{"id":3032,"date":"2019-12-01T17:39:48","date_gmt":"2019-12-01T16:39:48","guid":{"rendered":"https:\/\/kudzia.eu\/b\/?p=3032"},"modified":"2019-12-01T19:55:58","modified_gmt":"2019-12-01T18:55:58","slug":"guacamole-under-debian","status":"publish","type":"post","link":"https:\/\/kudzia.eu\/b\/2019\/12\/guacamole-under-debian\/","title":{"rendered":"guacamole under Debian"},"content":{"rendered":"

Apache Guacamole is a clientless remote desktop gateway – with it you can access RDP-enabled Windows PC using ordinary web browser and HTTP[S]. below – notes taken while setting it up under Debian 10.<\/p>\n

<\/p>\n

docker<\/h2>\n

commands taken from this guide<\/a>, just the first step:<\/p>\n

\r\napt-get update\r\napt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common\r\ncurl -fsSL https:\/\/download.docker.com\/linux\/debian\/gpg | apt-key add -\r\nadd-apt-repository "deb [arch=amd64] https:\/\/download.docker.com\/linux\/debian $(lsb_release -cs) stable"\r\napt-get update\r\napt-cache policy docker-ce\r\napt-get install docker-ce\r\n<\/pre>\n
guacamole installation<\/h2>\n
taken from here<\/a><\/p>\n
\r\ndocker pull guacamole\/guacamole\r\ndocker pull guacamole\/guacd\r\ndocker pull mysql\/mysql-server\r\ndocker run --rm guacamole\/guacamole \/opt\/guacamole\/bin\/initdb.sh --mysql > initdb.sql\r\ndocker run --name example-mysql -e MYSQL_RANDOM_ROOT_PASSWORD=yes -e MYSQL_ONETIME_PASSWORD=yes -d mysql\/mysql-server\r\n# get the initial mysql password, write it down:\r\ndocker logs example-mysql 2>&1 |grep "GENERATED ROOT PASSWORD"\r\ndocker cp initdb.sql example-mysql:\/guac_db.sql\r\ndocker exec -it example-mysql bash\r\n# now you're in a shell of a container with mysql \r\n# log in to mysql with password grep'ed in the the earlier step\r\nmysql -u root -p\r\n# set a new password; don't copy & paste this literally - come up with something better\r\nALTER USER 'root'@'localhost' IDENTIFIED BY 'new_root_password';\r\nCREATE DATABASE guacamole_db;\r\n# also below be more creative - come up with complex pass\r\nCREATE USER 'guacamole_user'@'%' IDENTIFIED BY 'guacamole_user_password';\r\nGRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'%';\r\nFLUSH PRIVILEGES;\r\nexit;\r\n# create schemas needed for guacamole\r\ncat guac_db.sql | mysql -u root -p guacamole_db\r\n# exit the mysql container\r\nexit\r\n\r\ndocker run --name example-guacd -d guacamole\/guacd\r\n\r\n# below - provide credentials for the newly created mysql user\r\ndocker run --name example-guacamole --link example-guacd:guacd --link example-mysql:mysql -e MYSQL_DATABASE='guacamole_db' -e MYSQL_USER='guacamole_user' -e MYSQL_PASSWORD='guacamole_user_password' -d -p 127.0.0.1:8080:8080 guacamole\/guacamole\r\n<\/pre>\n
at this stage guacamole is ready for use, but it listens only on the loop-back.<\/p>\n
nginx<\/h2>\n
to expose it to the internet i’ve set up nginx with https cert from lets encrypt<\/p>\n
\r\napt-get install nginx python-certbot-nginx\r\n<\/pre>\n
change the server_name in \/etc\/nginx\/sites-enabled\/default to FQDN <\/p>\n
\r\nservice nginx restart\r\ncertbot\r\n# follow the steps to issue https cert for the chosen domain name\r\n<\/pre>\n
in \/etc\/nginx\/sites-enabled\/default add this in the https vhost section:<\/p>\n
\r\nlocation \/ {\r\nproxy_pass http:\/\/localhost:8080\/guacamole\/;\r\nproxy_buffering off;\r\nproxy_http_version 1.1;\r\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\r\nproxy_set_header Upgrade $http_upgrade;\r\nproxy_set_header Connection $http_connection;\r\n}\r\n<\/pre>\n
and another nginx restart to apply that change:<\/p>\n
\r\nservice nginx restart\r\n<\/pre>\n
guacamole use<\/h2>\n
if all went fine https:\/\/my.domain\/ should give access to guacamole’s web interface. the default credentials are guacadmin\/guacadmin. after logging in change them to something more secure via menu > settings > preferences. <\/p>\n
to make Windows Server 2016 reachable from guacamole i had to go to its control panel > system > remote settings and un-tick [ ] allow connections only from computers running remote desktop with network level authentication.<\/p>\n
in gaucamole’s admin panel under settings > connections create a new one, select:<\/p>\n
    \n
  • protocol – rdp<\/li>\n
  • maximum number of connections – 1<\/li>\n
  • maximum number of connections for user – 1<\/li>\n
  • hostname – address of the windows server that’s reachable over RDP<\/li>\n
  • port – likely 3389<\/li>\n
  • username, password – windows credentials<\/li>\n
  • security mode – any<\/li>\n
  • ignore server certificate [x] tick <\/li>\n<\/ul>\n
    save, connect from guacamole’s home page. it works surprisingly well!<\/p>\n
    disclaimer – it’s a rough sketch how to get the initial setup done. i strongly suggest to secure it by:<\/p>\n
      \n
    • having http-auth on the nginx level for whole URI reverse-proxied to guacamole<\/li>\n
    • adding firewall on the linux server preventing incoming\/outgoing traffic besides the absolute necessities [ incoming 443, outgoing 3389 + perhaps http for unattended debian updates ]<\/li>\n
    • firewall on the windows server preventing any incoming traffic except RDP from the server hosting guacamole<\/li>\n<\/ul>\n
      i assumed that connection between guacamole and the RDP server is secure – hence ignoring the server’s certificate. you might want to revisit it.<\/p>\n","protected":false},"excerpt":{"rendered":"
      Apache Guacamole is a clientless remote desktop gateway – with it you can access RDP-enabled Windows PC using ordinary web browser and HTTP[S]. below – notes taken while setting it up under Debian 10.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51],"tags":[],"class_list":["post-3032","post","type-post","status-publish","format-standard","hentry","category-unimportant"],"_links":{"self":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3032","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/comments?post=3032"}],"version-history":[{"count":11,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3032\/revisions"}],"predecessor-version":[{"id":3043,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/posts\/3032\/revisions\/3043"}],"wp:attachment":[{"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/media?parent=3032"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/categories?post=3032"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kudzia.eu\/b\/wp-json\/wp\/v2\/tags?post=3032"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}