[ https://issues.apache.org/jira/browse/GUACAMOLE-1659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17576302#comment-17576302 ]

Nick Couchman commented on GUACAMOLE-1659:
------------------------------------------

[~ehammer99]: At this point I'll just say a couple of things about this. First, 
that this has been asked and answered several times, both here and on mailing 
lists. In the past we've resisted adding this functionality because Guacamole 
was focused on Remote Desktop protocols, and HTTP(S) proxying is different from 
Remote Desktop. Well, can be. The tide may be turning on the opinion of whether 
or not this should be included, but no change has been made in that direction 
thus far.

Second, I'll say that, while doable, it is not a trivial task. We're not really 
talking about HTTP(S) proxy functionality - that is already completely doable 
through many other available software packages (Squid, Apache httpd, nginx, 
etc.), and, while having it in a central place might be nice, I don't think 
making Guacamole into just another HTTP(S) (reverse) proxy is worthwhile. What 
we're talking about is translating HTTP(S) pages into the Guacamole protocol. 
This would require that Guacamole use some sort of headless browser component 
to render the pages (there are a couple of good open source ones out there) and 
then turn them into the Guacamole protocol streams that would be required for 
graphical web pages, plus all of the other components like keyboard and mouse 
strokes, forms, clickable links, etc. It is likely doable, but, at least in my 
view, quite complex.

> Add HTTP Reverse Proxy Functionality
> ------------------------------------
>
>                 Key: GUACAMOLE-1659
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1659
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole, guacamole-client, guacamole-server, Website
>            Reporter: Jason Mac
>            Priority: Minor
>              Labels: features
>
> Guacamole being a "Proxy" of sorts to allow the management of internal 
> services and devices, it's a reasonable jump to compare it directly to a "Jump 
> Host".
> Currently, if one were to utilize Guacamole as a privileged access manager to 
> all internal services, one would have to set up and manage a separate HTTP 
> reverse proxy in order to authenticate, log, and monitor user access to 
> management *web* interfaces. If there are dozens, maybe even hundreds of 
> management interfaces that must be mediated then the use of a reverse proxy 
> becomes cumbersome. Plus, a reverse proxy isn't really designed as a 
> management mediating tool, so naturally it is not optimized for such a 
> workflow.
> An alternative would be yet another Jump Host that has a full desktop and 
> browser to then connect to the web management interfaces. This would be even 
> more excessive than a reverse proxy installed alongside Guacamole.
> Additionally, with the need to have full mediation of management activities, 
> the use of 2 services or even 2+ devices, one for web management access, and 
> the other for all other services (Guac), is not only unnecessarily complex, 
> but also more work for users that need to SSH into backend servers and also 
> visit corresponding web management interfaces, as an example. This also 
> complicates the implementation of federated authentication, as now the 
> authentication must be set up on the reverse proxy (and the numerous backend 
> hosts) and Guacamole.
> The user interface could be very similar to all the other protocols, where 
> there is a specific connection profile made to connect into some backend 
> host. It could have many of the same options as any reverse proxy, backend 
> connection IP/Port, protocol, hostname, authentication headers, etc. This 
> could provide a single pane of mediated management to users without the need 
> for full management desktops or complex reverse proxies. 
>  
> *I think it would be extremely useful to integrate an HTTP reverse proxy into 
> Guacamole with the easy connection, logging, monitoring, and UI that 
> Guacamole provides.* 
>  
> Just some background of what led me to this:
> I have a Jump Host that mediates all connections between VPN users and the 
> management of various network services. Many of those management interfaces 
> are web based (web apps are the future...). Deploying Guacamole was a 
> no-brainer for SSH and RDP access, but in order to monitor and log VPN client 
> connections to these web management interfaces, I had to come up with a 
> solution. Unfortunately that solution was an NGINX reverse proxy with about 
> 30 server blocks for various sub-domains pointing to the various backend web 
> management interfaces. Add to my frustration, setting up Authelia for 
> authentication was a pain with all those server blocks. So then I thought to 
> myself... why shouldn't Guacamole also handle this? 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
