guacamole under Debian

Apache Guacamole is a clientless remote desktop gateway – with it you can access an RDP-enabled Windows PC from an ordinary web browser over HTTP[S]. below – notes taken while setting it up under Debian 10.

docker

commands taken from this guide, just the first step:

apt-get update
apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
apt-get update
apt-cache policy docker-ce
apt-get install docker-ce

guacamole installation

taken from here

docker pull guacamole/guacamole
docker pull guacamole/guacd
docker pull mysql/mysql-server
docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql > initdb.sql
docker run --name example-mysql -e MYSQL_RANDOM_ROOT_PASSWORD=yes -e MYSQL_ONETIME_PASSWORD=yes -d mysql/mysql-server
# get the initial mysql password, write it down:
docker logs example-mysql 2>&1 |grep "GENERATED ROOT PASSWORD"
docker cp initdb.sql example-mysql:/guac_db.sql
docker exec -it example-mysql bash
# now you're in a shell inside the mysql container
# log in to mysql with the password grep'ed in the earlier step
mysql -u root -p
# set a new password; don't copy & paste this literally - come up with something better
ALTER USER 'root'@'localhost' IDENTIFIED BY 'new_root_password';
CREATE DATABASE guacamole_db;
# same here - pick a long, random password instead of this placeholder
CREATE USER 'guacamole_user'@'%' IDENTIFIED BY 'guacamole_user_password';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'%';
FLUSH PRIVILEGES;
exit;
# create schemas needed for guacamole
cat guac_db.sql | mysql -u root -p guacamole_db
# exit the mysql container
exit

docker run --name example-guacd -d guacamole/guacd

# below - provide credentials for the newly created mysql user
docker run --name example-guacamole --link example-guacd:guacd --link example-mysql:mysql -e MYSQL_DATABASE='guacamole_db' -e MYSQL_USER='guacamole_user' -e MYSQL_PASSWORD='guacamole_user_password' -d -p 127.0.0.1:8080:8080 guacamole/guacamole
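
the post tells you to replace the two placeholder passwords; the script below (an added example, not from the original post) generates them, renders the same SQL statements with the generated values, and writes the guacamole container's MYSQL_* settings into an env-file so the secret is passed with `docker run --env-file` instead of sitting in shell history. container and user names follow the post; the file names guac_setup.sql and guacamole.env are my own choice.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the two MySQL
# passwords the post tells you to invent, render the post's SQL with them,
# and put the guacamole container's MYSQL_* settings into an env-file.
# Container and user names are the post's; guac_setup.sql and guacamole.env
# are file names chosen here.
set -eu

# 32-character password from /dev/urandom: base64, then the characters
# that would need quoting in SQL or shell (/ + =) removed.
gen_password() {
    head -c 48 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-32
}

# The statements the post runs by hand inside the mysql container,
# with $1 = new root password and $2 = guacamole_user password.
render_sql() {
    cat <<EOF
ALTER USER 'root'@'localhost' IDENTIFIED BY '$1';
CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'%' IDENTIFIED BY '$2';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'%';
FLUSH PRIVILEGES;
EOF
}

# docker --env-file format (KEY=value, no quoting); $1 = guacamole_user password.
render_env_file() {
    printf 'MYSQL_DATABASE=guacamole_db\nMYSQL_USER=guacamole_user\nMYSQL_PASSWORD=%s\n' "$1"
}

main() {
    root_pw=$(gen_password)
    guac_pw=$(gen_password)
    umask 077   # both files contain secrets: owner-readable only
    render_sql "$root_pw" "$guac_pw" > guac_setup.sql
    render_env_file "$guac_pw" > guacamole.env
    printf 'new mysql root password (store it somewhere safe): %s\n' "$root_pw"
    cat <<'EOF'
next steps (the post's commands, with the files generated here):
  docker cp guac_setup.sql example-mysql:/guac_setup.sql
  docker exec -it example-mysql sh -c 'mysql -u root -p < /guac_setup.sql'
  docker exec -it example-mysql sh -c 'mysql -u root -p guacamole_db < /guac_db.sql'
  docker run --name example-guacamole --link example-guacd:guacd --link example-mysql:mysql \
      --env-file guacamole.env -d -p 127.0.0.1:8080:8080 guacamole/guacamole
EOF
}

# Generate only when asked, so the functions can be sourced on their own.
if [ "${1:-}" = generate ]; then main; fi
```

run it as `sh guac-creds.sh generate`; mysql still prompts for the one-time root password on the tty, and the ALTER USER at the top of the rendered file is what clears the expired-password state before the remaining statements run.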

at this stage guacamole is ready for use, but it listens only on the loopback interface.

nginx

to expose it to the internet i’ve set up nginx with an https cert from let’s encrypt

apt-get install nginx python-certbot-nginx

change the server_name in /etc/nginx/sites-enabled/default to the FQDN

service nginx restart
certbot
# follow the steps to issue https cert for the chosen domain name

in /etc/nginx/sites-enabled/default add this in the https vhost section:

location / {
    proxy_pass http://localhost:8080/guacamole/;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
}

and another nginx restart to apply that change:

service nginx restart

guacamole use

if all went fine https://my.domain/ should give access to guacamole’s web interface. the default credentials are guacadmin/guacadmin; after logging in change them to something more secure via menu > settings > preferences.

to make Windows Server 2016 reachable from guacamole i had to go to its control panel > system > remote settings and un-tick [ ] allow connections only from computers running remote desktop with network level authentication.

in guacamole’s admin panel under settings > connections create a new one, select:

  • protocol – rdp
  • maximum number of connections – 1
  • maximum number of connections for user – 1
  • hostname – address of the windows server that’s reachable over RDP
  • port – likely 3389
  • username, password – windows credentials
  • security mode – any
  • ignore server certificate [x] tick

save, connect from guacamole’s home page. it works surprisingly well!

disclaimer – it’s a rough sketch of how to get the initial setup done. i strongly suggest securing it by:

  • having http auth at the nginx level for the whole URI reverse-proxied to guacamole
  • adding a firewall on the linux server that blocks incoming/outgoing traffic besides the absolute necessities [ incoming 443, outgoing 3389 + perhaps http for unattended debian updates ]
  • a firewall on the windows server blocking any incoming traffic except RDP from the server hosting guacamole
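
two of the points above – guacamole bound to loopback only (the -p 127.0.0.1:8080:8080 from the docker step) and http auth in front of the nginx location – can be verified on the box. the script below is an added example, not from the original post: it parses `ss -Hltn` output and the nginx vhost, and renders the htpasswd entry plus the auth_basic directives to add to the location block. the htpasswd path and realm name are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post: check the two cheapest items of
# the hardening list on a live box, and render the nginx basic-auth bits.
# File and realm names are chosen here, not taken from the post.
set -eu

# $1 = text of `ss -Hltn`, $2 = port. Returns 0 only when something listens
# on that port and every such socket is bound to 127.0.0.1 or [::1]; the
# post publishes guacamole with -p 127.0.0.1:8080:8080, so 8080 must pass.
check_loopback_only() {
    printf '%s\n' "$1" | awk -v port="$2" '
        { addr = $4; n = split(addr, a, ":"); if (a[n] != port) next
          found = 1; sub(":" port "$", "", addr)
          if (addr != "127.0.0.1" && addr != "[::1]") bad = 1 }
        END { exit ((found && !bad) ? 0 : 1) }'
}

# $1 = nginx vhost text. Returns 0 when the "location /" block that proxies
# guacamole carries an auth_basic_user_file directive.
check_nginx_auth() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*location \/[[:space:]]*[{]/ { inblock = 1 }
        inblock && /auth_basic_user_file/ { ok = 1 }
        inblock && /^[[:space:]]*[}]/ { inblock = 0 }
        END { exit (ok ? 0 : 1) }'
}

# One htpasswd line for user $1 / password $2, apr1 (MD5-crypt) as nginx
# expects; the password goes to openssl over stdin, not argv.
htpasswd_entry() {
    printf '%s:%s\n' "$1" "$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin)"
}

# Directives to add inside the location block; $1 = htpasswd file path.
render_nginx_auth() {
    printf '    auth_basic "guacamole";\n    auth_basic_user_file %s;\n' "$1"
}

main() {
    if check_loopback_only "$(ss -Hltn)" 8080; then
        echo "ok: port 8080 listens on loopback only"
    else
        echo "WARN: port 8080 is missing or reachable on a non-loopback address"
    fi
    if check_nginx_auth "$(cat /etc/nginx/sites-enabled/default)"; then
        echo "ok: nginx location / has basic auth"
    else
        echo "WARN: nginx location / has no auth_basic_user_file; add:"
        render_nginx_auth /etc/nginx/guacamole.htpasswd
    fi
}

# Check the live system only when asked, so the functions can be sourced.
if [ "${1:-}" = live ]; then main; fi
```

run `sh guac-check.sh live` after the nginx step; to enable the auth, write `htpasswd_entry someuser 'somepassword' > /etc/nginx/guacamole.htpasswd` (owned by root, readable by the nginx user), paste the rendered directives into the location block, and restart nginx as in the post.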

i assumed that the connection between guacamole and the RDP server is secure – hence ignoring the server’s certificate. you might want to revisit that.
