[ https://issues.apache.org/jira/browse/GUACAMOLE-2040?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nick Couchman updated GUACAMOLE-2040:
-------------------------------------
    Component/s: Documentation

> Better documentation for PROXY_ALLOWED_IPS_REGEX in the context of IPv6
> -----------------------------------------------------------------------
>
>                 Key: GUACAMOLE-2040
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2040
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: Documentation, guacamole-manual
>            Reporter: Per von Zweigbergk
>            Priority: Minor
>
> I have Guacamole running behind a reverse proxy that talks to Guacamole over
> IPv6. For client IPs to be correctly attributed, the Remote IP valve needs to
> be configured appropriately to recognize the reverse proxy's IP address.
>
> There's a good clue for how to do that in the documentation for Installing
> Guacamole with Docker:
> {quote}PROXY_ALLOWED_IPS_REGEX
> A regular expression matching only the IP addresses that should be
> trusted to send proxy headers, corresponding to the internalProxies attribute
> of RemoteIpValve. Proxy headers from other addresses will be ignored. The
> regular expression must conform to the format accepted by Java’s Pattern
> class, which is largely compatible with Perl.
> If omitted, Tomcat’s default which matches private IPv4 and IPv6
> addresses will be used.
> {quote}
> However, what this does not document is a bit of an eccentricity when it
> comes to how IPv6 addresses are represented. Tomcat does not collapse runs of
> zeroes using ::. If your reverse proxy has the IP address 2001:db8::1 for
> example, Tomcat will generate the string 2001:db8:0:0:0:0:0:1, which is what
> you have to match against.
>
> This is documented in the Tomcat documentation here:
> [https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_Address_Valve/Introduction]
> {quote}Note: There is a caveat when using this valve with IPv6 addresses.
> Format of the IP address that this valve is processing depends on the API
> that was used to obtain it. If the address was obtained from Java socket
> using Inet6Address class, its format will be x:x:x:x:x:x:x:x. That is, the IP
> address for localhost will be 0:0:0:0:0:0:0:1 instead of the more widely used
> ::1. Consult your access logs for the actual value.
> {quote}
> It would be good if this fact were in fact documented in the Guacamole
> documentation.
>
> In addition, the "Proxying Guacamole" manual page does not at any point
> mention that these are regular expressions at all, so in this case it was
> good that the Docker-specific documentation mentioned this. (But at least in
> this case, there was a link to the appropriate Tomcat documentation, which is
> how I figured this out to start with!)

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
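
Added example, not part of the original issue or of the Guacamole or Tomcat code: it uses the same Java classes the issue names to show why a regex written as 2001:db8::1 never matches the address the valve sees, and builds the expanded pattern for PROXY_ALLOWED_IPS_REGEX. The class and method names and the second proxy address 192.0.2.10 are constructed for illustration, and whole-string matching by the valve is an assumption.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

// Hypothetical helper class; not part of Guacamole or Tomcat.
public class ProxyRegexCheck {

    // Render an IP literal the way a Java socket reports it. For IPv6 this is
    // the full x:x:x:x:x:x:x:x form, without "::" compression.
    static String javaForm(String ipLiteral) throws UnknownHostException {
        // getByName() on a literal address only parses it; no DNS lookup.
        return InetAddress.getByName(ipLiteral).getHostAddress();
    }

    // Regex matching exactly one proxy address. Dots are escaped so that an
    // IPv4 address is matched literally; colons need no escaping.
    static String regexFor(String ipLiteral) throws UnknownHostException {
        return javaForm(ipLiteral).replace(".", "\\.");
    }

    // Assumption: the valve accepts a proxy only when the whole address
    // string matches, which is what Pattern.matches() tests.
    static boolean trusted(String regex, String remoteAddr) {
        return Pattern.matches(regex, remoteAddr);
    }

    public static void main(String[] args) throws UnknownHostException {
        String proxy = "2001:db8::1";      // proxy address from the issue
        String seen = javaForm(proxy);     // what the valve compares against

        String compressed = "2001:db8::1"; // regex written in the familiar form
        String expanded = regexFor(proxy);

        System.out.println("address as seen:   " + seen);
        System.out.println("compressed regex:  " + trusted(compressed, seen));
        System.out.println("expanded regex:    " + expanded + " -> " + trusted(expanded, seen));

        // Two trusted proxies; 192.0.2.10 is a constructed sample address.
        String both = regexFor("2001:db8::1") + "|" + regexFor("192.0.2.10");
        System.out.println("PROXY_ALLOWED_IPS_REGEX=" + both);
        System.out.println("untrusted source:  " + trusted(both, javaForm("2001:db8::2")));
    }
}
```

As the quoted Tomcat note says, confirm the address format against the access logs of the actual deployment before relying on the generated pattern.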