From b7b167e37817e0c89efe3ce1fc4ec7cc959dff96 Mon Sep 17 00:00:00 2001 From: Giacomo Longo Date: Thu, 2 Apr 2020 09:21:03 +0200 Subject: [PATCH] GUACAMOLE-1005: Docker, configure RemoteIPValve --- guacamole-docker/bin/start.sh | 65 ++++++++++++++++++++++++++++++++++- 1 file changed, 64 insertions(+), 1 deletion(-) diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh index 24b7a2fe7..205d9cf85 100755 --- a/guacamole-docker/bin/start.sh +++ b/guacamole-docker/bin/start.sh @@ -708,6 +708,65 @@ associate_json() { # Add required .jar files to GUACAMOLE_EXT ln -s /opt/guacamole/json/guacamole-auth-*.jar "$GUACAMOLE_EXT" } +## +## Sets up Tomcat's remote IP valve that allows gathering the remote IP +## from headers set by a remote proxy +## +enable_remote_ip_valve() { + # Check the required variables + if [ -z "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX" ]; then + cat < /tmp/valve.xml < +EOF + + # Get the line where the Host configuration ends + LINEN=$(grep -n '' /usr/local/tomcat/conf/server.xml | cut -d ':' -f 1) + + # Split the file in 2 around the Host configuration + head -n "$(( LINEN - 1 ))" < /usr/local/tomcat/conf/server.xml > /tmp/head.xml + tail -n "+$LINEN" < /usr/local/tomcat/conf/server.xml > /tmp/tail.xml + + # Reassemble the file + cat /tmp/head.xml /tmp/valve.xml /tmp/tail.xml > /usr/local/tomcat/conf/server.xml + + # Cleanup + rm -f \ + /tmp/head.xml \ + /tmp/tail.xml \ + /tmp/valve.xml +} ## ## Starts Guacamole under Tomcat, replacing the current process with the @@ -794,6 +853,11 @@ fi set_property "guacd-hostname" "$GUACD_HOSTNAME" set_property "guacd-port" "$GUACD_PORT" +# Set up Tomcat RemoteIPValve +if [ -n "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX" ]; then + enable_remote_ip_valve +fi + # # Track which authentication backends are installed # @@ -883,4 +947,3 @@ fi # start_guacamole -
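Review bot: LINEN is used in enable_remote_ip_valve without checking that grep returned exactly one line number. If the match is missing or repeated, `$(( LINEN - 1 ))` and `tail -n "+$LINEN"` work on an empty or multi-line value, and the final `cat … > /usr/local/tomcat/conf/server.xml` then overwrites the Tomcat configuration with a damaged file. The three scratch files also have fixed names under /tmp, which another process in the container could pre-create or symlink; a `mktemp -d` directory avoids that. The heredoc and the grep pattern are not legible in this rendering, so it is worth confirming separately that the regex value is escaped for an XML attribute before it is written into the valve element.

```shell
    # … unchanged: required-variable check …
    SERVER_XML=/usr/local/tomcat/conf/server.xml
    VALVE_TMP=$(mktemp -d) || exit 1

    # … unchanged: valve heredoc, now written to "$VALVE_TMP/valve.xml" …
    # … unchanged: LINEN assignment …

    # Refuse to rewrite server.xml unless exactly one line number was found
    case "$LINEN" in
        ''|*[!0-9]*)
            echo "Cannot locate a single insertion point in $SERVER_XML" >&2
            rm -rf -- "$VALVE_TMP"
            exit 1
            ;;
    esac

    head -n "$(( LINEN - 1 ))" < "$SERVER_XML" > "$VALVE_TMP/head.xml"
    tail -n "+$LINEN" < "$SERVER_XML" > "$VALVE_TMP/tail.xml"
    cat "$VALVE_TMP/head.xml" "$VALVE_TMP/valve.xml" "$VALVE_TMP/tail.xml" > "$SERVER_XML"

    rm -rf -- "$VALVE_TMP"
```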
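Review bot: The call under "Set up Tomcat RemoteIPValve" runs on every execution of start.sh, and nothing checks whether server.xml already contains the valve. If the container is restarted rather than recreated, the file written on the previous start is presumably still in place and a second copy of the element is inserted. Guarding the call keeps it idempotent, e.g. `if [ -n "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX" ] && ! grep -q 'RemoteIpValve' /usr/local/tomcat/conf/server.xml; then` (this assumes the inserted element carries that class name, since the heredoc is not legible here). The comment should also state the trust decision being made, for instance `# Only peers matching this regex are trusted to supply the client IP via proxy headers`, because a pattern wider than the real proxy addresses means the address recorded in logs and connection history can no longer be relied on.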