diff --git a/Dockerfile b/Dockerfile
index 1b6e9be17..be6060375 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -50,6 +50,9 @@ RUN /opt/guacamole/bin/build-guacamole.sh "$BUILD_DIR" /opt/guacamole "$BUILD_PR
 # For the runtime image, we start with the official Tomcat distribution
 FROM tomcat:${TOMCAT_VERSION}-${TOMCAT_JRE}
+# Install XMLStarlet for server.conf alterations
+RUN apt-get update -qq && apt-get install -y xmlstarlet
+
 # This is where the build artifacts go in the runtime image
 WORKDIR /opt/guacamole
@@ -68,4 +71,3 @@ USER guacamole
 # Start Guacamole under Tomcat, listening on 0.0.0.0:8080
 EXPOSE 8080
 CMD ["/opt/guacamole/bin/start.sh" ]
-
diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh
index 9f5008013..c79fafc89 100755
--- a/guacamole-docker/bin/start.sh
+++ b/guacamole-docker/bin/start.sh
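Review bot: The new `RUN apt-get update -qq && apt-get install -y xmlstarlet` leaves the apt package lists in the runtime layer and pulls in recommended packages, which grows the image and its attack surface for a tool that is only needed to edit server.xml at startup. I would write it as `RUN apt-get update -qq && apt-get install -y --no-install-recommends xmlstarlet && rm -rf /var/lib/apt/lists/*`. The second hunk in this file only drops a trailing blank line.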
@@ -714,35 +714,51 @@ associate_json() {
 ## Upstream documentation: https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
 ##
 enable_remote_ip_valve() {
-    # Use Tomcat defaults if optional variables have not been provided
+    # Add element
+    xmlstarlet edit --inplace \
+        --insert '/Server/Service/Engine/Host/*' --type elem -n Valve \
+        --insert '/Server/Service/Engine/Host/Valve[not(@className)]' --type attr -n className -v org.apache.catalina.valves.RemoteIpValve \
+        $CATALINA_BASE/conf/server.xml
+
+    # Allowed IPs
     if [ -z "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX" ]; then
         echo "Using default Tomcat allowed IPs regex"
-    fi
-    if [ -z "$GUACAMOLE_PROXY_IP_HEADER" ]; then
-        echo "Using default Tomcat proxy IP header"
-    fi
-    if [ -z "$GUACAMOLE_PROXY_PROTOCOL_HEADER" ]; then
-        echo "Using default Tomcat proxy protocol header"
-    fi
-    if [ -z "$GUACAMOLE_PROXY_BY_HEADER" ]; then
-        echo "Using default Tomcat proxy forwarded by header"
+    else
+        xmlstarlet edit --inplace \
+            --insert '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.RemoteIpValve"]' \
+            --type attr -n internalProxies -v "$GUACAMOLE_PROXY_ALLOWED_IPS_REGEX" \
+            $CATALINA_BASE/conf/server.xml
     fi
-    # Build the new Tomcat configuration inplace
-    ## Explaination:
-    ## The initial regex ((\s)+)
-    ## Matches the spaces before as \1 and individual spaces as \2, ...
-    ## The replacement will be located at \1\2\2 (original + 2 spaces)
-    ## ${VAR:+expr} expressions yield either empty (thus using Tomcat's default) or our setting
-    ## The last line restores the configuration file original tag at its original indentation
-    sed -i "s|^\(\(\s\)\+\)|\1\2\2\n\1|" \ $CATALINA_BASE/conf/server.xml
+    # X-Forwarded-For
+    if [ -z "$GUACAMOLE_PROXY_IP_HEADER" ]; then
+        echo "Using default Tomcat proxy IP header"
+    else
+        xmlstarlet edit --inplace \
+            --insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
+            --type attr -n remoteIpHeader -v "$GUACAMOLE_PROXY_IP_HEADER" \
+            $CATALINA_BASE/conf/server.xml
+    fi
+
+    # X-Forwarded-Proto
+    if [ -z "$GUACAMOLE_PROXY_PROTOCOL_HEADER" ]; then
+        echo "Using default Tomcat proxy protocol header"
+    else
+        xmlstarlet edit --inplace \
+            --insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
+            --type attr -n protocolHeader -v "$GUACAMOLE_PROXY_PROTOCOL_HEADER" \
+            $CATALINA_BASE/conf/server.xml
+    fi
+
+    # X-Forwarded-By
+    if [ -z "$GUACAMOLE_PROXY_BY_HEADER" ]; then
+        echo "Using default Tomcat proxy forwarded by header"
+    else
+        xmlstarlet edit --inplace \
+            --insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
+            --type attr -n remoteIpProxiesHeader -v "$GUACAMOLE_PROXY_BY_HEADER" \
+            $CATALINA_BASE/conf/server.xml
+    fi
 }
 ##
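Review bot: The element insertion at the top of enable_remote_ip_valve is neither idempotent nor checked: `--insert '/Server/Service/Engine/Host/*'` adds a `Valve` before every child element of `Host` (several copies if `Host` has more than one child, none at all if it has no children), and a restarted container that re-runs start.sh against an already-patched server.xml accumulates extra RemoteIpValve entries and, as far as I can tell, duplicate attributes from the later `--insert --type attr` calls. Because this valve decides which address Guacamole logs and applies its IP restrictions to, a silent no-op makes every client appear as the proxy, so I would target `Host/*[1]`, skip the insert when the valve is already present, quote `"$CATALINA_BASE/conf/server.xml"` (it is unquoted in every call), and verify the outcome with `xmlstarlet sel` before returning. The `GUACAMOLE_PROXY_ALLOWED_IPS_REGEX` branch also deserves a comment such as `# Without this variable Tomcat's default internalProxies applies, which (if I recall correctly) covers the private and loopback ranges, so any host on the same private network can forge the forwarded-for header; set it to the real proxy addresses.`
```shell
enable_remote_ip_valve() {
    local server_xml="$CATALINA_BASE/conf/server.xml"
    local valve='/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.RemoteIpValve"]'

    # Insert the element once, before the first child of Host only, so a restarted
    # container that re-runs this script does not accumulate RemoteIpValve entries.
    if [ "$(xmlstarlet sel -t -v "count($valve)" "$server_xml")" = "0" ]; then
        xmlstarlet edit --inplace \
            --insert '/Server/Service/Engine/Host/*[1]' --type elem -n Valve \
            --insert '/Server/Service/Engine/Host/Valve[not(@className)]' --type attr -n className -v org.apache.catalina.valves.RemoteIpValve \
            "$server_xml" || return 1
    fi

    # … unchanged: the four per-header blocks, with $CATALINA_BASE/conf/server.xml replaced by "$server_xml" …

    # Refuse to start with a broken config rather than let every client
    # appear as the proxy address.
    if [ "$(xmlstarlet sel -t -v "count($valve)" "$server_xml")" != "1" ]; then
        echo "Failed to configure RemoteIpValve in $server_xml" >&2
        return 1
    fi
}
```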