server like the following:
https://nethserver.company.ca/guacamole

How do I do this in the reverse proxy GUI?

But to try Davide’s suggestion I did the following:

I’ve created a new file on my nethserver as you’ve suggested - /etc/httpd/conf.d/guacamole_reverse.conf

And I’ve populated this file with your example (updating the IP Address to my actual Guacamole Server IP). I then restarted my Nethserver and tried connecting to guacamole using my nethserver name:

https://nethserver.company.ca/guacamole/

I’m getting a 404 not found when I do this. Have I done this correctly.

Another question for you @edi, how do you restart Apache on Nethserver? I’ve created a guacamole_reverse.conf file as you’ve suggested and updated it as per your suggestion. I didn’t know how to restart just Apache on Nethserver so I rebooted my Nethserver but I’m not able to access my guacamole using my nethserver address:

https://nethserver.company.ca/guacamole

Do you have any other suggestions on what I may be doing wrong in the guacamole_reverse.conf file I created that wouldn’t allow this reverse proxy to work?

@dev_team, could provide some details for me on how I can use reverse proxy so that my guacamole server can use our Nethserver SSL certificate?

Thank you.

Ok…chalk this up to user error. I’ve got the reverse proxy working and not surprisingly it’s very simple.

here’s what I did. My guacamole server which doesn’t live on my nethserver is accessed via http://10.101.243.10:8080/guacamole.

In the Nethserver reverse proxy module I created the following:

Name: guacamole
Target URL: http://10.101.243.10:8080/guacamole
I checked the box for Require SSL encrypted connection.

And that’s it! I can now access my guacamole server using my nethserver ssl cert:
https://nethserver.company.ca/guacamole

Works great!

2 Likes