Guacamole on Caddy Reverse Proxy

scopefield · February 3, 2018, 5:45am

Would appreciate it if anybody can provide some insight. I tried looking on the forums and found a few threads, however none of the fixes worked for me.

I have guacamole set up internally at 192.168.2.3:8080

I can access the Guacamole GUI perfectly and the address of the direct connection is: http://192.168.2.3:8080/guacamole/#/client/c/1

When I try to set this up in Caddyfile, I get a 502 error.

My file looks like this:

desktop.mysite.com {
proxy / http://192.168.2.3:8080/guacamole {
header_upstream X-Real-IP {remote}
header_upstream Host {host}
header_downstream X-Real-IP {remote}
header_downstream Host {host}
insecure_skip_verify
websocket
transparent
}
}

When I go to https://desktop.mysite.com, I get the following:

tobya · February 4, 2018, 9:47am

If you could provide more info that would be great.

is guacamole on http or https if https use proxy / https://… if http remove insecure_skip_verify
Is caddy alright? Can you set up a basic test site

mysite.com:80 {
root /myroot/
browse
}
Is guacamole getting the request?
log requests to caddy
mysit.com {
log / logfile.log “{common}”

}

scopefield · February 4, 2018, 5:00pm

Thank you for your reply @tobya

Caddy works great otherwise. I have a bunch of other things running through my reverse proxy that work. Guac is just the one that’s been giving me a hard time.

It’s using https–I access my other serves by going to https://shows.mysite.com for example.

Would you like me to post the logs from the Caddy container?

scopefield · February 4, 2018, 5:11pm

I checked the Caddy logs and did notice an error I hadn’t seen before:

2018/02/04 17:03:28 [timeouts] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - Error creating new authz :: DNS name does not have enough labels

All of my other setups work fine though (I have around 10), so I’m not sure if this is contributing to the issue. I also changed the http to https, but that didn’t do anything either.

matt · February 4, 2018, 6:30pm

Is what you posted above your entire unredacted Caddyfile?

tobya · February 4, 2018, 8:15pm

Is the cert it fails to get the one that’s causing the 503 error?

scopefield · February 5, 2018, 12:00am

@matt, this is the entire Caddyfile: hastebin (everything there works, except the last one (desktop = guacamole).

@tobya, I’m not sure to be honest. How could I check?

This is the latest log output of Caddy (192.168.2.1 = my router):

Whitestrake · February 5, 2018, 1:00am

I would investigate the connection between the Caddy host and the Guacamole host as the possible culprit.

My Guacamole instance works with the following Caddyfile:

guacamole.whitestrake.net {
  proxy / guacamole:8080/guacamole {
    transparent
    websocket
  }
}

It's networked to Caddy via Docker Compose.

version: '3'

services:
  guacamole:
    image: guacamole/guacamole:latest
    depends_on:
      - guacd
      - guacdb
    environment:
      GUACD_HOSTNAME: guacd
      POSTGRES_HOSTNAME: guacdb
      POSTGRES_USER: guac
      POSTGRES_DATABASE: guac
      POSTGRES_PASSWORD: [snip]
    restart: unless-stopped

  guacd:
    image: guacamole/guacd:latest
    restart: unless-stopped

  guacdb:
    image: postgres:latest
    environment:
      POSTGRES_DB: guac
      POSTGRES_USER: guac
      POSTGRES_PASSWORD: [snip]
    volumes:
      - ./db:/var/lib/postgresql/data
      - ./initdb.sql:/docker-entrypoint-initdb.d/initdb.sql
    restart: unless-stopped

scopefield · February 5, 2018, 1:50am

Thank you all for your help! I got this to work by tinkering around with unRAID. It turns out it wouldn’t work on the same IP as unRAID (presumably something else was occupying 8080 without me know). So what I did to fix the issue was use the br0 interface and assign Guacamole to 192.168.2.14 instead of the default 192.168.2.3. Works great! I hope this fixes the issue for anybody else that runs into the same problem.

I do have another question however. Would it be possible to bypass the login screen and go directly into the VM? I tried adding this to Caddyfile " proxy / http://192.168.2.14:8080/#/client/c/1 (this link goes directly to the VM when I’m logged in locally). Then I realized there’s the Guac front end I need to bypass. Any ideas?

Whitestrake · February 5, 2018, 3:09am

I haven’t done it myself, but this looks like exactly what you’re after!

Guacamole normally enforces authentication, requiring all users to have a corresponding set of credentials. If you would rather just type in your server’s URL and gain access to your computer, you can do this with the “noauth” extension.

– Chapter 6. Disabling authentication

Pretty scary putting remote access to your computer on the open internet, though!

system · May 6, 2018, 3:09am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.