able to access the UCS-Host (and other services such OwnCloud…) from local network
able to access the UCS-Host (and other services such OwnCloud…) from remote network(s)
able to access the Guacamole App from local network
He is not
able to access the Guacamole App from remote network(s)
The other web-apps (OC,Collabora,…) and the usage of the UCS-WebU won’t require any ReverseProxying - that’s why I evaluated it differently.
now, he maybe check the remote-connectivity of the guacamole app by using the native URI and Port ( http://your-public.dns:40001/guacamole/).
If this works, then I would say the only difference would be the ReverseProxy * thing*
I opend port 40001 on the router/FW and a did a connection test to external IP/Hostname (http://public.dns:40001/guacamole/ - This is working, wow
This is working for http only - https gives me a “ERR_CONNECTION_CLOSED” and is not working at all (yet).
in that case I’m sorry for my wrong posting. I don’t use one of those additional apps, so I couldn’t check it for myself but you’re right - there’s even a ReverseProxy config entry for the UCS-Portal.
after first sight, a difference in your configs are the presence or missing of a trailing slash (differnce between i.e. owncloud and guacamole config entry) .
That it works only in HTTP (over this port) is normal as the server your (now) talking to directly - is plain HTTP.
This is a reason for reverse proxying services (in general - in this case the usage of a or multiple dockerized app/s on a single port may be another good reason). The HTTPS connections should end on the Proxy (Apache), which handles the further communication with the guacamole-service in HTTP.
Last thoughts for today: perhaps time to call apache
You find some posts regarding your error message searching the web.
[proxy_http:error] [pid 16890] (103)Software caused connection abort: [client 80.187.85.226:17071] AH01102: error reading status line from remote server 127.0.0.1:40001
Besides default-ssl.conf and 000-default.conf there is another relevant conf file under /etc/apache2/sites-enabled. For the handling of my public DNS names the relevant file is univention-letsencrypt.conf.
After correcting the corresponding entrys for Guacamole (changed https to http), everything is working now.
dWc and lebernd thx alot one more time for your support!
just as an explanation: univention-app shell … is a wrapper around calling docker exec … -ti /bin/bash with the ID belonging to the app’s container. That ID in turn is stored in the UCR variable appcenter/apps/…/container.
If you ever want to run something within an app’s Docker container, I highly recommend univention-app shell … over manually looking up the container name/ID — especially as container names aren’t stable; they can and do change between installations.
Keep in mind that your modifications to the files in /etc/apache2/sites-available will be overwritten each time the file is recreated from its template. That’s what the scary-looking text at the front of the file tries to tell you.
A slightly better way to go about things is to modify the template the file is generated from, /etc/univention/templates/files/etc/apache2/sites-available/univention-letsencrypt.conf, and then to re-generate the file with ucr commit /etc/apache2/sites-available/univention-letsencrypt.conf. That way you only have to keep up to date with changes to the template itself, which shouldn’t happen too often (check by running univention-check-templates after each update). Due to how the templates generates the entries, this isn’t as straight-forward as one might like, though.
The best option would be to file a bug for this problem. Each app declares how the web server inside the Docker container can be reached (unencrypted only = HTTP, encrypted only = HTTPS or both), and the Let’s Encrypt template uses that information in order to create its reverse proxy entry. That information seems to be wrong for Guacamole.
