Guacamole Problem

guacamole
german

#21

Hi dWc,

Both “docker network inspect guacamole_default” and “docker network inspect bridge” do not have any options configured.

docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "260b334b18a5c3f7061efadbf623af5e937b2d0361f452a8365874c8bc9a6752",
        "Created": "2019-03-08T11:39:02.057674856+01:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [

Do I need to edit the config file first as shown above in your last post? Where is the config file located?

@lebernd: What is the content of your hosts file now?

thx and best regards
Thomas


#22

I just added a line in guacamole /etc/hosts

docker.ip.of.guacd        guacd

#23

Hi, thx for your quick reply.

I was able to find out the IP of my docker host, but I wasn’t able to figure out the corresponding IP for guacd.
Also I was not able to run a “univention-app shell” for guacd - is this even possible?

Do you have another hint for me?


#24

Okay, found out the correct IP myself and edited the hosts file accordingly :slight_smile:

And thanks to your instructions above Guacamole is working now - at least for SSH.
For RDP-connections it still gives me an error (The remote desktop server is currently unreachable).


#25

This was really a big step forward … thanks to the support given here, Guacamole is now working locally (including RDP connections).

What is still not working is to access Guacamole via my external IP or DNS name (502 Proxy Error). Currently access to Guacamole is only possible via my internal IP or local hostname :frowning:

default-ssl.conf and 000-default.conf both look like:
ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
ProxyPassReverse /guacamole/ http://127.0.0.1:40001/guacamole/

What else can I check?


#26

Hello,

@tpfann
I’m an absolute docker newbie (most of my info comes from here), so maybe I’m wrong, but
about the docker network bridge options:

        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"

if you haven’t configured anything, as you quoted, then the problem could be that there
is no communication possible between your client and the server.
For better understanding:

  • Can you access UCS/Guacamole from your local network?
  • How do you access - by IP or by DNS?
  • What do you mean with “external IP or DNS”? Public?
  • Can you access UCS with “external IP or DNS”?

Best regards

Thanks @lebernd for the hints posted here - didn’t find time to try them, yet :smile:


#27

Hello dWc,

thx for your feedback!

Yes - Guacamole can be accessed by using local IP or local hostname (e.g. https://192.168.0.x/guacamole/#/ or https://UCS-Server-Name/guacamole/#/)

All of my other hosted services, like WordPress, Kopano or ownCloud are also reachable via my public IP or public DNS-names (e.g. https://remote.domain-name.de/).

In order to enable secure connections, I’m using a LetsEncrypt certificate.

Best regards
Thomas


#28

Hello Thomas,

Are the other services such as WordPress or ownCloud running as docker applications too?
If they are running natively on the system (and I really think they do) this could explain why these services are working.
As you get a “502 Bad gateway”, from the communication point of view, at least you are accessing the destination (ucs-)host, but then something doesn’t work as it should.
Are you using the UCS-Firewall? (just guessing :grinning:)

Added:
Could you check your Apache Logfiles while accessing from local network against them from accessing by pub-ip/dns (you are checking them from outside your LAN, right?)

Best regards


#29

Hello dWc,

in total I have 4 services running as a docker application:

CONTAINER ID        IMAGE                                                                   COMMAND                  CREATED             STATUS              PORTS                                           NAMES
5014241cbd6b        docker.software-univention.de/collabora:4.0.1.1                         "/bin/sh -c 'bash ..."   4 weeks ago         Up 4 weeks          0.0.0.0:9980->9980/tcp                          nervous_yalow
5410a67a9644        docker.software-univention.de/owncloud_appliance:10.0.10-1              "/usr/bin/entrypoi..."   5 weeks ago         Up 4 weeks          0.0.0.0:40007->8080/tcp                         heuristic_galileo
a120fd92459a        docker.software-univention.de/guacamole-guacamole:0.9.13-univention13   "/opt/guacamole/bi..."   6 weeks ago         Up 4 days           0.0.0.0:40001->8080/tcp                         guacamole_guacamole_1
64269927899f        docker.software-univention.de/guacamole-guacd:0.9.13-univention13       "/usr/local/sbin/g..."   6 weeks ago         Up 4 days           4822/tcp                                        guacamole_guacd_1
3a17a7345eac        docker.software-univention.de/wordpress:4.9.4                           "docker-entrypoint..."   10 months ago       Up 2 weeks          0.0.0.0:40002->80/tcp, 0.0.0.0:40003->443/tcp   sharp_williams

All of them were deployed via the UCS-Appcenter.
UCS-Firewall is enabled by default … I guess?!

When I try to access from outside (public DNS) I get this entry in Apache error.log:

[Sat Apr 06 08:16:49.560979 2019] [proxy_http:error] [pid 27496] (103)Software caused connection abort: [client 80.187.85.226:30770] AH01102: error reading status line from remote server 127.0.0.1:40001
[Sat Apr 06 08:16:49.561106 2019] [proxy:error] [pid 27496] [client 80.187.85.226:30770] AH00898: Error reading from remote server returned by /guacamole/

When I access from inside (local IP) I get this entry in Apache access.log:

192.168.0.42 - - [06/Apr/2019:08:26:58 +0200] "GET /guacamole/ HTTP/1.1" 200 5712 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
192.168.0.42 - - [06/Apr/2019:08:26:58 +0200] "GET /guacamole/app.css?v=0.9.13-incubating HTTP/1.1" 200 8365 "https://192.168.0.3/guacamole/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
192.168.0.42 - - [06/Apr/2019:08:26:58 +0200] "GET /guacamole/api/languages HTTP/1.1" 200 402 "https://192.168.0.3/guacamole/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
192.168.0.42 - - [06/Apr/2019:08:26:58 +0200] "POST /guacamole/api/tokens HTTP/1.1" 403 520 "https://192.168.0.3/guacamole/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
192.168.0.42 - - [06/Apr/2019:08:26:58 +0200] "GET /guacamole/translations/en.json HTTP/1.1" 200 31675 "https://192.168.0.3/guacamole/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
192.168.0.42 - - [06/Apr/2019:08:26:58 +0200] "GET /guacamole/translations/de.json HTTP/1.1" 200 35904 "https://192.168.0.3/guacamole/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
192.168.0.42 - - [06/Apr/2019:08:26:58 +0200] "GET /guacamole/images/logo-64.png HTTP/1.1" 200 5615 "https://192.168.0.3/guacamole/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"
192.168.0.42 - - [06/Apr/2019:08:26:58 +0200] "GET /guacamole/api/patches HTTP/1.1" 200 460 "https://192.168.0.3/guacamole/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"

thx and best regards,
Thomas
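
The local-versus-external comparison asked for above can be scripted. The following is an added example, not code from the thread or from Univention: it takes the two Apache log excerpts, counts the AH01102 proxy failures per client and backend, classifies each client address as loopback, private (RFC 1918) or public, and tallies HTTP status codes per client from the access log. The log lines are constructed samples modelled on the ones quoted in this post (the 502 access-log line is invented for illustration); on a real host the two variables would be replaced by the contents of error.log and access.log.

```shell
#!/bin/sh
# Added example (not from the thread): summarise Apache mod_proxy failures per
# client and say whether each client sits on a private or a public address.
# Both logs below are constructed samples modelled on the lines quoted above.

ERROR_LOG='[Sat Apr 06 08:16:49.560979 2019] [proxy_http:error] [pid 27496] (103)Software caused connection abort: [client 80.187.85.226:30770] AH01102: error reading status line from remote server 127.0.0.1:40001
[Sat Apr 06 08:16:49.561106 2019] [proxy:error] [pid 27496] [client 80.187.85.226:30770] AH00898: Error reading from remote server returned by /guacamole/
[Sat Apr 06 08:17:12.004311 2019] [proxy_http:error] [pid 27497] (103)Software caused connection abort: [client 80.187.85.226:30791] AH01102: error reading status line from remote server 127.0.0.1:40001'

ACCESS_LOG='192.168.0.42 - - [06/Apr/2019:08:26:58 +0200] "GET /guacamole/ HTTP/1.1" 200 5712 "-" "Mozilla/5.0"
192.168.0.42 - - [06/Apr/2019:08:26:58 +0200] "POST /guacamole/api/tokens HTTP/1.1" 403 520 "https://192.168.0.3/guacamole/" "Mozilla/5.0"
80.187.85.226 - - [06/Apr/2019:08:16:49 +0200] "GET /guacamole/ HTTP/1.1" 502 438 "-" "Mozilla/5.0"'

# client_scope IP: classify an IPv4 address as loopback, private (RFC 1918) or public
client_scope() {
    case "$1" in
        127.*) echo loopback ;;
        10.*|192.168.*) echo private ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *) echo public ;;
    esac
}

# proxy_error_summary: one line per (client, backend) pair with the number of
# AH01102 "error reading status line" failures, i.e. the backend accepted the
# TCP connection but never answered with an HTTP status line
proxy_error_summary() {
    printf '%s\n' "$ERROR_LOG" | awk '
        /AH01102/ {
            for (i = 1; i <= NF; i++)
                if ($i == "[client") { split($(i + 1), c, ":"); ip = c[1] }
            n[ip " " $NF]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# status_by_client: HTTP status counts per client from the access log,
# to see which clients get real answers from the backend
status_by_client() {
    printf '%s\n' "$ACCESS_LOG" | awk '{ n[$1 " " $9]++ } END { for (k in n) print k, n[k] }' | sort
}

# proxy_error_report: join the two views into one readable triage line per client
proxy_error_report() {
    proxy_error_summary | while read -r ip backend count; do
        echo "$ip ($(client_scope "$ip")) -> $backend: $count AH01102 errors"
    done
}

proxy_error_report
status_by_client
```

Run as-is it prints that only the public client hits the backend failure while the private client receives 200/403 answers from the same backend; the 403 on /guacamole/api/tokens is a rejected login attempt, which is worth counting separately from proxy failures when reading the logs.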


#30

Hello tpfann,

first, sorry for my maybe weird questions - as I’m only using Guacamole and RADIUS as additional apps I falsely assumed that only Guacamole runs as a docker app.

About the firewall - I didn’t configure anything regarding firewall settings on the UCS (all default), but it looks like that it’s enabled by default - here they say:

In the default setting, all incoming ports are blocked by the UCS firewall.
univention-firewall is a set of rules for iptables. 

In fact, there are iptables rules defined (I guess they are auto-generated when installing an application). Especially the entries in the FORWARD chain for the docker network (iptables -L -v -n):

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

and the NAT entries (iptables -L -v -n -t nat):

Chain POSTROUTING (policy ACCEPT 26731 packets, 2076K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.3           172.17.0.3           tcp dpt:8080

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:40001 to:172.17.0.3:8080

172.17.0.3 is the IP address of the guacamole web-interface container.
Could you check these rules? Maybe there is something that’s restricting access to the reverse proxy to your local subnet.

For explanation: The ReverseProxy configuration for Guacamole is required as the app should be accessible through default-ssl port (443).
i.e. https://ucs-host.your-domain/guacamole
and not
http://ucs-host.your-domain:40001/guacamole

Best regards


#31

Hello dWc,

thanks a lot for spending all these efforts and having a look at my Guacamole issues :slight_smile:

iptables -L -v -n (looks identical to yours):

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5952 1264K DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3350  784K DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
 3262  775K ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 2602  479K ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    5   300 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

iptables -L -v -n -t nat (here are some differences):

Chain POSTROUTING (policy ACCEPT 83270 packets, 8593K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1164 86056 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.1           172.17.0.1           tcp dpt:9980
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:8080
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.5           172.17.0.5           tcp dpt:8080
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.3           172.17.0.3           tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.3           172.17.0.3           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
 9348  561K RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9980 to:172.17.0.1:9980
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:40007 to:172.17.0.2:8080
    **5   260 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:40001 to:172.17.0.5:8080**
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:40003 to:172.17.0.3:443
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:40002 to:172.17.0.3:80

In my understanding (I did a mapping between “docker network inspect bridge” and “docker ps”):

  • 172.17.0.1:9980 belongs to Collabora
  • 172.17.0.2:40007 belongs to ownCloud
  • 172.17.0.3:40002 and 40003 belong to WordPress
  • 172.17.0.4:4822 belongs to guacd
  • 172.17.0.5:40001 belongs to guacamole

Assuming that 172.17.0.5 belongs to Guacamole, the above FW and NAT rules seem to be okay - right?

Best regards
Thomas
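
The mapping done by hand in this post (DNAT rule to container to published port) can be rebuilt and cross-checked against the ProxyPass target automatically. The following is an added example, not code from the thread or from Univention: it parses the nat DOCKER chain and the PORTS/NAMES columns of docker ps, resolves a host port to the container behind it, and confirms that the port named in ProxyPass is actually served by a container. The two inputs are constructed samples mirroring the values quoted in this thread; on a real host they would come from iptables -t nat -L DOCKER -v -n and docker ps --format '{{.Ports}} {{.Names}}'.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the host-port -> container mapping
# from the nat DOCKER chain and "docker ps", then check the ProxyPass port.
# Both inputs are constructed samples mirroring the values quoted in the thread.

NAT_DOCKER='    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9980 to:172.17.0.1:9980
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:40007 to:172.17.0.2:8080
    5   260 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:40001 to:172.17.0.5:8080
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:40003 to:172.17.0.3:443
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:40002 to:172.17.0.3:80'

DOCKER_PS='0.0.0.0:9980->9980/tcp nervous_yalow
0.0.0.0:40007->8080/tcp heuristic_galileo
0.0.0.0:40001->8080/tcp guacamole_guacamole_1
4822/tcp guacamole_guacd_1
0.0.0.0:40002->80/tcp, 0.0.0.0:40003->443/tcp sharp_williams'

# dnat_target PORT: the container ip:port that the DNAT rule for host PORT points to
dnat_target() {
    printf '%s\n' "$NAT_DOCKER" | awk -v p="$1" '$0 ~ ("dpt:" p " to:") { sub(/^to:/, "", $NF); print $NF; exit }'
}

# docker_container PORT: the name of the container that publishes host PORT
docker_container() {
    printf '%s\n' "$DOCKER_PS" | awk -v p="$1" '$0 ~ (":" p "->") { print $NF; exit }'
}

# proxy_port URL: the TCP port from a ProxyPass target such as http://127.0.0.1:40001/guacamole/
proxy_port() {
    printf '%s\n' "$1" | sed -n 's#^[a-z]*://[^/:]*:\([0-9]*\)/.*#\1#p'
}

# check_backend URL: succeed only if the ProxyPass port has a DNAT rule and a
# container publishing it; print the resolved chain for the reader
check_backend() {
    port=$(proxy_port "$1")
    target=$(dnat_target "$port")
    name=$(docker_container "$port")
    if [ -n "$port" ] && [ -n "$target" ] && [ -n "$name" ]; then
        echo "port $port -> $target ($name)"
        return 0
    fi
    echo "port ${port:-?}: no DNAT rule or no container publishes it" >&2
    return 1
}

check_backend 'http://127.0.0.1:40001/guacamole/'
```

Note that guacd (4822/tcp, no DNAT rule) is deliberately not reachable from outside the docker network; only the web container should be published, and the check fails for any port that has no matching rule or container.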


#32

Hello again,

no problem :smile:
You correctly assume, your iptables rules look okay.
Could you increase the LogLevel of the Apache-Server:
/etc/apache2/apache2.conf

#LogLevel warn
LogLevel debug

Maybe there’s more helpful information

Best regards


#33

Hello dWc,

Information in Apache error.log remains the same after setting loglevel to debug:

[Sat Apr 06 15:36:32.100441 2019] [proxy_http:error] [pid 16890] (103)Software caused connection abort: [client 80.187.85.226:17071] AH01102: error reading status line from remote server 127.0.0.1:40001
[Sat Apr 06 15:36:32.100566 2019] [proxy:error] [pid 16890] [client 80.187.85.226:17071] AH00898: Error reading from remote server returned by /guacamole/

Best regards
Thomas


#34

Re-Hi,

I’m really running out of ideas :smile:,
possibly there’s something screwed up with the ReverseProxy config.
Some information about Proxying Guacamole can be found here.
About the Apache config, maybe it’s worth a look here and here.

…just guessing, but maybe it helps :smile:

Good luck and best regards


#35

Thanks a lot anyway dWc for your support!

I just found out that something is messed up with the IPs used by the Docker container.
According to the above information (Bridge, FW and NAT configuration) the correct IPs should be:
172.17.0.4 for guacd and
172.17.0.5 for guacamole

Running hostname -I within the guacamole shell gives me:
172.17.0.5 172.18.0.3

I’m wondering how and where this can be changed …

Best regards
Thomas


#36

Hello,

If by “within guacamole shell” you mean something like:
docker exec -it guacamole_guacd_1 /bin/bash
or
docker exec -it guacamole_guacamole_1 /bin/bash
my output of them looks like:

# docker exec -it guacamole_guacd_1 /bin/bash
[root@guacd /]# hostname -I
172.17.0.2 172.18.0.2

and

# docker exec -it guacamole_guacamole_1 /bin/bash
root@0eb95cd2453a:/usr/local/tomcat# hostname -I
172.17.0.3 172.18.0.3

The command hostname -I displays all network addresses of the host, so there seems to be a misconfiguration or something.
What does the output of ip addr show look like (from inside your guacamole shells - especially the one from guacamole)?

Best regards


#37

Hi @tpfann;

makes me think: do you use letsencrypt on these? I think those dockers are prepared to copy the certificates into the container… while guacamole most probably isn’t.

Could be?

Just as I’m still awake :crazy_face:

Thinking still and already earlier - it has to do with the apache setting as it is working from the local network.


#38

Hello dWc,

within guacamole shell I meant “univention-app shell guacamole”

docker exec -it guacamole_guacd_1 /bin/bash and then hostname -I gives me:
172.17.0.4 172.18.0.2

docker exec -it guacamole_guacamole_1 /bin/bash and then hostname -I gives me:
172.17.0.5 172.18.0.3

So comparing this output to your post it seems to be okay. Sorry for confusion …

Hi lebernd

Yes, all other services are using a LetsEncrypt certificate. Is there a way to copy and enable the certificate manually?

Best regards
Thomas


#39

Hello @tpfann,

About the “SSL thing”. In case of Guacamole the SSL/TLS connection should (AFAIK) terminate on the UCS-Host (Apache as Reverse Proxy). From there on the connection is not encrypted further:

ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
ProxyPassReverse /guacamole/ http://127.0.0.1:40001/guacamole/

What I want to say is that all the SSL setup (including certificates) for this is done on the UCS host; none should be required inside any (guacamole) container.

Does a remote connection to the UCS-Server on Port 40001 work? Do you have the possibility to test it?
i.e. http://your-public.dns:40001/guacamole/
If yes, then it really seems to be a problem with the Apache ReverseProxy setting or mod_proxy config.

Could you check the loaded apache modules (for proxying) by (example from my ucs-host):

# apachectl -M | grep proxy
 proxy_module (shared)
 proxy_connect_module (shared)
 proxy_http_module (shared)

maybe check:

# apachectl -M | grep headers
 headers_module (shared)
...
and
...
# apachectl -M | grep rewrite
 rewrite_module (shared)

as well

Does it make any difference (i.e. in the apache error logs) if you use https://your-domain.here/guacamole instead of https://your-domain.here/guacamole/ (the difference is only the trailing slash)

Best regards
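
The module check and the trailing-slash question raised in this post can both be turned into a quick lint. The following is an added example, not code from the thread, from Univention or from the Guacamole project: missing_modules compares a captured apachectl -M listing against the modules a Guacamole reverse proxy relies on (proxy and proxy_http for the HTTP tunnel, plus proxy_wstunnel for the WebSocket tunnel, as the Guacamole proxying documentation recommends), and lint_proxypass flags ProxyPass/ProxyPassReverse lines whose path and target URL disagree about the trailing slash, which mod_proxy expects to match. The module listing and the ProxyPass lines are constructed samples; the third ProxyPass line is invented to show a mismatch.

```shell
#!/bin/sh
# Added example (not from the thread): two sanity checks for an Apache reverse
# proxy in front of Guacamole. Inputs are constructed samples; on a real host
# use the output of "apachectl -M" and the ProxyPass lines from the site config.

# Constructed "apachectl -M" output: the thread's list plus two unrelated modules
APACHE_MODULES=' core_module (static)
 proxy_module (shared)
 proxy_connect_module (shared)
 proxy_http_module (shared)
 headers_module (shared)
 rewrite_module (shared)'

# proxy and proxy_http carry the HTTP tunnel; proxy_wstunnel is needed for the
# WebSocket tunnel (per the Guacamole proxying documentation)
REQUIRED_MODULES='proxy_module proxy_http_module proxy_wstunnel_module'

# missing_modules: print each required module absent from the loaded-module list
missing_modules() {
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$APACHE_MODULES" | grep -q "^ *$m " || echo "$m"
    done
}

# Constructed ProxyPass lines: the thread's pair plus one with mismatched slashes
PROXY_CONF='ProxyPass /guacamole/ http://127.0.0.1:40001/guacamole/ retry=0
ProxyPassReverse /guacamole/ http://127.0.0.1:40001/guacamole/
ProxyPass /broken/ http://127.0.0.1:40001/guacamole'

# lint_proxypass: flag ProxyPass/ProxyPassReverse lines whose path and URL disagree
# about the trailing slash (mod_proxy expects both to end in "/" or neither to)
lint_proxypass() {
    printf '%s\n' "$PROXY_CONF" | awk '
        $1 ~ /^ProxyPass(Reverse)?$/ {
            p = ($2 ~ /\/$/); u = ($3 ~ /\/$/)
            if (p != u) print "trailing slash mismatch: " $1 " " $2 " " $3
        }'
}

missing_modules
lint_proxypass
```

On the module list quoted in this post the check reports proxy_wstunnel_module as missing; without it the plain HTTP tunnel still works, so a missing WebSocket module shows up as degraded performance rather than as a 502.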


#40

even if it works through the other ip-address?

Well as I’ve said - late thoughts… seeing the morning light, I don’t think so as the proxy connections are all unencrypted. So encryption is on the host.

Nevertheless, in nextcloud you would have a check inside the container on ‘trusted domains’ where you will have to enter each trusted domain. I’m not familiar with the tomcat-server running inside guacamole but perhaps there is also domainname-check.

If these thoughts are true - then I would perhaps try first the following:

univention-app shell guacamole
root@xyz:/usr/local/tomcat# ping your.fancy.domain.name
??? and if that fails, something like - or perhaps better with a text editor (which you will have to install first)
root@xyz:/usr/local/tomcat# echo 'remote-host-ip-address    your.fancy.domain.name' >> /etc/hosts
try again the ping command

and test if that works.