Apache Guacamole behind Traefik

Traefik Traefik v2
1

hi there

got a problem with guacamole from external access. if i connect from outside my LAN then i become this message:

guacd_guacamole | 18:48:15.056 [http-nio-8080-exec-3] INFO  o.a.g.tunnel.TunnelRequestService - User "dani" connected to connection "2".
guacd_guacamole | 18:48:15.059 [http-nio-8080-exec-3] INFO  o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.

The performance is very bad, so entering some letters took 5 - 10 seconds to appear.

if i connect from LAN then this WebSocket message not appear and the performance is smooth.

guacd_guacamole | 18:49:12.375 [http-nio-8080-exec-3] INFO  o.a.g.tunnel.TunnelRequestService - User "dani" connected to connection "2".

traefik labels:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.guacamole.rule=Host(`remote.domain.xx`)"
  - "traefik.http.routers.guacamole.tls=true"
  - "traefik.http.middlewares.guacamole-prefix.addprefix.prefix=/guacamole" 
  - "traefik.http.routers.guacamole.middlewares=guacamole-prefix"

i also try'd some lables like

- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=http"

but i don't bring it to work.

has anyone a idea for me?

2

Did you then also add the new middleware to your router? From a quick search it seems this could be your issue (see here: WebSockets not working after migrating to Traefik 2.0)

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.guacamole.rule=Host(`remote.domain.xx`)"
  - "traefik.http.routers.guacamole.tls=true"
  - "traefik.http.middlewares.guacamole-prefix.addprefix.prefix=/guacamole"
  - "traefik.http.middlewares.guacamole-sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
  - "traefik.http.routers.guacamole.middlewares=guacamole-prefix,guacamole-sslheader"
3

thank you for your reply!

yes, i try'd this, with http and https
the logs from guacamole shows the same result. the console on the client shows this:

WebSocket connection to 'wss://remote.domain.xy/websocket-tunnel?token=658F5DD8963CD54FF43E6CBC0F8E1BED24237F9E38A5690D0E193CBB700684&GUAC_DATA_SOURCE=postgresql&GUAC_ID=2&GUAC_TYPE=c&GUAC_WIDTH=2231&GUAC_HEIGHT=1192&GUAC_DPI=96&GUAC_TIMEZONE=Europe%2FWarsaw&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp' failed: 

connect @ app.js?v=1.3.0:140
b @ app.js?v=1.3.0:144
connect @ app.js?v=1.3.0:144
connect @ app.js?v=1.3.0:36
(anonymous) @ app.js?v=1.3.0:432
(anonymous) @ angular.js:17169
$digest @ angular.js:18352
$apply @ angular.js:18649
l @ angular.js:12627
t @ angular.js:12871
A.onload @ angular.js:12788

there also comes to folling error in the console:

app.js?v=1.3.0:135 GET https://remote.domain.xy/tunnel?read:99b7f49c-dbe8-4349-a09c-4ce000a7e02b:3 404
app.js?v=1.3.0:133 POST https://remote.domain.xy/tunnel?write:99b7f49c-dbe8-4349-a09c-4ce000a7e02b 404

in the logs from guacamole i can find this lines:


14:43:53.415 [http-nio-8080-exec-8] INFO  o.a.g.tunnel.TunnelRequestService - User "dani" connected to connection "2".
14:43:53.415 [http-nio-8080-exec-8] INFO  o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.
14:44:07.495 [http-nio-8080-exec-2] INFO  o.a.g.tunnel.TunnelRequestService - User "dani" disconnected from connection "2". Duration: 14080 milliseconds
14:44:07.604 [http-nio-8080-exec-7] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.
14:44:07.656 [http-nio-8080-exec-6] WARN  o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request rejected: No such tunnel.

do i need an entrypoint for wss? i did research the whole internet, but i cannot find anything

4

Can you please check the post "Websocket does not upgrade ws to wss" ?

5

Thank you much for answer.

i saw that this today, and try'd for me, but won't work for me :frowning:

      - "traefik.http.routers.guacamole.rule=Host(`remote.domain.xy`)"
      - "traefik.http.routers.guacamole.tls=true"
      - "traefik.http.middlewares.guacamole-prefix.addprefix.prefix=/guacamole"   
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https,wss"
      - "traefik.http.routers.guacamole.middlewares=guacamole-prefix,sslheader"

got the same error's in cosole (browser) and logs.

6

First of all, remember to globally upgrade from http to https. Keep your current settings and add the lines below.

- traefik.http.routers.guacamole.rule=hostregexp(`{host:.+}`)
- traefik.http.routers.guacamole.entrypoints=web
- traefik.http.routers.guacamole.middlewares=redirect-to-https
- traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https

Greetings from Brazil.

1 Like
7

Did you finally make it work? I have exactly the same problem with 404 error for two files when I try to reach Guacamole with SSL enabled in the Traefik configuration.

8

Finally found an error - wrong prefix in the middleware config, "/guacamole/" instead of "/guacamole". :laughing: