Per von Zweigbergk created GUACAMOLE-2040:
---------------------------------------------

Summary: Better documentation for PROXY_ALLOWED_IPS_REGEX in the context of IPv6
Key: GUACAMOLE-2040
URL: https://issues.apache.org/jira/browse/GUACAMOLE-2040
Project: Guacamole
Issue Type: Improvement
Components: guacamole-manual
Reporter: Per von Zweigbergk

I have Guacamole running behind a reverse proxy that talks to Guacamole over IPv6. For client IPs to be correctly attributed, the Remote IP valve needs to be configured appropriately to recognize the reverse proxy's IP address.

There's a good clue for how to do that in the documentation for Installing Guacamole with Docker:

{quote}
PROXY_ALLOWED_IPS_REGEX

A regular expression matching only the IP addresses that should be trusted to send proxy headers, corresponding to the internalProxies attribute of RemoteIpValve. Proxy headers from other addresses will be ignored. The regular expression must conform to the format accepted by Java’s Pattern class, which is largely compatible with Perl. If omitted, Tomcat’s default which matches private IPv4 and IPv6 addresses will be used.
{quote}

However, what this does not document is a bit of an eccentricity when it comes to how IPv6 addresses are represented. Tomcat does not collapse runs of zeroes using ::. If your reverse proxy has the IP address 2001:db8::1 for example, Tomcat will generate the string 2001:db8:0:0:0:0:0:1, which is what you have to match against.

This is documented in the Tomcat documentation here: [https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Valve/Introduction]

{quote}
Note: There is a caveat when using this valve with IPv6 addresses. Format of the IP address that this valve is processing depends on the API that was used to obtain it. If the address was obtained from Java socket using Inet6Address class, its format will be x:x:x:x:x:x:x:x. That is, the IP address for localhost will be 0:0:0:0:0:0:0:1 instead of the more widely used ::1. Consult your access logs for the actual value.
{quote}

It would be good if this fact were in fact documented in the Guacamole documentation.

In addition, the "Proxying Guacamole" manual page does not at any point mention that these are regular expressions at all, so in this case it was good that the Docker-specific documentation mentioned this. (But at least in this case, there was a link to the appropriate Tomcat documentation, which is how I figured this out to start with!)

--
This message was sent by Atlassian Jira (v8.20.10#820010)
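
The following is an added example, not part of the original issue or of the Guacamole or Tomcat code: a small Python helper that renders proxy addresses in the uncompressed x:x:x:x:x:x:x:x form described above and builds a value for PROXY_ALLOWED_IPS_REGEX from them. The function names and the IPv4 address 10.0.0.5 are constructed for illustration, and whole-string matching is assumed for how the valve applies the pattern.

```python
import ipaddress
import re


def java_text_form(addr):
    """Render an address in the x:x:x:x:x:x:x:x form the issue describes.

    IPv6: eight lowercase hex groups, no leading zeros, no '::' compression.
    IPv4: plain dotted quad.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    packed = ip.packed
    groups = [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]
    return ":".join(format(g, "x") for g in groups)


def allowed_ips_regex(proxies):
    """Build an alternation of literal addresses for PROXY_ALLOWED_IPS_REGEX.

    Dots are escaped so that '10.0.0.5' cannot match '10x0x0x5'; ':' needs
    no escaping in a regular expression.
    """
    literals = [java_text_form(p).replace(".", r"\.") for p in proxies]
    return "|".join(literals)


def is_trusted(regex, remote_addr):
    # Assumption: the pattern must match the whole address string.
    return re.fullmatch(regex, remote_addr) is not None


if __name__ == "__main__":
    # 2001:db8::1 is the example from the issue; 10.0.0.5 is constructed.
    regex = allowed_ips_regex(["2001:db8::1", "10.0.0.5"])
    print("PROXY_ALLOWED_IPS_REGEX=" + regex)
    seen_by_tomcat = "2001:db8:0:0:0:0:0:1"
    # A pattern written in the compressed form never matches, so the
    # proxy's forwarded headers would be ignored.
    print("compressed pattern matches:", is_trusted("2001:db8::1", seen_by_tomcat))
    print("expanded pattern matches:  ", is_trusted(regex, seen_by_tomcat))
```

As the quoted Tomcat note says, confirm the generated form against the address that actually appears in the access logs before relying on it.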