I was able to find out the IP of my docker host but I wasn’t able to figure out the corresponding IP for guacd.
Also I was not able to run a “univention-app shell” for guacd - is this even possible?
Okay, found out the correct IP myself and edited the hosts file accordingly
And thanks to your instructions above Guacamole is working now - at least for SSH.
For RDP connections it still gives me an error (The remote desktop server is currently unreachable).
This was really a big step forward … thanks to the support given here, Guacamole is now working locally (including RDP connections).
What is still not working is to access Guacamole via my external IP or DNS name (502 Proxy Error). Currently access to Guacamole is only possible via my internal IP or local hostname.
If you haven’t configured anything, as you quoted, then the problem could be that there is no communication possible between your client and the server.
For better understanding:
Can you access UCS/Guacamole from your local network?
How do you access - by IP or by DNS?
What do you mean with “external IP or DNS”? Public?
Can you access UCS with “external IP or DNS”?
Best regards
Thanks @lebernd for the hints posted here - didn’t find time to try them yet.
All of my other hosted services, like WordPress, Kopano or ownCloud are also reachable via my public IP or public DNS-names (e.g. https://remote.domain-name.de/).
In order to enable secure connections, I’m using a LetsEncrypt certificate.
Are the other services such as WordPress or ownCloud running as docker applications too?
If they are running natively on the system (and I really think they do), this could explain why these services are working.
As you get a “502 Bad gateway”, from the communication point of view you are at least reaching the destination (UCS) host, but then something doesn’t work as it should.
Are you using the UCS firewall? (just guessing)
Added:
Could you compare your Apache log files when accessing from the local network against those when accessing by public IP/DNS (you are checking them from outside your LAN, right?)
In total I have 4 services running as docker applications:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5014241cbd6b docker.software-univention.de/collabora:4.0.1.1 "/bin/sh -c 'bash ..." 4 weeks ago Up 4 weeks 0.0.0.0:9980->9980/tcp nervous_yalow
5410a67a9644 docker.software-univention.de/owncloud_appliance:10.0.10-1 "/usr/bin/entrypoi..." 5 weeks ago Up 4 weeks 0.0.0.0:40007->8080/tcp heuristic_galileo
a120fd92459a docker.software-univention.de/guacamole-guacamole:0.9.13-univention13 "/opt/guacamole/bi..." 6 weeks ago Up 4 days 0.0.0.0:40001->8080/tcp guacamole_guacamole_1
64269927899f docker.software-univention.de/guacamole-guacd:0.9.13-univention13 "/usr/local/sbin/g..." 6 weeks ago Up 4 days 4822/tcp guacamole_guacd_1
3a17a7345eac docker.software-univention.de/wordpress:4.9.4 "docker-entrypoint..." 10 months ago Up 2 weeks 0.0.0.0:40002->80/tcp, 0.0.0.0:40003->443/tcp sharp_williams
All of them were deployed via the UCS-Appcenter.
UCS-Firewall is enabled by default … I guess?!
When I try to access from outside (public DNS) I get this entry in Apache error.log:
[Sat Apr 06 08:16:49.560979 2019] [proxy_http:error] [pid 27496] (103)Software caused connection abort: [client 80.187.85.226:30770] AH01102: error reading status line from remote server 127.0.0.1:40001
[Sat Apr 06 08:16:49.561106 2019] [proxy:error] [pid 27496] [client 80.187.85.226:30770] AH00898: Error reading from remote server returned by /guacamole/
When I access from inside (local IP) I get this entry in Apache access.log:
First, sorry for my maybe weird questions - as I’m only using Guacamole and RADIUS as additional apps I falsely assumed that only Guacamole runs as a docker app.
About the firewall - I didn’t configure anything regarding firewall settings on the UCS (all default), but it looks like it’s enabled by default - here they say:
In the default setting, all incoming ports are blocked by the UCS firewall.
univention-firewall is a set of rules for iptables.
In fact, there are iptables rules defined (I guess they are auto-generated when installing an application), especially the entries in the FORWARD chain for the docker network (iptables -L -v -n):
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
172.17.0.3 is the IP address of the guacamole web-interface container
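The two error.log lines quoted above name the backend Apache could not read a status line from (127.0.0.1:40001), and the docker ps listing names which container publishes that port. The following script, added here as an example and not code from the thread or from Univention, correlates the two: it parses the PORTS column, parses the AH01102/AH00898 pairs, and flags whether the failing client is a private (LAN) address or a public one, which is exactly the inside/outside split described in the thread. The docker ps and log lines are the thread’s own; the third log line and the function names are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# `docker ps` listing as posted in the thread (container IDs, images and names are the thread's).
DOCKER_PS = """\
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5014241cbd6b docker.software-univention.de/collabora:4.0.1.1 "/bin/sh -c 'bash ..." 4 weeks ago Up 4 weeks 0.0.0.0:9980->9980/tcp nervous_yalow
5410a67a9644 docker.software-univention.de/owncloud_appliance:10.0.10-1 "/usr/bin/entrypoi..." 5 weeks ago Up 4 weeks 0.0.0.0:40007->8080/tcp heuristic_galileo
a120fd92459a docker.software-univention.de/guacamole-guacamole:0.9.13-univention13 "/opt/guacamole/bi..." 6 weeks ago Up 4 days 0.0.0.0:40001->8080/tcp guacamole_guacamole_1
64269927899f docker.software-univention.de/guacamole-guacd:0.9.13-univention13 "/usr/local/sbin/g..." 6 weeks ago Up 4 days 4822/tcp guacamole_guacd_1
3a17a7345eac docker.software-univention.de/wordpress:4.9.4 "docker-entrypoint..." 10 months ago Up 2 weeks 0.0.0.0:40002->80/tcp, 0.0.0.0:40003->443/tcp sharp_williams
"""

# Apache error.log: the first two lines are the ones quoted in the thread; the third is
# constructed for this example to show a backend port that no container publishes.
ERROR_LOG = """\
[Sat Apr 06 08:16:49.560979 2019] [proxy_http:error] [pid 27496] (103)Software caused connection abort: [client 80.187.85.226:30770] AH01102: error reading status line from remote server 127.0.0.1:40001
[Sat Apr 06 08:16:49.561106 2019] [proxy:error] [pid 27496] [client 80.187.85.226:30770] AH00898: Error reading from remote server returned by /guacamole/
[Sat Apr 06 08:20:12.123456 2019] [proxy_http:error] [pid 27496] (103)Software caused connection abort: [client 80.187.85.226:30771] AH01102: error reading status line from remote server 127.0.0.1:40099
"""

# host_ip:host_port->container_port/proto as printed in the PORTS column of `docker ps`
PORT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+)/(tcp|udp)")

# AH01102: mod_proxy_http connected to the backend but could not read an HTTP status line
AH01102_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[proxy_http:error\].*?"
    r"\[client (?P<csock>(?P<client>[\d.]+):\d+)\] AH01102: error reading status line "
    r"from remote server (?P<host>[^:\s]+):(?P<port>\d+)"
)

# AH00898: mod_proxy names the URL path the failed backend request belonged to
AH00898_RE = re.compile(r"\[client (?P<csock>[\d.]+:\d+)\] AH00898: .*? returned by (?P<path>\S+)")


def parse_port_mappings(ps_output: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (published host address, host port) -> (container name, container port)."""
    mappings: Dict[Tuple[str, int], Tuple[str, int]] = {}
    for line in ps_output.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        name = line.split()[-1]  # NAMES is always the last column
        for host_ip, host_port, cport, _proto in PORT_RE.findall(line):
            mappings[(host_ip, int(host_port))] = (name, int(cport))
    return mappings


def find_container(mappings: Dict[Tuple[str, int], Tuple[str, int]],
                   host: str, port: int) -> Optional[Tuple[str, int]]:
    """Resolve the backend Apache talked to; a 0.0.0.0 publish binds every host address."""
    return mappings.get((host, port)) or mappings.get(("0.0.0.0", port))


def parse_proxy_errors(log_text: str) -> List[dict]:
    """Collect AH01102 backend failures and attach the path from the matching AH00898 line."""
    by_socket: Dict[str, dict] = {}
    order: List[str] = []
    for line in log_text.splitlines():
        m = AH01102_RE.search(line)
        if m:
            by_socket[m["csock"]] = {
                "timestamp": m["ts"],
                "client": m["client"],
                "backend_host": m["host"],
                "backend_port": int(m["port"]),
                "path": None,
            }
            order.append(m["csock"])
            continue
        m = AH00898_RE.search(line)
        if m and m["csock"] in by_socket:  # same client socket -> same failed request
            by_socket[m["csock"]]["path"] = m["path"]
    return [by_socket[k] for k in order]


def is_private(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses, i.e. a client on the LAN side."""
    return ipaddress.ip_address(ip).is_private


def correlate(errors: List[dict], mappings: Dict[Tuple[str, int], Tuple[str, int]]) -> List[dict]:
    """Join each proxy failure to the container that publishes the backend port (None if none does)."""
    rows = []
    for err in errors:
        target = find_container(mappings, err["backend_host"], err["backend_port"])
        rows.append({
            "client": err["client"],
            "client_is_private": is_private(err["client"]),
            "path": err["path"],
            "backend": f'{err["backend_host"]}:{err["backend_port"]}',
            "container": target[0] if target else None,
            "container_port": target[1] if target else None,
        })
    return rows


if __name__ == "__main__":
    for row in correlate(parse_proxy_errors(ERROR_LOG), parse_port_mappings(DOCKER_PS)):
        print(row)
```

On real input, feed it `docker ps` and the tail of /var/log/apache2/error.log. A row with a public client and a container that is up tells you the request reached Apache and the container, so the remaining suspects are inside the proxy hop (Tomcat closing the connection on the forwarded request) rather than the firewall; a row with `container` set to None means Apache is proxying to a port nothing publishes.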
Could you check these rules? Maybe there is something that’s restricting the access to the reverse proxy to your local subnet.
I’m really running out of ideas,
possible that there’s something screwed up with the ReverseProxy config.
Some information about Proxying Guacamole can be found here.
About the Apache Config may it’s worth a look here and here.
I just found out that something is messed up with the IPs used by the Docker container.
According to the above information (Bridge, FW and NAT configuration) the correct IPs should be:
172.17.0.4 for guacd and
172.17.0.5 for guacamole
Running hostname -I within the guacamole shell gives me:
172.17.0.5 172.18.0.3
If by “within guacamole shell” you mean something like: docker exec -it guacamole_guacd_1 /bin/bash
or docker exec -it guacamole_guacamole_1 /bin/bash
my output of them looks like:
The command hostname -I displays all network addresses of the host, so there seems to be a misconfiguration or something.
What does the output of ip addr show look like (from inside your guacamole shells - especially the one from guacamole)?
Makes me think: do you use Let’s Encrypt on these? I think those docker containers are prepared to copy the certificates into the container… while guacamole most probably isn’t.
Could be?
Just as I’m still awake
Thinking still and already earlier - it has to do with the apache setting as it is working from the local network.
About the “SSL thing”. In case of Guacamole the SSL/TLS connection should (AFAIK) terminate on the UCS-Host (Apache as Reverse Proxy). From there on the connection is not encrypted further:
What I want to say is that all the SSL setup (including certificates) for this is done on the UCS host; none should be required inside any (guacamole) container.
Does a remote connection to the UCS-Server on Port 40001 work? Do you have the possibility to test it?
i.e. http://your-public.dns:40001/guacamole/
If yes, then it really seems to be a problem with the Apache ReverseProxy setting or mod_proxy config.
Could you check the loaded apache modules (for proxying) by (example from my ucs-host):
Well, as I’ve said - late thoughts… seeing the morning light, I don’t think so, as the proxy connections are all unencrypted. So encryption is on the host.
Nevertheless, in Nextcloud you would have a check inside the container on ‘trusted domains’ where you have to enter each trusted domain. I’m not familiar with the Tomcat server running inside Guacamole, but perhaps there is also a domain-name check.
If these thoughts are true - then I would perhaps try first the following:
univention-app shell guacamole
root@xyz:/usr/local/tomcat# ping your.fancy.domain.name
and if that fails, something like - or perhaps better with a text editor (which you will have to install first):
root@xyz:/usr/local/tomcat# echo 'remote-host-ip-address your.fancy.domain.name' >> /etc/hosts
Try the ping command again.
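The `echo ... >> /etc/hosts` step above appends blindly, so repeating it after a typo leaves two conflicting lines for the same name. The helper below, added as an example and not code from the thread or from Univention, validates the address and upserts the entry: an identical line is left alone, a stale line for the same name is corrected, other names sharing that line and trailing comments are preserved. The sample hosts text and the 203.0.113.x addresses are constructed for the example; remote.domain-name.de is the name used earlier in the thread. Note that Docker writes a container’s /etc/hosts at start, so an edit made inside the container does not survive recreating it.

```python
import ipaddress

# Constructed sample of a container's /etc/hosts (the container ID is the thread's guacamole one).
HOSTS_SAMPLE = """\
127.0.0.1\tlocalhost
::1\tlocalhost ip6-localhost ip6-loopback
172.17.0.5\ta120fd92459a   # container hostname, written by Docker
"""


def upsert_hosts_entry(hosts_text: str, ip: str, hostname: str) -> str:
    """Return hosts_text with exactly one mapping of hostname -> ip.

    - A line that already maps hostname to ip is kept unchanged.
    - A line mapping hostname to a different address loses that hostname; other
      names on the line and its trailing comment are kept, and a fresh line is added.
    - A missing hostname is appended as a new line.
    """
    ipaddress.ip_address(ip)  # raises ValueError, so a mistyped address never reaches the file
    new_line = f"{ip}\t{hostname}"
    out = []
    satisfied = False
    for line in hosts_text.splitlines():
        body, hash_mark, comment = line.partition("#")
        fields = body.split()
        if not fields or hostname not in fields[1:]:
            out.append(line)
            continue
        if fields[0] == ip and not satisfied:
            out.append(line)  # already correct
            satisfied = True
            continue
        # wrong address (or a duplicate): drop hostname from this line, keep the rest
        remaining = [f for f in fields[1:] if f != hostname]
        if remaining:
            kept = " ".join([fields[0]] + remaining)
            out.append(f"{kept} {hash_mark}{comment}" if hash_mark else kept)
    if not satisfied:
        out.append(new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(upsert_hosts_entry(HOSTS_SAMPLE, "203.0.113.10", "remote.domain-name.de"))
```

In practice you would read /etc/hosts, pass its text through `upsert_hosts_entry`, and write the result back atomically (write a temp file, then rename) rather than appending with a shell redirect.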