Guacamole Package?

# Install guacamole on NS7

Install prerequisites

  • Install from GUI:
    OpenLDAP
    Firewall Base
    MariaDB (MySQL)
    Reverse Proxy
    Web Server

Now from console

yum update

Install the needed packages; you can drop some of them depending on the features you want enabled in guacamole, see http://guacamole.incubator.apache.org/doc/0.9.10-incubating/gug/installing-guacamole.html

yum install cairo-devel libjpeg-devel uuid-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel libvorbis-devel libwebp-devel nethserver-tomcat gcc

  • ffmpeg is not found in EPEL, I got it from the nux dextop repo…

rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-1.el7.nux.noarch.rpm

  • Disable the repo to avoid unintentional updates from it

vi /etc/yum.repos.d/nux-dextop.repo
Set enabled=0 and save

  • Install ffmpeg

yum install --enablerepo=nux-dextop ffmpeg ffmpeg-devel

# Get guacamole and related parts

cd /opt/

Place here:
- guacamole-server-0.9.10-incubating.tar.gz
- guacamole-0.9.10-incubating.war
- guacamole-auth-jdbc-0.9.10-incubating.tar.gz
- mysql-connector-java-5.1.38.tar.gz

You can get the server parts from https://guacamole.incubator.apache.org/releases/0.9.10-incubating/ and the java connector from https://dev.mysql.com/downloads/connector/j/

tar -xzf guacamole-server-0.9.10-incubating.tar.gz

mv guacamole-server-0.9.10-incubating guacamole

rm guacamole-server-0.9.10-incubating.tar.gz

cd guacamole

./configure --with-init-dir=/etc/init.d

make

make install

ldconfig

mkdir -p /var/lib/guacamole && mv /opt/guacamole-0.9.10-incubating.war /var/lib/guacamole/guacamole.war

ln -s /var/lib/guacamole/guacamole.war /var/lib/tomcat/webapps/

rm -rf /usr/lib64/freerdp/guacdr.so

ln -s /usr/local/lib/freerdp/guacdr.so /usr/lib64/freerdp/

mkdir ~/guacamole && cd ~/guacamole 

mv /opt/guacamole-auth-jdbc-0.9.10-incubating.tar.gz ~/guacamole/guacamole-auth-jdbc-0.9.10-incubating.tar.gz

mv /opt/mysql-connector-java-5.1.38.tar.gz ~/guacamole/mysql-connector-java-5.1.38.tar.gz

mkdir -p /usr/share/tomcat/.guacamole/{extensions,lib}

tar -zxf guacamole-auth-jdbc-0.9.10-incubating.tar.gz

tar -zxf mysql-connector-java-5.1.38.tar.gz

# assumes guacamole-auth-ldap-0.9.10-incubating.tar.gz was placed in /opt with the other archives (it comes from the same release page)
mv /opt/guacamole-auth-ldap-0.9.10-incubating.tar.gz ~/guacamole/guacamole-auth-ldap-0.9.10-incubating.tar.gz

tar -zxf guacamole-auth-ldap-0.9.10-incubating.tar.gz

mv guacamole-auth-jdbc-0.9.10-incubating/mysql/guacamole-auth-jdbc-mysql-0.9.10-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-jdbc-mysql.jar

mv mysql-connector-java-5.1.38/mysql-connector-java-5.1.38-bin.jar /usr/share/tomcat/.guacamole/lib/

mv guacamole-auth-ldap-0.9.10-incubating/guacamole-auth-ldap-0.9.10-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-ldap.jar

  • Enter the mysql CLI and set up the DB and user

mysql

create database guacdb;

create user 'guacuser'@'localhost' identified by 'guacDBpass';
MODIFY THESE CREDENTIALS TO SOMETHING SECURE

grant all privileges on guacdb.* to 'guacuser'@'localhost';

flush privileges;

quit

If you need the mysql password:
cat /var/lib/nethserver/secrets/mysql

cd ~/guacamole/guacamole-auth-jdbc-0.9.10-incubating/mysql/schema/

cat ./*.sql | mysql -u root -p guacdb

  • Edit the guacamole main configuration file

mkdir -p /etc/guacamole/ && vi /etc/guacamole/guacamole.properties

    # Note: in a Java properties file '#' only starts a comment at the beginning
    # of a line. An inline '#' becomes part of the value, so keep comments on
    # their own lines.

    # MySQL properties
    # username and password taken from the mysql user set earlier
    mysql-hostname: localhost
    mysql-port: 3306
    mysql-database: guacdb
    mysql-username: guacuser
    mysql-password: guacDBpass

    # LDAP properties
    # bind password taken from /var/lib/nethserver/secrets/ldapservice
    ldap-hostname: localhost
    ldap-encryption-method: starttls
    ldap-search-bind-dn: cn=ldapservice,dc=directory,dc=nh
    ldap-search-bind-password: xxxxxxxxxxxxxxxx
    ldap-user-base-dn: dc=directory,dc=nh

ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat/.guacamole/

cd ~ && rm -rf guacamole*

Setup the reverse proxy

vi /etc/httpd/conf.d/guacamole_reverse.conf

    SSLProxyEngine on

    # The websocket tunnel must be declared BEFORE the general guacamole path:
    # Apache matches ProxyPass rules in order. The ws:// proxy needs
    # mod_proxy_wstunnel (shipped with the base httpd package on CentOS 7).
    ProxyPass        /path/to/guacamole/websocket-tunnel ws://FQDN:8080/guacamole/websocket-tunnel
    ProxyPassReverse /path/to/guacamole/websocket-tunnel ws://FQDN:8080/guacamole/websocket-tunnel

    # ProxyPass: guacamole
    # flushpackets=on keeps the HTTP fallback tunnel responsive
    ProxyPass        /path/to/guacamole/ http://FQDN:8080/guacamole/ flushpackets=on
    ProxyPassReverse /path/to/guacamole/ http://FQDN:8080/guacamole/

    # refuse plain-http access, so credentials only travel over TLS
    <Location />
        SSLRequireSSL
    </Location>

# Start services

systemctl enable tomcat.service
chkconfig guacd on
systemctl restart tomcat.service
systemctl start guacd.service
systemctl restart httpd.service

# Use it
Guacamole should now be accessible from the path you chose in the reverse proxy conf file over https (httpd), or at FQDN:8080 over http (tomcat)

To use its new copy-paste feature, this extension is needed on Chrome; it works like a charm!

9 Likes

Great Job!

Continuing from above
# First Login

To access guacamole, log in to it from your newly created https://FQDN/path/to/guacamole reverse proxy, using the default credentials guacadmin / guacadmin

Once inside you can go to Settings and change the password to something very very long (don’t fatfinger it!)

Set up a new user named “admin” and give it any password; be sure to check “login disabled” as we’ll be using LDAP users to log in

Now log out and, if it doesn’t exist yet, create an “admin” account from the NS GUI, give it a password, and use these credentials to log in to guacamole; this will be the guacamole administrator account

Once logged in with the admin user, you’ll notice you can now see and edit already existing LDAP users; when doing so, there are new images on top that tell which backend is being used for the user

Guacamole uses all the authentication backends it has to authenticate users: if the same account name exists in 2 different backends, either of their passwords can be used to log in. This is why we edit the users you intend to grant access to guacamole and check the “login disabled” option, so that all passwords are handled only by NS

Assign existing connections to users

Now users can log in with their NS credentials and use the connections assigned to them

6 Likes

Waiting for guacamole rpm packages, that post looks like a great howto man! :clap:
Could you please move it on our wiki?

In the evening I plan on posting a howto to install (or update to) 0.9.11, released a few days ago; it comes with a couple more features, then I’ll move it to the wiki

I’m also testing the docker install method, but I’m currently having problems allowing the container to speak with the local LDAP and MySQL daemons: the NS GUI doesn’t handle the docker0 bridge created by docker and I’ll have to work on iptables rules I guess…

(about that, is there a nethserver-docker or perhaps a nethserver-kubernetes in your plans? :slight_smile: )

Just a question: nethserver packages are built starting from existing rpms and then adding custom code to them, right? Is it possible to create an rpm starting from sources somehow?

Sorry for the silly question, but I’m not really into rpm making :slight_smile:

1 Like

@stephdl is very good at that :slight_smile:

Not yet but we are going to play with docker sooner or later.

Well, to be honest, most of the time I retrieve an rpm from EPEL; maintaining an rpm directly could be a full time job. However we could take a look and find a way to build it. For guacamole I believe we can start from the spec file of an older rpm and look at what it appends; otherwise we could start with a spec file from another rpm-based distro.

Perhaps this will help
https://build.opensuse.org/package/view_file/home:ecsos:server/guacamole-server/guacamole-server.spec

0.9.11

Provides TFA with DUO and improvements to the double authentication backend

If installed from source I think the 0.9.10 howto should work just fine by just replacing the files with the ones found here, and editing guacamole.properties

To update from 0.9.10 the following worked

cd /opt/

tar -xzf guacamole-server-0.9.11-incubating.tar.gz

mv guacamole-server-0.9.11-incubating guacamole-0.9.11

rm guacamole-server-0.9.11-incubating.tar.gz

cd guacamole-0.9.11

./configure --with-init-dir=/etc/init.d

make

make install

ldconfig

mv /opt/guacamole-0.9.11-incubating.war /var/lib/guacamole/guacamole.war

rm -rf /var/lib/tomcat/webapps/guacamole.war && ln -s /var/lib/guacamole/guacamole.war /var/lib/tomcat/webapps/

rm -rf /usr/lib64/freerdp/guacdr.so && ln -s /usr/local/lib/freerdp/guacdr.so /usr/lib64/freerdp/

mkdir ~/guacamole && cd ~/guacamole

mv /opt/guacamole-auth-jdbc-0.9.11-incubating.tar.gz ~/guacamole/guacamole-auth-jdbc-0.9.11-incubating.tar.gz

tar -zxf guacamole-auth-jdbc-0.9.11-incubating.tar.gz

mv /opt/guacamole-auth-ldap-0.9.11-incubating.tar.gz ~/guacamole/guacamole-auth-ldap-0.9.11-incubating.tar.gz

tar -zxvf guacamole-auth-ldap-0.9.11-incubating.tar.gz

mv guacamole-auth-jdbc-0.9.11-incubating/mysql/guacamole-auth-jdbc-mysql-0.9.11-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-jdbc-mysql.jar

mv guacamole-auth-ldap-0.9.11-incubating/guacamole-auth-ldap-0.9.11-incubating.jar /usr/share/tomcat/.guacamole/extensions/guacamole-auth-ldap.jar

cat guacamole-auth-jdbc-0.9.11-incubating/mysql/schema/upgrade/upgrade-pre-0.9.11.sql | mysql -u root -p guacdb

# Allow logins from existing users only
This will prevent users who do not exist in MySQL from even attempting to log in, instead of giving them an empty guacamole screen with no connections; the “login disabled” option in the user settings is no longer needed

vi /etc/guacamole/guacamole.properties

Add the line:

    mysql-user-required: true

# Cleanup

cd ~ && rm -rf guacamole*

systemctl daemon-reload

systemctl restart guacd.service

systemctl restart tomcat.service

The DUO TFA seems really neat; it’s really interesting as it allows for stronger security when exposing internal machines to the internet: users have to authenticate to guacamole with both LDAP and TFA, and if either fails, access is denied

If the user has not set it up yet, there’s a wizard with QR codes to set it up

It also supports U2F devices; has anyone tried these USB devices and can offer advice on which to try?

4 Likes
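As an added check (example script, not from the howtos above nor from the Guacamole or NethServer projects), the following POSIX sh functions audit a guacamole.properties file for the points raised in the two howtos: inline `#` comments, which a Java properties file treats as part of the value, the example credentials that must be replaced, the LDAP encryption setting, and the 0.9.11 `mysql-user-required` option. The names `guac_prop` and `audit_guac_props` are hypothetical, and the script assumes the `key: value` layout shown above.

```shell
#!/bin/sh
# Audit a guacamole.properties file for the pitfalls discussed in this thread.
# Hypothetical helper, not part of Guacamole or NethServer; assumes the
# "key: value" layout shown above and the thread's example values.

# Print the value of one key; Guacamole accepts both "key: value" and "key=value".
guac_prop() {
    # $1 = properties file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*[:=][[:space:]]*//p" "$1" | head -n 1
}

# Print one FINDING line per problem; return 1 if anything was found, else 0.
audit_guac_props() {
    f="$1"
    rc=0
    # 1. In a Java properties file '#' only starts a comment at the beginning of a
    #    line: "mysql-username: guacuser #note" sets the username to "guacuser #note".
    if grep -q '^[[:space:]]*[^#[:space:]][^#]*#' "$f"; then
        echo "FINDING: '#' inside a value line; move the comment to its own line"
        rc=1
    fi
    # 2. The database password copied from the howto must be replaced.
    case "$(guac_prop "$f" mysql-password)" in
        guacDBpass|"") echo "FINDING: mysql-password is the howto default or empty"; rc=1 ;;
    esac
    # 3. The LDAP bind password placeholder (xxxx...) must be replaced.
    case "$(guac_prop "$f" ldap-search-bind-password)" in
        xxxx*|"") echo "FINDING: ldap-search-bind-password is the placeholder or empty"; rc=1 ;;
    esac
    # 4. Without starttls or ssl the bind password crosses the wire in clear text.
    case "$(guac_prop "$f" ldap-encryption-method)" in
        starttls|ssl) ;;
        *) echo "FINDING: ldap-encryption-method should be starttls or ssl"; rc=1 ;;
    esac
    # 5. 0.9.11+: only accounts that also exist in MySQL may open a session at all.
    if [ "$(guac_prop "$f" mysql-user-required)" != "true" ]; then
        echo "FINDING: mysql-user-required is not true; LDAP accounts with no MySQL entry still get a session"
        rc=1
    fi
    return $rc
}
```

Run it as `audit_guac_props /etc/guacamole/guacamole.properties` after editing the file; a non-zero exit status means at least one finding was printed.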

Hi Team,

I’ve seen mention of a great app called Guacamole. The official blurb from their website says this:

Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
We call it clientless because no plugins or client software are required.
Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.

I’ve installed Guacamole a few years back to try it out and I thought it was pretty amazing. But I’m sure others are looking at it and wondering how it can be useful and why anyone would want to add it. I thought I would share my plans for our office’s use case for it.

We are an assay lab business, so we use special machines at each workstation to help us do our daily work. The machines have a physical/hardware component and run using software. Rarely does the hardware fail, so if there are issues it’s usually with the setup in the software.

All of our workstations that run the software for these machines are locked down from Internet access at our gateway. They are almost like dumb terminals in that they are always running and logged in with a generic account so an operator can go to any workstation and use it. This is a really quick overview of our operation so I’m skipping a lot of detail, but you get the idea of our setup now.

All our workstations have VNC Server installed on them so I can remote into the office via VPN to assist. There is no access to any of these workstations from outside unless I’ve granted VPN access.

Our vendors do provide remote support via the Internet, but with all workstations locked down they cannot automatically remote in and assist when an operator requires help. I have provided VPN access to our vendor (and only allowed them access to the workstations they need to get to), but then our vendor needs to have a list of IPs for each workstation. It works but is kind of messy.

This is where I see Guacamole can help. By serving up a webpage and creating a user account for our vendor, I can display the workstations they can have access to. They can use VNC to look over our operators’ shoulders and assist. I still prefer to use VPN access as I don’t want to leave the Guacamole page open for hackers to try and break in. But for a short period of time I suppose I could expose the Guacamole webpage to the Net for the duration of the vendor’s support. It’s always best to be careful, so VPN is very important to me and our office. :slight_smile:

If others have a use case for Guacamole they would like to share, I’d like to hear it!

Thanks.

I have just added your post here; I think that it’s the right place.
Thanks for your thoughts. I think that Guacamole is a GREAT package; sadly it’s not so straightforward installing it as an rpm, as you can see above.

1 Like

Thanks @alefattorini for putting my post in the right location.

I’m still getting my head around the requirements with regards to adding new modules. Is there a document, or would someone be able to list for me what is needed from an app before it would be considered for nethserver? It sounds like an .rpm file is a must. Anything else you look for?

Thank you.

I’ve found an .rpm for guacamole-common for Fedora. Would this be of any help for someone with the knowledge to build off of for Guacamole on NS?

You have a guacamole rpm in EPEL for CentOS 7; it could be a good starting point also.

I was trying to find a solution for people to access RDP sessions with zero config and no installation files.
First I solved it by implementing sslexplorer, until I found out about Guacamole.

I would like to share my experience about that.
Compiling it on CentOS or Ubuntu is not an issue at all; there is no need for Docker, as some posts advise.
The trick about guacamole is that it is best integrated into Nextcloud rather than being exposed to the public internet.

What I did: downloaded and compiled guacamole from source.
Then inside nextcloud I pointed to it with an external site link (however I used its private IP address).
So now guacamole and its ports 8080 and 443 are not exposed to the outside world, hence no one can access it directly.

The only problem I have is solving the issue of the certificate pointing to a private IP.

1 Like

How does external site work when accessing nextcloud from outside using its FQDN? Does it just embed guacamole’s page inside nextcloud (meaning that page has to be directly reachable by the user, i.e. you still have to open tomcat port 8080 to the outside world to make it work) or does it work like a reverse proxy?

Also check this out: the next release will add an HTTP authentication header module, which could be helpful when giving a user access to their desktops when that user has already been authenticated by a different service (nextcloud, authenticated reverse proxy, etc…)

@edi

Guacamole is working fine, however there is a need to port forward 443.
There is a way to avoid exposing the guacamole server to the public net.

I am launching a community request to develop 2 simple apps for nextcloud
one for freepbx webrtc and one for the guacamole.
@alefattorini could you please create a thread for that request ?

1 Like

I agree @ghost, guacamole really needs to be added to nethserver… where did your community request to develop your two apps go? I don’t see a continuation of this thread. I hope it’s not dead. :slight_smile:

@alefattorini, that bounty that you created… I’m guessing it’s still open? I’m not a developer so sadly I can’t create the package nethserver needs… but I’m more than willing to help with testing.

How close are we to having guacamole integrated into nethserver… or is it best to just use the excellent instructions from this thread (thanks @edi and @Adam!)?

1 Like

@greavette I hear you well.
Unfortunately my request did not get the @alefattorini attention.
I am not a developer either, however I am willing to contribute!
Just upgraded to 0.9.12 (credits to Chase Wright https://www.chasewright.com/guacamole-upgrade/) and it looks even nicer, very bright resolution with RDP. It will be a pity to let this nice jewellery out of Nethserver.
Back to you @alefattorini

1 Like

I’ll pull an @alefattorini and say…

C’mon team… let’s get this implemented into Nethserver!

But seriously… how close are we to having this module installed? From what I read there is an older version of the rpm from EPEL available? What if Nethserver added that older version to the Software Center and provided command line instructions on how to update it? At least that would allow people to use/try out Guacamole until such time as the Nethserver team decides if they want to create/maintain a more recent rpm version. Just a suggestion…

@greavette @alefattorini
2 Threads created

1 Like