Taddeusz Posted February 14, 2017 (edited)

Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, SSH, and Telnet.

This docker primarily has a MariaDB (MySQL) database built-in for authentication and configuration. It also has support for LDAP authentication and configuration as well as Duo two-factor authentication.

For general usage of Apache Guacamole the full manual is located here: https://guacamole.apache.org/doc/gug/

The different authentication methods can be enabled or disabled through the template. MySQL is the default authentication and configuration method.

Template Options

OPT_MYSQL: Y(default) / N
OPT_MYSQL_EXTENSION: Y / N(default)
OPT_SQLSERVER: Y / N(default)
OPT_LDAP: Y / N(default)
OPT_DUO: Y / N(default)
OPT_CAS: Y / N(default)
OPT_OPENID: Y / N(default)
OPT_TOTP: Y / N(default)
OPT_QUICKCONNECT: Y / N(default)

Note: MySQL, SQL Server, and LDAP cannot be used at the same time. Duo two-factor can be used with MySQL, SQL Server, or LDAP authentication.

Microsoft SQL Server Authentication/Configuration

For SQL Server support modify your guacamole.properties file as follows:

- Create a database on your SQL Server.
- Execute the SQL scripts found in the sqlserver-schema folder on the new database you created.
- Comment the MySQL properties.
- Uncomment the SQL Server properties.
- Modify SQL Server properties to match your configuration.

Further instructions can be found here: https://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-sqlserver

LDAP Authentication/Configuration

For LDAP authentication modify your guacamole.properties file as follows:

- Comment the MySQL properties.
- Uncomment the LDAP properties.
- Modify LDAP properties to match your configuration.

Further instructions can be found here: https://guacamole.apache.org/doc/gug/ldap-auth.html

Duo Two-Factor Authentication

For Duo two-factor authentication uncomment the Duo properties in your guacamole.properties and follow these instructions: https://guacamole.apache.org/doc/gug/duo-auth.html#guac-duo-config

4/4/2017
Upgraded to Apache Guacamole 0.9.12-incubating. Upgraded MySQL Java Connector to 5.1.41.

8/2/2017
Upgraded to Apache Guacamole 0.9.13-incubating. Upgraded MySQL Java Connector to 5.1.43. Database schema upgrades to 0.9.13.

8/4/2017
Added all optional libraries for guacd to enable all features. Got rid of log warning by moving the offending symbolic link creation from firstrun.sh to Dockerfile.

8/7/2017
Upgraded to phusion/baseimage 0.9.22. Upgraded to MariaDB 10.2. Upgraded to Tomcat 8.

12/16/2017
Added Powerline fonts to support Oh My Zsh agnoster theme.

1/24/2018
Upgraded to Apache Guacamole 0.9.14. Upgraded MySQL Java Connector to 5.1.45. Added Microsoft SQL Server JDBC 6.2.2 driver. Converted to multi-stage Docker to reduce size. Ability to downgrade using a tag (e.g. jasonbean/guacamole:0.9.13)

6/7/2018
Added GhostScript to allow remote printing.

6/8/2018
Changed location of Tomcat catalina.out log file /config/guacamole/log to improve troubleshooting. Attempt to mitigate a file permissions problem by always setting 755 permissions on container start.

6/11/2018
Fixed creation of /config/guacamole/log folder so that it will exist when Tomcat is started. Corrected a regression error introduced when switching to a multi-stage build.

6/12/2018
Modified unRAID template to make this a privileged container so that Tomcat will run correctly. Added more logging messages and ensure that the database doesn't get created when the guacamole.properties file doesn't exist. Modified so that all Tomcat logs get placed in guacamole/log directory.

8/18/2018
tyler43636 submitted pull request to add the tzdata package to correct for the RTC being set to the local time rather than UTC.

9/24/2018
Modified the firstrun.sh script so that the MySQL schema files are copied to /config when OPT_MYSQL is set "Y" in case someone wants to use an external MySQL or MariaDB database.

1/10/2019
Upgraded to Apache Guacamole 1.0.0. BIG UPGRADE! Thanks to the Guacamole team my build process has been greatly improved. Now uses the Debian base container just like the guacd Docker container from Apache. Retooled entire run process to use tini/supervisor to manage services. Added version that comes without MariaDB so that container size is halved if you have an external database source or use the default authentication.

2/23/2020
Upgraded to Apache Guacamole 1.1.0. Changed to debian:stable-slim base container to shave off some size. No database schema changes.

7/5/2020
Upgraded to Apache Guacamole 1.2.0. Fixed problem with OpenID extension so that it would load before all other auth extensions. No database schema changes.

11/29/2020
Added -s argument to tini to make sure it can subreap if not PID 1.

12/6/2020
Implemented PUID and PGID environment variables to run tasks in non-root and match nobody user in file system. Cleaned up code to improve maintainability.

12/14/2020
Fixed regression to restore OPT_MYSQL_EXTENSION.

1/9/2021
Upgraded to Apache Guacamole 1.3.0.

5/30/2021
Merged changes from Sean to add logrotate to prevent Catalina log from growing forever.

1/12/2022
Upgraded to Apache Guacamole 1.4.0. Changed to install latest version of Tomcat directly from Apache since the Debian Buster repository contains an old version.

11/11/2022
Updated MariaDB install process. Cleaned up code. New build to update Tomcat.

Edited November 11, 2022 by Taddeusz: Updated to include latest version of Tomcat.

ninthwalker Posted February 15, 2017

Awesome, thanks for the fork and updating to the latest version with the new features. Don't forget to add your repository and github links in the original post. =)

I wanted this mainly for 2FA w/ DUO since I use that already. However after I went to set it up, I found out it requires a DUO paid plan =(

Taddeusz (Author) Posted February 15, 2017

Interesting. I just noticed that my Duo account is on a trial for a month. What are the limitations of the Duo Free that make it unworkable for Guacamole?

ninthwalker Posted February 17, 2017

> Interesting. I just noticed that my Duo account is on a trial for a month. What are the limitations of the Duo Free that make it unworkable for Guacamole?

Don't have access to their Duo Auth API which is what's needed for Guac. https://duo.com/docs/authapi

Taddeusz (Author) Posted February 17, 2017

Well that stinks.

alturismo Posted February 27, 2017

Hi, just trying to get this docker running, one issue I'm struggling with.

The setup here is behind an Apache reverse proxy:

outside -> apache reverse proxy -> apache guacamole

Now when trying to access my connections, when using the Chrome browser it times out with an error that it can't connect, using IE11 it's working ...

Maybe an idea what the reason could be?

Taddeusz (Author) Posted February 27, 2017

I'm now using the letsencrypt docker which uses Nginx and, IMHO, it works better than Apache. However, for Guacamole to be used at its full potential you need to also forward web sockets. I had this set up when I was using Apache. Here is the snippet I used and I have obfuscated my vital information. Keep in mind this requires the proxy_wstunnel module:

    <VirtualHost *:443 *:8443>
        ServerName <external_hostname>
        SSLEngine On
        SSLProxyEngine On
        SSLCertificateFile /etc/apache2/ssl/guacamole.crt
        SSLCertificateKeyFile /etc/apache2/ssl/guacamole.pem
        ProxyPass / http://<Internal_IP>:<port>/
        ProxyPassReverse / http://<Internal_IP>:<port>/
        <Location /guacamole/websocket-tunnel>
            Order allow,deny
            Allow from all
            ProxyPass ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
            ProxyPassReverse ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
        </Location>
    </VirtualHost>

FYI, the reason I say Nginx works better is that using Apache I would get odd errors when disconnecting from remote computers. Using Nginx I get none of those errors and seems to work as is intended.

glapri Posted February 27, 2017

I'm trying to install the docker from the community apps and it won't finish. It says " Error: layers from manifest don't match image configuration "

I could really use some help here.

Squid Posted February 27, 2017

There's an entry in the Docker FAQ about that

alturismo Posted February 28, 2017

20 hours ago, Taddeusz said:

> I'm now using the letsencrypt docker which uses Nginx and, IMHO, it works better than Apache. However, for Guacamole to be used at its full potential you need to also forward web sockets. I had this set up when I was using Apache. Here is the snippet I used and I have obfuscated my vital information. Keep in mind this requires the proxy_wstunnel module:
>
>     <VirtualHost *:443 *:8443>
>         ServerName <external_hostname>
>         SSLEngine On
>         SSLProxyEngine On
>         SSLCertificateFile /etc/apache2/ssl/guacamole.crt
>         SSLCertificateKeyFile /etc/apache2/ssl/guacamole.pem
>         ProxyPass / http://<Internal_IP>:<port>/
>         ProxyPassReverse / http://<Internal_IP>:<port>/
>         <Location /guacamole/websocket-tunnel>
>             Order allow,deny
>             Allow from all
>             ProxyPass ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
>             ProxyPassReverse ws://<Internal_IP>:<port>/guacamole/websocket-tunnel
>         </Location>
>     </VirtualHost>
>
> FYI, the reason I say Nginx works better is that using Apache I would get odd errors when disconnecting from remote computers. Using Nginx I get none of those errors and seems to work as is intended.

Hi, thanks for the tip, actually, same result as before ... websocket module is loaded by default already.

My virtual host looks like this (I don't need any ssl):

    <VirtualHost *:81>
        ServerName remote.mydomain.de
        ProxyPass / http://192.168.1.2:10080/
        ProxyPassReverse / http://192.168.1.2:10080/
        <Location /guacamole/websocket-tunnel>
            Order allow,deny
            Allow from all
            ProxyPass ws://192.168.1.2:10080/guacamole/websocket-tunnel
            ProxyPassReverse ws://192.168.1.2:10080/guacamole/websocket-tunnel
        </Location>
    </VirtualHost>

After some tests it's probably the Chrome portable here at work in combination behind the work's proxy ... it just makes me wonder that the Internet Explorer 11 here acts just fine, also my other reverse proxies are working, for example the jdownloader2 one which also uses guacamole rdp ... very strange

Thanks anyway, in case you may have another hint.

Outside work on a normal PC, all browsers work, chrome, inet, ...

At work behind the proxy, Internet Explorer works, Chrome not.

Taddeusz (Author) Posted February 28, 2017

What are the errors you are seeing?

alturismo Posted February 28, 2017 (edited)

1 hour ago, Taddeusz said:

> What are the errors you are seeing?

Actually none ... I try to check in the guacamole log but I don't see anything there ... it just times out ... waiting around 10 seconds and then it asks to repeat or go back to the start page.

Example (I'm at work actually):

    Feb 28 16:45:11 84cbd06e816d guacd[1223]: SSH connection successful.
    Feb 28 16:45:11 84cbd06e816d guacd[1223]: SSH connection successful.
    Feb 28 16:45:28 84cbd06e816d guacd[1223]: User "@128088b5-fe89-423e-998d-dc484e655085" disconnected (0 users remain)
    Feb 28 16:45:28 84cbd06e816d guacd[1223]: Last user of connection "$25c4a545-7864-4c25-ae61-b07843e37550" disconnected
    Feb 28 16:45:28 84cbd06e816d guacd[1223]: SSH connection ended.
    Feb 28 16:45:29 84cbd06e816d guacd[68]: Connection "$25c4a545-7864-4c25-ae61-b07843e37550" removed.
    Feb 28 16:45:29 84cbd06e816d guacd[68]: Connection "$25c4a545-7864-4c25-ae61-b07843e37550" removed. <-- HERE I TRIED WITH CHROME
    Feb 28 16:46:34 84cbd06e816d guacd[68]: Creating new client for protocol "ssh"
    Feb 28 16:46:34 84cbd06e816d guacd[68]: Connection ID is "$f31bbc5d-3e36-41b6-b593-debae20c41e5"
    Feb 28 16:46:34 84cbd06e816d guacd[1233]: User "@4f05e389-855d-4dbb-9b98-5e2a30ce7278" joined connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" (1 users now present)
    Feb 28 16:46:34 84cbd06e816d guacd[1233]: SSH connection successful.
    Feb 28 16:46:37 84cbd06e816d guacd[1233]: User "@4f05e389-855d-4dbb-9b98-5e2a30ce7278" disconnected (0 users remain)
    Feb 28 16:46:37 84cbd06e816d guacd[1233]: Last user of connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" disconnected
    Feb 28 16:46:37 84cbd06e816d guacd[1233]: SSH connection ended.
    Feb 28 16:46:37 84cbd06e816d guacd[68]: Connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" removed.
    Feb 28 16:46:37 84cbd06e816d guacd[1233]: User "@4f05e389-855d-4dbb-9b98-5e2a30ce7278" disconnected (0 users remain)
    Feb 28 16:46:37 84cbd06e816d guacd[1233]: Last user of connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" disconnected
    Feb 28 16:46:37 84cbd06e816d guacd[1233]: SSH connection ended.
    Feb 28 16:46:37 84cbd06e816d guacd[68]: Connection "$f31bbc5d-3e36-41b6-b593-debae20c41e5" removed.

I tested 2 ssh connections inside Internet Explorer, between them I tested 2 different ones on the Chrome browser, nothing happens ...

Edited February 28, 2017 by alturismo

Taddeusz (Author) Posted February 28, 2017

If you go into developer mode in Chrome (F12) do you see any errors in the console?

alturismo Posted February 28, 2017 (edited)

    The key "target-densitydpi" is not supported.
    /#/client/NQBjAG15c3Fs:1 WebSocket connection to 'ws://remote.domain.de/websocket-tunnel?token=83C954A100054CBA2A00EB71A60ED95F807C929E5FF0331B674964BF5709FC4E&GUAC_DATA_SOURCE=mysql&GUAC_ID=5&GUAC_TYPE=c&GUAC_WIDTH=1362&GUAC_HEIGHT=950&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp' failed: WebSocket is closed before the connection is established.

This was with ws configuration

Edited February 28, 2017 by alturismo

alturismo Posted February 28, 2017 (edited)

without any ws config

    <VirtualHost *:81>
        ServerName remote.mydomain.de
        ProxyPass / http://192.168.1.2:10080/
        ProxyPassReverse / http://192.168.1.2:10080/
    </VirtualHost>

    The key "target-densitydpi" is not supported.
    http://remote.mydomain.de/api/tokens Failed to load resource: the server responded with a status of 403 (Forbidden)
    angular.js:9902 DELETE http://remote.mydomain.de/api/tokens/83C954A100054CBA2A00EB71A60ED95F807C929E5FF0331B674964BF5709FC4E 404 (Not Found)
    (anonymous) @ angular.js:9902
    m @ angular.js:9703
    f @ angular.js:9415
    (anonymous) @ angular.js:13292
    $eval @ angular.js:14547
    $digest @ angular.js:14363
    $apply @ angular.js:14652
    l @ angular.js:9734
    P @ angular.js:9924
    H.onload @ angular.js:9865
    /#/client/MgBjAG15c3Fs:1 WebSocket connection to 'ws://remote.mydomain.de/websocket-tunnel?token=B3597283F5CE7A7BC19EC79D1ABF3CEFCE57EF11518C11FB920A8A057C399738&GUAC_DATA_SOURCE=mysql&GUAC_ID=2&GUAC_TYPE=c&GUAC_WIDTH=1362&GUAC_HEIGHT=950&GUAC_DPI=96&GUAC_AUDIO=audio%2FL8&GUAC_AUDIO=audio%2FL16&GUAC_IMAGE=image%2Fjpeg&GUAC_IMAGE=image%2Fpng&GUAC_IMAGE=image%2Fwebp' failed: WebSocket is closed before the connection is established.

Edited February 28, 2017 by alturismo

Taddeusz (Author) Posted February 28, 2017

The target-densitydpi is not a problem since I assume you're not connecting on a mobile device. What I do see, though, is the URL path appears to be wrong. It should be "ws://remote.mydomain.de/guacamole/websocket-tunnel". Not sure why that would be happening since it appears that you're not doing any rewriting.

Taddeusz (Author) Posted February 28, 2017

In Chrome's developer mode there's a Network tab. It will tell you each connection request being made and the response. You can do the same in IE and compare. Same F12 to open developer mode.

alturismo Posted February 28, 2017

Here is the NetworkData.xml response from the working Internet Explorer, I didn't find yet how to export this from Chrome ... I can tell it gets stuck at "blank.html", I copied something from the Chrome network tab ... hope you may see something

NetworkData.xml
chrome.txt

Taddeusz (Author) Posted February 28, 2017

I just did a little testing with my Nginx by disabling the websocket proxy and got similar, but not the same, errors. You might double check to make sure your proxy_wstunnel mod is enabled. When I was running Apache I was using the linuxserver.io docker. It had that module available but not enabled. With that docker I had to create a symbolic link from mods-available to mods-enabled for it to work.

In fact, I believe I was getting your very same error when the proxy_wstunnel module was not enabled on my Apache.

alturismo Posted February 28, 2017 (edited)

    [email protected]:~# docker exec -ti apache bash
    [email protected]:/# a2enmod proxy_wstunnel
    Considering dependency proxy for proxy_wstunnel:
    Module proxy already enabled
    Module proxy_wstunnel already enabled
    [email protected]:/#

That's the response I get when I check in docker, also using linuxserver.io apache ... about that symbolic link ... no idea

Here are the loaded mods:

    [email protected]:/# apache2ctl -M
    Loaded Modules:
     core_module (static)
     so_module (static)
     watchdog_module (static)
     http_module (static)
     log_config_module (static)
     logio_module (static)
     version_module (static)
     unixd_module (static)
     access_compat_module (shared)
     actions_module (shared)
     alias_module (shared)
     auth_basic_module (shared)
     authn_core_module (shared)
     authn_file_module (shared)
     authnz_ldap_module (shared)
     authz_core_module (shared)
     authz_host_module (shared)
     authz_user_module (shared)
     autoindex_module (shared)
     cgi_module (shared)
     dav_module (shared)
     dav_fs_module (shared)
     deflate_module (shared)
     dir_module (shared)
     env_module (shared)
     fastcgi_module (shared)
     filter_module (shared)
     headers_module (shared)
     ldap_module (shared)
     mime_module (shared)
     mpm_prefork_module (shared)
     negotiation_module (shared)
     php5_module (shared)
     proxy_module (shared)
     proxy_ajp_module (shared)
     proxy_balancer_module (shared)
     proxy_connect_module (shared)
     proxy_html_module (shared)
     proxy_http_module (shared)
     proxy_wstunnel_module (shared)
     rewrite_module (shared)
     setenvif_module (shared)
     slotmem_shm_module (shared)
     socache_shmcb_module (shared)
     ssl_module (shared)
     status_module (shared)
     substitute_module (shared)
     xml2enc_module (shared)
    [email protected]:/#

Edited February 28, 2017 by alturismo

alturismo Posted February 28, 2017

And as a last note, using the IE Tab addon in Chrome ... it somehow works (always for 1 instance, then I need to reconnect to guac...). Just as a note.

alturismo Posted March 2, 2017

Hi again, just as a note, I made myself my ssl certs for my subdomains and now ... via https it works, exact same config as before, just using https ... and voila

Just as a note in case some others have issues like me.

Great addon for my unraid server, thanks a lot

Taddeusz (Author) Posted March 2, 2017

I'm glad you got it working. I'm sorry I couldn't help you out better.

Shamalamadindong Posted March 5, 2017 (edited)

FYI, I'm using Duo and not paying for it.

Edited March 5, 2017 by Shamalamadindong

theDrell Posted March 8, 2017

So I am wanting to set Guacamole to a baseurl so that I can use it via nginx. Looks like you guys have done that, can you share that with me? I have looked up and can't seem to quite figure out how to set it. I am sure I am an idiot and it's something simple I am missing.

So I basically want blah.domain.com/guac and to set it up in nginx with the

    location ^~ /guac {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://ip:port/guac;
    }

But I can't find the place to set the base url in guacamole.