jwetzell / docker-guacamole

A self-contained guacamole docker container for x64 and ARM. Remotely connect over SSH, RDP or VNC using HTML5.
https://hub.docker.com/r/oznu/guacamole/
GNU General Public License v3.0

Issue with using Traefik #45

Closed crack-kitty closed 5 months ago

crack-kitty commented 5 months ago

Describe Your Problem: I am using traefik with your guacamole setup.

When I configure an ssh connection I get the following errors:

From WebUI:

An internal error has occurred within the Guacamole server, and the connection has been terminated. If the problem persists, please notify your system administrator, or check your system logs.

From docker logs:

guacamole  | 13:44:12.204 [http-nio-8080-exec-8] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to guacd failed: javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
guacamole  | 13:44:12.308 [http-nio-8080-exec-8] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: javax.net.ssl.SSLException: Unsupported or unrecognized SSL message

Docker Compose is fairly straightforward, here are the traefik labels I'm trying to use:

    labels:
      - traefik.enable=true
      - traefik.http.routers.guacamole.entrypoints=websecure
      - traefik.http.routers.guacamole.rule=Host(`guacamole.example.com`)
      - traefik.http.services.guacamole.loadbalancer.server.port=8080

Logs:

See above.

Screenshots:

Environment:

The main traefik config:

networks:
  traefik:
    name: traefik

# https://hub.docker.com/_/traefik

services:
  traefik:
    image: traefik:${TRAEFIK_DOCKER_TAG:-2.10} # replace with traefik:latest if you are feeling frisky
    container_name: ${TRAEFIK_CONTAINER_NAME:-traefik}
    restart: ${TRAEFIK_RESTART:-unless-stopped}
    mem_limit: ${TRAEFIK_MEM_LIMIT:-100m}
    networks:
      - traefik
    extra_hosts:
      - host.docker.internal:172.17.0.1
    ports:
      - 80:80
      - 443:443
    env_file:
      - .env
    volumes:
      - ./etc/traefik/letsencrypt:/letsencrypt
      - ./etc/traefik/enabled:/enabled
      - /etc/localtime:/etc/localtime:ro
      - /usr/share/zoneinfo:/usr/share/zoneinfo:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      - --api
      - --api.dashboard=${TRAEFIK_DASHBOARD_ENABLE:-true}
      - --log.level=${TRAEFIK_LOG_LEVEL:-ERROR}
      - --accesslog=${TRAEFIK_ACCESSLOG:-false}
      - --entryPoints.metrics.address=:8082
      - --metrics.prometheus.entryPoint=metrics
      - --providers.docker
      - --providers.file.watch=true
      - --providers.file.directory=/enabled
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.http.tls.certResolver=letsencrypt
      - --entrypoints.websecure.http.tls.domains[0].main=${HOST_DOMAIN}
      - --entrypoints.websecure.http.tls.domains[0].sans=*.${HOST_DOMAIN}
      - --serverstransport.insecureskipverify=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=${DNS_CHALLENGE_PROVIDER:-cloudflare}
      - --certificatesresolvers.letsencrypt.acme.email=${DNS_CHALLENGE_API_EMAIL}
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesResolvers.letsencrypt.acme.dnsChallenge.delayBeforeCheck=${CF_RESOLVER_WAITTIME:-60}
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesresolvers.letsencrypt.acme.caserver=${ACME_CASERVER:-https://acme-v02.api.letsencrypt.org/directory}
    labels:
      - joyride.host.name=${HOST_NAME}.${HOST_DOMAIN}
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.rule=Host(`${HOST_NAME}.${HOST_DOMAIN}`)  && (PathPrefix(`/traefik`) || PathPrefix(`/api`))
      - traefik.http.routers.traefik.middlewares=traefik_strip
      - traefik.http.middlewares.traefik_strip.stripprefix.prefixes=/traefik

jwetzell commented 5 months ago

I don't know much about setting up or configuring traefik.

crack-kitty commented 5 months ago

Thanks. Can we leave this open for a bit to see if anyone else swings by? I'm continuing to google furiously. ;)

crack-kitty commented 5 months ago

Actually found another image that seems to work natively with Traefik. https://github.com/abesnier/docker-guacamole Not entirely sure what the functional differences are but for now I'll close this... thanks for responding!

jwetzell commented 5 months ago

Hmm, not sure. That is also a fork of the same repo as this one. When I get a chance I can sift through the differences between the two since the fork, but that one has a lot more modifications than mine and does include breaking changes like the PostgreSQL version that make it not a drop-in replacement for the oznu image.

jwetzell commented 5 months ago

I updated the latest tag to use the latest version of tomcat and java 17. Not sure of a way for me to test that that would have any change to the issues you were seeing though.

crack-kitty commented 5 months ago

Okay, I'm pretty sure I can spin up a new VM and test your changes to see if they make a difference for the issue I was seeing with traefik. I might not get to it tonight but this week for sure! thanks!

On Tue, May 7, 2024 at 12:44 PM Joel Wetzell @.***> wrote:

I updated the latest tag to use the latest version of tomcat and java 17. Not sure of a way for me to test that that would have any change to the issues you were seeing though.


crack-kitty commented 5 months ago

Sorry for the delay, I was able to confirm that the changes you made allowed traefik to be used.... good stuff! Pretty simple traefik labels, but I could get both SSH and VNC connections to work with my traefik setup. I didn't check other connections. Thanks!!!

jwetzell commented 5 months ago

Good to hear!