This is an HTML5 to RDP gateway.
Ubuntu 18.04 installed from my template.
Configure the passwords by changing both bingo and root to something more sensible.
Configure /etc/netplan/01-netcfg.yaml for the static IP.
network:
  version: 2
  renderer: networkd
  ethernets:
    ens160:
      dhcp4: no
      addresses:
        - 10.53.79.59/24
      gateway4: 10.53.79.1
      nameservers:
        search: [example.ca]
        addresses: [10.53.79.1]
Edit the following files to change hostname from ubuntu-18.04-amd64-tpl to guac.
sed -i 's/ubuntu-18\|ubuntu-18.04-amd64-tpl/guac/g' /etc/hosts && \
sed -i 's/ubuntu-18\|ubuntu-18.04-amd64-tpl/guac/g' /etc/hostname && \
sed -i 's/ubuntu-18\|ubuntu-18.04-amd64-tpl/guac/g' /etc/mailname && \
sed -i 's/ubuntu-18\|ubuntu-18.04-amd64-tpl/guac/g' /etc/postfix/main.cf && \
hostname guac
Refresh the ssh host keys by removing them, then recreating them.
rm -v /etc/ssh/ssh_host*{key,pub}
dpkg-reconfigure openssh-server
Update the system using apt.
apt update
apt upgrade
https://www.tecmint.com/guacamole-access-remote-linux-windows-machines-via-web-browser/
https://guacamole.apache.org/doc/0.9.14/gug/installing-guacamole.html#guacamole-server-installation
https://github.com/MysticRyuujin/guac-install
For reference, here are some locations we are working with. Note that there are install paths to which symlinks are created during installation.
| Directory | Purpose | Variable |
|---|---|---|
| /var/lib/tomcat8/webapps | place to link .war into | |
| /var/lib/tomcat8/.guacamole | symlink to /etc/guacamole | GUACAMOLE_HOME |
| /etc/guacamole | configuration files install | |
| /var/lib/guacamole | jar & war install | |
| /usr/local/src | Sources build directory | |
Install Oracle Java 8
apt install --no-install-recommends software-properties-common
add-apt-repository ppa:webupd8team/java # For Java 8
add-apt-repository ppa:linuxuprising/java # For Java 10/11
apt update
apt search oracle-java # Show available installable Oracle Java versions
apt install default-jdk # Install latest OpenJDK from Ubuntu
apt install oracle-java8-installer # Install Java 8
update-alternatives --config java # Select the default java
Make sure the last command shows Oracle Java 8 as default, as Guacamole 0.9.14 didn't build for me using the OpenJDK versions.
Install the prerequisites for the guacamole-server, guacamole-client, the tomcat server and build tools.
apt install libcairo2-dev libjpeg-turbo8-dev libjpeg-dev libpng-dev libossp-uuid-dev \
libavcodec-dev libavutil-dev libswscale-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev \
libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev \
ghostscript tomcat8 tomcat8-admin tomcat8-user \
git build-essential autoconf maven
This error occurs on Ubuntu 18.04:
Makefile:566: recipe for target 'libguac_terminal_la-typescript.lo' failed
make[2]: *** [libguac_terminal_la-typescript.lo] Error 1
make[2]: Leaving directory '/usr/local/src/guacamole-server-0.9.14/src/terminal'
Makefile:503: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/usr/local/src/guacamole-server-0.9.14'
Makefile:427: recipe for target 'all' failed
make: *** [all] Error 2
It has been discussed here and fixed here.
Place ubuntu-18.04-amd64-20181012.patch into /usr/local/src and apply at the appropriate stage.
Create a convenient location to build, then download and build the server sources from git.
mkdir -p /usr/local/src
cd /usr/local/src
git clone https://github.com/apache/guacamole-server.git
cd guacamole-server
git checkout tags/0.9.14 -b tag-0.9.14
patch -p1 < ../ubuntu-18.04-amd64-20181012.patch # Apply patch for <1.0.0
autoreconf -fi
./configure --with-init-dir=/etc/init.d
make
make install
Alternatively, download and build the server sources from the release tarball.
mkdir -p /usr/local/src
cd /usr/local/src
wget http://apache.mirror.iweb.ca/guacamole/0.9.14/source/guacamole-server-0.9.14.tar.gz
tar -xzf guacamole-server-0.9.14.tar.gz
patch -p0 < ubuntu-18.04-amd64-20181012.patch # Apply patch for <1.0.0 (the patch file sits in /usr/local/src)
cd guacamole-server-0.9.14/
./configure --with-init-dir=/etc/init.d
make
make install
Link the libraries.
mkdir -p /usr/lib/$(dpkg-architecture -qDEB_BUILD_GNU_TYPE)/freerdp
ln -s /usr/local/lib/freerdp/guac*.so /usr/lib/$(dpkg-architecture -qDEB_BUILD_GNU_TYPE)/freerdp/
ldconfig
Download and build the client sources from git.
cd /usr/local/src
git clone https://github.com/apache/guacamole-client.git
cd guacamole-client
git checkout tags/0.9.14 -b tag-0.9.14
mvn package
Note: Use mvn clean to clean up the sources before rebuilding. This is important when checking out a different release.
Alternatively, download and build the client sources from the release tarball.
cd /usr/local/src
wget http://apache.mirror.iweb.ca/guacamole/0.9.14/source/guacamole-client-0.9.14.tar.gz
tar xzf guacamole-client-0.9.14.tar.gz
cd guacamole-client-0.9.14
mvn package
Installation
mkdir -p /var/lib/guacamole
cp guacamole/target/guacamole-0.9.14.war /var/lib/guacamole/
find extensions -type f -name '*.jar' -exec cp {} /var/lib/guacamole/ \;
Create directories and deploy webapp
mkdir -p /etc/guacamole/{lib,extensions}
ln -s /etc/guacamole/ /var/lib/tomcat8/.guacamole
ln -s /var/lib/guacamole/guacamole-0.9.14.war /var/lib/tomcat8/webapps/guacamole.war
File /etc/guacamole/guacamole.properties
guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
File /etc/guacamole/user-mapping.xml
<user-mapping>
    <authorize
            username="tecmint"
            password="8383339b9c90775ac14693d8e620981f"
            encoding="md5">
        <connection name="RHEL 7">
            <protocol>ssh</protocol>
            <param name="hostname">10.53.79.18</param>
            <param name="port">22</param>
            <param name="username">gacanepa</param>
        </connection>
        <connection name="Windows 10">
            <protocol>rdp</protocol>
            <param name="hostname">10.53.79.19</param>
            <param name="port">3389</param>
            <param name="security">tls</param>
            <param name="ignore-cert">true</param>
            <param name="enable-printing">true</param>
        </connection>
        <connection name="VNC Host">
            <protocol>vnc</protocol>
            <param name="hostname">10.53.79.21</param>
            <param name="port">5900</param>
        </connection>
    </authorize>
</user-mapping>
Passwords are MD5 and can be generated with
printf '%s' "tecmint01" | md5sum
Restart services.
systemctl enable guacd
service guacd start
service tomcat8 restart
Create a keystore with a single self-signed certificate.
keytool -genkey -alias Guacamole -keyalg RSA -keystore /etc/tomcat8/guac.jks -storepass cookedBeaver \
-keypass cookedBeaver -noprompt -dname "CN=guac.example.ca,OU=,O=,L=,S=,C="
Add the port 8443 connector to /etc/tomcat8/server.xml.
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="conf/guac.jks"
           keystorePass="cookedBeaver"
           URIEncoding="UTF-8" />
Comment out the <Connector port="8443" in /etc/tomcat8/server.xml if only SSL traffic is desired.
Install MariaDB packages
apt install --no-install-recommends mariadb-client mariadb-server mariadb-common libmysql-java
Create the database and database user
mysql -u root
create database guacdb;
create user 'guac_user'@'localhost' identified by 'somesecret';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacdb.* TO 'guac_user'@'localhost';
flush privileges;
Deploy the database schema and create the default administrative user (guacadmin/guacadmin)
cat /usr/local/src/guacamole-client/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/*.sql | mysql -u root guacdb
Add to the contents of /etc/guacamole/guacamole.properties.
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacdb
mysql-username: guac_user
mysql-password: somesecret
Replace the contents of /etc/guacamole/user-mapping.xml with
<user-mapping>
</user-mapping>
Install the MySQL extension and JDBC driver
ln -s /var/lib/guacamole/guacamole-auth-jdbc-mysql-0.9.14.jar /etc/guacamole/extensions/guacamole-auth-jdbc-mysql.jar
ln -s /usr/share/java/mysql-connector-java.jar /etc/guacamole/lib/
Restart services
service guacd restart
service tomcat8 restart
Note: This isn't working for me. I cannot associate the username in user-mapping.xml nor in database when using MySQL.
Guacamole supports authentication via HTTP header. This is NOT real authentication but just passing the username to guacamole.
Install the guacamole extension.
ln -s /var/lib/guacamole/guacamole-auth-header-0.9.14.jar /etc/guacamole/extensions/guacamole-auth-header.jar
Optionally, add http-auth-header to the /etc/guacamole/guacamole.properties file for a header other than REMOTE_USER to pull username from.
http-auth-header: X-Guacamole-User
This would require the following additional statements in an nginx proxy.
proxy_set_header Authorization "";
proxy_set_header X-Guacamole-User $remote_user;
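An added check, not from the original page or the Guacamole project: because the header extension accepts whatever username arrives in the header, the proxy has to authenticate the user itself and overwrite the header on every request. The script audits an nginx config for both conditions; the function names, the sample configs and the htpasswd path are constructed for illustration, and flat (non-nested) location blocks are assumed.

```shell
# Added example: audit nginx locations that front Guacamole header auth.
# audit_header_auth FILE [HEADER] -> exit 0 only if every location proxying to
# a /guacamole/ backend enables auth_basic AND sets HEADER from $remote_user,
# so a header supplied by the client never reaches Tomcat.
audit_header_auth() {
    awk -v hdr="${2:-X-Guacamole-User}" '
        $1 ~ /^#/ { next }                      # skip comment lines
        $1 == "location" { name = $2; inloc = 1; proxied = auth = hset = 0; next }
        !inloc { next }
        $1 == "proxy_pass" && $2 ~ /\/guacamole\// { proxied = 1 }
        $1 == "auth_basic" && $2 != "off;" { auth = 1 }
        $1 == "proxy_set_header" && $2 == hdr && $3 == "$remote_user;" { hset = 1 }
        $1 == "}" {
            if (proxied) {
                seen = 1; if (!(auth && hset)) bad = 1
                printf "%s auth_basic=%d header_from_remote_user=%d\n", name, auth, hset
            }
            inloc = 0
        }
        END { exit (seen && !bad ? 0 : 1) }
    ' "$1"
}

# Constructed sample configs (HOSTNAME is the page's placeholder; the
# htpasswd path is hypothetical).
write_samples() {   # write_samples DIR
    cat > "$1/weak.conf" <<'EOF'
location /guacamole/ {
    proxy_pass http://HOSTNAME:8080/guacamole/;
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
location /guacamole/ {
    auth_basic "Guacamole";
    auth_basic_user_file /etc/nginx/guac.htpasswd;
    proxy_pass http://HOSTNAME:8080/guacamole/;
    proxy_set_header Authorization "";
    proxy_set_header X-Guacamole-User $remote_user;
}
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in weak hardened; do
    audit_header_auth "$dir/$f.conf" && echo "$f: OK" || echo "$f: FAIL"
done
rm -rf "$dir"
```

nginx inherits proxy_set_header from an outer level only when the location defines none of its own, so the header line has to sit in the same location block as the other proxy_set_header lines. The Tomcat connectors should accept connections only from the proxy; otherwise a client can reach them directly and supply the header itself.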
Official doc: https://guacamole.apache.org/doc/gug/proxying-guacamole.html#proxying-with-nginx
This is the standard nginx config fragment.
location /guacamole/ {
    proxy_pass http://HOSTNAME:8080/guacamole/;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    access_log off;
}
This is a config fragment with the path changed to new-path.
location /new-path/ {
    proxy_pass http://HOSTNAME:8080/guacamole/;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_cookie_path /guacamole/ /new-path/;
    access_log off;
}