GUACAMOLE-1746: Docker Allow usage of custom keystore and custom certificat

[ronansalmon]

The start script handles custom keystore/certificat.

[necouchman]

A few spelling corrections, but I'm also concerned about the nature of the instructions added to the README.md file.

The instructions seem to cover a scenario where you're running guacd natively on a system but you're running guacamole-client in a Docker container. This is a perfectly valid scenario; however, I'm not sure that the README for guacamole-client within Docker should include instructions that are specific to guacd - either Docker-based or natively installed. It might be better to document that in either the gaucamole-server repo or the Docker chapter in the User Guide (guacamole-manual), and just put a note, here, that refers people to one of those two places?

[necouchman]

I suspect we should document this somewhere in the Guacamole User Guide (Manual), and link to that instead of linking directly to the Github repository.

[necouchman]

@ronansalmon Any chance we can wrap this one up?

[ronansalmon]

Hey !
This PR is linked to apache/guacamole-server#419.
I was waiting for the PR 419 to be merged (if accepted) to go any further.

So, how should we proceed ?

[sirux88]

I would add some thoughts:
1) What is the environment variabale GUACD_SSL for? As far as I can see it's not used on guacamole-client nor on guacamole-server anywhere (except within the changed files). Seems obsolete to me
2) Maybe the environment variables GUACD_SSL_KEYSTORE_FILE and GUACD_SSL_KEYSTORE_PASS should be renamed to something fitting better to their true purpose like JAVA_KEYSTORE_FILE and JAVA_KEYSTORE_PASS

For reference: I had a similar approach here sirux88@e02d2be. My use case was using a self signed cert for LDAP

[mike-jumper]

The GUACD_SSL environment variable controls the guacd-ssl property, which is used to enable SSL/TLS encryption between the webapp and guacd. It's uncommon to use this, as that communication is typically purely over loopback or at least on a trusted network route, but it's not obsolete.

[sirux88]

The GUACD_SSL environment variable controls the guacd-ssl property, which is used to enable SSL/TLS encryption between the webapp and guacd. It's uncommon to use this, as that communication is typically purely over loopback or at least on a trusted network route, but it's not obsolete.

I still can't find it. But if you're saying it's used I'm ok with this

[mike-jumper]

The GUACD_SSL environment variable controls the guacd-ssl property, which is used to enable SSL/TLS encryption between the webapp and guacd. It's uncommon to use this, as that communication is typically purely over loopback or at least on a trusted network route, but it's not obsolete.

I still can't find it. But if you're saying it's used I'm ok with this

For reference, here's the code path:

Property Declaration (standardized as part of guacamole-ext)

guacamole-client/guacamole-ext/src/main/java/org/apache/guacamole/environment/Environment.java

Lines 61 to 69 in ac6e501

	/**
	* Whether guacd requires SSL/TLS on connections.
	*/
	public static final BooleanGuacamoleProperty GUACD_SSL = new BooleanGuacamoleProperty() {
	@Override
	public String getName() { return "guacd-ssl"; }
	};

Property Retrieval (via a GuacamoleProxyConfiguration from LocalEnvironment)

guacamole-client/guacamole-ext/src/main/java/org/apache/guacamole/environment/LocalEnvironment.java

Lines 379 to 390 in ac6e501

	@Override
	public GuacamoleProxyConfiguration getDefaultGuacamoleProxyConfiguration()
	throws GuacamoleException {
	// Parse guacd hostname/port/ssl properties
	return new GuacamoleProxyConfiguration(
	getProperty(Environment.GUACD_HOSTNAME, DEFAULT_GUACD_HOSTNAME),
	getProperty(Environment.GUACD_PORT, DEFAULT_GUACD_PORT),
	getProperty(Environment.GUACD_SSL, DEFAULT_GUACD_SSL)
	);
	}

(Voluntary) Usage of Retrieved Values

Implementations aren't strictly required to use getDefaultGuacamoleProxyConfiguration(), but most do, either explicitly or implicitly via SimpleConnection.

guacamole-client/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/simple/SimpleConnection.java

Line 206 in ac6e501

GuacamoleProxyConfiguration proxyConfig = environment.getDefaultGuacamoleProxyConfiguration();

guacamole-client/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-base/src/main/java/org/apache/guacamole/auth/jdbc/connection/ModeledConnection.java

Line 462 in ac6e501

GuacamoleProxyConfiguration defaultConfig = environment.getDefaultGuacamoleProxyConfiguration();

etc.

[ronansalmon]

I would add some thoughts: 1) What is the environment variabale GUACD_SSL for? As far as I can see it's not used on guacamole-client nor on guacamole-server anywhere (except within the changed files). Seems obsolete to me 2) Maybe the environment variables GUACD_SSL_KEYSTORE_FILE and GUACD_SSL_KEYSTORE_PASS should be renamed to something fitting better to their true purpose like JAVA_KEYSTORE_FILE and JAVA_KEYSTORE_PASS

@sirux88 Done