GUACAMOLE-1005: Docker, configure RemoteIPValve inplace

This commit is contained in:
Giacomo Longo
2020-09-23 09:20:56 +02:00
parent b7b167e378
commit 205cf1797d


@@ -711,61 +711,38 @@ associate_json() {
## ##
## Sets up Tomcat's remote IP valve that allows gathering the remote IP ## Sets up Tomcat's remote IP valve that allows gathering the remote IP
## from headers set by a remote proxy ## from headers set by a remote proxy
## Upstream documentation: https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
## ##
enable_remote_ip_valve() { enable_remote_ip_valve() {
# Check the required variables # Use Tomcat defaults if optional variables have not been provided
if [ -z "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX" ]; then if [ -z "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX" ]; then
cat <<END echo "Using default Tomcat allowed IPs regex"
FATAL: Missing required environment variables
-------------------------------------------------------------------------------
If using the Tomcat RemoteIPValve preseed, you must provide each of the
following environment variables:
GUACAMOLE_PROXY_ALLOWED_IPS_REGEX The regex of addresses allowed to set
the remote IP of the client via
transmission of specific headers
END
exit 1
fi fi
# Set reasonable defaults if optional variables have not been provided
if [ -z "$GUACAMOLE_PROXY_IP_HEADER" ]; then if [ -z "$GUACAMOLE_PROXY_IP_HEADER" ]; then
GUACAMOLE_PROXY_IP_HEADER='X-Forwarded-For' echo "Using default Tomcat proxy IP header"
echo "Defaulted RemoteIPValve IP header to: $GUACAMOLE_PROXY_IP_HEADER"
fi fi
if [ -z "$GUACAMOLE_PROXY_PROTOCOL_HEADER" ]; then if [ -z "$GUACAMOLE_PROXY_PROTOCOL_HEADER" ]; then
GUACAMOLE_PROXY_PROTOCOL_HEADER='X-Forwarded-Proto' echo "Using default Tomcat proxy protocol header"
echo "Defaulted RemoteIPValve protocol header to: $GUACAMOLE_PROXY_PROTOCOL_HEADER"
fi fi
if [ -z "$GUACAMOLE_PROXY_BY_HEADER" ]; then if [ -z "$GUACAMOLE_PROXY_BY_HEADER" ]; then
GUACAMOLE_PROXY_BY_HEADER='X-Forwarded-By' echo "Using default Tomcat proxy forwarded by header"
echo "Defaulted RemoteIPValve source header to: $GUACAMOLE_PROXY_BY_HEADER"
fi fi
# Build the new Tomcat configuration # Build the new Tomcat configuration inplace
cat > /tmp/valve.xml <<EOF ## Explaination:
<Valve className="org.apache.catalina.valves.RemoteIpValve" ## The initial regex ((\s)+)</Host>
internalProxies="$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX" ## Matches the spaces before </Host> as \1 and individual spaces as \2, ...
remoteIpHeader="$GUACAMOLE_PROXY_IP_HEADER" ## The replacement will be located at \1\2\2 (original + 2 spaces)
remoteIpProxiesHeader="$GUACAMOLE_PROXY_BY_HEADER" ## ${VAR:+expr} expressions yield either empty (thus using Tomcat's default) or our setting
protocolHeader="$GUACAMOLE_PROXY_PROTOCOL_HEADER" /> ## The last line restores the configuration file original tag at its original indentation
EOF sed -i "s|^\(\(\s\)\+\)</Host>|\1\2\2<Valve \
className=\"org.apache.catalina.valves.RemoteIpValve\" \
# Get the line where the Host configuration ends ${GUACAMOLE_PROXY_ALLOWED_IPS_REGEX:+internalProxies=\"$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX\"} \
LINEN=$(grep -n '</Host>' /usr/local/tomcat/conf/server.xml | cut -d ':' -f 1) ${GUACAMOLE_PROXY_IP_HEADER:+remoteIpHeader=\"$GUACAMOLE_PROXY_IP_HEADER\"} \
${GUACAMOLE_PROXY_BY_HEADER:+remoteIpProxiesHeader=\"$GUACAMOLE_PROXY_BY_HEADER\"} \
# Split the file in 2 around the Host configuration ${GUACAMOLE_PROXY_PROTOCOL_HEADER:+protocolHeader=\"$GUACAMOLE_PROXY_PROTOCOL_HEADER\"} \
head -n "$(( LINEN - 1 ))" < /usr/local/tomcat/conf/server.xml > /tmp/head.xml />\n\1</Host>|" \
tail -n "+$LINEN" < /usr/local/tomcat/conf/server.xml > /tmp/tail.xml /usr/local/tomcat/conf/server.xml
# Reassemble the file
cat /tmp/head.xml /tmp/valve.xml /tmp/tail.xml > /usr/local/tomcat/conf/server.xml
# Cleanup
rm -f \
/tmp/head.xml \
/tmp/tail.xml \
/tmp/valve.xml
} }
## ##
@@ -854,7 +831,7 @@ set_property "guacd-hostname" "$GUACD_HOSTNAME"
set_property "guacd-port" "$GUACD_PORT" set_property "guacd-port" "$GUACD_PORT"
# Set up Tomcat RemoteIPValve # Set up Tomcat RemoteIPValve
if [ -n "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX" ]; then if [ "$REMOTE_IP_VALVE_ENABLED" = "true" ]; then
enable_remote_ip_valve enable_remote_ip_valve
fi fi
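Review bot: The new sed command in enable_remote_ip_valve interpolates the GUACAMOLE_PROXY_* values verbatim into its replacement text, so a value containing `|` (the chosen delimiter), `&` or a backslash sequence either makes sed fail or rewrites server.xml with something other than what was configured; an allowed-IPs regex using alternation such as `10\..*|192\.168\..*` is the obvious case, and the heredoc this replaces did not have the problem. Escaping those three characters through a small helper before interpolation, as sketched below, keeps the in-place approach. A second gap is that the pattern only matches an indented `</Host>`; if the tag is at column 0, sed exits 0 without inserting anything and the valve is silently absent, whereas the old code aborted loudly on misconfiguration. A post-check such as `grep -q 'RemoteIpValve' /usr/local/tomcat/conf/server.xml || { echo "FATAL: failed to configure RemoteIpValve" >&2; exit 1; }` after the sed call would restore that fail-closed behaviour.
```shell
# Escape characters that are special inside the sed replacement below
# ('|' is the s-command delimiter; '&' and '\' are interpreted by sed).
sed_escape() {
    printf '%s' "$1" | sed -e 's/[|&\\]/\\&/g'
}

# … unchanged: default-value messages …
sed -i "s|^\(\(\s\)\+\)</Host>|\1\2\2<Valve \
className=\"org.apache.catalina.valves.RemoteIpValve\" \
${GUACAMOLE_PROXY_ALLOWED_IPS_REGEX:+internalProxies=\"$(sed_escape "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX")\"} \
${GUACAMOLE_PROXY_IP_HEADER:+remoteIpHeader=\"$(sed_escape "$GUACAMOLE_PROXY_IP_HEADER")\"} \
${GUACAMOLE_PROXY_BY_HEADER:+remoteIpProxiesHeader=\"$(sed_escape "$GUACAMOLE_PROXY_BY_HEADER")\"} \
${GUACAMOLE_PROXY_PROTOCOL_HEADER:+protocolHeader=\"$(sed_escape "$GUACAMOLE_PROXY_PROTOCOL_HEADER")\"} \
/>\n\1</Host>|" \
/usr/local/tomcat/conf/server.xml
```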