Authentication

[Igglybuff]

Is there a way to add some authentication to this? I'm running this container with an nginx reverse proxy container + letsencrypt companion container with its own subdomain on the public internet. It works great but anyone can use it while the container is running.

Great work though, this is very functional.

[coppit]

You're using the GUI version of FileBot? I can take a look, but the docker model is sorta like processes, which don't have that kind of authorization model.

…

On Tue, Aug 8, 2017 at 10:32 AM Ed Shelton ***@***.***> wrote: Is there a way to add some authentication to this? I'm running this container with an nginx reverse proxy container + letsencrypt companion container with its own subdomain on the public internet. It works great but anyone can use it while the container is running. Great work though, this is very functional. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#16>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAe0WcETMP2UZnsSUHp4NJbVHDo_j6Yfks5sWHGMgaJpZM4Ow0hB> .

[Igglybuff]

I'm using it from a web browser with Guac - perhaps there's some Guac authentication that can be enabled? I'd like to see a log-in form somewhere - I've avoided forwarding the RDP port when running the container so the only way to connect in this instance is via the web browser. Not familiar with Guac so excuse my ignorance 🙂

[Loader23]

If you are going to implement authentication you should also make it optional. So its not annoying for internal users ;-)

[Igglybuff]

Looking at the Guacamole documentation, the best option is probably this:

https://guacamole.incubator.apache.org/doc/gug/jdbc-auth.html

Which requires a MySQL or Postgres database for authentication. I guess I could spin up MariaDB in a separate container and make them talk.

EDIT: Actually it has some basic auth here:

https://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html#basic-auth

Which would be easier, just need to map Guacamole's configuration to the host.

[coppit]

Igglybuff, you want to expose this on the Internet, but not without security. Is that right? I don't want to complicate it with a mysql database, but I can look into basic auth. Would that be sufficient for you?

[Igglybuff]

Basic auth is achievable for me using my nginx reverse proxy which might be easier for some people:

https://github.com/jwilder/nginx-proxy#basic-authentication-support

@coppit It would be useful for other people to have basic auth setup documented + implemented but the above is my preferred method for my setup 🙂

[coppit]

EDIT: Actually it has some basic auth here:

It's not "basic auth" in the sense of HTTP basic auth. I played around with it a bit and couldn't get it to work. If anyone else wants to figure it out, where's what I did:

Create a file in the config dir called user-mapping.xml with this content:

<user-mapping>

    <!-- Per-user authentication and config information. Password is "PASSWORD" -->
    <authorize username="USERNAME" password="319f4d26e3c536b5dd871bb2c52e3178" encoding="md5">
        <protocol>rdp</protocol>
        <param name="hostname">localhost</param>
        <param name="port">3389</param>
        <param name="color-depth">16</param>
    </authorize>

</user-mapping>

Then edit /etc/guacamole/guacamole.properties, commenting out this line:

noauth-config: /etc/guacamole/noauth-config.xml

and adding this line:

user-mapping: /config/user-mapping.xml

The app link at http://tower:8082/#/client/c/Filebot complains that I need to be logged in, which makes sense. But going to the home (http://tower:8082/) to log in just shows a spinning gear for me.