Configure Guacamole
Main Install of Guacamole
Follow this guide. Some notes are below.
Build Guacamole Server App
sudo apt update
sudo apt install build-essential libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin libossp-uuid-dev libvncserver-dev freerdp2-dev libssh2-1-dev libtelnet-dev libwebsockets-dev libpulse-dev libvorbis-dev libwebp-dev libssl-dev libpango1.0-dev libswscale-dev libavcodec-dev libavutil-dev libavformat-dev
wget http://mirror.cc.columbia.edu/pub/software/apache/guacamole/1.2.0/source/guacamole-server-1.2.0.tar.gz
tar -xvf guacamole-server-1.2.0.tar.gz
cd guacamole-server-1.2.0
./configure --with-init-dir=/etc/init.d
sudo make
sudo make install
sudo ldconfig
sudo systemctl daemon-reload
sudo systemctl start guacd
sudo systemctl enable guacd
systemctl status guacd
Install Guacamole Web App
sudo apt install tomcat9 tomcat9-admin tomcat9-common tomcat9-user -y
wget https://downloads.apache.org/guacamole/1.2.0/binary/guacamole-1.2.0.war
sudo mv guacamole-1.2.0.war /var/lib/tomcat9/webapps/guacamole.war
sudo systemctl start tomcat9 guacd
sudo systemctl enable tomcat9 guacd
sudo systemctl restart tomcat9 guacd
Configure Guacamole
sudo mkdir /etc/guacamole/
sudo vi /etc/guacamole/guacamole.properties
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822

# Auth provider class (authenticates user/pass combination, needed if using the provided login screen)
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml
Set Users in Guacamole
This defines the list of logins for the Guacamole web app and which connections each login can access.
Generate the MD5 hash of the user's password (copy only the hex string that openssl prints after "(stdin)=").
echo -n your_password | openssl md5
sudo vi /etc/guacamole/user-mapping.xml
<user-mapping>
    <!-- Per-user authentication and config information -->
    <authorize
        username="username"
        password="themd5hashpasswordoaf9023jhf83hf"
        encoding="md5">
        <connection name="lin01">
            <protocol>vnc</protocol>
            <param name="hostname">192.168.1.2</param>
            <param name="port">5901</param>
            <param name="password">password01</param>
        </connection>
        <connection name="win01">
            <protocol>rdp</protocol>
            <param name="hostname">192.168.1.3</param>
            <param name="port">3389</param>
            <param name="username">username</param>
            <param name="password">password02</param>
            <param name="security">nla</param>
            <param name="ignore-cert">true</param>
        </connection>
        <connection name="lin01-ssh">
            <protocol>ssh</protocol>
            <param name="hostname">192.168.1.1</param>
            <param name="port">22</param>
            <param name="username">username</param>
            <param name="password">password02</param>
        </connection>
    </authorize>
</user-mapping>
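An added example (not part of the original page or the Guacamole project) that reproduces the hash step above, parses a user-mapping.xml in the same shape, verifies a login against it, and flags the two things a reviewer of this file would notice: a login stored without md5 encoding and connection passwords stored in clear text. The sample XML is constructed, and alice's hash is MD5("abc").

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
# Constructed sample in the shape of user-mapping.xml; alice's hash is MD5("abc").
SAMPLE = """<user-mapping>
  <authorize username="alice" password="900150983cd24fb0d6963f7d28e17f72" encoding="md5">
    <connection name="lin01">
      <protocol>vnc</protocol>
      <param name="hostname">192.168.1.2</param>
      <param name="password">password01</param>
    </connection>
  </authorize>
  <authorize username="bob" password="plaintext-secret"/>
</user-mapping>"""

def md5_hex(password):
    # Same digest as `echo -n password | openssl md5` (the hex after "(stdin)= ").
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def parse_user_mapping(xml_text):
    # Map each <authorize> entry to its login credential and the connections it grants.
    users = {}
    for auth in ET.fromstring(xml_text).findall("authorize"):
        conns = [{"name": c.get("name"), "protocol": c.findtext("protocol", ""),
                  "params": {p.get("name"): (p.text or "") for p in c.findall("param")}}
                 for c in auth.findall("connection")]
        users[auth.get("username")] = {"password": auth.get("password", ""),
                                       # a missing encoding attribute means plaintext
                                       "encoding": auth.get("encoding", "plain"),
                                       "connections": conns}
    return users

def check_login(users, username, password):
    # Verify a login the way the basic file provider does (md5 or plain comparison).
    entry = users.get(username)
    if entry is None:
        return False
    candidate = md5_hex(password) if entry["encoding"] == "md5" else password
    return hmac.compare_digest(candidate.encode(), entry["password"].encode())

def audit(users):
    # Findings worth fixing before this file goes on a server.
    findings = []
    for name, entry in users.items():
        if entry["encoding"] != "md5":
            findings.append(f"{name}: login password is not md5 encoded")
        for c in entry["connections"]:
            if "password" in c["params"]:
                findings.append(f"{name}/{c['name']}: connection password stored in clear text")
    return findings
```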
Nginx
This configuration of Nginx will host a TLS connection on TCP-443 as well as redirecting any TCP-80 traffic to TCP-443. The TLS configuration is below.
/etc/nginx/conf.d/guacamole.conf
server {
    # SSL configuration
    #
    listen 443 ssl http2;
    listen [::]:443 ssl;
    include snippets/ssl-params.conf;
    server_name guacamole.example.local;

    location / {
        proxy_pass http://guacamole.example.local:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
    }

    error_page 404 /custom_404.html;
    location = /custom_404.html {
        root /usr/share/nginx/html;
        internal;
    }

    location ~ /\.ht {
        deny all;
    }
}

server {
    if ($host = guacamole.example.local) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name guacamole.example.local;
    return 404;
}
sudo openssl dhparam -out /etc/nginx/certs/certsdhparam.pem 4096
/etc/nginx/snippets/ssl-params.conf
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/certs/certsdhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_ecdh_curve secp384r1;
ssl_certificate /etc/nginx/certs/certificatefile.pem;
ssl_certificate_key /etc/nginx/certs/certificatekeyfile.pem;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
ssl_trusted_certificate /etc/nginx/certs/fullchain.pem;
resolver 1.1.1.1 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
Files referenced above:
/etc/nginx/certs/certsdhparam.pem - Used for strong TLS. Generate with: openssl dhparam -out /etc/nginx/certs/certsdhparam.pem 4096
/etc/nginx/certs/certificatefile.pem - This is the certificate of guacamole.example.local.
/etc/nginx/certs/certificatekeyfile.pem - This is the unencrypted private key of guacamole.example.local.
/etc/nginx/certs/certificatechain.pem - This is the certificate of guacamole.example.local followed, in the same file, by the intermediate and then the root certificate to form a full chain. This is used for OCSP stapling.
Tidy Up
You can edit the login screen icon by replacing the following PNG file
/var/lib/tomcat9/webapps/guacamole/images/guac-tricolor.png
You can edit the favicon by replacing the following PNG file
/var/lib/tomcat9/webapps/guacamole/images/logo-144.png
You can edit the text on the login screen by editing the following file and changing the value of the “NAME” field (7th line down?)
/var/lib/tomcat9/webapps/guacamole/translations/en.json
Enable Database Authentication
Download mysql-connector-java_8.0.21-1ubuntu20.04_all.deb from https://dev.mysql.com/downloads/connector/j/
sudo dpkg -i mysql-connector-java_8.0.21-1ubuntu20.04_all.deb
sudo mkdir -p /etc/guacamole/extensions
sudo mkdir -p /etc/guacamole/lib
sudo cp /usr/share/java/mysql-connector-java-* /etc/guacamole/lib
wget "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.2.0/binary/guacamole-auth-jdbc-1.2.0.tar.gz"
mv ./"closer.cgi?action=download&filename=guacamole%2F1.2.0%2Fbinary%2Fguacamole-auth-jdbc-1.2.0.tar.gz" guacamole-auth-jdbc-1.2.0.tar.gz
tar -xzf guacamole-auth-jdbc-1.2.0.tar.gz
sudo cp ./guacamole-auth-jdbc-1.2.0/mysql/guacamole-auth-jdbc-mysql-1.2.0.jar /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-1.2.0.jar
sudo apt install mysql-server
sudo mysql_secure_installation
mysql -u root -p
CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'somepassword';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
FLUSH PRIVILEGES;
quit
ls ./guacamole-auth-jdbc-1.2.0/mysql/schema/
cat ./guacamole-auth-jdbc-1.2.0/mysql/schema/*.sql | mysql -u root -p guacamole_db
sudo vi /etc/guacamole/guacamole.properties
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822

# Auth provider class
auth-provider: net.sourceforge.guacamole.net.auth.mysql.MySQLAuthenticationProvider

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: somepassword

# MySQL
mysql-disallow-simultaneous-connections: true
# MySQL
mysql-disallow-duplicate-connections: false
sudo systemctl restart tomcat9 guacd
The default Guacamole user created by the provided SQL scripts is guacadmin, with a default password of guacadmin.
https://mole.stafford.local/#/settings/sessions
Identify Version of Guacamole Installed
curl -s -L https://url_of_server.local | grep -oE 'app.js\?v=.*"' | awk -F'=' '{print $2}' | sed 's/"//g'
Windows Server 2019
The Guacamole 1.2.0 RDP client is broken when talking to Windows Server 2019, because by default Windows Server 2019 attempts to negotiate the security layer of the connection. To get Guacamole 1.2.0 to work you must set the following Group Policy:
Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Service → Remote Desktop Session Host → Security → Require use of specific security layer for remote (RDP) connections - Enable and set to RDP
For Guacamole 0.9.14 you must configure it to the default of negotiate:
Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Service → Remote Desktop Session Host → Security → Require use of specific security layer for remote (RDP) connections - Enable and set to negotiate
