boschkundendienst / guacamole-docker-compose

Guacamole with docker-compose using PostgreSQL, nginx with SSL (self-signed)
GNU General Public License v3.0
983 stars, 410 forks

Would it be reasonable to offer a LetsEncrypt example of this? #27

Closed: Leopere closed this 2 years ago

Leopere commented 2 years ago

Preface

First of all, thank you very much for producing one of the only passable Guacamole container stacks in Docker-compose.

I ask the following because I'm trying to prepare this docker-compose stuff for Docker Swarm and I've noticed a few potential redundancies and am trying to understand what's possible to cut out. I might also offer a PR when I'm done to offer some insight on how to optimize this stack a bit.

Question itself.

Is this part of the Guacamole requirements or is it possible to skip encrypting traffic passed over host networking?

https://github.com/boschkundendienst/guacamole-docker-compose/blob/2c6ebd69deb2abad436d6ced0a4fbc82390de6bf/prepare.sh#L15-L18

Leopere commented 2 years ago

I just noticed this wasn't exclusively for the Postgres container, my apologies. Have you considered potentially adding Let's Encrypt functionality in some way? I slapped this stack behind a Traefik reverse proxy to get Let's Encrypt TLS termination with valid certs fairly successfully.

boschkundendienst commented 2 years ago

Hi @Leopere, thanks for your feedback. I am glad that my version works for you. I see it only as a proof-of-concept to show Guacamole to others in a quick and easy way. As you already pointed out, the nginx part and also the creation of self-signed certificates is just for quick testing. For production environments I would of course use a reverse proxy with Let's Encrypt functionality like nginx-proxy-manager or Traefik.

Concerning a Let's Encrypt example: I know how this works, but it will definitely create problems when people just clone the repo and try to use it, since Let's Encrypt needs to be able to connect back to you on port 80 from "outside". So if I added LE functionality I would receive a GitHub issue every day, since people behind their home internet router will not be able to use LE.

I would say it is better to keep the project like it is (which, btw, needs some optimizing already) to demonstrate how easy it is to set up Guacamole, and for production use one should create his own custom setup.
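
As an added illustration of the production arrangement both participants describe (TLS terminated by a Let's Encrypt-capable reverse proxy in front of the stack, instead of the repo's nginx with self-signed certificates), here is a minimal Traefik v2 front end for the guacamole web container. This is example configuration written for this thread, not a file from the guacamole-docker-compose repository; the hostname `guac.example.com`, the e-mail address, the `guacnetwork` network name and the image tag are assumptions, and the guacd and postgres services plus the guacamole environment are left exactly as the repo's own docker-compose.yml defines them.

```yaml
# Added example, not part of the guacamole-docker-compose repo.
# Traefik terminates TLS with a Let's Encrypt certificate (HTTP-01
# challenge) and proxies to the guacamole container on its internal
# port 8080, so the self-signed nginx layer from prepare.sh is not needed.
version: "3.8"

services:
  traefik:
    image: traefik:v2.10          # assumed tag; pin to what you have tested
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Plain HTTP is redirected to HTTPS; Traefik answers the ACME
      # /.well-known/acme-challenge/ requests itself before the redirect.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      - "--certificatesresolvers.le.acme.email=admin@example.com"   # placeholder
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      # Port 80 must be reachable from the public internet for HTTP-01;
      # this is the constraint the maintainer points out above.
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"   # acme.json holds the private key; keep mode 600
    networks:
      - guacnetwork

  guacamole:
    image: guacamole/guacamole
    # environment (GUACD_HOSTNAME, POSTGRES_*) and depends_on: unchanged
    # from the repo's docker-compose.yml; no host port is published here,
    # so the web container is reachable only through Traefik.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.guacamole.rule=Host(`guac.example.com`)"   # placeholder host
      - "traefik.http.routers.guacamole.entrypoints=websecure"
      - "traefik.http.routers.guacamole.tls.certresolver=le"
      - "traefik.http.services.guacamole.loadbalancer.server.port=8080"
    networks:
      - guacnetwork

networks:
  guacnetwork:
    driver: bridge
```

Guacamole still serves under the `/guacamole` context path, so the URL becomes `https://guac.example.com/guacamole/`. Two points worth checking before relying on this: the Docker socket mount gives Traefik read access to every container on the host, so keep that container minimal and trusted, and if port 80 is not reachable from outside (the home-router case above) the certificate issuance will simply fail and Traefik falls back to its own default self-signed certificate, which is easy to mistake for a working setup until a browser complains.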

Leopere commented 2 years ago

Honestly, this is pretty great regardless. "Works by default" is exactly what I needed to get started on deploying this in our prod environment anyway. I'm gonna shove this behind Authelia, Traefik, and LDAP/AD (planned) at the office to allow a more secure point of ingress for RDP for remote workers.

boschkundendienst commented 2 years ago

Honestly, this is pretty great regardless. "Works by default" is exactly what I needed to get started on deploying this in our prod environment anyway. I'm gonna shove this behind Authelia, Traefik, and LDAP/AD (planned) at the office to allow a more secure point of ingress for RDP for remote workers.

Would be nice to have a read of the documentation (if one is created) after the setup.
