[Support] jasonbean - Apache Guacamole


Message added by Taddeusz,

Before upgrading to 1.5.0 you need to have first upgraded to 1.4.0-3 of the container. I discovered that prior to 1.4.0-3 it was not shutting down MariaDB correctly and causing the database to be left in a dirty state.

 

If after upgrading to 1.5.0 you discover that MariaDB is stopping and the log mentions something about needing to open the database in an older version of MariaDB you should downgrade specifically to 1.4.0-3, start the container and make sure it's running correctly. Then you may upgrade to 1.5.0.

Recommended Posts

1 hour ago, Taddeusz said:

@bigbangus I personally leave my Guacamole container set to Bridge. I just think it’s too much of a security risk to let every container be allowed to have host access. My Guacamole container is the only outside accessible service that needs this kind of access.

 

I reverted it back based on what you're saying. I think @SpaceInvaderOne mentioned it was necessary to set it on br0 with a static IP so that VM Wake-On-Lan feature works.

On 9/16/2020 at 11:11 PM, Taddeusz said:

I will look into it. This is already a pretty huge container. While I do sympathize with your situation, given its size I'm hesitant to add more functionality that isn't core to Guacamole and can be provided another way.

On 9/16/2020 at 11:19 PM, nuhll said:

Thanks, I can't ask for more.

 

Fail2ban seems to be around 1 MB. I don't know how big "iptables" (or equivalent) is in size, but that can't be much? A webserver is already included; fail2ban should only need to watch the log and then set a ban. I think you use the Debian docker core? Maybe it's already included...?

 

Any news on fail2ban? I've come back to this because I've noticed that guaca is using 12 GB of RAM, while not using it... ;)

10 minutes ago, nuhll said:

Still, this (the failed connections) starts to hammer my server.

 

Well, you may consider it; then you can also bind the Guacamole service only to your domain name, while "attacks" won't bother the guac server, etc. ...

 

I assume most users are running this behind a reverse proxy anyway, and as the author already said, it's a pretty huge project already, so I wouldn't count on it.

11 minutes ago, nuhll said:

No, I don't really need that... I think my account/password combo is 100% secure; still, this (the failed connections) starts to hammer my server.

I still don’t think it’s necessary to weigh down this container with yet another feature when fail2ban can be provided in other ways and is likely the way most people are and should be routing applications to the public Internet.

 

Another way to prevent this kind of attack would be to enable TOTP or Duo. You should be using some kind of 2FA on all your accounts anyway when it’s available.

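A defender-side illustration of the fail2ban approach discussed above, added here and not part of the thread or of the container: it applies fail2ban's maxretry/findtime sliding-window rule to Guacamole failed-login lines. The log line shape is an assumption about the webapp's warning format, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed shape of a Guacamole webapp warning in catalina.out (hypothetical, not taken from the thread):
#   HH:MM:SS.mmm [thread] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [IP] for user "NAME" failed.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}).*?Authentication attempt from '
    r'\[(?P<ip>[^\]]+)\] for user "(?P<user>[^"]*)" failed'
)

# Constructed sample log: one fast burst, one slow trickle, one success, one unrelated line.
SAMPLE_LOG = "\n".join(
    [f"10:00:{s:02d}.000 [exec-1] WARN  o.a.g.r.auth.AuthenticationService - "
     f'Authentication attempt from [203.0.113.7] for user "guacadmin" failed.' for s in range(0, 12, 2)]
    + [f"10:{m:02d}:00.000 [exec-2] WARN  o.a.g.r.auth.AuthenticationService - "
       f'Authentication attempt from [198.51.100.4] for user "admin" failed.' for m in (5, 10, 15, 20, 25)]
    + ['10:01:30.000 [exec-3] INFO  o.a.g.r.auth.AuthenticationService - '
       'User "alice" successfully authenticated from [192.0.2.9].',
       "10:01:31.000 [exec-3] INFO  o.a.g.t.TunnelRequestService - Connection established"]
)

def parse_failures(lines):
    """Yield (seconds_since_midnight, ip, user) for every failed-login line; skip the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        yield t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6, m["ip"], m["user"]

def find_offenders(lines, maxretry=5, findtime=600):
    """Return {ip: peak_failures} for IPs that reach maxretry failures inside any findtime-second window.
    This is the sliding-window rule fail2ban applies with its maxretry/findtime settings.
    Caveat: behind a reverse proxy the bracketed address is the proxy's own unless Tomcat's
    RemoteIpValve (or the proxy's forwarded headers) is configured, so all clients would ban together."""
    window, offenders = defaultdict(deque), {}
    for secs, ip, _user in parse_failures(lines):
        q = window[ip]
        q.append(secs)
        while secs - q[0] > findtime:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban candidate {ip}: {n} failures within the window")
```

The slow trickle (one failure every five minutes) never reaches five inside ten minutes, so only the burst source is flagged with the defaults.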

I'm having trouble logging into my PopOS VM.

 

I have setup WOL as well as turned on screen sharing in PopOS. I have set the screen share password to the same one that I use to log into the VM.

 

WOL seems to be working fine. I can see the VM turn on in my unraid dashboard, but it refuses to connect to Apache Guacamole because it is sitting on the login page for PopOS. Once I enter the password using VNC through unraid, I can then connect to the VM through Apache Guacamole.

 

I'm pretty sure I have followed spaceinvaderone's tutorial correctly but I can't seem to figure out where I am going wrong.

1 hour ago, ikiya13 said:

I have set the screen share password to the same one that I use to log into the VM.

I don't think this will work, as the credentials in guac VNC are for the VNC server; logging into the machine is probably not supported like this.

 

1 hour ago, ikiya13 said:

Once I enter the password using VNC through unraid

Did you maybe try a VNC client and connect to your VM to see if that works? I guess you will end up with the same result; auto login may be a solution so your system is ready for the VNC connection.

 

RDP is capable of doing so; for VNC on Linux... maybe read up on if and how to accomplish this, x11vnc etc. ...

 

Don't mix this up with the unraid VNC usage; it connects in a different way, to the qemu host and not to a VNC server on the VM directly. You could also use guac VNC to unraid to log in and use it... but it will be slower (like using unraid VNC) compared to VNC directly.

Edited by alturismo
2 weeks later...

I have an ongoing issue with Apache Guacamole when logging in at work.

 

I enter my username & password without any issues, then I enter my 2FA code and get presented with the attached error screenshot.

 

When I turn off 2FA for Guacamole and log in, I also receive the same error.

 

The only way I can log in is to VPN into the server from my mobile, create a new user in Guacamole with 2FA turned on, then log in with the new user credentials on my work PC, scan the barcode into the Google Authenticator app to set it up, and then I have access to Guacamole. Once I navigate away from the Apache web interface and navigate back, I get the above error once again and I need to delete the account over the VPN & repeat the new account setup to gain access again.

 

Any advice?

On 8/28/2021 at 3:20 PM, alturismo said:

Anything in the logs? I know this error message from when access to the database is not working, so I wonder what it could be...

 

So I just tried to log in at work and it failed. The usual error. This is from today's docker log.

 

User UID: 99
User GID: 100
----------------------
Using existing properties file.
Using existing MySQL extension.
Using existing TOTP extension.
No permissions changes needed.
Database exists.
Database upgrade not needed.
2021-08-30 09:07:15,315 INFO Included extra file "/etc/supervisor/conf.d/supervisord.conf" during parsing
2021-08-30 09:07:15,322 INFO Set uid to user 0 succeeded
2021-08-30 09:07:15,362 INFO supervisord started with pid 28
2021-08-30 09:07:16,363 INFO spawned: 'guacd' with pid 31
2021-08-30 09:07:16,364 INFO spawned: 'mariadb' with pid 32
2021-08-30 09:07:16,365 INFO spawned: 'tomcat9' with pid 33
guacd[31]: INFO: Guacamole proxy daemon (guacd) version 1.3.0 started
guacd[31]: INFO: Listening on host 0.0.0.0, port 4822
2021-08-30 09:07:17,820 INFO success: guacd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2021-08-30 09:07:17,820 INFO success: mariadb entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2021-08-30 09:07:17,821 INFO success: tomcat9 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

 


I've zipped all the logs in that folder and attached them. What's jumping out at me is the following error from the catalina.out log. I would be happy to try trial and error, but I don't know where to start with increasing the client timeouts or adding "autoReconnect=true" to the configuration. Do I need to log into the SQL server to make those changes or can they be made from the docker parameters?
 

<4>Execution of ping query 'SELECT 1' failed: The last packet successfully received from the server was 20,713,706 milliseconds ago.  The last packet sent successfully to the server was 20,713,706 milliseconds ago. is longer than the server configured value of 'wait_timeout'. You should consider either expiring and/or testing connection validity before use in your application, increasing the server configured values for client timeouts, or using the Connector/J connection property 'autoReconnect=true' to avoid this problem.

 

 

Edited by AceRimmer
Removing log.zip attachment for privacy
4 weeks later...

I would bet this has been answered before, but I was unable to find it.

 

I just loaded up this docker with the TOTP option enabled. I go to log in with the default guacadmin account, and it pops up with "Multi-Factor authentication has been enabled on your account", with just a continue button. I click that button and it tells me verification failed. How do I get past this?

On 9/22/2021 at 9:32 PM, InfInIty said:

I would bet this has been answered before, but I was unable to find it.

 

I just loaded up this docker with the TOTP option enabled. I go to log in with the default guacadmin account, and it pops up with "Multi-Factor authentication has been enabled on your account", with just a continue button. I click that button and it tells me verification failed. How do I get past this?


 

I am having the same issue using Nginx Proxy Manager. If I go to the local address then it works fine. I have other sites where I use the built-in TOTP that are fine, as is Authelia. I tried clearing the browser cache, using different browsers, turning off caching on Nginx Proxy Manager, cleared the cache on Cloudflare, and put Cloudflare into dev mode (turns off all caching).

 

I was able to register and get the QR code the first time around, but that was done using the local address.


Was able to fix the issue by creating another user and then registering that user via the reverse proxy, i.e. using the external FQDN I set up in Cloudflare and Nginx Proxy Manager. The Authentication field then appeared after logging out and back in with the new user via the reverse proxy; then I logged out and tried my original user again and the field appeared as it should. Seems like even though I cleared the cache, something didn't clear properly. I have removed the new user and it's still working, see below.

 


Edited by Brianf
typo

Any way to set a subnet as safe and, if not in it, then require MFA?
Right now I have Guacamole accessible from the net, with MFA, but most of the time I'm not at another location and the need for MFA is then limited.
Could I tell the MFA that 10.0.0.0/24 is safe and that there is no need to throw up the MFA function?
