Install Apache Guacamole on Ubuntu

First of all, do a clean install of Ubuntu. For me, I used Proxmox LXC.

For Proxmox LXC, IPv6 needs to be disabled in the container, as below.

 Set net.ipv6.conf.all.disable_ipv6=1 in /etc/sysctl.conf

Update the system as follows.

apt-get update -y

Install dependencies

apt-get install make gcc g++ libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin libossp-uuid-dev libavcodec-dev libavutil-dev libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libvncserver-dev libtelnet-dev libssl-dev libvorbis-dev libwebp-dev -y

Install Tomcat Server

apt-get install tomcat9 tomcat9-admin tomcat9-common tomcat9-user -y

Start and enable Tomcat, then check its status

systemctl start tomcat9
systemctl enable tomcat9
systemctl status tomcat9

Install Guacamole

It can be downloaded with wget as below. But I downloaded the latest version.

wget https://downloads.apache.org/guacamole/1.1.0/source/guacamole-server-1.1.0.tar.gz

Extract it

tar -xvzf guacamole-server-1.1.0.tar.gz

Run the config script

cd guacamole-server-1.1.0
./configure --with-init-dir=/etc/init.d

Compile and install

make
make install

Update your system’s cache of installed libraries

ldconfig

Enable and start guacd, then check its status

systemctl enable guacd
systemctl start guacd
systemctl status guacd

Install the Guacamole client. Same as the server, it can be downloaded with wget, and I downloaded the latest version.

wget https://mirrors.estointernet.in/apache/guacamole/1.1.0/binary/guacamole-1.1.0.war

Move the WAR file to /etc/guacamole

mkdir /etc/guacamole
mv guacamole-1.1.0.war /etc/guacamole/guacamole.war

Create a symbolic link to the Guacamole client in the Tomcat webapps directory

ln -s /etc/guacamole/guacamole.war /var/lib/tomcat9/webapps/

Restart Tomcat and Guacamole

systemctl restart tomcat9
systemctl restart guacd

Configure Guacamole

nano /etc/guacamole/guacamole.properties

Add the following lines

guacd-hostname: localhost
guacd-port:    4822
user-mapping:    /etc/guacamole/user-mapping.xml

Create two folders

mkdir /etc/guacamole/{extensions,lib}

Set the Guacamole home directory environment variable by adding it to the /etc/default/tomcat9 configuration file

echo "GUACAMOLE_HOME=/etc/guacamole" >> /etc/default/tomcat9

Generate the MD5 hash of a password

echo -n password | openssl md5

Keep the output for the next step

(stdin)= xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Create a new user-mapping.xml

nano /etc/guacamole/user-mapping.xml

Add the following code

<user-mapping>
    <authorize 
            username="admin"
            password="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
            encoding="md5">

        <connection name="Ubuntu20.04-Server">
            <protocol>ssh</protocol>
            <param name="hostname">192.168.11.10</param>
            <param name="port">22</param>
            <param name="username">root</param>
        </connection>
        <connection name="Windows Server">
            <protocol>rdp</protocol>
            <param name="hostname">192.168.11.20</param>
            <param name="port">3389</param>
        </connection>
    </authorize>
</user-mapping>

Restart Tomcat and Guacamole.

systemctl restart tomcat9
systemctl restart guacd

At this point, Guacamole is already usable at http://your-server-ip:8080/guacamole.

After that, configure Nginx as a reverse proxy.

apt-get install nginx -y

Create a virtual host

nano /etc/nginx/sites-available/guacamole.conf

Add the following code

server {
        listen 80;
        server_name your-server-ip;
        access_log  /var/log/nginx/guac_access.log;
        error_log  /var/log/nginx/guac_error.log;

        location / {
                    proxy_pass http://your-server-ip:8080/guacamole/;
                    proxy_buffering off;
                    proxy_http_version 1.1;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection $http_connection;
                    proxy_cookie_path /guacamole/ /;
        }

}

Enable the Nginx virtual host by creating a symbolic link.

ln -s /etc/nginx/sites-available/guacamole.conf /etc/nginx/sites-enabled/

Restart Nginx

systemctl restart nginx

Now Guacamole can be accessed from http://your-server-ip.

To have better security, I added Let’s Encrypt.

apt install certbot python3-certbot-nginx

Run certbot to get the cert

certbot --nginx

Then follow the instructions to get the cert.

Once it is done, the SSL part will have been added to the Guacamole virtual host file in Nginx.

I then added database authentication.

apt install mariadb-server

Secure the database installation

mysql_secure_installation

Download the MySQL Connector/J (Java Connector)

wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-8.0.26.tar.gz

Extract the tar file and copy it to /etc/guacamole/lib/

tar -xf mysql-connector-java-8.0.26.tar.gz
sudo cp mysql-connector-java-8.0.26/mysql-connector-java-8.0.26.jar /etc/guacamole/lib/

Download the JDBC auth plugin for Apache Guacamole. Its version must match the version of Guacamole installed above.

wget https://downloads.apache.org/guacamole/1.3.0/binary/guacamole-auth-jdbc-1.3.0.tar.gz

Extract the tar file and copy it to /etc/guacamole/extensions/

tar -xf guacamole-auth-jdbc-1.3.0.tar.gz
sudo mv guacamole-auth-jdbc-1.3.0/mysql/guacamole-auth-jdbc-mysql-1.3.0.jar /etc/guacamole/extensions/

Log in to MySQL as the root user.

mysql -u root -p

Run the commands below to create and set up the database.

ALTER USER 'root'@'localhost' IDENTIFIED BY 'password'; 
CREATE DATABASE guacamole_db; 
CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'password'; 
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost'; 
FLUSH PRIVILEGES;

Then quit the MySQL shell.

Locate the schema files in the extracted directory for the JDBC plugin

cd guacamole-auth-jdbc-1.3.0/mysql/schema

Import those SQL schema files into the MySQL database.

cat *.sql | mysql -u root -p guacamole_db

Update the properties file for Guacamole.

nano /etc/guacamole/guacamole.properties

Paste in the following configuration settings, replacing [password] with the password of the new guacamole_user that you created for the database.

# MySQL properties
mysql-hostname: 127.0.0.1
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: [password]

Restart all related services.

systemctl restart tomcat9 guacd mysql
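
At this point both /etc/guacamole/user-mapping.xml and /etc/guacamole/guacamole.properties hold credentials. The following is an added example, not part of the original post, that audits those two files for world-readable permissions, MD5 or plain-text passwords, and leftover placeholder values; the function name audit_guac_home and the finding labels are illustrative, and the sample files are constructed.

```shell
# Added example, not from the original post: audit the credential files this
# guide creates under GUACAMOLE_HOME. Prints one finding per line.
audit_guac_home() {
    dir=$1
    props=$dir/guacamole.properties
    map=$dir/user-mapping.xml

    # Both files hold credentials, so other local users need no read access.
    for f in "$props" "$map"; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -perm -004)" ]; then
            echo "PERM $f is readable by every local user"
        fi
    done

    # Flatten the XML so a multi-line <authorize ...> tag matches as one unit,
    # then report how each account's password is stored (default: plain).
    if [ -f "$map" ]; then
        tr '\n' ' ' < "$map" | grep -o '<authorize[^>]*>' | while read -r tag; do
            user=$(printf '%s\n' "$tag" | sed -n 's/.*username="\([^"]*\)".*/\1/p')
            enc=$(printf '%s\n' "$tag" | sed -n 's/.*encoding="\([^"]*\)".*/\1/p')
            case ${enc:-plain} in
                md5)   echo "HASH user '$user' is stored as unsalted MD5" ;;
                plain) echo "HASH user '$user' is stored in plain text" ;;
            esac
        done
    fi

    # The guide's literal placeholder values must not reach a live server.
    if [ -f "$props" ] && grep -Eq \
        '^mysql-password:[[:space:]]*(\[password\]|password)[[:space:]]*$' "$props"
    then
        echo "WEAK $props still uses the guide's placeholder mysql-password"
    fi
}

# Constructed sample input: the two files as the guide writes them.
demo=$(mktemp -d)
cat > "$demo/user-mapping.xml" <<'EOF'
<user-mapping>
    <authorize
            username="admin"
            password="xxxxxxxx"
            encoding="md5">
    </authorize>
</user-mapping>
EOF
printf 'mysql-password: [password]\n' > "$demo/guacamole.properties"
chmod 644 "$demo/user-mapping.xml" "$demo/guacamole.properties"
audit_guac_home "$demo"
```

Run it as audit_guac_home /etc/guacamole on the server. For the PERM findings, restricting both files to root and the group Tomcat runs as (assumed here to be tomcat, as with Ubuntu's tomcat9 package) with mode 640 keeps them readable by Guacamole only.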

Then access Guacamole; the default username is guacadmin and the default password is guacadmin.

After that, create a new admin account, and change the guacadmin password.

To have better security, I added TOTP.

Go to the official website to download the TOTP plugin.

http://guacamole.apache.org/releases/

Then extract the tar to get the jar file. Copy the jar file to GUACAMOLE_HOME/extensions.

After that, access Guacamole again; it should ask you to set up TOTP.

Once everything is done for Guacamole, remember to set up the Cloudflare Tunnel with HTTPS.
