Web Client address forward issue

I am running ThinLinc on a server in my home. I am however making it accessible via the internet through HAProxy. THE problem I am running into is this:

When I go to the web address I am presented with the ThinLinc login page. Good so far!

BUT when I log in the browser tries to redirect me to my local IP.

So far I changed the hostname in the administration page under VSM Agent Settings HOWEVER, it still tries to forward me to the hostname followed by the PORT 300. I can’t have it put the port 300 in the address after the hostname. My web address that is accessible on HAProxy is port 443… and HAProxy behind the scenes is accessing the ThinLinc client at ipaddress:300 (which is fine)… but the page after login cannot try to include the port 300 after the hostname.

I did try making changes in the webaccess.hconf file but that didn’t help the issue. Please advise… is there some source code somewhere I can modify to correct this?

Thanks,
Tony Stone

Hello @TonyStone

For you to have a chance of getting this to work, you’d need to rewrite all the content that is being generated by ThinLinc Webaccess. There’s an old blog post about how this can be done with Nginx; it’s fairly old but I still think it holds true today.

Perhaps it can give you some pointers on what to look at, and see if you can incorporate them into HAProxy?

Please keep in mind that these are internal aspects of ThinLinc so they are difficult for the administrator (you) to keep an eye on, and an upgrade of ThinLinc could lead to it not working if the url structure of ThinLinc Webaccess changes between releases.

With best regards,
Martin

HAProxy is essentially “re-serving” the web content generated by ThinLinc. The problem is the ThinLinc web client is doing non-standard stuff with adding a port number at the end of the web addresses it is serving up. I took a look at the nginx reverse proxy article but I am not seeing how to address the issue of the web client trying to redirect to its internal address…

The haproxy address is https://skyhop.com (on port 443) but the web client is trying to force the user to redirect to https://skyhop:300. It seems to me that if I could simply configure the address the ThinLinc web client will use in all of its HTML content I would have a working solution. It will let you set the hostname but it still insists on adding the port number at the end of the address. It probably should be an option to include the port number.

I think I may have come up with a solution for now… I basically created a frontend on ports 443 and 300… so unfortunately I had to open up port 300 on my firewall and allow incoming traffic on this port. I don’t feel very comfortable doing this but for now I will work with it to see if Cendio is gonna be an appropriate solution for my project. In the end I anticipate maybe as many as 100 users at a time. I really need to work on getting the server error sorted out now for the Desktop Customizer. Before I make any large financial commitments I need to see that this is gonna work in my environment. And it must work safely… I cannot put my current network at risk in any way. I will be back with many more questions soon. Thanks for your help. :)

Hi @TonyStone

I’m afraid Web Access does not have any extra support for adding a reverse proxy in front of it. So that proxy needs to be completely transparent to ThinLinc for things to work. Which unfortunately is non-trivial.

Is there any particular reason why you want to run Webaccess behind a proxy like this? Is it only for your home lab or is it also a requirement when you plan to go into production?

Best regards,
Martin

So last night I thought I had finally got it all working behind HA Proxy (which I run on my pfSense server)… but today that is broke! lol. So I will revisit that later tonight. The main reason I want it to run behind the proxy is because I have several domains I use to serve up web sites from my home lab. So yes… currently this is in my home lab but my goal is to get a production server up and running in a reliable server environment this year. I will actually be (or TRYING to be) running a free virtual desktop service so people can test out my favorite open source project ever! So this isn’t a profit thing at this point… it’s nothing SUPER CRITICAL but I do need to be sure it is secure. Anyhow… I think the Proxy issue can be tabled for now. I see I have a reply on my desktop customizer post, I am heading over to the thread now. Thanks for your time Martin.

Hi,

Your conversation describes the same problem that I have (see the post from today).
I do not want to add additional complexity, no need for a reverse proxy; however, I do not want to have the port number added.

Is there any solution to this?

Martin.

We do have a use case for this. All our services run behind Cloudflare and we have a central proxy for authentication and distributing the requests to all domains. In our setup services are also reachable by multiple names, and that would be a pain to set up when we can’t do it from a central server.

EDIT: To clarify: I am able to set this up with nginx using the instructions in the post you mention, it is just unfortunate that this does not work out of the box.