====== Configure Guacamole ======
===== Main Install of Guacamole =====
Follow [[https://www.linuxbabe.com/ubuntu/apache-guacamole-remote-desktop-ubuntu-20-04|this guide]]. Some notes are below.
===== Build Guacamole Server App =====
<code bash>
sudo apt update
sudo apt install build-essential libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin libossp-uuid-dev libvncserver-dev freerdp2-dev libssh2-1-dev libtelnet-dev libwebsockets-dev libpulse-dev libvorbis-dev libwebp-dev libssl-dev libpango1.0-dev libswscale-dev libavcodec-dev libavutil-dev libavformat-dev
wget http://mirror.cc.columbia.edu/pub/software/apache/guacamole/1.2.0/source/guacamole-server-1.2.0.tar.gz
tar -xvf guacamole-server-1.2.0.tar.gz
cd guacamole-server-1.2.0
./configure --with-init-dir=/etc/init.d
sudo make
sudo make install
sudo ldconfig
sudo systemctl daemon-reload
sudo systemctl start guacd
sudo systemctl enable guacd
systemctl status guacd
</code>
===== Install Guacamole Web App =====
<code bash>
sudo apt install tomcat9 tomcat9-admin tomcat9-common tomcat9-user -y
wget https://downloads.apache.org/guacamole/1.2.0/binary/guacamole-1.2.0.war
sudo mv guacamole-1.2.0.war /var/lib/tomcat9/webapps/guacamole.war
sudo systemctl start tomcat9 guacd
sudo systemctl enable tomcat9 guacd
sudo systemctl restart tomcat9 guacd
</code>
===== Configure Guacamole =====
<code bash>
sudo mkdir /etc/guacamole/
sudo vi /etc/guacamole/guacamole.properties
</code>
''/etc/guacamole/guacamole.properties'':
<code>
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822
# Auth provider class (authenticates user/pass combination, needed if using the provided login screen)
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml
</code>
===== Set Users in Guacamole =====
This defines the logins for the Guacamole web app and which connections each login can access.
Generate the MD5 hash of a user's password (copy the hex string that is printed into the ''password'' attribute):
<code bash>
echo -n your_password | openssl md5
sudo vi /etc/guacamole/user-mapping.xml
</code>
''/etc/guacamole/user-mapping.xml'' (the username, the hash and the connection names are placeholders; only the connection parameters below were given):
<code xml>
<user-mapping>
    <authorize username="USERNAME" password="MD5_HASH_FROM_ABOVE" encoding="md5">
        <connection name="VNC">
            <protocol>vnc</protocol>
            <param name="hostname">192.168.1.2</param>
            <param name="port">5901</param>
            <param name="password">password01</param>
        </connection>
        <connection name="RDP">
            <protocol>rdp</protocol>
            <param name="hostname">192.168.1.3</param>
            <param name="port">3389</param>
            <param name="username">username</param>
            <param name="password">password02</param>
            <param name="security">nla</param>
            <!-- assumed parameter name: the page only shows the value "true" -->
            <param name="ignore-cert">true</param>
        </connection>
        <connection name="SSH">
            <protocol>ssh</protocol>
            <param name="hostname">192.168.1.1</param>
            <param name="port">22</param>
            <param name="username">username</param>
            <param name="password">password02</param>
        </connection>
    </authorize>
</user-mapping>
</code>
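As an added example (not from this page or the Guacamole project), the following builds the same ''user-mapping.xml'' with the md5 encoding described above and replays the login check the file provider performs on it. The connection names and the RDP ''ignore-cert'' parameter are assumptions; hosts, ports and connection passwords are the ones listed above.

```python
"""Build a Guacamole user-mapping.xml entry and check a login against it.
Added example, not from the page or the Guacamole project. Connection names
and the RDP "ignore-cert" parameter are assumptions."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

CONNECTIONS = [  # (name, protocol, params) as listed on the page
    ("VNC", "vnc", {"hostname": "192.168.1.2", "port": "5901",
                    "password": "password01"}),
    ("RDP", "rdp", {"hostname": "192.168.1.3", "port": "3389",
                    "username": "username", "password": "password02",
                    "security": "nla", "ignore-cert": "true"}),
    ("SSH", "ssh", {"hostname": "192.168.1.1", "port": "22",
                    "username": "username", "password": "password02"}),
]


def md5_hex(password: str) -> str:
    """Same hex digest as `echo -n password | openssl md5`."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_user_mapping(username: str, password: str) -> str:
    """user-mapping.xml text with one md5-encoded <authorize> entry."""
    root = ET.Element("user-mapping")
    auth = ET.SubElement(root, "authorize", username=username,
                         password=md5_hex(password), encoding="md5")
    for name, protocol, params in CONNECTIONS:
        conn = ET.SubElement(auth, "connection", name=name)
        ET.SubElement(conn, "protocol").text = protocol
        for key, value in params.items():
            ET.SubElement(conn, "param", name=key).text = value
    return ET.tostring(root, encoding="unicode")


def check_login(xml_text: str, username: str, password: str) -> list:
    """Connection names the login may use, or [] when the login fails.
    Repeats the file provider's check: md5 of the supplied password against
    the stored hex digest, case-insensitively and in constant time."""
    root = ET.fromstring(xml_text)
    for auth in root.findall("authorize"):
        if auth.get("username") != username:
            continue
        stored = auth.get("password", "").lower().encode("utf-8")
        supplied = md5_hex(password) if auth.get("encoding") == "md5" else password
        if hmac.compare_digest(stored, supplied.lower().encode("utf-8")):
            return [c.get("name") for c in auth.findall("connection")]
    return []
```

The connection passwords (''password01'', ''password02'') remain in clear text in this file, so keep it readable only by the Tomcat service account.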
===== Nginx =====
This Nginx configuration serves TLS on TCP-443 and redirects any TCP-80 traffic to TCP-443. The TLS parameters live in the snippet shown after the server blocks.
''/etc/nginx/conf.d/guacamole.conf''
<code nginx>
server {
    # SSL configuration
    #
    listen 443 ssl http2;
    listen [::]:443 ssl;
    include snippets/ssl-params.conf;
    server_name guacamole.example.local;

    location / {
        proxy_pass http://guacamole.example.local:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
    }

    error_page 404 /custom_404.html;
    location = /custom_404.html {
        root /usr/share/nginx/html;
        internal;
    }

    location ~ /\.ht {
        deny all;
    }
}

server {
    if ($host = guacamole.example.local) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name guacamole.example.local;
    return 404;
}
</code>
<code bash>
sudo openssl dhparam -out /etc/nginx/certs/certsdhparam.pem 4096
</code>
''/etc/nginx/snippets/ssl-params.conf''
<code nginx>
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/certs/certsdhparam.pem;
# Only real OpenSSL suite names are listed: the SHA512 variants that often
# appear in copied configs (e.g. ECDHE-RSA-AES256-GCM-SHA512) do not exist
# and OpenSSL silently drops them.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve secp384r1;
ssl_certificate /etc/nginx/certs/certificatefile.pem;
ssl_certificate_key /etc/nginx/certs/certificatekeyfile.pem;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
# Chain used to verify stapled OCSP responses (see the file list below)
ssl_trusted_certificate /etc/nginx/certs/certificatechain.pem;
resolver 1.1.1.1 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Remove X-Powered-By, which is an information leak. Tomcat is reached via
# proxy_pass, so proxy_hide_header is the directive that applies here.
fastcgi_hide_header X-Powered-By;
proxy_hide_header X-Powered-By;
</code>
- ''/etc/nginx/certs/certsdhparam.pem'' Diffie-Hellman parameters for the DHE cipher suites. Generate with ''openssl dhparam -out /etc/nginx/certs/certsdhparam.pem 4096''.
- ''/etc/nginx/certs/certificatefile.pem'' The certificate of guacamole.example.local.
- ''/etc/nginx/certs/certificatekeyfile.pem'' The unencrypted private key of guacamole.example.local.
- ''/etc/nginx/certs/certificatechain.pem'' The certificate of guacamole.example.local followed, in the same file, by the intermediate and then the root certificate to form a full chain. This is used for OCSP stapling.
===== Tidy Up =====
You can change the login screen icon by replacing ''/var/lib/tomcat9/webapps/guacamole/images/guac-tricolor.png''.
You can change the favicon by replacing ''/var/lib/tomcat9/webapps/guacamole/images/logo-144.png''.
You can change the text on the login screen by editing ''/var/lib/tomcat9/webapps/guacamole/translations/en.json'' and changing the value of the "NAME" field (7th line down?).
These files sit inside the exploded WAR under ''webapps/'', so they are overwritten when the WAR is redeployed or upgraded.
===== Enable Database Authentication =====
Download ''mysql-connector-java_8.0.21-1ubuntu20.04_all.deb'' from https://dev.mysql.com/downloads/connector/j/ and install it, then put the JDBC driver and the Guacamole MySQL auth extension where Guacamole looks for them:
<code bash>
sudo dpkg -i mysql-connector-java_8.0.21-1ubuntu20.04_all.deb
sudo mkdir -p /etc/guacamole/extensions
sudo mkdir -p /etc/guacamole/lib
sudo cp /usr/share/java/mysql-connector-java-* /etc/guacamole/lib
wget "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.2.0/binary/guacamole-auth-jdbc-1.2.0.tar.gz"
mv ./"closer.cgi?action=download&filename=guacamole%2F1.2.0%2Fbinary%2Fguacamole-auth-jdbc-1.2.0.tar.gz" guacamole-auth-jdbc-1.2.0.tar.gz
tar -xzf guacamole-auth-jdbc-1.2.0.tar.gz
sudo cp ./guacamole-auth-jdbc-1.2.0/mysql/guacamole-auth-jdbc-mysql-1.2.0.jar /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-1.2.0.jar
</code>
Install MySQL and create the database and a least-privilege user for Guacamole:
<code bash>
sudo apt install mysql-server
sudo mysql_secure_installation
mysql -u root -p
</code>
<code sql>
CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'somepassword';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
FLUSH PRIVILEGES;
quit
</code>
Load the schema (the scripts are numbered, so ''cat'' applies them in order):
<code bash>
ls ./guacamole-auth-jdbc-1.2.0/mysql/schema/
cat ./guacamole-auth-jdbc-1.2.0/mysql/schema/*.sql | mysql -u root -p guacamole_db
</code>
<code bash>
sudo vi /etc/guacamole/guacamole.properties
</code>
''/etc/guacamole/guacamole.properties'':
<code>
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822
# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider
# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: somepassword
# Refuse to let two different users use the same connection at the same time
mysql-disallow-simultaneous-connections: true
# Allow the same user to open one connection more than once concurrently
mysql-disallow-duplicate-connections: false
</code>
<code bash>
sudo systemctl restart tomcat9 guacd
</code>
The default Guacamole user created by the provided SQL scripts is ''guacadmin'', with a default password of ''guacadmin''; change it at first login. Active sessions can be reviewed under Settings -> Sessions, e.g. https://mole.stafford.local/#/settings/sessions
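The JDBC extension stores each password as SHA-256 over the password followed by the upper-case hex of a per-user 32-byte salt. As an added example (not from this page or the Guacamole project, and assuming the 1.2.0 MySQL schema's ''guacamole_user'' / ''guacamole_entity'' table and column names), this computes that hash and emits the UPDATE statement that replaces the default ''guacadmin'' password:

```python
"""Salted SHA-256 hash used by the Guacamole JDBC extension, plus the SQL that
resets a user's password with it. Added example, not project code; assumes the
1.2.0 MySQL schema names guacamole_user / guacamole_entity."""
import hashlib
import hmac
import os
import re


def jdbc_password_hash(password: str, salt: bytes) -> bytes:
    """SHA-256 over the password followed by the UPPER-CASE hex of the salt;
    this is what is compared against guacamole_user.password_hash."""
    return hashlib.sha256((password + salt.hex().upper()).encode("utf-8")).digest()


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    return hmac.compare_digest(jdbc_password_hash(password, salt), stored_hash)


def reset_password_sql(username: str, password: str, salt=None) -> str:
    """UPDATE statement replacing the hash, salt and password date of an
    existing user such as the default guacadmin account. A fresh random
    32-byte salt is generated unless one is supplied (fixed salts are for tests)."""
    if not re.fullmatch(r"[A-Za-z0-9_.@-]+", username):
        raise ValueError("username must be a plain identifier")  # safe to embed
    if salt is None:
        salt = os.urandom(32)
    if len(salt) != 32:
        raise ValueError("salt must be 32 bytes, matching BINARY(32)")
    digest = jdbc_password_hash(password, salt)
    return (
        "UPDATE guacamole_user SET "
        f"password_hash = x'{digest.hex().upper()}', "
        f"password_salt = x'{salt.hex().upper()}', "
        "password_date = NOW() "
        "WHERE entity_id = (SELECT entity_id FROM guacamole_entity "
        f"WHERE name = '{username}' AND type = 'USER');"
    )


if __name__ == "__main__":
    print(reset_password_sql("guacadmin", "REPLACE-WITH-NEW-PASSWORD"))
```

Run the printed statement as the MySQL root user against ''guacamole_db''.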
===== Identify Version of Guacamole Installed =====
[[http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Guacamole-Version-identification-td7741.html|From here]].
<code bash>
curl -s -L https://url_of_server.local | grep -oE 'app\.js\?v=[^"]*' | awk -F= '{print $2}'
</code>
===== Windows Server 2019 =====
The Guacamole 1.2.0 RDP client cannot connect to Windows Server 2019 with the default setting, under which Windows Server 2019 attempts to negotiate the security layer. To get Guacamole 1.2.0 to work you must set the following Group Policy:
''Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> Require use of specific security layer for remote (RDP) connections'': Enabled, security layer set to RDP.
For Guacamole 0.9.14 you must leave it at the default of Negotiate:
''Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> Require use of specific security layer for remote (RDP) connections'': Enabled, security layer set to Negotiate.