HTTP header authentication#
Guacamole supports delegating authentication to an arbitrary external service, relying on the presence of an HTTP header which contains the username of the authenticated user. This authentication method must be layered on top of some other authentication extension, such as those available from the main project website, in order to provide access to actual connections.
Danger
All external requests must be properly sanitized if this extension is used. The chosen HTTP header must be stripped from untrusted requests, such that the authentication service is the only possible source of that header.
If such sanitization is not performed, it will be trivial for malicious users to add this header manually, and thus gain unrestricted access.
Warning
You will need to restart the Guacamole web application in order to complete configuration. Doing this will disconnect all active users, so please:
Do this only at a time that you can tolerate service unavailability, such as a scheduled maintenance window.
Keep in mind that configuration errors may prevent Guacamole from starting back up.
Installing/Enabling HTTP header authentication#
Guacamole is configured differently depending on whether Guacamole was installed natively or using the provided Docker images. The documentation here covers both methods.
Native installations of Guacamole under Apache Tomcat
or similar are configured by modifying the contents of GUACAMOLE_HOME
(Guacamole’s configuration directory), which is located at
/etc/guacamole by default and may need to be created first:
Download
guacamole-auth-header-1.6.0.tar.gzfrom the release page for Apache Guacamole 1.6.0 and extract it.Create the
GUACAMOLE_HOME/extensionsdirectory, if it does not already exist.Copy the
guacamole-auth-header-1.6.0.jarfile from the contents of the archive toGUACAMOLE_HOME/extensions/.Proceed with the configuring Guacamole for the newly installed extension as described below. The extension will be loaded after Guacamole has been restarted.
Note
Download and documentation links for all officially supported extensions for a particular version of Guacamole are always provided in the release notes for that version. The copy of the documentation you are reading now is from Apache Guacamole 1.6.0.
If you are using a different version of Guacamole, please locate that version within the release archives and consult the documentation for that release instead.
Docker installations of Guacamole include a bundled copy of Apache
Tomcat and are configured using environment
variables. The startup process of the Docker image automatically populates
GUACAMOLE_HOME (Guacamole’s configuration directory) based
on the values of these variables.
- If deploying Guacamole using Docker Compose:
You will need to add at least one relevant environment variable to the
environmentsection of yourguacamole/guacamolecontainer, such as theHTTP_AUTH_ENABLEDenvironment variable:HTTP_AUTH_ENABLED: "true"
- If instead deploying Guacamole by running
docker runmanually: The same environment variable(s) will need to be provided using the
-eoption. For example:$ docker run --name some-guacamole \ -e HTTP_AUTH_ENABLED="true" \ -d -p 8080:8080 guacamole/guacamole
If HTTP_AUTH_ENABLED is set to false, the extension will NOT be
installed, even if other related environment variables have been set. This can
be used to temporarily disable usage of an extension without needing to remove
all other related configuration.
You don’t strictly need to set HTTP_AUTH_ENABLED if other related
environment variables are provided, but the extension will be installed only if
at least one related environment variable is set.
Configuration (optional)#
This extension has no required properties. So long as you are satisfied with the default behavior/values noted below, this extension requires no configuration beyond installation.
http-auth-headerThe HTTP header containing the username of the authenticated user.
This property is optional. If not specified,
REMOTE_USERwill be used by default. If your authentication system uses a different HTTP header you can use this option to override it and specify the header for Guacamole to expect.
This extension has no required environment variables. So long as you are satisfied with the default behavior/values noted below, this extension requires no configuration beyond installation.
HTTP_AUTH_HEADERThe HTTP header containing the username of the authenticated user.
This property is optional. If not specified,
REMOTE_USERwill be used by default. If your authentication system uses a different HTTP header you can use this option to override it and specify the header for Guacamole to expect.
Completing installation#
Guacamole will only reread its configuration and load newly-installed extensions during startup, so Tomcat will need to be restarted before these changes can take effect. Restart Tomcat and give the new functionality a try.
You do not need to restart guacd.
Hint
If Guacamole does not come back online after restarting Tomcat, check the logs. Configuration problems may prevent Guacamole from starting up, and any such errors will be recorded in Tomcat’s logs.
The environment variables that configure the behavior of Docker can only be set at the time the Docker container is created. To apply these configuration changes, you will need to recreate the container.
- If your Guacamole container was deployed using Docker Compose:
Simply making the desired changes to your
docker-compose.ymland runningdocker compose upis sufficient. Docker Compose will automatically recognize that the environment variables of the container have changed and recreate it.- If your Guacamole container was deployed manually (using
docker run): You wll need to manually use
docker rmto remove the old container and then manually recreate it withdocker runand the new environment variables.
Hint
If Guacamole does not come back online after recreating the container, check the Docker logs. Configuration problems may prevent Guacamole from starting up, and any such errors will be recorded in the Docker logs for the Guacamole container.