Follow this guide. Some notes are below.
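sudo apt update
sudo apt install build-essential libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin libossp-uuid-dev libvncserver-dev freerdp2-dev libssh2-1-dev libtelnet-dev libwebsockets-dev libpulse-dev libvorbis-dev libwebp-dev libssl-dev libpango1.0-dev libswscale-dev libavcodec-dev libavutil-dev libavformat-dev
# The source tarball is fetched from a plain-HTTP mirror: check it against the
# checksum/signature published on downloads.apache.org before building it.
wget http://mirror.cc.columbia.edu/pub/software/apache/guacamole/1.2.0/source/guacamole-server-1.2.0.tar.gz
tar -xvf guacamole-server-1.2.0.tar.gz
cd guacamole-server-1.2.0
# The SysV script is picked up by systemd's compatibility generator (hence the
# daemon-reload below). NOTE(review): --with-systemd-dir=/etc/systemd/system
# installs a native unit instead — confirm which is preferred for this host.
./configure --with-init-dir=/etc/init.d
# Build as the unprivileged user; only the install step needs root.
make
sudo make install
sudo ldconfig
sudo systemctl daemon-reload
sudo systemctl enable --now guacd
systemctl status guacd
# tomcat9-admin installs the manager/host-manager webapps, which are extra attack
# surface; leave it out unless those consoles are actually needed.
sudo apt install tomcat9 tomcat9-admin tomcat9-common tomcat9-user -y
# Verify the war against the published checksum/signature as well.
wget https://downloads.apache.org/guacamole/1.2.0/binary/guacamole-1.2.0.war
sudo mv guacamole-1.2.0.war /var/lib/tomcat9/webapps/guacamole.war
sudo systemctl enable --now tomcat9 guacd
# Restart so Tomcat deploys the war that was just dropped into webapps.
sudo systemctl restart tomcat9 guacd
# guacamole.properties and user-mapping.xml live here (contents follow).
sudo mkdir -p /etc/guacamole/
sudo vi /etc/guacamole/guacamole.properties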
# Hostname and port of guacamole proxy
# guacd is reached over plain TCP on the loopback interface; the port here must
# match what guacd is listening on.
guacd-hostname: localhost
guacd-port: 4822
# Auth provider class (authenticates user/pass combination, needed if using the provided login screen)
# NOTE(review): newer Guacamole releases load user-mapping.xml from GUACAMOLE_HOME
# automatically; confirm these two legacy properties are still required for 1.2.0.
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml
This file defines the logins for the Guacamole web app and the connections each login is allowed to open.
Generate the MD5 hash of the user's password (copy only the hex digest that is printed).
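# Hash the password for user-mapping.xml. Reading it with 'read -rs' keeps it out
# of shell history and 'ps' output, which 'echo -n your_password' does not.
# The hex digest (the part after "(stdin)= ") goes into the password="" attribute.
# MD5 is kept here to match encoding="md5" in the file below; Guacamole's
# user-mapping also accepts encoding="sha256" (openssl dgst -sha256), which is
# the better choice for a new setup.
read -rs -p 'Password to hash: ' guac_pw && printf '\n'
printf '%s' "$guac_pw" | openssl md5
unset guac_pw
sudo vi /etc/guacamole/user-mapping.xml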
<!--
  user-mapping.xml: one <authorize> element per Guacamole login, listing the
  connections that login may open. The target-host credentials below are stored
  in clear text, so keep this file readable only by root and the account Tomcat
  runs as.
-->
<user-mapping>
  <!-- Per-user authentication and config information -->
  <!-- password is the hex digest produced by the openssl command above.
       NOTE(review): encoding="sha256" is also accepted and preferable to md5. -->
  <authorize
    username="username"
    password="themd5hashpasswordoaf9023jhf83hf"
    encoding="md5">
    <!-- VNC target: authenticated with the VNC password only. -->
    <connection name="lin01">
      <protocol>vnc</protocol>
      <param name="hostname">192.168.1.2</param>
      <param name="port">5901</param>
      <param name="password">password01</param>
    </connection>
    <!-- RDP target. ignore-cert=true makes the client accept the host's
         certificate without validating it, so a spoofed host would be accepted;
         set it to false once the hosts have certificates the client can verify.
         NOTE(review): the Windows Server 2019 note at the end of this guide
         forces the RDP security layer on the host; confirm that "nla" still
         matches that host's policy. -->
    <connection name="win01">
      <protocol>rdp</protocol>
      <param name="hostname">192.168.1.3</param>
      <param name="port">3389</param>
      <param name="username">username</param>
      <param name="password">password02</param>
      <param name="security">nla</param>
      <param name="ignore-cert">true</param>
    </connection>
    <!-- SSH target. The sample reuses password02 from win01; use distinct
         credentials per host in a real deployment. -->
    <connection name="lin01-ssh">
      <protocol>ssh</protocol>
      <param name="hostname">192.168.1.1</param>
      <param name="port">22</param>
      <param name="username">username</param>
      <param name="password">password02</param>
    </connection>
  </authorize>
</user-mapping>
This configuration of Nginx will host a TLS connection on TCP-443 as well as redirecting any TCP-80 traffic to TCP-443. The TLS configuration is below.
/etc/nginx/conf.d/guacamole.conf
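# HTTPS front end for the Guacamole web app (Tomcat on :8080).
server {
  # TLS listeners; protocols, ciphers and headers come from the shared snippet.
  # http2 is enabled on both address families (the original enabled it on IPv4 only).
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  include snippets/ssl-params.conf;
  server_name guacamole.example.local;

  location / {
    # Tomcat serves the app under /guacamole/; it is remapped to / here.
    # NOTE(review): Tomcat is reached through the public hostname, so port 8080
    # must be blocked from outside (host firewall) or Tomcat bound to loopback —
    # otherwise this TLS front end can be bypassed over plain HTTP.
    proxy_pass http://guacamole.example.local:8080/guacamole/;
    # Guacamole's reverse-proxy docs require unbuffered responses.
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # WebSocket upgrade pass-through.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    # Rewrite the session cookie path so the browser sends it for the remapped root.
    proxy_cookie_path /guacamole/ /;
  }

  error_page 404 /custom_404.html;
  location = /custom_404.html {
    root /usr/share/nginx/html;
    internal;
  }

  # Never serve Apache-style .ht* files (a no-op behind proxy_pass, kept for defence in depth).
  location ~ /\.ht {
    deny all;
  }
}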
# Plain-HTTP listener: redirect the published hostname to HTTPS, answer 404 to anything else.
server {
  listen 80;
  listen [::]:80;
  server_name guacamole.example.local;

  # Only the published hostname is redirected; requests carrying another Host
  # header (address scans, stray vhosts) receive a 404 instead of a redirect.
  if ($host = guacamole.example.local) {
    return 301 https://$host$request_uri;
  }

  return 404;
}
# 4096-bit DH parameters for the DHE suites in ssl-params.conf; this takes several minutes.
# NOTE(review): /etc/nginx/certs is not created anywhere in this guide — make sure it exists.
sudo openssl dhparam -out /etc/nginx/certs/certsdhparam.pem 4096
/etc/nginx/snippets/ssl-params.conf
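# Shared TLS settings, included from each HTTPS server block.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/certs/certsdhparam.pem;
# NOTE(review): the *-SHA512 names are not standard OpenSSL suite names and are
# probably ignored; check the effective list with `openssl ciphers -v`. TLSv1.3
# suites are not governed by this directive.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
# NOTE(review): pins a single curve (excludes X25519) — confirm this is intended.
ssl_ecdh_curve secp384r1;
ssl_certificate /etc/nginx/certs/certificatefile.pem;
ssl_certificate_key /etc/nginx/certs/certificatekeyfile.pem;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# OCSP stapling.
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
# NOTE(review): the notes following this file call the chain file
# certificatechain.pem; the name here differs — point this at the real full-chain file.
ssl_trusted_certificate /etc/nginx/certs/fullchain.pem;
# Resolver used for the OCSP responder lookup (external DNS; use an internal
# resolver if policy requires it).
resolver 1.1.1.1 valid=300s;
resolver_timeout 5s;
# Security headers. nginx does not inherit add_header into a location that
# declares its own add_header; 'always' adds the header on error responses too.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
# Legacy header, sent once (the original listed it twice). Modern browsers
# ignore it; a Content-Security-Policy is the current replacement.
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Remove X-Powered-By, which is an information leak. The upstream is reached via
# proxy_pass, so proxy_hide_header is the directive that applies here —
# fastcgi_hide_header only affects FastCGI upstreams and would do nothing.
proxy_hide_header X-Powered-By;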
/etc/nginx/certs/certsdhparam.pem — used for strong TLS. Generate with: openssl dhparam -out /etc/nginx/certs/certsdhparam.pem 4096
/etc/nginx/certs/certificatefile.pem — the certificate of guacamole.example.local.
/etc/nginx/certs/certificatekeyfile.pem — the unencrypted private key of guacamole.example.local; keep it owned by root with mode 0600.
/etc/nginx/certs/certificatechain.pem — the certificate of guacamole.example.local followed, in the same file, by the intermediate and then the root certificate to form a full chain. This is used for OCSP stapling.
You can edit the login screen icon by replacing the following PNG file
/var/lib/tomcat9/webapps/guacamole/images/guac-tricolor.png
You can edit the favicon by replacing the following PNG file
/var/lib/tomcat9/webapps/guacamole/images/logo-144.png
You can change the login-screen text by editing the following file and changing the value of its “NAME” field (around the 7th line).
/var/lib/tomcat9/webapps/guacamole/translations/en.json
Download mysql-connector-java_8.0.21-1ubuntu20.04_all.deb from https://dev.mysql.com/downloads/connector/j/
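# Verify the connector .deb against the checksum/signature published on
# dev.mysql.com first — dpkg -i does not authenticate a locally downloaded package.
sudo dpkg -i mysql-connector-java_8.0.21-1ubuntu20.04_all.deb
sudo mkdir -p /etc/guacamole/extensions
sudo mkdir -p /etc/guacamole/lib
sudo cp /usr/share/java/mysql-connector-java-* /etc/guacamole/lib
# -O fixes the output file name; the original relied on wget saving the download
# under the URL-encoded "closer.cgi?..." name and renaming it afterwards.
# closer.cgi hands the download to an arbitrary mirror over plain HTTP, so check
# the archive against the checksum/signature on downloads.apache.org before extracting.
wget -O guacamole-auth-jdbc-1.2.0.tar.gz "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.2.0/binary/guacamole-auth-jdbc-1.2.0.tar.gz"
tar -xzf guacamole-auth-jdbc-1.2.0.tar.gz
sudo cp ./guacamole-auth-jdbc-1.2.0/mysql/guacamole-auth-jdbc-mysql-1.2.0.jar /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-1.2.0.jar
sudo apt install mysql-server
sudo mysql_secure_installation
# Create the database and a least-privilege user (the interactive session is
# replaced by a here-doc). Replace 'somepassword' with a generated secret and use
# the same value for mysql-password in guacamole.properties.
mysql -u root -p <<'SQL'
CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'somepassword';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
FLUSH PRIVILEGES;
SQL
ls ./guacamole-auth-jdbc-1.2.0/mysql/schema/
# The glob expands in sorted order; check the listing above to confirm the
# schema files are numbered so that this is the intended load order.
cat ./guacamole-auth-jdbc-1.2.0/mysql/schema/*.sql | mysql -u root -p guacamole_db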
# Switch guacamole.properties to the JDBC provider (contents follow). The file
# now holds the database password, so restrict it to root and the account Tomcat
# runs as (e.g. mode 0640).
sudo vi /etc/guacamole/guacamole.properties
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822
# Auth provider class
# NOTE(review): newer Guacamole releases load extensions from
# /etc/guacamole/extensions automatically; confirm this property is still
# required for 1.2.0.
auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider
# MySQL properties
# mysql-password is stored in clear text here and must match the password given
# to 'guacamole_user' in the CREATE USER statement above.
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: somepassword
# MySQL
mysql-disallow-simultaneous-connections: true
# MySQL
mysql-disallow-duplicate-connections: false
# Restart so Tomcat loads the new extension jar, the connector library and the
# edited properties; guacd is restarted alongside it as in the earlier steps.
sudo systemctl restart tomcat9 guacd
The default Guacamole user created by the provided SQL scripts is guacadmin, with a default password of guacadmin; change that password (or replace the account) immediately after first login, since it is a published default.
https://mole.stafford.local/#/settings/sessions
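#######################################
# Print the Guacamole web-app version advertised by the login page.
# The page references app.js?v=<version>; this extracts <version> so the
# deployed release can be inventoried.
# Arguments: none (reads the page HTML on stdin)
# Outputs:   the version string, one per match, to stdout
# Returns:   grep's status (1 when no app.js?v= reference is found)
#######################################
guac_web_version() {
  # [^"]+ stops at the closing quote; the original's greedy .*" then needed
  # sed to strip the quote again.
  grep -oE 'app\.js\?v=[^"]+' | cut -d= -f2
}

# -f: fail on HTTP errors instead of parsing an error page; -sS: quiet, but
# still report failures on stderr.
curl -fsSL https://url_of_server.local | guac_web_version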
Guacamole 1.2.0's RDP client fails against Windows Server 2019, which by default negotiates the security layer with the client. To make Guacamole 1.2.0 work you must set the following Group Policy on that host. Note that forcing the RDP security layer removes the TLS-based protection for every client of that host, so treat it as a downgrade and revisit it once a fixed Guacamole release is in use.
Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security → Require use of specific security layer for remote (RDP) connections — Enabled, with the security layer set to RDP
For Guacamole 0.9.14 you must leave this policy at its default of Negotiate:
Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security → Require use of specific security layer for remote (RDP) connections — Enabled, with the security layer set to Negotiate