[Support] jasonbean - Apache Guacamole


Message added by Taddeusz,

Before upgrading to 1.5.0 you need to have first upgraded to 1.4.0-3 of the container. I discovered that prior to 1.4.0-3 it was not shutting down MariaDB correctly and causing the database to be left in a dirty state.

 

If after upgrading to 1.5.0 you discover that MariaDB is stopping and the log mentions something about needing to open the database in an older version of MariaDB you should downgrade specifically to 1.4.0-3, start the container and make sure it's running correctly. Then you may upgrade to 1.5.0.


Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, SSH, and Telnet. This docker primarily has a MariaDB (MySQL) database built-in for authentication and configuration. It also has support for LDAP authentication and configuration as well as Duo two-factor authentication.

 

For general usage of Apache Guacamole the full manual is located here: https://guacamole.apache.org/doc/gug/

 

The different authentication methods can be enabled or disabled through the template. MySQL is the default authentication and configuration method.

 

Template Options

OPT_MYSQL: Y(default) / N

OPT_MYSQL_EXTENSION: Y / N(default)

OPT_SQLSERVER: Y / N(default)

OPT_LDAP: Y / N(default)

OPT_DUO: Y / N(default)

OPT_CAS: Y / N(default)

OPT_OPENID: Y / N(default)

OPT_TOTP: Y / N(default)

OPT_QUICKCONNECT: Y / N(default)

 

Note: MySQL, SQL Server, and LDAP cannot be used at the same time. Duo two-factor can be used with MySQL, SQL Server, or LDAP authentication.

 

Microsoft SQL Server Authentication/Configuration

For SQL Server support modify your guacamole.properties file as follows:

  • Create a database on your SQL Server
  • Execute the SQL scripts found in the sqlserver-schema folder on the new database you created.
  • Comment the MySQL properties.
  • Uncomment the SQL Server properties.
  • Modify SQL Server properties to match your configuration.

Further instructions can be found here: https://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-sqlserver

 

LDAP Authentication/Configuration

For LDAP authentication modify your guacamole.properties file as follows:

  • Comment the MySQL properties.
  • Uncomment the LDAP properties.
  • Modify LDAP properties to match your configuration.

Further instructions can be found here: https://guacamole.apache.org/doc/gug/ldap-auth.html

 

Duo Two-Factor Authentication

For Duo two-factor authentication uncomment the Duo properties in your guacamole.properties and follow these instructions:

 

https://guacamole.apache.org/doc/gug/duo-auth.html#guac-duo-config

 

  • 4/4/2017
    • Upgraded to Apache Guacamole 0.9.12-incubating.
    • Upgraded MySQL Java Connector to 5.1.41.
  • 8/2/2017
    • Upgraded to Apache Guacamole 0.9.13-incubating.
    • Upgraded MySQL Java Connector to 5.1.43.
    • Database schema upgrades to 0.9.13.
  • 8/4/2017
    • Added all optional libraries for guacd to enable all features.
    • Got rid of log warning by moving the offending symbolic link creation from firstrun.sh to Dockerfile.
  • 8/7/2017
    • Upgraded to phusion/baseimage 0.9.22.
    • Upgraded to MariaDB 10.2.
    • Upgraded to Tomcat 8.
  • 12/16/2017
    • Added Powerline fonts to support Oh My Zsh agnoster theme.
  • 1/24/2018
    • Upgraded to Apache Guacamole 0.9.14.
    • Upgraded MySQL Java Connector to 5.1.45
    • Added Microsoft SQL Server JDBC 6.2.2 driver.
    • Converted to multi-stage Docker to reduce size.
    • Ability to downgrade using a tag (e.g. jasonbean/guacamole:0.9.13)
  • 6/7/2018
    • Added GhostScript to allow remote printing.
  • 6/8/2018
    • Changed location of Tomcat catalina.out log file /config/guacamole/log to improve troubleshooting.
    • Attempt to mitigate a file permissions problem by always setting 755 permissions on container start.
  • 6/11/2018
    • Fixed creation of /config/guacamole/log folder so that it will exist when Tomcat is started.
    • Corrected a regression error introduced when switching to a multi-stage build.
  • 6/12/2018
    • Modified unRAID template to make this a privileged container so that Tomcat will run correctly.
    • Added more logging messages and ensure that the database doesn't get created when the guacamole.properties file doesn't exist.
    • Modified so that all Tomcat logs get placed in guacamole/log directory.
  • 8/18/2018
    • tyler43636 submitted pull request to add the tzdata package to correct for the RTC being set to the local time rather than UTC.
  • 9/24/2018
    • Modified the firstrun.sh script so that the MySQL schema files are copied to /config when OPT_MYSQL is set "Y" in case someone wants to use an external MySQL or MariaDB database.
  • 1/10/2019
    • Upgraded to Apache Guacamole 1.0.0.
    • BIG UPGRADE!
      • Thanks to the Guacamole team my build process has been greatly improved.
      • Now uses the Debian base container just like the guacd Docker container from Apache.
      • Retooled entire run process to use tini/supervisor to manage services.
      • Added version that comes without MariaDB so that container size is halved if you have an external database source or use the default authentication.
  • 2/23/2020
    • Upgraded to Apache Guacamole 1.1.0.
      • Changed to debian:stable-slim base container to shave off some size.
      • No database schema changes.
  • 7/5/2020
    • Upgraded to Apache Guacamole 1.2.0.
    • Fixed problem with OpenID extension so that it would load before all other auth extensions.
    • No database schema changes.
  • 11/29/2020
    • Added -s argument to tini to make sure it can subreap if not PID 1.
  • 12/6/2020
    • Implemented PUID and PGID environment variables to run tasks in non-root and match nobody user in file system.
    • Cleaned up code to improve maintainability.
  • 12/14/2020
    • Fixed regression to restore OPT_MYSQL_EXTENSION.
  • 1/9/2021
    • Upgraded to Apache Guacamole 1.3.0.
  • 5/30/2021
    • Merged changes from Sean to add logrotate to prevent Catalina log from growing forever.
  • 1/12/2022
    • Upgraded to Apache Guacamole 1.4.0.
    • Changed to install latest version of Tomcat directly from Apache since the Debian Buster repository contains an old version.
  • 11/11/2022
    • Updated MariaDB install process.
    • Cleaned up code.
    • New build to update Tomcat.
  • 3/18/2023
    • Correct how mysqld loads so that it shuts down correctly.
  • 3/21/2023
    • Upgraded to Apache Guacamole 1.5.0.
  • 3/24/2023
    • Added missing dependency for guacd.
  • 4/14/2023
    • Upgraded to Apache Guacamole 1.5.1.
    • Removed privileged from template.
    • Changed to OpenJDK 11 to fix OpenID.
  • 5/26/2023
    • Upgraded to Apache Guacamole 1.5.2.
    • Implemented client log level.
    • Simplified Dockerfile.
  • 8/4/2023
    • Upgraded to Apache Guacamole 1.5.3.
  • 1/10/2023
    • Upgrade to Apache Guacamole 1.5.4.
    • Simplify versioning.

Edited by Taddeusz
Upgraded to Apache Guacamole 1.5.4.
Link to comment
  • 2 weeks later...

Hi, just trying to get this docker running, one issue I'm struggling with.

 

setup is here behind an apache reverse proxy

 

outside -> apache reverse proxy -> apache guacamole

 

Now when trying to access my connections, when using the Chrome browser it times out with an error that it can't connect, using IE11 it's working ...

 

Any idea what the reason could be?

Link to comment

I'm now using the letsencrypt docker which uses Nginx and, IMHO, it works better than Apache. However, for Guacamole to be used at its full potential you need to also forward web sockets. I had this set up when I was using Apache. Here is the snippet I used and I have obfuscated my vital information. Keep in mind this requires the proxy_wstunnel module:

<VirtualHost *:443 *:8443>
	ServerName <external_hostname>

	SSLEngine On
	SSLProxyEngine On
	SSLCertificateFile /etc/apache2/ssl/guacamole.crt
	SSLCertificateKeyFile /etc/apache2/ssl/guacamole.pem

	ProxyPass / http://<Internal_IP>:<port>/
	ProxyPassReverse / http://<Internal_IP>:<port>/
	<Location /guacamole/websocket-tunnel>
		Order allow,deny
		Allow from all
		ProxyPass ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
		ProxyPassReverse ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
	</Location>
</VirtualHost>

FYI, the reason I say Nginx works better is that using Apache I would get odd errors when disconnecting from remote computers. Using Nginx I get none of those errors and seems to work as is intended.

Link to comment
20 hours ago, Taddeusz said:

I'm now using the letsencrypt docker which uses Nginx and, IMHO, it works better than Apache. However, for Guacamole to be used at its full potential you need to also forward web sockets. I had this set up when I was using Apache. Here is the snippet I used and I have obfuscated my vital information. Keep in mind this requires the proxy_wstunnel module:


<VirtualHost *:443 *:8443>
	ServerName <external_hostname>

	SSLEngine On
	SSLProxyEngine On
	SSLCertificateFile /etc/apache2/ssl/guacamole.crt
	SSLCertificateKeyFile /etc/apache2/ssl/guacamole.pem

	ProxyPass / http://<Internal_IP>:<port>/
	ProxyPassReverse / http://<Internal_IP>:<port>/
	<Location /guacamole/websocket-tunnel>
		Order allow,deny
		Allow from all
		ProxyPass ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
		ProxyPassReverse ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
	</Location>
</VirtualHost>

FYI, the reason I say Nginx works better is that using Apache I would get odd errors when disconnecting from remote computers. Using Nginx I get none of those errors and seems to work as is intended.

 

Hi, thanks for the tip, actually, same result as before ... websocket module is loaded by default already.

 

My virtual host looks like this (I don't need any SSL)

 

<VirtualHost *:81>
    ServerName remote.mydomain.de
    ProxyPass        /    http://192.168.1.2:10080/
    ProxyPassReverse    /    http://192.168.1.2:10080/
    <Location /guacamole/websocket-tunnel>
        Order allow,deny
        Allow from all
        ProxyPass ws://192.168.1.2:10080/guacamole/websocket-tunnel
        ProxyPassReverse ws://192.168.1.2:10080/guacamole/websocket-tunnel
    </Location>
</VirtualHost>

 

After some tests it's probably the Chrome portable here at work in combination with being behind the work proxy ...

It just puzzles me that the Internet Explorer 11 here acts just fine, also my other reverse proxies are working, for example the jdownloader2 one which also uses guacamole rdp ... very strange ;) thanks anyway, in case you may have another hint ;)

 

Outside work on a normal PC, all browsers work, Chrome, Internet Explorer, ...

At work behind the proxy, Internet Explorer works, Chrome does not.

Link to comment
1 hour ago, Taddeusz said:

What are the errors you are seeing?

 

Actually none ... I try to check in the guacamole log but I don't see anything there ...

 

It just times out ... waiting around 10 seconds and then it asks to repeat or go back to the start page

 

Example (I'm at work actually)

 

Feb 28 16:45:11 84cbd06e816d guacd[1223]: SSH connection successful.
Feb 28 16:45:11 84cbd06e816d guacd[1223]: SSH connection successful.
Feb 28 16:45:28 84cbd06e816d guacd[1223]: User "@128088b5-fe89-423e-998d-dc484e655085" disconnected (0 users remain)
Feb 28 16:45:28 84cbd06e816d guacd[1223]: Last user of connection "$25c4a545-7864-4c25-ae61-b07843e37550" disconnected
Feb 28 16:45:28 84cbd06e816d guacd[1223]: SSH connection ended.
Feb 28 16:45:29 84cbd06e816d guacd[68]: Connection "$25c4a545-7864-4c25-ae61-b07843e37550" removed.
Feb 28 16:45:29 84cbd06e816d guacd[68]: Connection "$25c4a545-7864-4c25-ae61-b07843e37550" removed.

<-- HERE I TRIED WITH CHROME
Feb 28 16:46:34 84cbd06e816d guacd[68]: Creating new client for protocol "ssh"
Feb 28 16:46:34 84cbd06e816d guacd[68]: Connection ID is "$f31bbc5d-3e36-41b6-b593-debae20c41e5"
Feb 28 16:46:34 84cbd06e816d guacd[1233]: User "@4f05e389-855d-4dbb-9b98-5e2a30ce7278" joined connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" (1 users now present)
Feb 28 16:46:34 84cbd06e816d guacd[1233]: SSH connection successful.
Feb 28 16:46:37 84cbd06e816d guacd[1233]: User "@4f05e389-855d-4dbb-9b98-5e2a30ce7278" disconnected (0 users remain)
Feb 28 16:46:37 84cbd06e816d guacd[1233]: Last user of connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" disconnected
Feb 28 16:46:37 84cbd06e816d guacd[1233]: SSH connection ended.
Feb 28 16:46:37 84cbd06e816d guacd[68]: Connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" removed.
Feb 28 16:46:37 84cbd06e816d guacd[1233]: User "@4f05e389-855d-4dbb-9b98-5e2a30ce7278" disconnected (0 users remain)
Feb 28 16:46:37 84cbd06e816d guacd[1233]: Last user of connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" disconnected
Feb 28 16:46:37 84cbd06e816d guacd[1233]: SSH connection ended.
Feb 28 16:46:37 84cbd06e816d guacd[68]: Connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" removed.

 

I tested 2 SSH connections inside Internet Explorer, between them I tested 2 different ones on the Chrome browser, nothing happens ...

Edited by alturismo
Link to comment

The key "target-densitydpi" is not supported.
/#/client/NQBjAG15c3Fs:1 WebSocket connection to 'ws://remote.domain.de/websocket-tunnel?token=83C954A100054CBA2A00EB71A60ED95F807C929E5FF0331B674964BF5709FC4E&GUAC_DATA_SOURCE=mysql&GUAC_ID=5&GUAC_TYPE=c&GUAC_WIDTH=1362&GUAC_HEIGHT=950&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp' failed: WebSocket is closed before the connection is established.

 

This was with ws configuration

Edited by alturismo
Link to comment

without any ws config

 

<VirtualHost *:81>
    ServerName remote.mydomain.de
    ProxyPass        /    http://192.168.1.2:10080/
    ProxyPassReverse    /    http://192.168.1.2:10080/
</VirtualHost>

 

The key "target-densitydpi" is not supported.
http://remote.mydomain.de/api/tokens Failed to load resource: the server responded with a status of 403 (Forbidden)
angular.js:9902 DELETE http://remote.mydomain.de/api/tokens/83C954A100054CBA2A00EB71A60ED95F807C929E5FF0331B674964BF5709FC4E 404 (Not Found)
(anonymous) @ angular.js:9902
m @ angular.js:9703
f @ angular.js:9415
(anonymous) @ angular.js:13292
$eval @ angular.js:14547
$digest @ angular.js:14363
$apply @ angular.js:14652
l @ angular.js:9734
P @ angular.js:9924
H.onload @ angular.js:9865
/#/client/MgBjAG15c3Fs:1 WebSocket connection to 'ws://remote.mydomain.de/websocket-tunnel?token=B3597283F5CE7A7BC19EC79D1ABF3CEFCE57EF11518C11FB920A8A057C399738&GUAC_DATA_SOURCE=mysql&GUAC_ID=2&GUAC_TYPE=c&GUAC_WIDTH=1362&GUAC_HEIGHT=950&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp' failed: WebSocket is closed before the connection is established.

Edited by alturismo
Link to comment

The target-densitydpi is not a problem since I assume you're not connecting on a mobile device. What I do see, though, is the URL path appears to be wrong. It should be  "ws://remote.mydomain.de/guacamole/websocket-tunnel". Not sure why that would be happening since it appears that you're not doing any rewriting.

Link to comment
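
Added example (not from the thread, the container, or Apache itself): a small Python check of which ProxyPass rule a browser URL falls under, using the vhost shape and the two WebSocket paths discussed above. The matching model (prefix match, with `<Location>` rules tried before server-level rules) is a simplifying assumption, and the token value is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the port-81 vhost shape posted in the thread.
VHOST = """
<VirtualHost *:81>
    ServerName remote.mydomain.de
    ProxyPass        /    http://192.168.1.2:10080/
    ProxyPassReverse /    http://192.168.1.2:10080/
    <Location /guacamole/websocket-tunnel>
        ProxyPass ws://192.168.1.2:10080/guacamole/websocket-tunnel
        ProxyPassReverse ws://192.168.1.2:10080/guacamole/websocket-tunnel
    </Location>
</VirtualHost>
"""

def proxy_rules(conf):
    """Return (prefix, backend, in_location) for every ProxyPass directive."""
    rules, location = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r"<Location\s+(\S+)>", line, re.I)
        if opened:
            location = opened.group(1)
        elif line.lower().startswith("</location"):
            location = None
        elif re.match(r"ProxyPass\s", line, re.I):
            args = line.split()[1:]
            if location is not None and args:
                rules.append((location, args[0], True))   # path comes from <Location>
            elif location is None and len(args) >= 2:
                rules.append((args[0], args[1], False))
    return rules

def route(conf, url):
    """Return (backend_scheme, backend_url) for a browser URL, or None.

    Only the path is used; the query string carries the session token
    and is deliberately dropped from the result.
    """
    path = urlsplit(url).path
    # Assumed model: <Location> rules are tried before server-level rules.
    ordered = sorted(proxy_rules(conf), key=lambda rule: not rule[2])
    for prefix, backend, _ in ordered:
        if path.startswith(prefix):
            target = backend + path[len(prefix):]
            return urlsplit(target).scheme, target
    return None

if __name__ == "__main__":
    for url in ("ws://remote.mydomain.de/websocket-tunnel?token=CONSTRUCTED",
                "ws://remote.mydomain.de/guacamole/websocket-tunnel?token=CONSTRUCTED"):
        print(urlsplit(url).path, "->", route(VHOST, url))
```

With this vhost, the path reported in the browser console (`/websocket-tunnel`) only ever matches the `http://` catch-all rule, while `/guacamole/websocket-tunnel` is the one that reaches the `ws://` rule.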

I just did a little testing with my Nginx by disabling the websocket proxy and got similar, but not the same, errors. You might double check to make sure your proxy_wstunnel mod is enabled. When I was running Apache I was using the linuxserver.io docker. It had that module available but not enabled. With that docker I had to create a symbolic link from mods-available to mods-enabled for it to work. In fact, I believe I was getting your very same error when the proxy_wstunnel module was not enabled on my Apache.

Link to comment

root@AlsServer:~# docker exec -ti apache bash
root@AlsServer:/# a2enmod proxy_wstunnel
Considering dependency proxy for proxy_wstunnel:
Module proxy already enabled
Module proxy_wstunnel already enabled
root@AlsServer:/#
 

That's the response I get when I check in docker, also using linuxserver.io apache ...

about that symbolic link ... no idea ;)

 

here are the loaded mods

 

root@AlsServer:/# apache2ctl -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authnz_ldap_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 fastcgi_module (shared)
 filter_module (shared)
 headers_module (shared)
 ldap_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_html_module (shared)
 proxy_http_module (shared)
 proxy_wstunnel_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_shm_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
 substitute_module (shared)
 xml2enc_module (shared)
root@AlsServer:/#
 

Edited by alturismo
Link to comment

So I am wanting to set Guacamole to a baseurl so that I can use it via nginx.  Looks like you guys have done that, can you share that with me?  I have looked up and can't seem to quite figure out how to set it.  I am sure I am an idiot and it's something simple I am missing.

 

So I basically want blah.domain.com/guac

 

and to set it up in nginx with the
 

location ^~/guac{

        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://ip:port/guac;

}

But I can't find the place to set the base url in guacamole.

Link to comment
