GUACAMOLE SERVER Instructions
Guacamole works, and its performance depends on the network you are using. If you do not have time to spend on this, a commercial solution you can trust is:
Wallix Bastion (https://www.wallix.com/modules-bastion/).
(See the ANSSI CSPN certification: https://www.ssi.gouv.fr/entreprise/certification_cspn/wallix-adminbastion-version-3-1-9-avec-correctifs-de-securite-3354-5420-et-5435/)
Server Names
For remote control from the Internet: 'http://remoteclear.c2n.u-psud.fr'
For remote control from the intranet: 'http://remoteclear-lan.c2n.u-psud.fr'
Guacamole Server Installation from .DEB
sudo add-apt-repository ppa:guacamole/stable
sudo apt update
# check the repository entries added by the PPA
sudo joe /etc/debconf.conf
sudo joe /etc/apt/sources.list
ls
sudo joe /etc/apt/sources.list.d/guacamole-ubuntu-stable-bionic.list
sudo apt update
sudo apt-get install guacamole
sudo apt-get install libguac-client-*
Guacamole installation from sources (better)
# install required packages
add-apt-repository ppa:webupd8team/java
apt -y update
apt -y upgrade
apt -y dist-upgrade
apt -y install libcairo2-dev libjpeg-turbo8-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev git build-essential autoconf libtool tomcat8 tomcat8-admin tomcat8-common tomcat8-docs tomcat8-user maven mysql-server mysql-client mysql-common mysql-utilities ghostscript wget maven-repo-helper maven-ant-helper default-jdk
# the client build (maven) needs JAVA_HOME; same value as in the "Compiling from sources" section
export JAVA_HOME=/usr/lib/jvm/default-java
# create directories
mkdir -p /etc/guacamole
mkdir -p /etc/guacamole/lib
mkdir -p /etc/guacamole/extensions
# configure GUACAMOLE_HOME for tomcat
echo "" >> /etc/default/tomcat8
echo "# GUACAMOLE ENV VARIABLE" >> /etc/default/tomcat8
echo "GUACAMOLE_HOME=/etc/guacamole" >> /etc/default/tomcat8
cd /opt
# install guacamole server
git clone https://github.com/apache/incubator-guacamole-server.git
cd incubator-guacamole-server/
autoreconf -fi
./configure --with-init-dir=/etc/init.d
make && make install
systemctl enable guacd
To enable the service at boot time you can also run:
sudo update-rc.d guacd defaults
# install guacamole client (web app)
Before compiling the Guacamole client, you have to get the sources:
cd /opt
git clone https://github.com/apache/guacamole-client.git
cd guacamole-client
Then you have to modify some pom.xml files (paths relative to the guacamole-client directory you just entered):
nano ./guacamole-ext/pom.xml
nano ./guacamole-common/pom.xml
changing them as follows.
If the project uses source/target 8, adding <source>8</source> to the javadoc plugin configuration makes the project buildable on JDK 11, 12 and 13:
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-javadoc-plugin</artifactId>
    <configuration>
        <source>8</source>
    </configuration>
    ...
</plugin>
mvn package
cp ./guacamole/target/guacamole-1.1.0.war /var/lib/tomcat8/webapps/
cp ./extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/target/guacamole-auth-jdbc-mysql-0.9.10-incubating.jar /etc/guacamole/extensions/
cp ./extensions/guacamole-auth-ldap/target/guacamole-auth-ldap-0.9.10-incubating.jar /etc/guacamole/extensions/
# install mysql connector
wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.40.tar.gz
tar xf mysql-conn*
cp mysql-connector-java-5.1.40/mysql-connector-java-5.1.40-bin.jar /etc/guacamole/lib/
ln -s /usr/local/lib/freerdp/* /usr/lib/x86_64-linux-gnu/freerdp/.
# configure mysql for guacamole
echo "mysql-hostname: localhost" >> /etc/guacamole/guacamole.properties
echo "mysql-port: 3306" >> /etc/guacamole/guacamole.properties
echo "mysql-database: guacamole_db" >> /etc/guacamole/guacamole.properties
echo "mysql-username: guacamole_user" >> /etc/guacamole/guacamole.properties
echo "mysql-password: PASSWORD" >> /etc/guacamole/guacamole.properties
# link guacamole dir to tomcat
rm -rf /usr/share/tomcat8/.guacamole
ln -s /etc/guacamole /usr/share/tomcat8/.guacamole
service tomcat8 restart
# provision the guacamole database
mysql -u root -pMYSQLROOTPASSWORD
create database guacamole_db;
create user 'guacamole_user'@'localhost' identified by 'PASSWORD';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
flush privileges;
quit
# the client sources were cloned into /opt/guacamole-client above
cat /opt/guacamole-client/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/*.sql | mysql -u root \
-pMYSQLROOTPASSWORD guacamole_db
# TODO: include instructions for ldap integration
systemctl restart guacd
systemctl restart tomcat8
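The properties file written above holds the database password in clear text, and the echo >> lines append a second copy of every key each time the script is re-run. As an added example that is not part of the original notes, the following POSIX shell script writes the same file in one go and restricts its permissions so that only root and the Tomcat service group can read it. The file path used in the demo call, the group name tomcat8 and the password value are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original notes): write guacamole.properties
# atomically with respect to its keys and keep it unreadable to other users.

write_guac_properties() {
    # $1 = destination file, $2 = database password, $3 = group allowed to read it
    dest=$1; dbpass=$2; group=$3
    old_umask=$(umask)
    umask 077                         # a new file is created as rw-------
    cat > "$dest" <<EOF
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822
# MySQL authentication backend (guacamole-auth-jdbc-mysql)
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: $dbpass
EOF
    umask "$old_umask"
    # umask only applies to newly created files; chmod also fixes an existing
    # file that was world-readable. The service account reads through its group.
    if getent group "$group" >/dev/null 2>&1 && chgrp "$group" "$dest" 2>/dev/null; then
        chmod 640 "$dest"
    else
        chmod 600 "$dest"             # group missing or not permitted: root only
    fi
}

# Count how many times a key occurs in a properties file (1 is what we want;
# the echo >> approach yields 2, 3, ... after repeated runs).
count_key() {
    grep -c "^$2:" "$1"
}

# Permission bits as ls prints them, e.g. -rw-r-----.
file_mode() {
    ls -l "$1" | cut -c 1-10
}

# Demo with constructed values (real deployment: /etc/guacamole/guacamole.properties).
DEMO_PROPS="${TMPDIR:-/tmp}/guacamole.properties.demo.$$"
write_guac_properties "$DEMO_PROPS" "CONSTRUCTED-EXAMPLE-PASSWORD" "tomcat8"
echo "mode: $(file_mode "$DEMO_PROPS"), mysql-password occurs $(count_key "$DEMO_PROPS" mysql-password) time(s)"
```

Run it as root on the server with the real path; after the script has run, a `grep -c '^mysql-password:' /etc/guacamole/guacamole.properties` should print 1 no matter how many times it was executed.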
Once the compilation of the Guacamole client is done, the result is in /target as a tar.gz.
Untar it, and in the extracted directory build the web archive with jar:
jar -cvf guacamole.war *
This generates a .war file that you copy into the webapps directory of tomcat8:
sudo cp guacamole.war /var/lib/tomcat8/webapps/
Guacamole Configuration files
In /etc/guacamole/guacamole.properties:
guacd-hostname: localhost
guacd-port: 4822
user-mapping: /etc/guacamole/user-mapping.xml
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml
#lib-directory: /var/lib/tomcat8/webapps/guacamole/WEB-INF/classes
Guacamole configuration
sudo joe /etc/guacamole/guacamole.properties
sudo joe /etc/guacamole/user-mapping.xml
# the web app reads guacamole.properties at startup, so restart it after editing
sudo systemctl restart tomcat8
<user-mapping>
    <authorize
        username="stephane"
        password="ff4a146903c58ec0fc543a630115ec44"
        encoding="md5">
        <connection name="S4800">
            <protocol>rdp</protocol>
            <param name="hostname">192.168.72.38</param>
            <param name="port">3389</param>
            <param name="server-layout">fr-fr-azerty</param>
            <param name="color-depth">16</param>
            <param name="enable-printing">false</param>
        </connection>
    </authorize>
</user-mapping>
Each protocol has its own options. Below are some tips for configuring these protocols with common parameters.
VNC and password
<user-mapping>
    <authorize
        username="stephane"
        password="ff4a146903c58ec0fc543a630115ec44"
        encoding="md5">
        <connection name="machine2">
            <protocol>vnc</protocol>
            <param name="hostname">192.168.???.???</param>
            <param name="port">5900</param>
            <param name="password">******</param>
        </connection>
    </authorize>
</user-mapping>
Tips for Guacamole configuration
Installation from Ubuntu packages (.deb)
You need to manually add guacamole.war (the Java web client) to the Tomcat 8 machine: just put the .war file in the /var/lib/tomcat8/webapps directory and the default behaviour is to install and deploy the webapp automatically.
Be careful to take the version of the .war that matches the version of guacd installed on your server.
Example /etc/guacamole/guacamole.properties:
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822
# Auth provider class (authenticates user/pass combination, needed if using the provided login screen)
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml
/etc/guacamole/tomcat.xml:
<Context path="/guacamole" docBase="/usr/share/guacamole/guacamole">
    <Resources allowLinking="true" />
</Context>
Which machines specific users may access is configured in /etc/guacamole/user-mapping.xml:
<user-mapping>
    <!-- Example user configurations are given below. For more information,
         see the user-mapping.xml section of the Guacamole configuration
         documentation: http://guac-dev.org/Configuring%20Guacamole -->
    <!-- Per-user authentication and config information -->
    <authorize username="stephane" password="58tsxxj96">
        <connection name="TerraNova">
            <protocol>ssh</protocol>
            <param name="hostname">192.168.0.2</param>
            <param name="port">22</param>
            <param name="server-layout">fr-fr-azerty</param>
        </connection>
        <connection name="MediaCenter">
            <protocol>ssh</protocol>
            <param name="hostname">192.168.0.9</param>
            <param name="port">22</param>
            <param name="server-layout">fr-fr-azerty</param>
        </connection>
        <connection name="KidPaddle">
            <protocol>ssh</protocol>
            <param name="hostname">192.168.0.5</param>
            <param name="port">22</param>
            <param name="server-layout">fr-fr-azerty</param>
        </connection>
    </authorize>
    <!-- Another user, but using md5 to hash the password
         (example below uses the md5 hash of "PASSWORD") -->
    <!--
    <authorize
        username="USERNAME2"
        password="319f4d26e3c536b5dd871bb2c52e3178"
        encoding="md5">
        <protocol>vnc</protocol>
        <param name="hostname">localhost</param>
        <param name="port">5901</param>
        <param name="password">VNCPASS</param>
    </authorize>
    -->
</user-mapping>
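The mapping above stores the stephane password in clear text, while its commented-out entry (like the S4800 and VNC examples earlier) uses encoding="md5" with the MD5 hash of "PASSWORD". As an added example that is not part of the original notes, the following POSIX shell helpers compute the digest that goes into password="..." and count the <authorize> entries of a user-mapping.xml that still carry a clear-text password. The sample mapping, its user names and addresses are constructed for this example; it needs md5sum (or openssl as a fallback) and a POSIX awk.

```shell
#!/bin/sh
# Added example (not from the original notes): helpers for user-mapping.xml.
#  - guac_md5 prints the hex MD5 digest of a password, the value that goes into
#    password="..." when the <authorize> element has encoding="md5".
#  - count_plaintext_authorize counts <authorize> elements without
#    encoding="md5", i.e. entries whose password is stored in clear text.

guac_md5() {
    # printf, not echo: echo would append a newline and change the digest.
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d ' ' -f 1
    else
        printf '%s' "$1" | openssl dgst -md5 | awk '{ print $NF }'
    fi
}

count_plaintext_authorize() {
    # Split the file on '<' so every XML tag starts a record; records that
    # begin with "authorize" plus whitespace are <authorize ...> opening tags,
    # even when the attributes are spread over several lines. Tags inside
    # <!-- --> comments are counted as well, so review the hits by hand.
    awk 'BEGIN { RS = "<" }
         /^authorize[[:space:]]/ { if ($0 !~ /encoding="md5"/) n++ }
         END { print n + 0 }' "$1"
}

# Constructed sample mapping: one clear-text user and one hashed user.
SAMPLE_MAPPING="${TMPDIR:-/tmp}/user-mapping-sample.$$.xml"
cat > "$SAMPLE_MAPPING" <<'EOF'
<user-mapping>
    <authorize username="alice" password="clear-text-secret">
        <connection name="host1">
            <protocol>ssh</protocol>
            <param name="hostname">192.0.2.10</param>
            <param name="port">22</param>
        </connection>
    </authorize>
    <authorize
        username="bob"
        password="319f4d26e3c536b5dd871bb2c52e3178"
        encoding="md5">
        <connection name="host2">
            <protocol>vnc</protocol>
            <param name="hostname">192.0.2.11</param>
            <param name="port">5900</param>
        </connection>
    </authorize>
</user-mapping>
EOF

echo "md5 of PASSWORD: $(guac_md5 PASSWORD)"
echo "clear-text authorize entries in sample: $(count_plaintext_authorize "$SAMPLE_MAPPING")"
```

Run `count_plaintext_authorize /etc/guacamole/user-mapping.xml` after every edit of the mapping; the goal is 0. Note that an unsalted MD5 of a password is cheap to brute-force if the file leaks, so the hashing only helps together with tight permissions on user-mapping.xml, and the connection <param name="password"> values (the VNC passwords) stay in clear text in any case.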
Configuring Tomcat 8 (the Java machine)
If the Tomcat manager webapp answers "You are not authorized to view this page" and you have not changed any configuration files, examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials that let you use this webapp.
For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above:
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
Note that from Tomcat 7 onwards, the roles required to use the manager application were changed from the single manager role to the following four roles. You will need to assign the role(s) required for the functionality you wish to access.
manager-gui - allows access to the HTML GUI and the status pages
manager-script - allows access to the text interface and the status pages
manager-jmx - allows access to the JMX proxy and the status pages
manager-status - allows access to the status pages only
The HTML interface is protected against CSRF but the text and JMX interfaces are not. To maintain the CSRF protection:
Users with the manager-gui role should not be granted either the manager-script or manager-jmx roles. If the text or jmx interfaces are accessed through a browser (e.g. for testing since these interfaces are intended for tools not humans) then the browser must be closed afterwards to terminate the session.
For more information - please see the Manager App HOW-TO.
Changing the Tomcat port
In the file /etc/tomcat8/server.xml:
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
Compiling from sources
Basic instructions for the server and the client are here:
http://guacamole.apache.org/doc/gug/installing-guacamole.html#building-guacamole-server
To simplify, here are the commands to copy and paste:
sudo apt-get install build-essential
sudo apt-get install libcairo2-dev libjpeg-turbo8-dev libpng-dev libossp-uuid-dev
and the optional packages (the build is better with them):
sudo apt-get install libavcodec-dev libavutil-dev libswscale-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev
For the git code of the server you will need to run:
autoreconf -fi
For the client (in Java), don't forget to set up JAVA_HOME:
export JAVA_HOME=/usr/lib/jvm/default-java
echo $JAVA_HOME
Installing packages:
sudo apt install openjdk-11-jdk javacc
For the server compilation: http://guacamole.apache.org/doc/gug/installing-guacamole.html#building-guacamole-server
Configuring the reverse proxy for the C2N setup
The server name is remoteclear. From the Internet its IP is 129.175.134.79;
from the intranet the server name is remoteclear-lan and its IP is 192.168.70.103.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name remoteclear remoteclear-lan remoteclear.c2n.u-psud.fr remoteclear-lan.c2n.u-psud.fr;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        # try_files $uri $uri/ =404;
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
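The location block above forwards plain HTTP requests, but it does not pass the WebSocket upgrade headers, so clients behind this proxy fall back to Guacamole's slower HTTP tunnel. The Guacamole manual's nginx example adds proxy_buffering off, proxy_http_version 1.1 and the Upgrade/Connection headers for that reason. As an added example that is not part of the original notes, the following POSIX shell script audits an nginx location block for those directives and runs itself against a copy of the block above and against a corrected version; the file names and the corrected block are constructed for this example (the TLS listener, still commented out above, is a separate matter that this check does not cover).

```shell
#!/bin/sh
# Added example (not from the original notes): check an nginx config that
# proxies Guacamole for the directives recommended in the Guacamole manual.

# One required directive per line, in the form the manual shows.
REQUIRED_DIRECTIVES='proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'

# Print each required directive that is absent from the config file $1.
# "#" comments are stripped and whitespace runs collapsed before matching.
missing_proxy_directives() {
    normalized=$(sed 's/#.*//' "$1" | tr '\t' ' ' | tr -s ' ')
    printf '%s\n' "$REQUIRED_DIRECTIVES" | while IFS= read -r directive; do
        printf '%s\n' "$normalized" | grep -qF -- "$directive" \
            || printf '%s\n' "$directive"
    done
}

# Number of missing directives; 0 means the block is complete.
count_missing_proxy_directives() {
    missing_proxy_directives "$1" | grep -c . || true
}

# Constructed copy of the location block from the notes (weak: no WebSocket support).
WEAK_CONF="${TMPDIR:-/tmp}/guac-proxy-weak.$$.conf"
cat > "$WEAK_CONF" <<'EOF'
location / {
    # try_files $uri $uri/ =404;
    proxy_pass http://localhost:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
EOF

# Constructed corrected block following the Guacamole manual's nginx example.
FIXED_CONF="${TMPDIR:-/tmp}/guac-proxy-fixed.$$.conf"
cat > "$FIXED_CONF" <<'EOF'
location /guacamole/ {
    proxy_pass http://localhost:8080/guacamole/;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
}
EOF

echo "weak block is missing:"
missing_proxy_directives "$WEAK_CONF"
echo "fixed block is missing $(count_missing_proxy_directives "$FIXED_CONF") directive(s)"
```

Point `missing_proxy_directives` at /etc/nginx/sites-enabled/default (or wherever the server block lives) after editing it; an empty result means the WebSocket tunnel can pass through the proxy.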
If NGINX is not installed:
sudo apt-get install nginx