Howto install guacamole

(Vinit Makol) #61

We have been testing guacamole for a few days now and it's been working beautifully. The combination of guacamole and multi-wan (and both of them working) has made things a lot easier.

I want to share some stats and see if it makes sense. The server we are running NS and guacamole on:
Model: ProLiant DL380 G6
CPU model: 16 x Intel® Xeon® CPU E5530 @ 2.40GHz
RAM: 8GB

We ran a test with three users with 6 remote desktop connections each and the memory usage peaked at 93%, and the 25th connection caused the connections to reset, and the pages needed to be reloaded. CPU usage remained less than 10% the whole time. Does this sound right?


(Markus Neuberger) #62

Thanks again for testing and feedback!

You mean the 5th user's 1st connection (4 x 6 + 1 = 25) resets all connections?

I did some research:

Guacamole itself should have no limits:
https://sourceforge.net/p/guacamole/discussion/1110834/thread/b425b9fe/

There seems to be a kind of browser tab connection limit:
https://sourceforge.net/p/guacamole/discussion/1110833/thread/ed44ddf9

Simultaneous connections are allowed by default, duplicates are not:
https://sourceforge.net/p/guacamole/discussion/1110834/thread/bb801fd6/


(Vinit Makol) #63

You are correct. We are doing some more tests…will post.


(Vinit Makol) #64

You are correct. The limits are on the browser side.


(Stephan) #65

Hi all,

I do have a problem after the update of the reverse proxy, also NethServer.
After the last updates for the reverse proxy I only get a blank page for Guacamole.
I checked everything and it seems OK.
The parameter flushpackets=on is set, but to me it seems that it is not used?
I know this problem from when the parameter is not set.
What can I do?
Before the update it worked absolutely fine.
Kind regards
StephanS


(Markus Neuberger) #66

Hi Stephan,

I updated too and guacamole is still working.

Are there errors in /var/log/messages or in /var/log/tomcat/*.log ?

Which version of proxypass do you have?

[root@testserver ~]# rpm -q nethserver-httpd-proxypass
nethserver-httpd-proxypass-3.2.1-1.ns7.noarch

Does the database exist?

mysql guacamole

Is the port open or maybe another application using similar port?

netstat -tlpn | grep 8080

Which packages are installed, just to be able to reproduce:

rpm -qa "nethserver-*"


(Stephan) #67

Okay, here is my config:

[root@DMZSERVER ~]# rpm -q nethserver-httpd-proxypass
nethserver-httpd-proxypass-3.2.1-1.ns7.noarch
Guacamole works perfectly inside my network, but as I use it to get to my systems with only https or http possible, I used the reverse proxy to use it from external.
The message log on the server that has the reverse proxy has nothing unusual.

The proxy conf file has these options defined in general:

SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
and for guacamole it is configured with these options:

ProxyPass: guacamole

Description:

ProxyPass /guacamole https://nexttv:8443/guacamole/ flushpackets=on
ProxyPassReverse /guacamole https://nexttv:8443/guacamole/
<Location /guacamole>
SSLRequireSSL

ProxyPass /guacamole/websocket-tunnel ws://nexttv:8443/guacamole/websocket-tunnel
ProxyPassReverse /guacamole/websocket-tunnel ws://nexttv:8443/guacamole/websocket-tunnel
<Location /guacamole/websocket-tunnel>

As it is working perfectly inside my network if I address the server directly, it must be the reverse proxy,
and I assume that the flushpackets option is not used; however, I have no error report.
May 14 20:46:34 DMZSERVER control-service: httpd restart
May 14 20:46:34 DMZSERVER systemd: Stopping The Apache HTTP Server...
May 14 20:46:37 DMZSERVER systemd: Starting The Apache HTTP Server...
May 14 20:46:39 DMZSERVER systemd: Started The Apache HTTP Server.

Here is the httpd ssl log when you access the site:
192.168.3.100 - - [14/May/2018:20:48:23 +0200] "GET /guacamole/app.css?v=0.9.13-incubating HTTP/1.1" 404 987
192.168.3.100 - - [14/May/2018:20:48:23 +0200] "GET /guacamole/webjars/angular-module-shim/0.0.4/angular-module-shim.js HTTP/1.1" 200 774
192.168.3.100 - - [14/May/2018:20:48:23 +0200] "GET /guacamole/app.js?v=0.9.13-incubating HTTP/1.1" 404 985
192.168.3.100 - - [14/May/2018:20:48:23 +0200] "GET /guacamole/webjars/angular-cookies/1.3.16/angular-cookies.min.js HTTP/1.1" 200 865
192.168.3.100 - - [14/May/2018:20:48:24 +0200] "GET /guacamole/app.js?v=0.9.13-incubating HTTP/1.1" 404 985
192.168.3.100 - - [14/May/2018:20:48:24 +0200] "GET /guacamole/images/logo-144.png HTTP/1.1" 200 9167

So I have no trace of what went wrong :frowning:

Any ideas?

Packages on the reverse proxy server:
[root@DMZSERVER ~]# rpm -qa "nethserver-*"
nethserver-diagtools-1.0.1-1.ns7.noarch
nethserver-cgp-2.1.3-1.ns7.noarch
nethserver-vsftpd-1.1.0-1.ns7.noarch
nethserver-lightsquid-1.1.2-1.ns7.noarch
nethserver-ddclient-1.0.5-1.ns7.sdl.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-release-7-5.ns7.noarch
nethserver-suricata-1.1.1-1.ns7.noarch
nethserver-lib-2.2.7-1.ns7.noarch
nethserver-mail-filter-1.4.4-1.ns7.noarch
nethserver-mail-smarthost-1.0.1-1.ns7.noarch
nethserver-firewall-base-ui-3.3.2-1.ns7.noarch
nethserver-libvirt-1.1.0-1.ns7.noarch
nethserver-duc-1.4.3-1.ns7.noarch
nethserver-base-3.1.5-1.ns7.noarch
nethserver-firewall-base-3.3.2-1.ns7.noarch
nethserver-mail-common-1.6.7-1.ns7.noarch
nethserver-letsencrypt-1.1.6-1.ns7.noarch
nethserver-httpd-3.2.1-1.ns7.noarch
nethserver-sssd-1.3.8-1.ns7.noarch
nethserver-wordpress-1.1.5-1.ns7.sdl.noarch
nethserver-awstats-0.1.5-1.ns7.sdl.noarch
nethserver-webvirtmgr-1.1.1-1.ns7.noarch
nethserver-lsm-1.2.3-1.ns7.noarch
nethserver-hosts-1.2.2-1.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch
nethserver-unbound-1.1.0-1.ns7.noarch
nethserver-rh-php56-php-fpm-1.0.0-1.ns7.noarch
nethserver-phonehome-1.3.0-1.ns7.noarch
nethserver-collectd-3.0.6-1.ns7.noarch
nethserver-lang-en-1.2.10-1.ns7.noarch
nethserver-httpd-virtualhosts-3.2.1-1.ns7.noarch
nethserver-stephdl-1.0.6-1.ns7.sdl.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-moodle-0.0.9-1.ns7.noarch
nethserver-antivirus-1.2.1-1.ns7.noarch
nethserver-net-snmp-1.1.0-1.ns7.noarch
nethserver-evebox-1.0.1-1.ns7.noarch
nethserver-openssh-1.2.2-1.ns7.noarch
nethserver-c-icap-1.1.0-1.ns7.noarch
nethserver-squidguard-1.8.0-1.ns7.noarch
nethserver-backup-config-2.0.4-1.ns7.noarch
nethserver-ndpi-1.1.1-1.ns7.noarch
nethserver-httpd-admin-2.2.1-1.ns7.noarch
nethserver-fail2ban-0.1.37-1.ns7.sdl.noarch
nethserver-httpd-proxypass-3.2.1-1.ns7.noarch
nethserver-squid-1.7.0-1.ns7.noarch
nethserver-pulledpork-2.1.2-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-mail-disclaimer-1.6.7-1.ns7.noarch
nethserver-squidclamav-3.0.0-1.ns7.noarch
nethserver-mysql-1.1.3-1.ns7.noarch
nethserver-dnsmasq-1.6.6-1.ns7.noarch
nethserver-ntopng-2.1.0-1.ns7.noarch

and these are from the target guacamole server:

[root@NEXTTV ~]# rpm -qa "nethserver-*"
nethserver-base-3.1.5-1.ns7.noarch
nethserver-httpd-3.2.0-1.ns7.noarch
nethserver-diagtools-1.0.1-1.ns7.noarch
nethserver-lang-en-1.2.10-1.ns7.noarch
nethserver-firewall-base-ui-3.3.2-1.ns7.noarch
nethserver-zabbix-0.0.1-6.ns7.noarch
nethserver-ejabberd-1.1.5-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-httpd-admin-2.2.1-1.ns7.noarch
nethserver-mysql-1.1.3-1.ns7.noarch
nethserver-rh-php56-php-fpm-1.0.0-1.ns7.noarch
nethserver-dnsmasq-1.6.6-1.ns7.noarch
nethserver-duc-1.4.3-1.ns7.noarch
nethserver-mrmarkuz-0.0.1-2.ns7.noarch
nethserver-letsencrypt-1.1.6-1.ns7.noarch
nethserver-stephdl-1.0.6-1.ns7.sdl.noarch
nethserver-net-snmp-1.1.0-1.ns7.noarch
nethserver-hosts-1.2.2-1.ns7.noarch
nethserver-pulledpork-2.1.2-1.ns7.noarch
nethserver-release-7-5.ns7.noarch
nethserver-lib-2.2.7-1.ns7.noarch
nethserver-firewall-base-3.3.2-1.ns7.noarch
nethserver-suricata-1.1.1-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-backup-config-2.0.4-1.ns7.noarch
nethserver-webvirtmgr-1.1.1-1.ns7.noarch
nethserver-nextcloud-1.2.0-1.ns7.noarch
nethserver-openssh-1.2.2-1.ns7.noarch
nethserver-fail2ban-0.1.37-1.ns7.sdl.noarch
nethserver-postgresql-1.1.0-1.ns7.noarch
nethserver-phonehome-1.3.0-1.ns7.noarch
nethserver-libvirt-1.1.0-1.ns7.noarch
nethserver-rh-php71-php-fpm-1.0.0-1.ns7.noarch
nethserver-sssd-1.3.7-1.ns7.noarch
nethserver-evebox-1.0.1-1.ns7.noarch
nethserver-mail-smarthost-1.0.1-1.ns7.noarch
nethserver-collectd-3.0.6-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-cgp-2.1.3-1.ns7.noarch
nethserver-redis-1.1.0-1.ns7.noarch
nethserver-lsm-1.2.3-1.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch
[root@NEXTTV ~]#

I hope you have a clue;)


(Markus Neuberger) #68

The module works on the same server and does the reverse proxying without need for manual settings or separate reverse proxy. Do you need to reverse proxy to another server?

EDIT:

I tried it with a separate reverse proxy and it worked via web UI:

This gives following proxypass.conf file:

#
# 10base
#
SSLProxyEngine on
# ProxyPass: guacamole
# Description:
ProxyPass   /guacamole   http://testserver.cmb.local:8080/guacamole
ProxyPassReverse   /guacamole   http://testserver.cmb.local:8080/guacamole
<Location /guacamole>
    SSLRequireSSL
</Location>

(Stephan) #69

Nope, for me sadly no effect.
The config way is as follows:
Router full port forward -> Firewall (Untangle) -> selective port forward to “DMZSERVER” Nethserver with reverse proxy; this server forwards to my internal sub servers which have different functions like webmail/nextcloud and the one server for guacamole.
I need the reverse proxy to address the different internal machines that have specific functions in my network.
What I do not understand: there is some data that is transferred, like the logo, but nothing else, which was the case every time before I activated the flushpackets option; after this option all forwards worked perfectly before the update.

And secondly, if it works in your case, what could have gone wrong for me, as we have the same config for this part?
I will think about it some more; if you have any additional ideas I am happy to hear them :wink:
Regards
Stephan


(Markus Neuberger) #70
  • You may enable proxy debugging in /etc/httpd/conf/httpd.conf by replacing

LogLevel warn

with

LogLevel error proxy:trace5

and then restart apache with

systemctl restart httpd

and then check the httpd error_log after trying to reach guacamole.

  • You didn’t install nethserver-guacamole. The module works without port 8443, there’s only 8080. You may give it a try.

  • I saw you use suricata. You may try to disable it for testing.

  • It seems some </Location> closings are missing in your config but maybe discourse misinterpreted some chars. Here is some help for formatting:

  • It works without ports too:
SSLProxyEngine on
<Location /guacamole/>
    SSLRequireSSL
    Order allow,deny
    Allow from all
    ProxyPass https://testserver.cmb.local/guacamole/ flushpackets=on
    ProxyPassReverse https://testserver.cmb.local/guacamole/
</Location>

<Location /guacamole/websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://testserver.cmb.local/guacamole/websocket-tunnel
    ProxyPassReverse ws://testserver.cmb.local/guacamole/websocket-tunnel
</Location>

(Stephan) #71

Okay, I will come back to you after the weekend; I have to solve some problems that have now emerged on the dedicated server. I think I will create a VM machine for this function, but I need more time than a few hours in the night :wink:

Thanks a lot for helping out; I will give you feedback on the final results.

regards
Stephan


(Stephan) #72

I need to come back to you.

One freshly installed reverse proxy system
One freshly installed guacamole system

Internally it works perfectly,
via reverse proxy nope.
The main difference is here:

192.168.2.104 - - [27/May/2018:16:32:55 +0200] "GET /guacamole// HTTP/1.1" 304 -
192.168.2.104 - - [27/May/2018:16:32:55 +0200] "GET /guacamole//app.css?v=0.9.13-incubating HTTP/1.1" 404 987
192.168.2.104 - - [27/May/2018:16:32:55 +0200] "GET /guacamole//app.js?v=0.9.13-incubating HTTP/1.1" 404 985
192.168.2.104 - - [27/May/2018:16:32:55 +0200] "GET /guacamole//app.js?v=0.9.13-incubating HTTP/1.1" 404 985
192.168.2.104 - - [27/May/2018:16:32:55 +0200] "GET /guacamole//images/logo-144.png HTTP/1.1" 200 9167
192.168.2.83 - - [27/May/2018:16:33:00 +0200] "GET /guacamole/ HTTP/1.1" 304 -
192.168.2.83 - - [27/May/2018:16:33:00 +0200] "GET /guacamole/api/patches HTTP/1.1" 200 352
192.168.2.83 - - [27/May/2018:16:33:00 +0200] "GET /guacamole/api/languages HTTP/1.1" 200 136
192.168.2.83 - - [27/May/2018:16:33:00 +0200] "POST /guacamole/api/tokens HTTP/1.1" 403 237
192.168.2.83 - - [27/May/2018:16:33:00 +0200] "GET /guacamole/images/logo-144.png HTTP/1.1" 200 9167

104 is the reverse proxy
83 is an internal client

It seems they ask differently,
but I do not get why.
Both systems were upgraded to the current patch level yesterday.
It must be that the reverse proxy is doing something other than a normal client.
And my second thought is: why can you not replicate this problem?
Again, I think the problem is the flushpackets option, but I do not find any error messages.
Kind regards
Stephan
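
Added example, not part of any post in this thread: Apache's mod_proxy documentation says that if the first `ProxyPass` argument ends in a trailing slash the second should too, and vice versa. The Python sketch below (`audit` and `backend_url` are hypothetical helper names) runs over the directives from post #67 and shows that mapping `/guacamole` onto a target ending in `/guacamole/` produces the `/guacamole//app.css` form seen in the 404 lines above; it also flags the disabled backend-certificate checks and the `ws://` target on a port the other directives reach over `https://`. It assumes the fresh setup in post #72 used the same directive shape.

```python
import re

# Constructed sample: the directives from post #67, copied into a string.
SAMPLE_CONF = """\
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass /guacamole https://nexttv:8443/guacamole/ flushpackets=on
ProxyPassReverse /guacamole https://nexttv:8443/guacamole/
ProxyPass /guacamole/websocket-tunnel ws://nexttv:8443/guacamole/websocket-tunnel
"""

# Values that switch off validation of the backend's TLS certificate.
WEAK_TLS = {"sslproxyverify": "none", "sslproxycheckpeercn": "off",
            "sslproxycheckpeername": "off", "sslproxycheckpeerexpire": "off"}


def backend_url(local, target, request_path):
    """Prefix mapping as mod_proxy does it: drop `local`, append the rest to `target`."""
    if not request_path.startswith(local):
        return None
    return target + request_path[len(local):]


def audit(conf):
    """Return (line_no, finding) tuples for a ProxyPass-style config (hypothetical helper)."""
    # Backends that at least one directive reaches over TLS.
    tls_backends = set(re.findall(r"(?:https|wss)://([^/\s]+)", conf))
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        name, value = parts[0].lower(), parts[1]
        if WEAK_TLS.get(name) == value.lower():
            findings.append((no, f"{parts[0]} {value}: backend certificate check disabled"))
        # Only the two-argument form "ProxyPass /path url" is checked below.
        if name != "proxypass" or len(parts) < 3 or not value.startswith("/"):
            continue
        local, target = value, parts[2]
        if local.endswith("/") != target.endswith("/"):
            probe = local.rstrip("/") + "/app.css"
            findings.append((no, f"slash mismatch: {probe} -> {backend_url(local, target, probe)}"))
        plain = re.match(r"(?:ws|http)://([^/\s]+)", target)
        if plain and plain.group(1) in tls_backends:
            findings.append((no, f"plaintext {target} to a backend also addressed with TLS"))
    return findings


if __name__ == "__main__":
    for no, finding in audit(SAMPLE_CONF):
        print(f"line {no}: {finding}")
```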


(Stephan) #73

Got it!
Created a Virtual Host instead of a standard path; now it works just fine without any config change.
Why or how I do not know, but it is working!

Update reverse proxy webrdp.xxxxxxxx.org
Name: webrdp.xxxxxxxx.org
Description:
Access from CIDR networks:
SSL/TLS certificate: chosen the right one
Require SSL encrypted connection: yes
Target URL internal: http://webrdp:8080/guacamole/
Accept invalid SSL certificate from target: yes
Forward HTTP “Host” header to target: yes

Kindly Regards
Stephan


(Alessio Fattorini) #74

I would edit the howto to point directly to the module page. What do you think?
I would remove database/configuration/certificate etc…


(Markus Neuberger) #75

The module link is already there. I kept the howto to share the technical details and the way we solved problems but you are right. I am going to have a look and tidy up the howto.


(Alessio Fattorini) #76

It’s all great. Just to not confuse people and go directly to the module installation…


(Pedro Sitan) #77

I installed the module, but when I try to access it via https://xxxxxxx.com/guacamole it just shows me

failure: 404
1 / guacamole /

I tried to fix it with the previous support from @mrmarkuz, but it always shows the same error. However, I have a doubt about the mariadb service: I understand that it does not start because another daemon is running with the same socket.

[root@xxxx conf.d]# systemctl status mariadb -l
● mariadb.service - MariaDB database server
Loaded: loaded (/usr/lib/systemd/system/mariadb.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2018-08-29 13:27:58 CST; 16min ago

Aug 29 13:27:58 xxx.xxxx.localdomain systemd[1]: Starting MariaDB database server...
Aug 29 13:27:58 xxx.xxxx.localdomain mariadb-prepare-db-dir[11661]: Socket file /var/lib/mysql/mysql.sock exists.
Aug 29 13:27:58 xxx.xxxx.localdomain mariadb-prepare-db-dir[11661]: Is another MySQL daemon already running with the same unix socket?
Aug 29 13:27:58 xxx.xxxx.localdomain systemd[1]: mariadb.service: control process exited, code=exited status=1
Aug 29 13:27:58 xxx.xxxx.localdomain systemd[1]: Failed to start MariaDB database server.
Aug 29 13:27:58 xxx.xxxx.localdomain systemd[1]: Unit mariadb.service entered failed state.
Aug 29 13:27:58 xxx.xxxx.localdomain systemd[1]: mariadb.service failed.

Can you help me?

The MySQL service is running without any problem.

mysql -e "show databases;"
+--------------------+
| Database           |
+--------------------+
| information_schema |
| guacamole          |
| mysql              |
| nextcloud          |
| ocsweb             |
| performance_schema |
| roundcubemail      |
| smbaudit           |
| sogo               |
+--------------------+

When I access from my LAN https://192.168.25.1/guacamole

Works perfectly


(Markus Neuberger) #78

Are you able to see the nethserver default page when you browse to yourdomain.com?

Do you have a router between Internet and your Nethserver or is Nethserver your gateway? You may need to port forward 80 and 443 to your Nethserver.

Usually if it works in LAN it has to work from outside too.

You may try systemctl status mysqld -l to see if the service is running.


(Pedro Sitan) #79

Yes I can access from wan using mydomain.com

[root@motodo conf.d]# systemctl status mysqld -l
● mysqld.service - MariaDB database server
Loaded: loaded (/usr/lib/systemd/system/mysqld.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-08-29 13:43:16 CST; 46min ago
Main PID: 13981 (mysqld_safe)
CGroup: /system.slice/mysqld.service
├─13981 /bin/sh /usr/bin/mysqld_safe --basedir=/usr
└─14154 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file=/var/run/mariadb/mariadb.pid --socket=/var/lib/mysql/mysql.sock

Aug 29 13:43:14 motodo.central.localdomain systemd[1]: Starting MariaDB database server...
Aug 29 13:43:14 motodo.central.localdomain mariadb-prepare-db-dir[13949]: Database MariaDB is probably initialized in /var/lib/mysql already, nothing is done.
Aug 29 13:43:14 motodo.central.localdomain mariadb-prepare-db-dir[13949]: If this is not the case, make sure the /var/lib/mysql is empty before running mariadb-prepare-db-dir.
Aug 29 13:43:14 motodo.central.localdomain mysqld_safe[13981]: 180829 13:43:14 mysqld_safe Logging to '/var/log/mariadb/mariadb.log'.
Aug 29 13:43:14 motodo.central.localdomain mysqld_safe[13981]: 180829 13:43:14 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
Aug 29 13:43:16 motodo.central.localdomain systemd[1]: Started MariaDB database server.

This is the result of checking the mysql status.

I use ocsinventory and it was the same error, but I don't use that from outside.


(Markus Neuberger) #80

Sorry, I can’t reproduce.

Do you see errors in /var/log/messages or /var/log/httpd/* ?

Does it work in another browser?

Can you post a screenshot?