Passing client ip to tomcat - Cloudflare tunnel

abesnier / docker-guacamole

A self-contained guacamole docker container for x64. Remotely connect over SSH, RDP or VNC using HTML5.

https://hub.docker.com/r/abesnier/guacamole

GNU General Public License v3.0

78 stars 14 forks source link

Passing client ip to tomcat - Cloudflare tunnel #22

Closed amaurib closed 1 year ago

amaurib commented 1 year ago

Hi,

More than reporting a bug, what i would like to ask is how do I pass the client public ip address to tomcat server when using cloudflare tunnel as reverse proxy. I have added the variable REMOTE_IP_VALVE_ENABLED: "true" to my compose file but that didn't do anything... Guacamole keeps logging the cloudflared tunnel container ip...

version: "3"
services:
  guacamole:
      image: abesnier/guacamole
      container_name: guacamole
      volumes:
        - postgres:/config
        - /home/guacamole/branding.jar:/config/guacamole/extensions/guacamole-branding-1.5.2.jar
      ports:
        - 8082:8080
      environment:
        USE_DEFAULT_BRANDING: N
        REMOTE_IP_VALVE_ENABLED: true
volumes:
  postgres:
    driver: local

amaurib commented 1 year ago

Got to show the client IP on the Dashboard.

I Had to modify the tomcat configuration to allow it to see the real ip address of the client. /usr/local/tomcat/conf/server.xml

Add the following code inside the <Host> section

<Valve className="org.apache.catalina.valves.RemoteIpValve"
            internalProxies="172.25.0.3" 
            remoteIpHeader="x-forwarded-for"
            remoteIpProxiesHeader="x-forwarded-by"
            protocolHeader="x-forwarded-proto" />

docker compose file now looks like this.

version: "3"
services:
  guacamole:
      image: abesnier/guacamole
      container_name: guacamole
      volumes:
        - postgres:/config
        - /home/guacamole/branding.jar:/config/guacamole/extensions/guacamole-branding-1.5.2.jar
        - /home/guacamole/server.xml:/usr/local/tomcat/conf/server.xml
      ports:
        - 8082:8080
      environment:
        USE_DEFAULT_BRANDING: N
        REMOTE_IP_VALVE_ENABLED: true

volumes:
  postgres:
    driver: local

abesnier commented 1 year ago

well, that was the easiest issue ever raised ! I did not even had time to read it fully and find documentation.

I'll add a section in the readme, as I know this question is asked regularly on the Guacamole mailing list.

Cheers

abesnier commented 11 months ago

Coming back on this subject, let me add some points:

the REMOTE_IP_VALVE_ENABLEDenvironment variable is not used in my image. This is specific to the official guacamole client docker image.
the modifications of the server.conf can be tricky if you are using a reverse proxy. It is not easy to get the proper internalProxies value, as docker ip address can change every time you restart a container. I find it easier to just not fill this item, and let Tomcat work it out. Omitting this item will allow most private network IP ranges to be recognized as an authorized proxy (10/8, 192.168/16, 169.254/16, 127/8, 100.64/10, 172.16/12, and ::1). Actually, just adding <Valve className="org.apache.catalina.valves.RemoteIpValve" /> will work with most configurations because of default values.