Can Nethserver be used as a reverse proxy for other services?

greavette · October 17, 2017, 5:26pm

I have to admit my knowledge of reverse proxy is very limited here. So no I haven’t tried this from the guacamole howto. And I will add or ask why I would need too? My understanding is that I can use reverse proxy module from Nethserver and easily point to my http:// guacamole local website and enforce https using the ssl certificate from my Nethserver. So in my understanding I don’t need to do anything on guacamole.

But if you are saying that I do need to make changes to guacamole to use reverse proxy on Nethserver, please confirm because this was not my understanding. In the end I’ll make the changes I need to make where I need to make them.

The end result is this:

I will not be adding my ssl certificate to my guacamole server. It’s not that I don’t want too, but that I’ve tried and couldn’t make it work.
From what I’ve learned about reverse proxy and Nethserver today…I don’t need to add my ssl certificate to my guacamole server. I can use the Nethserver reverse proxy instead and through the reverse proxy I will be able to connect to my guacamole server using my Nethserver ssl certificate.

Please correct me if I’ve misunderstood any of how this can be setup using Nethserver.

Thanks!

filippo_carletti · October 17, 2017, 5:37pm

Correct. It’s a common proxy usage scenario: ssl between client and proxy on the internet and plain http in lan between proxy and internal server.
The client connects to proxy, so the certificate has to be valid for proxy (read: CN should be that of proxy).

edi · October 17, 2017, 5:52pm

Sorry, i’ll explain what i meant

You don’t need to do anything on guacamole server

I pointed to the guacamole howto simply because it contains a section related to the reverse proxy, which could be used as an example

In the howto the setup is slightly different: guacamole is hosted on the same machine and the reverse proxy is just there to change the url to what you need it to be and to provide https to guacamole (which runs on tomcat) through apache

I think you could try with adding this file to your nethserver acting as a reverse proxy, from command line:

vi /etc/httpd/conf.d/guacamole_reverse.conf

and paste the content above changing the parts related to the FQDN with your guacamole server local ip address

SSLProxyEngine on
# ProxyPass: guacamole
# Description:
    ProxyPass       /guacamole/     http://10.101.243.10:8080/guacamole/ flushpackets=on
    ProxyPassReverse        /guacamole/     http://10.101.243.10:8080/guacamole/

<Location />
    SSLRequireSSL
</Location>

ProxyPass /guacamole/ ws://10.101.243.10:8080/guacamole/websocket-tunnel
ProxyPassReverse /guacamole/ ws://10.101.243.10:8080/guacamole/websocket-tunnel
<Location /websocket-tunnel>

</Location>

then restart apache and try to connect to https://nethserverIP/guacamole/

It should redirect to guacamole login page

Absolutely me neither ! The above is just where i would try to start from to make it work, not the way it has to be done !

greavette · October 17, 2017, 7:25pm

Hello @edi, your help is greatly appreciated here. Although I would prefer to use the reverse proxy fields on the Nethserver page I’ll give this a try. Perhaps I can ask @giacomo or @davidep to give the details on how I populate the fields on revere proxy in Nethserver so that I may point to my Guacamole server using my Nethserver ssl cert.
I access my Guacamole server using the following address: http://10.101.243.10:8080/guacamole
My nethserver uses the following address: https://nethserver.company.ca:980

My end result is to be able to access my Guacamole Server like the following:
https://nethserver.company.ca/guacamole

How do I do this in the reverse proxy GUI?

But to try Davide’s suggestion I did the following:

I’ve created a new file on my nethserver as you’ve suggested - /etc/httpd/conf.d/guacamole_reverse.conf

And I’ve populated this file with your example (updating the IP Address to my actual Guacamole Server IP). I then restarted my Nethserver and tried connecting to guacamole using my nethserver name:

https://nethserver.company.ca/guacamole/

I’m getting a 404 not found when I do this. Have I done this correctly.

greavette · October 18, 2017, 5:58pm

Another question for you @edi, how do you restart Apache on Nethserver? I’ve created a guacamole_reverse.conf file as you’ve suggested and updated it as per your suggestion. I didn’t know how to restart just Apache on Nethserver so I rebooted my Nethserver but I’m not able to access my guacamole using my nethserver address:

https://nethserver.company.ca/guacamole

Do you have any other suggestions on what I may be doing wrong in the guacamole_reverse.conf file I created that wouldn’t allow this reverse proxy to work?

@dev_team, could provide some details for me on how I can use reverse proxy so that my guacamole server can use our Nethserver SSL certificate?

Thank you.

greavette · October 18, 2017, 6:31pm

Ok…chalk this up to user error. I’ve got the reverse proxy working and not surprisingly it’s very simple.

here’s what I did. My guacamole server which doesn’t live on my nethserver is accessed via http://10.101.243.10:8080/guacamole.

In the Nethserver reverse proxy module I created the following:

Name: guacamole
Target URL: http://10.101.243.10:8080/guacamole
I checked the box for Require SSL encrypted connection.

And that’s it! I can now access my guacamole server using my nethserver ssl cert:
https://nethserver.company.ca/guacamole

Works great!