Guacamole on Caddy Reverse Proxy


(Jack Elbar) #1

Would appreciate it if anybody can provide some insight. I tried looking on the forums and found a few threads, however none of the fixes worked for me.

I have guacamole set up internally at 192.168.2.3:8080

I can access the Guacamole GUI perfectly and the address of the direct connection is: http://192.168.2.3:8080/guacamole/#/client/c/1

When I try to set this up in Caddyfile, I get a 502 error.

My file looks like this:

desktop.mysite.com {
  proxy / http://192.168.2.3:8080/guacamole {
    header_upstream X-Real-IP {remote}
    header_upstream Host {host}
    header_downstream X-Real-IP {remote}
    header_downstream Host {host}
    insecure_skip_verify
    websocket
    transparent
  }
}

When I go to https://desktop.mysite.com, I get the following:


(Toby Allen) #2

If you could provide more info that would be great.

  • Is Guacamole on http or https? If https, use proxy / https://…; if http, remove insecure_skip_verify.

  • Is Caddy alright? Can you set up a basic test site:

    mysite.com:80 {
    root /myroot/
    browse
    }

  • Is guacamole getting the request?

  • Log requests to Caddy:
    mysite.com {
    log / logfile.log "{common}"
    }


(Jack Elbar) #3

Thank you for your reply @tobya

Caddy works great otherwise. I have a bunch of other things running through my reverse proxy that work. Guac is just the one that’s been giving me a hard time.

It’s using https; I access my other servers by going to https://shows.mysite.com, for example.

Would you like me to post the logs from the Caddy container?


(Jack Elbar) #4

I checked the Caddy logs and did notice an error I hadn’t seen before:

2018/02/04 17:03:28 [timeouts] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - Error creating new authz :: DNS name does not have enough labels

All of my other setups work fine though (I have around 10), so I’m not sure if this is contributing to the issue. I also changed the http to https, but that didn’t do anything either.


(Matt Holt) #5

Is what you posted above your entire unredacted Caddyfile?


(Toby Allen) #6

Is the cert it fails to get the one that’s causing the 503 error?


(Jack Elbar) #7

@matt, this is the entire Caddyfile: https://hastebin.com/usizizabiw.cs (everything there works, except the last one (desktop = guacamole)).

@tobya, I’m not sure to be honest. How could I check?

This is the latest log output of Caddy (192.168.2.1 = my router):


(Matthew Fay) #8

I would investigate the connection between the Caddy host and the Guacamole host as the possible culprit.

My Guacamole instance works with the following Caddyfile:

guacamole.whitestrake.net {
  proxy / guacamole:8080/guacamole {
    transparent
    websocket
  }
}

It's networked to Caddy via Docker Compose.

version: '3'

services:
  guacamole:
    image: guacamole/guacamole:latest
    depends_on:
      - guacd
      - guacdb
    environment:
      GUACD_HOSTNAME: guacd
      POSTGRES_HOSTNAME: guacdb
      POSTGRES_USER: guac
      POSTGRES_DATABASE: guac
      POSTGRES_PASSWORD: [snip]
    restart: unless-stopped

  guacd:
    image: guacamole/guacd:latest
    restart: unless-stopped

  guacdb:
    image: postgres:latest
    environment:
      POSTGRES_DB: guac
      POSTGRES_USER: guac
      POSTGRES_PASSWORD: [snip]
    volumes:
      - ./db:/var/lib/postgresql/data
      - ./initdb.sql:/docker-entrypoint-initdb.d/initdb.sql
    restart: unless-stopped

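The replies in #2 and #8 both come down to one question: what does the Caddy host actually see when it opens 192.168.2.3:8080/guacamole? The probe below is an added example written for this page, not code from either poster or from the Caddy or Guacamole projects. It checks the three things those replies ask about in order: whether the upstream port accepts a TCP connection at all (a refusal is what Caddy turns into a 502), whether it answers plain HTTP on the /guacamole path (an https-only upstream fails at this step, which is the http-versus-https point in #2), and whether whatever answers is actually Guacamole rather than some other service holding the port, which is how the thread is eventually resolved in #9. The upstream host, port and path are arguments you supply; the two servers started in the demo are constructed stand-ins so the script runs offline.

```python
"""Probe a reverse-proxy upstream the way Caddy would reach it.

Added example, not code from the thread or from Caddy/Guacamole.
Host, port and path are whatever you pass in; the servers started in
the demo at the bottom are constructed stand-ins so this runs offline.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_upstream(host, port, path="/guacamole/", timeout=3.0):
    """Return what a proxy would see for GET http://host:port{path}."""
    result = {"tcp_ok": False, "status": None, "location": None,
              "looks_like_guacamole": False, "error": None}
    try:
        # Step 1: bare TCP connect. If this fails, Caddy answers the client with 502.
        with socket.create_connection((host, port), timeout=timeout):
            result["tcp_ok"] = True
    except OSError as exc:
        result["error"] = f"tcp connect failed: {exc}"
        return result
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # Step 2: plain-HTTP request carrying the Host header `transparent` forwards.
        # A TLS-only upstream answers with a garbled status line and lands in except.
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
        result["status"] = resp.status
        result["location"] = resp.getheader("Location")
        # Step 3: is the responder Guacamole? Its client page names itself, and a
        # redirect into /guacamole/ also means the webapp is deployed there.
        page_ok = resp.status == 200 and "guacamole" in body.lower()
        redirect_ok = bool(result["location"]) and "/guacamole" in result["location"]
        result["looks_like_guacamole"] = page_ok or redirect_ok
    except (OSError, http.client.HTTPException) as exc:
        result["error"] = f"http request failed: {exc}"
    finally:
        conn.close()
    return result


def diagnose(result):
    """Map a probe result to the next troubleshooting step suggested in the thread."""
    if not result["tcp_ok"]:
        return "unreachable"    # wrong address, firewall, or wrong Docker network
    if result["error"]:
        return "not-http"       # port open but not plain HTTP (TLS-only, or not a web app)
    if result["looks_like_guacamole"]:
        return "ok"
    if result["status"] == 404:
        return "wrong-path"     # the upstream URL in `proxy` must include /guacamole
    return "other-service"      # something else is bound to that port (the #9 case)


class FakeGuacamole(BaseHTTPRequestHandler):
    """Constructed stand-in for the Guacamole webapp: only /guacamole/... exists."""
    def do_GET(self):
        if self.path.startswith("/guacamole"):
            self._reply(200, b"<html><head><title>Guacamole</title></head></html>")
        else:
            self._reply(404, b"<html><body>HTTP Status 404</body></html>")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class FakeOtherService(FakeGuacamole):
    """Constructed stand-in for an unrelated web UI squatting on the port."""
    def do_GET(self):
        self._reply(200, b"<html><head><title>Some other dashboard</title></head></html>")


def serve_fake(handler):
    """Start a throwaway server on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    for name, handler in (("guacamole", FakeGuacamole), ("other", FakeOtherService)):
        srv, port = serve_fake(handler)
        for path in ("/guacamole/", "/"):
            r = probe_upstream("127.0.0.1", port, path)
            print(f"{name} {path}: status={r['status']} -> {diagnose(r)}")
        srv.shutdown()
        srv.server_close()
    # The port just released now refuses connections, as a mistyped upstream IP would.
    print("closed port:", diagnose(probe_upstream("127.0.0.1", port, "/guacamole/")))
```

Run it from wherever Caddy runs (inside the Caddy container if that is how it is deployed, since that is the network namespace the `proxy` directive connects from) with the real upstream host, port and path in place of the fakes. A verdict of "other-service" on 192.168.2.3:8080 is exactly the situation the thread ends with: the port answers, so nothing looks down, but the response is not Guacamole's.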

(Jack Elbar) #9

Thank you all for your help! I got this to work by tinkering around with unRAID. It turns out it wouldn’t work on the same IP as unRAID (presumably something else was occupying 8080 without me knowing). So what I did to fix the issue was use the br0 interface and assign Guacamole to 192.168.2.14 instead of the default 192.168.2.3. Works great! I hope this fixes the issue for anybody else that runs into the same problem.

I do have another question, however. Would it be possible to bypass the login screen and go directly into the VM? I tried adding this to the Caddyfile: proxy / http://192.168.2.14:8080/#/client/c/1 (this link goes directly to the VM when I’m logged in locally). Then I realized there’s the Guac front end I need to bypass. Any ideas?


(Matthew Fay) #10

I haven’t done it myself, but this looks like exactly what you’re after!

Guacamole normally enforces authentication, requiring all users to have a corresponding set of credentials. If you would rather just type in your server’s URL and gain access to your computer, you can do this with the “noauth” extension.

https://guacamole.apache.org/doc/0.9.1/gug/noauth.html

Pretty scary putting remote access to your computer on the open internet, though!


(system) #11

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.