servers:guacamole

GUACAMOLE SERVER Instructions

guacamole is working and the performances are linked to the network you are using. but in case you do not have time to spend with this you can trust:

La solution est Wallix Bastion (https://www.wallix.com/modules-bastion/).

(cf. certification CSPN ANSSI : https://www.ssi.gouv.fr/entreprise/certification_cspn/wallix-adminbastion-version-3-1-9-avec-correctifs-de-securite-3354-5420-et-5435/)

Server Names

for remote control from internet : 'http://remoteclear.c2n.u-psud.fr'

for remote control from intranet: 'http://remoteclear-lan.c2n.u-psud.fr'

Guacamole Server Installation from .DEB

sudo add-apt-repository ppa:guacamole/stable
sudo update
sudo joe /etc/debconf.conf 
sudo joe /etc/apt/sources.list
ls
sudo joe /etc/apt/sources.list.d/guacamole-ubuntu-stable-bionic.list
sudo update
sudo apt-get install guacamole 
sudo apt-get install libguac-client-*
Bash

Guacamole installation from sources (better)

https://guacamole.apache.org/doc/gug/installing-guacamole.html#building-guacamole-server

# install required packages

add-apt-repository ppa:webupd8team/java
apt -y update
apt -y upgrade
apt -y dist-upgrade
apt -y install libcairo2-dev libjpeg-turbo8-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev git build-essential autoconf libtool tomcat8 tomcat8-admin tomcat8-common tomcat8-docs tomcat8-user maven mysql-server mysql-client mysql-common mysql-utilities libpulse-dev libvorbis-dev  ghostscript wget libfreerdp-dev maven-repo-helper maven-ant-helper default-jdk

export JAVA_HOME
Bash

# create directories

mkdir -p /etc/guacamole
mkdir -p /etc/guacamole/lib
mkdir -p /etc/guacamole/extensions
Bash

# configure GUACAMOLE_HOME for tomcat

echo "" >> /etc/default/tomcat8
echo "# GUACAMOLE ENV VARIABLE" >> /etc/default/tomcat8
echo "GUACAMOLE_HOME=/etc/guacamole" >> /etc/default/tomcat8
cd /opt
Bash

# install guacamole server

git clone https://github.com/apache/incubator-guacamole-server.git
cd incubator-guacamole-server/
autoreconf -fi
./configure --with-init-dir=/etc/init.d
make && make install
systemctl enable guacd
Bash

To enable the service @boot time for the server you can also do 

sudo update-rc.d guacd defaults
Bash

# install guacamole client (web app)

Before compiling the guacamole client, you have to get the sources 

cd /opt
git clone https://github.com/apache/guacamole-client.git
cd guacamole-client
Bash
Then you have to modify some pom.xml files like this. 
nano ./guacamole-client/guacamole-ext/pom.xml
nano ./guacamole-client/guacamole-common/pom.xml
Bash
and changing as following

If the project uses source/target 8, adding <source>8</source> in javadoc configuration should make the project buildable on jdk {11, 12, 13}: 

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-javadoc-plugin</artifactId>
    <configuration>
      <source>8</source>
    </configuration>
     ...
  </plugin>
XML

mvn package
cp ./guacamole/target/guacamole-1.1.0.war /var/lib/tomcat8/webapps/
cp ./extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/target/guacamole-auth-jdbc-mysql-0.9.10-incubating.jar /etc/guacamole/extensions/
cp ./extensions/guacamole-auth-ldap/target/guacamole-auth-ldap-0.9.10-incubating.jar /etc/guacamole/extensions/
Bash

# install mysql connector

wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.40.tar.gz
tar xf mysql-conn*
cp mysql-connector-java-5.1.40/mysql-connector-java-5.1.40-bin.jar /etc/guacamole/lib/
ln -s /usr/local/lib/freerdp/* /usr/lib/x86_64-linux-gnu/freerdp/.
Bash

# configure mysql for guacamole

echo "mysql-hostname: localhost" >> /etc/guacamole/guacamole.properties
echo "mysql-port: 3306" >> /etc/guacamole/guacamole.properties
echo "mysql-database: guacamole_db" >> /etc/guacamole/guacamole.properties
echo "mysql-username: guacamole_user" >> /etc/guacamole/guacamole.properties
echo "mysql-password: PASSWORD" >> /etc/guacamole/guacamole.properties
Bash

rm -rf /usr/share/tomcat8/.guacamole
ln -s /etc/guacamole /usr/share/tomcat8/.guacamole
service tomcat8 restart
Bash

# provision the guacamole database

mysql -u root -pMYSQLROOTPASSWORD
create database guacamole_db;
create user 'guacamole_user'@'localhost' identified by 'PASSWORD';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
flush privileges;
quit
cat /opt/incubator-guacamole-client/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/*.sql | mysql -u root \
-pMYSQLROOTPASSWORD guacamole_db
SQL

# TODO: include instructions for ldap integration

systemctl restart guacd
systemctl restart tomcat8
Bash

Compilation of guacamole client, once it is done is in /target as tar.gz. You have to untar it and in the directory you have to use jar 

jar -cvf guacamole.war *
Bash
this will genrate a .war file that you copy in the wabapp of tomcat8 
sudo cp guacamole.war /var/lib/tomcat8/webapps/
Bash

Guacamole Configuration files

in /etc/guacamole/guacamole.properties 

guacd-hostname: localhost
guacd-port:    4822
user-mapping:    /etc/guacamole/user-mapping.xml
auth-provider:    net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping:    /etc/guacamole/user-mapping.xml
#lib-directory: /var/lib/tomcat8/webapps/guacamole/WEB-INF/classes
Bash

Guacamole configuration

sudo joe /etc/guacamole/guacamole.properties 
sudo joe /etc/guacamole/user-mapping.xml 
sudo update
Bash

<user-mapping>

        <authorize 
                username="stephane" 
                password="ff4a146903c58ec0fc543a630115ec44"
                encoding="md5">
        
                <connection name="S4800">
                        <protocol>rdp</protocol>
                        <param name="hostname">192.168.72.38</param>
                        <param name="port">3389</param>
                        <param name="server-layout">fr-fr-azerty</param>
                        <param name="color-depth">16</param>
                        <param name="enable-printing">false</param>
                
                </connection>
                        
        </authorize>
        
</user-mapping>
XML

There are some options for each kind of protocol. Hereafter you will find some tips to configure these protocol with common parameters

VNC and password

<user-mapping>

        <authorize 
                username="stephane" 
                password="ff4a146903c58ec0fc543a630115ec44"
                encoding="md5">
        
                <connection name="machine2">
                        <protocol>vnc</protocol>
                        <param name="hostname">192.168.???.???</param>
                        <param name="port">5900</param>
                        <param name="password">******</param>                
                </connection>
                        
        </authorize>
        
</user-mapping>
XML

Tips for guacamole Configuration

Installation

from ubuntu packages .deb You need to manually add the guacamole.war java client execution soft to the TOMCAT 8 machine.
just put the .war file to the /var/lib/tomcat8/webapp directory and the default behaviour should be to install and deploy the webapp automatically.
Be careful to take the right version of the .war for your right server version of guacd.

exemple /etc/guacamole/guacamole.properties 

# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

# Auth provider class (authenticates user/pass combination, needed if using the provided login screen)
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml
Bash

/etc/guacamole/tomcat.xml 

<Context path="/guacamole" docBase="/usr/share/guacamole/guacamole">
 <Resources allowLinking="true" />
</Context>
XML

configuration of the machines access for specific users is done in /etc/guacamole/user-mapping.xml 

<user-mapping>

    <!-- Example user configurations are given below. For more information,
         see the user-mapping.xml section of the Guacamole configuration
         documentation: http://guac-dev.org/Configuring%20Guacamole -->

    <!-- Per-user authentication and config information -->
    <authorize username="stephane" password="58tsxxj96">
    	<connection name="TerraNova">
    		<protocol>ssh</protocol>
    		<param name="hostname">192.168.0.2</param>
    		<param name="port">22</param>
    		<param name="server-layout">fr-fr-azerty</param>
    	</connection>
    	<connection name="MediaCenter">
    		<protocol>ssh</protocol>
    		<param name="hostname">192.168.0.9</param>
    		<param name="port">22</param>
    		<param name="server-layout">fr-fr-azerty</param>
    	</connection>
    	<connection name="KidPaddle">
    		<protocol>ssh</protocol>
    		<param name="hostname">192.168.0.5</param>
    		<param name="port">22</param>
    		<param name="server-layout">fr-fr-azerty</param>
    	</connection>
    	
    </authorize>


    <!-- Another user, but using md5 to hash the password
         (example below uses the md5 hash of "PASSWORD") -->
    <!--
    <authorize 
            username="USERNAME2"
            password="319f4d26e3c536b5dd871bb2c52e3178"
            encoding="md5">
        <protocol>vnc</protocol>
        <param name="hostname">localhost</param>
        <param name="port">5901</param>
        <param name="password">VNCPASS</param>
    </authorize>
    -->

</user-mapping>
XML

Configuring Tomcat 8 the Java Machine

You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials to let you use this webapp.

For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.

<role rolename=“manager-gui”/> <user username=“tomcat” password=“s3cret” roles=“manager-gui”/>

Note that for Tomcat 7 onwards, the roles required to use the manager application were changed from the single manager role to the following four roles. You will need to assign the role(s) required for the functionality you wish to access. 

  manager-gui - allows access to the HTML GUI and the status pages
  manager-script - allows access to the text interface and the status pages
  manager-jmx - allows access to the JMX proxy and the status pages
  manager-status - allows access to the status pages only

The HTML interface is protected against CSRF but the text and JMX interfaces are not. To maintain the CSRF protection: 

  Users with the manager-gui role should not be granted either the manager-script or manager-jmx roles.
  If the text or jmx interfaces are accessed through a browser (e.g. for testing since these interfaces are intended for tools not humans) then the browser must be closed afterwards to terminate the session.

For more information - please see the Manager App HOW-TO.

Changing Tomcat Port

in the file /etc/tomcat8/server.xml 

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
XML

Compiling from sources

Basic instructions for the server and the client are there:
http://guacamole.apache.org/doc/gug/installing-guacamole.html#building-guacamole-server
to simplify I give the instruction to copy and paste: 

sudo apt-get install build-essential
sudo apt-get install libcairo2-dev libjpeg-turbo8-dev libpng-dev libossp-uuid-dev
Bash
and the optionnal package but it will be better with 
sudo apt-get install libavcodec-dev  libavutil-dev libswscale-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libvorbis-dev  libwebp-dev
Bash

For the git code for the server you will need to do: 

autoreconf -fi
Bash

For the client (in JAVA) don't forget to set up the JAVA_HOME 

export JAVA_HOME=/usr/lib/jvm/default-java
echo $JAVA_HOME
Bash

Installing packages: 

sudo apt install openjdk-11-jdk javacc
Bash

For the server compilation: http://guacamole.apache.org/doc/gug/installing-guacamole.html#building-guacamole-server

Configuring ReverseProxy for C2N configuration

The server name is remoteclear. From internet the IP is 129.175.134.79 from intranet : the sever name is remoteclear-lan and the IP is 192.168.70.103 

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name remoteclear remoteclear-lan remoteclear.c2n.u-psud.fr remoteclear-lan.c2n.u-psud.fr;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #


        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                # try_files $uri $uri/ =404;
                proxy_pass      http://localhost:8080;
                proxy_set_header Host      $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

}
nginx

Si NGINX n'est pas installé: 

sudo apt-get install nginx
Bash

  • servers/guacamole.txt
  • Last modified: 2021/09/14 15:20
  • by stephane