[Support] jasonbean - Apache Guacamole

[Taddeusz]

Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, SSH, and Telnet. This docker primarily has a MariaDB (MySQL) database built-in for authentication and configuration. It also has support for LDAP authentication and configuration as well as Duo two-factor authentication.

 

For general usage of Apache Guacamole the full manual is located here: https://guacamole.apache.org/doc/gug/

 

The different authentication methods can be enabled or disabled through the template. MySQL is the default authentication and configuration method.

 

Template Options

OPT_MYSQL: Y(default) / N

OPT_MYSQL_EXTENSION: Y / N(default)

OPT_SQLSERVER: Y / N(default)

OPT_LDAP: Y / N(default)

OPT_DUO: Y / N(default)

OPT_CAS: Y / N(default)

OPT_OPENID: Y / N(default)

OPT_TOTP: Y / N(default)

OPT_QUICKCONNECT: Y / N(default)

 

Note: MySQL, SQL Server, and LDAP cannot be used at the same time. Duo two-factor can be used with MySQL, SQL Server, or LDAP authentication.

 

Microsoft SQL Server Authentication/Configuration

For SQL Server support modify your guacamole.properties file as follows:

• Create a database on your SQL Server
• Execute the SQL scripts found in the sqlserver-schema folder on the new database you created.
• Comment the MySQL properties.
• Uncomment the SQL Server properties.
• Modify SQL Server properties to match your configuration.

Further instructions can be found here: https://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-sqlserver

 

LDAP Authentication/Configuration

For LDAP authentication modify your guacamole.properties file as follows:

• Comment the MySQL properties.
• Uncomment the LDAP properties.
• Modify LDAP properties to match your configuration.

Further instructions can be found here: https://guacamole.apache.org/doc/gug/ldap-auth.html

 

Duo Two-Factor Authentication

For Duo two-factor authentication uncomment the Duo properties in your guacamole.properties and follow these instructions:

 

https://guacamole.apache.org/doc/gug/duo-auth.html#guac-duo-config

 

• 4/4/2017
  • Upgraded to Apache Guacamole 0.9.12-incubating.
  • Upgraded MySQL Java Connector to 5.1.41.
• 8/2/2017
  • Upgraded to Apache Guacamole 0.9.13-incubating.
  • Upgraded MySQL Java Connector to 5.1.43.
  • Database schema upgrades to 0.9.13.
• 8/4/2017
  • Added all optional libraries for guacd to enable all features.
  • Got rid of log warning by moving the offending symbolic link creation from firstrun.sh to Dockerfile.
• 8/7/2017
  • Upgraded to phusion/baseimage 0.9.22.
  • Upgraded to MariaDB 10.2.
  • Upgraded to Tomcat 8.
• 12/16/2017
  • Added Powerline fonts to support Oh My Zsh agnoster theme.
• 1/24/2018
  • Upgraded to Apache Guacamole 0.9.14.
  • Upgraded MySQL Java Connector to 5.1.45
  • Added Microsoft SQL Server JDBC 6.2.2 driver.
  • Converted to multi-stage Docker to reduce size.
  • Ability to downgrade using a tag (e.g. jasonbean/guacamole:0.9.13)
• 6/7/2018
  • Added GhostScript to allow remote printing.
• 6/8/2018
  • Changed location of Tomcat catalina.out log file /config/guacamole/log to improve troubleshooting.
  • Attempt to mitigate a file permissions problem by always setting 755 permissions on container start.
• 6/11/2018
  • Fixed creation of /config/guacamole/log folder so that it will exist when Tomcat is started.
  • Corrected a regression error introduced when switching to a multi-stage build.
• 6/12/2018
  • Modified unRAID template to make this a privileged container so that Tomcat will run correctly.
  • Added more logging messages and ensure that the database doesn't get created when the guacamole.properties file doesn't exist.
  • Modified so that all Tomcat logs get placed in guacamole/log directory.
• 8/18/2018
  • tyler43636 submitted pull request to add the tzdata package to correct for the RTC being set to the local time rather than UTC.
• 9/24/2018
  • Modified the firstrun.sh script so that the MySQL schema files are copied to /config when OPT_MYSQL is set "Y" in case someone wants to use an external MySQL or MariaDB database.
• 1/10/2019
  • Upgraded to Apache Guacamole 1.0.0.
  • BIG UPGRADE!
    • Thanks to the Guacamole team my build process has been greatly improved.
    • Now uses the Debian base container just like the guacd Docker container from Apache.
    • Retooled entire run process to use tini/supervisor to manage services.
    • Added version that comes without MariaDB so that container size is halved if you have an external database source or use the default authentication.
• 2/23/2020
  • Upgraded to Apache Guacamole 1.1.0.
    • Changed to debian:stable-slim base container to shave off some size.
    • No database schema changes.
• 7/5/2020
  • Upgraded to Apache Guacamole 1.2.0.
  • Fixed problem with OpenID extension so that it would load before all other auth extensions.
  • No database schema changes.
• 11/29/2020

  • Added -s argument to tini to make sure it can subreap if not PID 1.

• 12/6/2020

  • Implemented PUID and PGID environment variables to run tasks in non-root and match nobody user in file system.

  • Cleaned up code to improve maintainability.

• 12/14/2020

  • Fixed regression to restore OPT_MYSQL_EXTENSION.

• 1/9/2021

  • Upgraded to Apache Guacamole 1.3.0.

• 5/30/2021

  • Merged changes from Sean to add logrotate to prevent Catalina log from growing forever.

• 1/12/2022

  • Upgraded to Apache Guacamole 1.4.0.

  • Changed to install latest version of Tomcat directly from Apache since the Debian Buster repository contains an old version.

• 11/11/2022

  • Updated MariaDB install process.

  • Cleaned up code.

  • New build to update Tomcat.

• 3/18/2023

  • Correct how mysqld loads so that it shuts down correctly.

• 3/21/2023

  • Upgraded to Apache Guacamole 1.5.0.

• 3/24/2023

  • Added missing dependency for guacd.

• 4/14/2023

  • Upgraded to Apache Guacamole 1.5.1.

  • Removed privileged from template.

  • Changed to OpenJDK 11 to fix OpenID.

• 5/26/2023

  • Upgraded to Apache Guacamole 1.5.2.

  • Implmented client log level.

  • Simplified Dockerfile.

Edited Friday at 04:53 PM by Taddeusz
Upgraded to Apache Guacamole 1.5.2.

[ninthwalker]

Awesome, Thanks for the fork and updating to the latest version with the new features.

Don't forget to add your repository and github links in the original post. =)

 

I wanted this mainly for 2FA w/ DUO since I use that already.

However after I went to set it up, I found out it requires a DUO paid plan =(

[Taddeusz]

Interesting. I just noticed the my Duo account is on a trial for a month. What are the limitations of the Duo Free that make it unworkable for Guacamole?

[ninthwalker]

Interesting. I just noticed the my Duo account is on a trial for a month. What are the limitations of the Duo Free that make it unworkable for Guacamole?

 

Don't have access to their Duo Auth API which is what's needed for Guac.

 

https://duo.com/docs/authapi

[Taddeusz]

Well that stinks. 

[alturismo]

Hi, just trying to get this docker running, one issue im struggling with.

 

setup is here behind an apache reverse proxy

 

outside -> apache reverse proxy -> apache guacamole

 

now when trying to access my connections, when using the chrome browser it times out with an error it cant connect, using IE11 its working ...

 

may an idea what the reason could be ?

[Taddeusz]

I'm now using the letsencrypt docker which uses Nginx and, IMHO, it works better than Apache. However, for Guacamole to be used at its full potential you need to also forward web sockets. I had this set up when I was using Apache. Here is the snippet I used and I have obfuscated my vital information. Keep in mind this requires the proxy_wstunnel module:

<VirtualHost *:443 *:8443>
	ServerName <external_hostname>

	SSLEngine On
	SSLProxyEngine On
	SSLCertificateFile /etc/apache2/ssl/guacamole.crt
	SSLCertificateKeyFile /etc/apache2/ssl/guacamole.pem

	ProxyPass / http://<Internal_IP>:<port>/
	ProxyPassReverse / http://<Internal_IP>:<port>/
	<Location /guacamole/websocket-tunnel>
		Order allow,deny
		Allow from all
		ProxyPass ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
		ProxyPassReverse ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
	</Location>
</VirtualHost>

FYI, the reason I say Nginx works better is that using Apache I would get odd errors when disconnecting from remote computers. Using Nginx I get none of those errors and seems to work as is intended.

[glapri]

I'm trying to install the docker from the community apps and it won't finish. It says " Error: layers from manifest don't match image configuration " I could really use some help here.

[Squid]

There's an entry in the Docker FAQ about that

[alturismo]

20 hours ago, Taddeusz said:

I'm now using the letsencrypt docker which uses Nginx and, IMHO, it works better than Apache. However, for Guacamole to be used at its full potential you need to also forward web sockets. I had this set up when I was using Apache. Here is the snippet I used and I have obfuscated my vital information. Keep in mind this requires the proxy_wstunnel module:

<VirtualHost *:443 *:8443>
	ServerName <external_hostname>

	SSLEngine On
	SSLProxyEngine On
	SSLCertificateFile /etc/apache2/ssl/guacamole.crt
	SSLCertificateKeyFile /etc/apache2/ssl/guacamole.pem

	ProxyPass / http://<Internal_IP>:<port>/
	ProxyPassReverse / http://<Internal_IP>:<port>/
	<Location /guacamole/websocket-tunnel>
		Order allow,deny
		Allow from all
		ProxyPass ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
		ProxyPassReverse ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
	</Location>
</VirtualHost>

FYI, the reason I say Nginx works better is that using Apache I would get odd errors when disconnecting from remote computers. Using Nginx I get none of those errors and seems to work as is intended.

 

Hi, thanks for the tipp, actually, same result as before ...websocket module is loaded by default already.

 

my virtual host looks like this (i dont need any ssl)

 

<VirtualHost *:81>
    ServerName remote.mydomain.de
    ProxyPass        /    http://192.168.1.2:10080/
    ProxyPassReverse    /    http://192.168.1.2:10080/
    <Location /guacamole/websocket-tunnel>
        Order allow,deny
        Allow from all
        ProxyPass ws://192.168.1.2:10080/guacamole/websocket-tunnel
        ProxyPassReverse ws://192.168.1.2:10080/guacamole/websocket-tunnel
    </Location>
</VirtualHost>

 

after some tests its proably the chrome portable here at work in combination behind the works proxy ...

just wonders me that the internet explorer 11 here acts just fine, also my other reverse proxy´s are working, for example the jdownloader2 one wich

also uses guacamole rdp ... very strange  thanks anyway, in case u may have another hint

 

outside work on normal PC, all browsers work, chrome, inet, ...

at work behind proxy, internet explorer work, chrome not.

[Taddeusz]

What are the errors you are seeing?

[alturismo]

1 hour ago, Taddeusz said:

What are the errors you are seeing?

 

actually none ... i try to check in guacamole log but i dont see anything there ...

 

it just times out ... waiting around 10 seconds and then it asks to repeat or go back to start page

 

example (im at work actually)

 

Feb 28 16:45:11 84cbd06e816d guacd[1223]: SSH connection successful.
Feb 28 16:45:11 84cbd06e816d guacd[1223]: SSH connection successful.
Feb 28 16:45:28 84cbd06e816d guacd[1223]: User "@128088b5-fe89-423e-998d-dc484e655085" disconnected (0 users remain)
Feb 28 16:45:28 84cbd06e816d guacd[1223]: Last user of connection "$25c4a545-7864-4c25-ae61-b07843e37550" disconnected
Feb 28 16:45:28 84cbd06e816d guacd[1223]: SSH connection ended.
Feb 28 16:45:29 84cbd06e816d guacd[68]: Connection "$25c4a545-7864-4c25-ae61-b07843e37550" removed.
Feb 28 16:45:29 84cbd06e816d guacd[68]: Connection "$25c4a545-7864-4c25-ae61-b07843e37550" removed.

<-- HERE i TRYED WITH CHROME
Feb 28 16:46:34 84cbd06e816d guacd[68]: Creating new client for protocol "ssh"
Feb 28 16:46:34 84cbd06e816d guacd[68]: Connection ID is "$f31bbc5d-3e36-41b6-b593-debae20c41e5"
Feb 28 16:46:34 84cbd06e816d guacd[1233]: User "@4f05e389-855d-4dbb-9b98-5e2a30ce7278" joined connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" (1 users now present)
Feb 28 16:46:34 84cbd06e816d guacd[1233]: SSH connection successful.
Feb 28 16:46:37 84cbd06e816d guacd[1233]: User "@4f05e389-855d-4dbb-9b98-5e2a30ce7278" disconnected (0 users remain)
Feb 28 16:46:37 84cbd06e816d guacd[1233]: Last user of connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" disconnected
Feb 28 16:46:37 84cbd06e816d guacd[1233]: SSH connection ended.
Feb 28 16:46:37 84cbd06e816d guacd[68]: Connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" removed.
Feb 28 16:46:37 84cbd06e816d guacd[1233]: User "@4f05e389-855d-4dbb-9b98-5e2a30ce7278" disconnected (0 users remain)
Feb 28 16:46:37 84cbd06e816d guacd[1233]: Last user of connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" disconnected
Feb 28 16:46:37 84cbd06e816d guacd[1233]: SSH connection ended.
Feb 28 16:46:37 84cbd06e816d guacd[68]: Connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" removed.

 

i tested 2 ssh connections inside internet explorer, between them i tested 2 different on chrome browser, nothing happens ...

Edited February 28, 2017 by alturismo

[Taddeusz]

If you go into developer mode in Chrome (F12) do you see any errors in the console?

[alturismo]

The key "target-densitydpi" is not supported.
/#/client/NQBjAG15c3Fs:1 WebSocket connection to 'ws://remote.domain.de/websocket-tunnel?token=83C954A100054CBA2A00EB71A60ED95F807C929E5FF0331B674964BF5709FC4E&GUAC_DATA_SOURCE=mysql&GUAC_ID=5&GUAC_TYPE=c&GUAC_WIDTH=1362&GUAC_HEIGHT=950&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp' failed: WebSocket is closed before the connection is established.

 

This was with ws configuration

Edited February 28, 2017 by alturismo

[alturismo]

without any ws config

 

<VirtualHost *:81>
    ServerName remote.mydomain.de
    ProxyPass        /    http://192.168.1.2:10080/
    ProxyPassReverse    /    http://192.168.1.2:10080/
</VirtualHost>

 

The key "target-densitydpi" is not supported.
http://remote.mydomain.de/api/tokens Failed to load resource: the server responded with a status of 403 (Forbidden)
angular.js:9902 DELETE http://remote.mydomain.de/api/tokens/83C954A100054CBA2A00EB71A60ED95F807C929E5FF0331B674964BF5709FC4E 404 (Not Found)
(anonymous) @ angular.js:9902
m @ angular.js:9703
f @ angular.js:9415
(anonymous) @ angular.js:13292
$eval @ angular.js:14547
$digest @ angular.js:14363
$apply @ angular.js:14652
l @ angular.js:9734
P @ angular.js:9924
H.onload @ angular.js:9865
/#/client/MgBjAG15c3Fs:1 WebSocket connection to 'ws://remote.mydomain.de/websocket-tunnel?token=B3597283F5CE7A7BC19EC79D1ABF3CEFCE57EF11518C11FB920A8A057C399738&GUAC_DATA_SOURCE=mysql&GUAC_ID=2&GUAC_TYPE=c&GUAC_WIDTH=1362&GUAC_HEIGHT=950&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp' failed: WebSocket is closed before the connection is established.

Edited February 28, 2017 by alturismo

[Taddeusz]

The target-densitydpi is not a problem since I assume you're not connecting on a mobile device. What I do see, though, is the URL path appears to be wrong. It should be  "ws://remote.mydomain.de/guacamole/websocket-tunnel". Not sure why that would be happening since it appears that you're not doing any rewriting.

[Taddeusz]

In Chrome's developer mode there's a Network tab. It will tell you each connection request being made and the response.

 

You can do the same in IE and compare. Same F12 to open developer mode.

[alturismo]

Here is the NetworkData.xml respond from working internet explorer, didnt found yet howto export this from chrome ...

 

i can tell it get stuck at "blank.html", i copied something from chrome network tab ... hope u may see something

NetworkData.xml

chrome.txt

[Taddeusz]

I just did a little testing with my Nginx by disabling the websocket proxy and got similar, but not the same, errors. You might double check to make sure your proxy_wstunnel mod is enabled. When I was running Apache I was using the linuxserver.io docker. It had that module available but not enabled. With that docker I had to create a symbolic link from mods-available to mods-enabled for it to work. In fact, I believe I was getting your very same error when the proxy_wstunnel module was not enabled on my Apache.

[alturismo]

[email protected]:~# docker exec -ti apache bash
[email protected]:/# a2enmod proxy_wstunnel
Considering dependency proxy for proxy_wstunnel:
Module proxy already enabled
Module proxy_wstunnel already enabled
[email protected]:/#
 

thats the respond i get when i check in docker, also using linuxserver.io apache ...

about that symbolic link ... no idea

 

here are the loaded mods

 

[email protected]:/# apache2ctl -M
Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authnz_ldap_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 fastcgi_module (shared)
 filter_module (shared)
 headers_module (shared)
 ldap_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 proxy_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_html_module (shared)
 proxy_http_module (shared)
 proxy_wstunnel_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_shm_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
 substitute_module (shared)
 xml2enc_module (shared)
[email protected]:/#
 

Edited February 28, 2017 by alturismo

[alturismo]

and as last note, using the IE Tab addon in chrome ... it somehow works (always for 1 instance, then i need to reconnect to guac...).

 

Just as note

[alturismo]

Hi again, just as note, i made myself my ssl certs for my subdomains and now ... via https it works ,

exact same config as before, just using https .. and voila

 

just as note in case some others have issues like me

 

great addon for my unraid server, thanks alot

 

[Taddeusz]

I'm glad you got it working. I'm sorry I couldn't help you out better.

[Shamalamadindong]

FYI, I'm using Duo and not paying for it.

Edited March 5, 2017 by Shamalamadindong

[theDrell]

So I am wanting to set Guacamole to a baseurl so that I can use it via nginx.  Looks like you guys have done that, can you share that with me?  I have looked up and can't seem to quite figure out how to set it.  I am sure I am an idiot and it's something simple I am missing.

 

So I basically want blah.domain.com/guac

 

and to set it up in nginx with the
 

location ^~/guac{

        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://ip:port/guac;

}

But I can't find the place to set the base url in guacamole.