  1. Guacamole
  2. GUACAMOLE-1659

Add HTTP Reverse Proxy Functionality




      Guacamole being a "Proxy" of sorts to allow the management of internal services and devices, it's a reasonable jump to compare it directly to a "Jump Host".

      Currently, if one were to utilize Guacamole as a privileged access manager to all internal services, one would have to set up and manage a separate HTTP reverse proxy in order to authenticate, log, and monitor user access to management web interfaces. If there are dozens, maybe even hundreds, of management interfaces that must be mediated, then the use of a reverse proxy becomes cumbersome. Plus, a reverse proxy isn't really designed as a management mediating tool, so naturally it is not optimized for such a workflow.

      An alternative would be yet another Jump Host that has a full desktop and browser to then connect to the web management interfaces. This would be even more excessive than a reverse proxy installed alongside Guacamole.

      Additionally, with the need to have full mediation of management activities, the use of 2 services or even 2+ devices, one for web management access, and the other for all other services (Guac), is not only unnecessarily complex, but also more work for users that need to SSH into backend servers and also visit corresponding web management interfaces, as an example. This also complicates the implementation of federated authentication, as now the authentication must be set up on the reverse proxy (and the numerous backend hosts) and Guacamole.

      The user interface could be very similar to all the other protocols, where there is a specific connection profile made to connect into some backend host. It could have many of the options of any reverse proxy: backend connection IP/Port, protocol, hostname, authentication headers, etc. This could provide a single pane of mediated management to users without the need for full management desktops or complex reverse proxies.


      I think it would be extremely useful to integrate an HTTP reverse proxy into Guacamole with the easy connection, logging, monitoring, and UI that Guacamole provides.


      Just some background of what led me to this:

      I have a Jump Host that mediates all connections between VPN users and the management of various network services. Many of those management interfaces are web-based (web apps are the future...). Deploying Guacamole was a no-brainer for SSH and RDP access, but in order to monitor and log VPN client connections to these web management interfaces, I had to come up with a solution. Unfortunately, that solution was an NGINX reverse proxy with about 30 server blocks for various sub-domains pointing to the various backend web management interfaces. To add to my frustration, setting up Authelia for authentication was a pain with all those server blocks. So then I thought to myself... why shouldn't Guacamole also handle this?




            Unassigned Unassigned
            ehammer99 Jason Mac