Howto install guacamole

howto
v7

(Vinit Makol) #61

We have been testing guacamole for a few days now and it's been working beautifully. The combination of guacamole and multi-wan (and both of them working) has made things a lot easier.

I want to share some stats and see if it makes sense. The server we are running NS and guacamole is running on server:
Model
ProLiant DL380 G6
CPU model
16 x Intel® Xeon® CPU E5530 @ 2.40GH
8GB RAM.

We ran a test with three users with 6 remote desktop connections each and the memory usage peaked at 93%, and the 25th connection caused the connections to reset, and the pages needed to be reloaded. CPU usage remained less than 10% the whole time. Does this sound right?


(Markus Neuberger) #62

Thanks again for testing and feedback!

You mean the 5th user's 1st connection (4 x 6 + 1 = 25) resets all connections?

I did some research:

Guacamole itself should have no limits:
https://sourceforge.net/p/guacamole/discussion/1110834/thread/b425b9fe/

There seems to be a kind of browser tab connection limit:
https://sourceforge.net/p/guacamole/discussion/1110833/thread/ed44ddf9

Simultaneous connections are allowed by default, duplicates are not:
https://sourceforge.net/p/guacamole/discussion/1110834/thread/bb801fd6/


(Vinit Makol) #63

You are correct. We are doing some more tests…will post.


(Vinit Makol) #64

You are correct. The limits are on the browser side.


(Stephan) #65

Hi all,

I have a problem after the update of the reverse proxy, also NethServer.
After the last updates for the reverse proxy I only get a blank page for Guacamole.
I checked everything and it seems OK.
The parameter flushpackets=on is set, but to me it seems that it is not used?
I know this problem from when the parameter is not set.
What can I do?
Before the update it worked absolutely fine.
Kind regards
StephanS


(Markus Neuberger) #66

Hi Stephan,

I updated too and guacamole is still working.

Are there errors in /var/log/messages or in /var/log/tomcat/*.log ?

Which version of proxypass do you have?

[root@testserver ~]# rpm -q nethserver-httpd-proxypass
nethserver-httpd-proxypass-3.2.1-1.ns7.noarch

Does the database exist?

mysql guacamole

Is the port open or maybe another application using similar port?

netstat -tlpn | grep 8080

Which packages are installed, just to be able to reproduce:

rpm -qa "nethserver-*"


(Stephan) #67

Okay, here is my config:

[root@DMZSERVER ~]# rpm -q nethserver-httpd-proxypass
nethserver-httpd-proxypass-3.2.1-1.ns7.noarch
Guacamole works perfectly inside my network, but as I use it to get to my systems with only https or http possible, I used the reverse proxy to use it from external.
The message log on the server that has the reverse proxy has nothing unusual.

The proxy conf file has these options defined in general:

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
and for guacamole it is configured with these options:

ProxyPass: guacamole

Description:

ProxyPass /guacamole https://nexttv:8443/guacamole/ flushpackets=on
ProxyPassReverse /guacamole https://nexttv:8443/guacamole/
<Location /guacamole>
SSLRequireSSL

ProxyPass /guacamole/websocket-tunnel ws://nexttv:8443/guacamole/websocket-tunnel
ProxyPassReverse /guacamole/websocket-tunnel ws://nexttv:8443/guacamole/websocket-tunnel
<Location /guacamole/websocket-tunnel>

As it is working perfectly inside my network if I address the server directly, it must be the reverse proxy,
and I assume that the flushpackets option is not used; however, I have no error report:
May 14 20:46:34 DMZSERVER control-service: httpd restart
May 14 20:46:34 DMZSERVER systemd: Stopping The Apache HTTP Server...
May 14 20:46:37 DMZSERVER systemd: Starting The Apache HTTP Server...
May 14 20:46:39 DMZSERVER systemd: Started The Apache HTTP Server.

Here is the httpd ssl log when you access the site:
192.168.3.100 - - [14/May/2018:20:48:23 +0200] "GET /guacamole/app.css?v=0.9.13-incubating HTTP/1.1" 404 987
192.168.3.100 - - [14/May/2018:20:48:23 +0200] "GET /guacamole/webjars/angular-module-shim/0.0.4/angular-module-shim.js HTTP/1.1" 200 774
192.168.3.100 - - [14/May/2018:20:48:23 +0200] "GET /guacamole/app.js?v=0.9.13-incubating HTTP/1.1" 404 985
192.168.3.100 - - [14/May/2018:20:48:23 +0200] "GET /guacamole/webjars/angular-cookies/1.3.16/angular-cookies.min.js HTTP/1.1" 200 865
192.168.3.100 - - [14/May/2018:20:48:24 +0200] "GET /guacamole/app.js?v=0.9.13-incubating HTTP/1.1" 404 985
192.168.3.100 - - [14/May/2018:20:48:24 +0200] "GET /guacamole/images/logo-144.png HTTP/1.1" 200 9167

So I have no trace of what went wrong :frowning:

Any ideas?

Packages on the reverse proxy server:
[root@DMZSERVER ~]# rpm -qa "nethserver-*"
nethserver-diagtools-1.0.1-1.ns7.noarch
nethserver-cgp-2.1.3-1.ns7.noarch
nethserver-vsftpd-1.1.0-1.ns7.noarch
nethserver-lightsquid-1.1.2-1.ns7.noarch
nethserver-ddclient-1.0.5-1.ns7.sdl.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-release-7-5.ns7.noarch
nethserver-suricata-1.1.1-1.ns7.noarch
nethserver-lib-2.2.7-1.ns7.noarch
nethserver-mail-filter-1.4.4-1.ns7.noarch
nethserver-mail-smarthost-1.0.1-1.ns7.noarch
nethserver-firewall-base-ui-3.3.2-1.ns7.noarch
nethserver-libvirt-1.1.0-1.ns7.noarch
nethserver-duc-1.4.3-1.ns7.noarch
nethserver-base-3.1.5-1.ns7.noarch
nethserver-firewall-base-3.3.2-1.ns7.noarch
nethserver-mail-common-1.6.7-1.ns7.noarch
nethserver-letsencrypt-1.1.6-1.ns7.noarch
nethserver-httpd-3.2.1-1.ns7.noarch
nethserver-sssd-1.3.8-1.ns7.noarch
nethserver-wordpress-1.1.5-1.ns7.sdl.noarch
nethserver-awstats-0.1.5-1.ns7.sdl.noarch
nethserver-webvirtmgr-1.1.1-1.ns7.noarch
nethserver-lsm-1.2.3-1.ns7.noarch
nethserver-hosts-1.2.2-1.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch
nethserver-unbound-1.1.0-1.ns7.noarch
nethserver-rh-php56-php-fpm-1.0.0-1.ns7.noarch
nethserver-phonehome-1.3.0-1.ns7.noarch
nethserver-collectd-3.0.6-1.ns7.noarch
nethserver-lang-en-1.2.10-1.ns7.noarch
nethserver-httpd-virtualhosts-3.2.1-1.ns7.noarch
nethserver-stephdl-1.0.6-1.ns7.sdl.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-moodle-0.0.9-1.ns7.noarch
nethserver-antivirus-1.2.1-1.ns7.noarch
nethserver-net-snmp-1.1.0-1.ns7.noarch
nethserver-evebox-1.0.1-1.ns7.noarch
nethserver-openssh-1.2.2-1.ns7.noarch
nethserver-c-icap-1.1.0-1.ns7.noarch
nethserver-squidguard-1.8.0-1.ns7.noarch
nethserver-backup-config-2.0.4-1.ns7.noarch
nethserver-ndpi-1.1.1-1.ns7.noarch
nethserver-httpd-admin-2.2.1-1.ns7.noarch
nethserver-fail2ban-0.1.37-1.ns7.sdl.noarch
nethserver-httpd-proxypass-3.2.1-1.ns7.noarch
nethserver-squid-1.7.0-1.ns7.noarch
nethserver-pulledpork-2.1.2-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-mail-disclaimer-1.6.7-1.ns7.noarch
nethserver-squidclamav-3.0.0-1.ns7.noarch
nethserver-mysql-1.1.3-1.ns7.noarch
nethserver-dnsmasq-1.6.6-1.ns7.noarch
nethserver-ntopng-2.1.0-1.ns7.noarch

and these are from the target guacamole server:

[root@NEXTTV ~]# rpm -qa "nethserver-*"
nethserver-base-3.1.5-1.ns7.noarch
nethserver-httpd-3.2.0-1.ns7.noarch
nethserver-diagtools-1.0.1-1.ns7.noarch
nethserver-lang-en-1.2.10-1.ns7.noarch
nethserver-firewall-base-ui-3.3.2-1.ns7.noarch
nethserver-zabbix-0.0.1-6.ns7.noarch
nethserver-ejabberd-1.1.5-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-httpd-admin-2.2.1-1.ns7.noarch
nethserver-mysql-1.1.3-1.ns7.noarch
nethserver-rh-php56-php-fpm-1.0.0-1.ns7.noarch
nethserver-dnsmasq-1.6.6-1.ns7.noarch
nethserver-duc-1.4.3-1.ns7.noarch
nethserver-mrmarkuz-0.0.1-2.ns7.noarch
nethserver-letsencrypt-1.1.6-1.ns7.noarch
nethserver-stephdl-1.0.6-1.ns7.sdl.noarch
nethserver-net-snmp-1.1.0-1.ns7.noarch
nethserver-hosts-1.2.2-1.ns7.noarch
nethserver-pulledpork-2.1.2-1.ns7.noarch
nethserver-release-7-5.ns7.noarch
nethserver-lib-2.2.7-1.ns7.noarch
nethserver-firewall-base-3.3.2-1.ns7.noarch
nethserver-suricata-1.1.1-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-backup-config-2.0.4-1.ns7.noarch
nethserver-webvirtmgr-1.1.1-1.ns7.noarch
nethserver-nextcloud-1.2.0-1.ns7.noarch
nethserver-openssh-1.2.2-1.ns7.noarch
nethserver-fail2ban-0.1.37-1.ns7.sdl.noarch
nethserver-postgresql-1.1.0-1.ns7.noarch
nethserver-phonehome-1.3.0-1.ns7.noarch
nethserver-libvirt-1.1.0-1.ns7.noarch
nethserver-rh-php71-php-fpm-1.0.0-1.ns7.noarch
nethserver-sssd-1.3.7-1.ns7.noarch
nethserver-evebox-1.0.1-1.ns7.noarch
nethserver-mail-smarthost-1.0.1-1.ns7.noarch
nethserver-collectd-3.0.6-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-cgp-2.1.3-1.ns7.noarch
nethserver-redis-1.1.0-1.ns7.noarch
nethserver-lsm-1.2.3-1.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch
[root@NEXTTV ~]#

I hope you have a clue;)


(Markus Neuberger) #68

The module works on the same server and does the reverse proxying without need for manual settings or separate reverse proxy. Do you need to reverse proxy to another server?

EDIT:

I tried it with a separate reverse proxy and it worked via web UI:


This gives the following proxypass.conf file:

#
# 10base
#
SSLProxyEngine on
# ProxyPass: guacamole
# Description:
ProxyPass   /guacamole   http://testserver.cmb.local:8080/guacamole
ProxyPassReverse   /guacamole   http://testserver.cmb.local:8080/guacamole
<Location /guacamole>
    SSLRequireSSL
</Location>

(Stephan) #69

Nope, for me sadly no effect.
The config path is as follows:
Router full port forward -> Firewall (Untangle) -> selective port forward to “DMZSERVER” NethServer with reverse proxy; this server forwards to my internal sub servers which have different functions like webmail/nextcloud and the one server for guacamole.
I need the reverse proxy to address the different internal machines that have specific functions in my network.
What I do not understand: there is some data that is transferred, like the logo, but nothing else, which was every time the case before I activated the flushpackets option; after this option all forwards worked perfectly before the update.

And secondly, if it works in your case, what could have gone wrong for me, as we have the same config for this part?
I will think about it some more; if you have any additional ideas I am happy to hear them :wink:
Regards
Stephan


(Markus Neuberger) #70

  • You may enable proxy debugging in /etc/httpd/conf/httpd.conf by replacing

LogLevel warn

with

LogLevel error proxy:trace5

and then restart apache with

systemctl restart httpd

and then check the httpd error_log after trying to reach guacamole.

  • You didn’t install nethserver-guacamole. The module works without port 8443, there’s only 8080. You may give it a try.

  • I saw you use suricata. You may try to disable it for testing.

  • It seems some </Location> closings are missing in your config but maybe discourse misinterpreted some chars. Here is some help for formatting:

  • It works without ports too:
SSLProxyEngine on
<Location /guacamole/>
    SSLRequireSSL
    Order allow,deny
    Allow from all
    ProxyPass https://testserver.cmb.local/guacamole/ flushpackets=on
    ProxyPassReverse https://testserver.cmb.local/guacamole/
</Location>

<Location /guacamole/websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://testserver.cmb.local/guacamole/websocket-tunnel
    ProxyPassReverse ws://testserver.cmb.local/guacamole/websocket-tunnel
</Location>

(Stephan) #71

Okay, I will come back to you after the weekend. I have to solve some problems that have now emerged on the dedicated server. I think I will create a VM machine for this function, but I need more time than a few hours in the night :wink:

Thanks a lot for helping out. I will give you feedback on the final results.

regards
Stephan


(Stephan) #72

I need to come back to you.

One freshly installed reverse proxy system
One freshly installed guacamole system

Internally it works perfectly,
via reverse proxy, nope.
The main difference is here:

192.168.2.104 - - [27/May/2018:16:32:55 +0200] "GET /guacamole// HTTP/1.1" 304 -
192.168.2.104 - - [27/May/2018:16:32:55 +0200] "GET /guacamole//app.css?v=0.9.13-incubating HTTP/1.1" 404 987
192.168.2.104 - - [27/May/2018:16:32:55 +0200] "GET /guacamole//app.js?v=0.9.13-incubating HTTP/1.1" 404 985
192.168.2.104 - - [27/May/2018:16:32:55 +0200] "GET /guacamole//app.js?v=0.9.13-incubating HTTP/1.1" 404 985
192.168.2.104 - - [27/May/2018:16:32:55 +0200] "GET /guacamole//images/logo-144.png HTTP/1.1" 200 9167
192.168.2.83 - - [27/May/2018:16:33:00 +0200] "GET /guacamole/ HTTP/1.1" 304 -
192.168.2.83 - - [27/May/2018:16:33:00 +0200] "GET /guacamole/api/patches HTTP/1.1" 200 352
192.168.2.83 - - [27/May/2018:16:33:00 +0200] "GET /guacamole/api/languages HTTP/1.1" 200 136
192.168.2.83 - - [27/May/2018:16:33:00 +0200] "POST /guacamole/api/tokens HTTP/1.1" 403 237
192.168.2.83 - - [27/May/2018:16:33:00 +0200] "GET /guacamole/images/logo-144.png HTTP/1.1" 200 9167

104 is the reverse proxy
83 is an internal client

It seems they asked differently,
but I do not get why.
Both systems were upgraded to patch level yesterday.
It must be that the reverse proxy is doing something other than a normal client.
And my second thought is: why can you not replicate this problem?
Again, I think the problem is the flushpackets option, but I do not find any error messages.
Kind regards
Stephan
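
An added example (not code from any poster or from NethServer): a small Python lint over the directive lines quoted in post #67, using a simplified model of Apache's documented ProxyPass prefix substitution and first-match rule ordering. It shows how a prefix without a trailing slash mapped to a target with one yields the kind of `/guacamole//app.css` request seen in the log above; the function names and finding labels are made up for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the directive lines quoted in post #67 (Location lines left out).
SAMPLE_CONF = """\
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass /guacamole https://nexttv:8443/guacamole/ flushpackets=on
ProxyPassReverse /guacamole https://nexttv:8443/guacamole/
ProxyPass /guacamole/websocket-tunnel ws://nexttv:8443/guacamole/websocket-tunnel
"""

def proxypass_rules(conf):
    """(prefix, target) of each 'ProxyPass <prefix> <url> ...' line, in file order."""
    rows = (line.split() for line in conf.splitlines())
    return [(r[1], r[2]) for r in rows if len(r) >= 3 and r[0] == "ProxyPass"]

def prefix_matches(path, prefix):
    """A prefix matches only on a path-segment boundary (/guacamole, not /guacamolex)."""
    rest = path[len(prefix):]
    return path.startswith(prefix) and (prefix.endswith("/") or rest[:1] in ("", "/"))

def backend_url(path, rules):
    """Simplified mod_proxy model: first matching rule wins; prefix is swapped for the target."""
    for prefix, target in rules:
        if prefix_matches(path, prefix):
            return target + path[len(prefix):]
    return None

def lint(conf):
    rules, findings = proxypass_rules(conf), []
    tls_backends = {urlsplit(t).netloc for _, t in rules if t.startswith("https://")}
    for i, (prefix, target) in enumerate(rules):
        if prefix.endswith("/") != target.endswith("/"):
            findings.append(f"slash-mismatch {prefix} -> {target}")
        if any(prefix_matches(prefix, p) for p, _ in rules[:i]):
            findings.append(f"shadowed {prefix}")
        if target.startswith("ws://") and urlsplit(target).netloc in tls_backends:
            findings.append(f"plaintext-ws-to-tls-port {target}")
    for line in conf.splitlines():  # directives that switch off backend certificate checks
        if re.fullmatch(r"\s*(SSLProxyVerify\s+none|SSLProxyCheckPeer\w+\s+off)\s*", line, re.I):
            findings.append("backend-cert-check-off " + line.split()[0])
    return findings

if __name__ == "__main__":
    print(backend_url("/guacamole/app.css", proxypass_rules(SAMPLE_CONF)), *lint(SAMPLE_CONF), sep="\n")
```

Run against the `proxypass.conf` from post #68, where neither side of the ProxyPass line ends in a slash, `lint` returns no findings and `/guacamole/app.css` maps to a single-slash backend path.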


(Stephan) #73

Got it!
Created a Virtual Host instead of a standard path; now it works just fine without any config change.
Why or how I do not know, but it is working!

Update reverse proxy webrdp.xxxxxxxx.org
Name: webrdp.xxxxxxxx.org
Description:
Access from CIDR networks:
SSL/TLS certificate: chosen the right one
Require SSL encrypted connection: yes
Target URL internal: http://webrdp:8080/guacamole/
Accept invalid SSL certificate from target: yes
Forward HTTP “Host” header to target: yes

Kindly Regards
Stephan


(Alessio Fattorini) #74

I would edit the howto to point directly to the module page. What do you think?
I would remove database/configuration/certificate etc…


(Markus Neuberger) #75

The module link is already there. I kept the howto to share the technical details and the way we solved problems but you are right. I am going to have a look and tidy up the howto.


(Alessio Fattorini) #76

It’s all great. Just to not confuse people and go directly to the module installation…