[Support] jasonbean - Apache Guacamole


Message added by Taddeusz,

Before upgrading to 1.5.0 you need to have first upgraded to 1.4.0-3 of the container. I discovered that prior to 1.4.0-3 it was not shutting down MariaDB correctly and causing the database to be left in a dirty state.

 

If after upgrading to 1.5.0 you discover that MariaDB is stopping and the log mentions something about needing to open the database in an older version of MariaDB you should downgrade specifically to 1.4.0-3, start the container and make sure it's running correctly. Then you may upgrade to 1.5.0.

Recommended Posts

Thanks for new images!

but i have a question about Windows RDP connection. i have two nearly identical Win10 VMs, and i have configured Guac connections to them without password stored on Guac. one VM works like expected - on connection it just displays login dialog and asks for password, but second VM just disconnects immediately with message "The remote desktop server is currently unreachable. If the problem persists, please notify your system administrator, or check your system logs." when i enter a user password in guac, then it works - it connects to VM without asking a password.  

 

on tomcat\catalina.log a see the following..

 

19:43:14.959 [http-nio-8080-exec-2] INFO  o.a.g.tunnel.TunnelRequestService - User "uldise" connected to connection "5".
Exception in thread "Thread-15" 19:43:15.006 [http-nio-8080-exec-6] INFO  o.a.g.tunnel.TunnelRequestService - User "uldise" disconnected from connection "5". Duration: 46 milliseconds
java.lang.IllegalStateException: Message will not be sent because the WebSocket session has been closed
	at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:425)
	at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:309)
	at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:250)
	at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendString(WsRemoteEndpointImplBase.java:191)
	at org.apache.tomcat.websocket.WsRemoteEndpointBasic.sendText(WsRemoteEndpointBasic.java:37)
	at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.sendInstruction(GuacamoleWebSocketTunnelEndpoint.java:152)
	at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.access$200(GuacamoleWebSocketTunnelEndpoint.java:53)
	at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint$2.run(GuacamoleWebSocketTunnelEndpoint.java:253)

 any ideas?

 

EDIT: got it working - just recreated a connection and it started to work...

Edited by uldise
Link to comment

I have been trying to get this up and running and I believe I have bypassed my initial concern.  I loaded the docker and was unable to connect through to one of my virtual machines.  The last time I had this working was before Unraid implemented docker by docker IP allocations.  I tried to mimic this by setting the network type for this docker to Bridge; magically it all worked and I am able to connect to my virtual machines now.

 

What I have to figure out now is how to make it work with Letsencrypt so I can reverse proxy it.

Link to comment
20 minutes ago, bambino53 said:

I have been trying to get this up and running and I believe I have bypassed my initial concern.  I loaded the docker and was unable to connect through to one of my virtual machines.  The last time I had this working was before Unraid implemented docker by docker IP allocations.  I tried to mimic this by setting the network type for this docker to Bridge; magically it all worked and I am able to connect to my virtual machines now.

 

What I have to figure out now is how to make it work with Letsencrypt so I can reverse proxy it.

I realized in the last week that the linuxserver guys had redone their letsencrypt docker to use files in the nginx/proxy-confs folder. I moved things around and created a conf file specifically for Guacamole. If you follow Spaceinvader One's directions on how to configure letsencrypt he has you create a docker network. In his case he calls it "proxynet". This enables Docker's internal DNS resolution for any containers you place on that virtual network. One of the caveats I found is that the DNS is case sensitive but Nginx is not. As a result I had to change the name of my containers to change the uppercase characters to lowercase.

 

Here is the "guacamole.subfolder.conf" file I created and placed into the proxy-confs folder. This assumes that the folder you want to link to is called guacamole and that your container is called "apacheguacamole". If you would like to instead link it to a subdomain there are examples in that folder that you can use to create a conf file.

location ^~ /guacamole {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth
    #auth_request /auth;
    #error_page 401 =200 /login;

    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    access_log off;
    resolver 127.0.0.11 valid=30s;
    set $upstream_guacamole apacheguacamole;
    proxy_pass http://$upstream_guacamole:8080;
}

Here is the link to Spaceinvader One's video: https://www.youtube.com/watch?v=I0lhZc25Sro&t=955s

Link to comment

Thank you very much @Taddeusz.  What you suggested worked wonders.

 

I was hoping to use a subdomain rather than a folder to proxy ApacheGuacamole.  As you said I scavenged bits and pieces from other examples and I came up with something that is working for me.  I thought I should share it here in case anyone else is looking to do the same.

"guacamole.subdomain.conf"

server {
    listen 80;
    server_name guacamole.domain.org;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name guacamole.domain.org;
    root html;
    index index.html index.htm;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    access_log  /var/log/nginx/guacamole.access.log;
    location / {
    proxy_pass http://[IP Address]:[Port]/guacamole/;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_cookie_path /guacamole/ /;
    }
}

 

Edited by bambino53
Link to comment
  • 2 weeks later...

Is there something I'm missing to get the TOTP working? I've flipped the switch to Y on the option and even blew away the container thinking perhaps I had something in the DB just stuck. At this point, it will let me login with user/pass, then it says Multi Factor Auth has been enabled with the ONLY option of clicking a Continue button. The screen does a simple shake notification and the top bar saying "Verification failed, please try again."

 

image.thumb.png.a950e36460644629228f58aaff00635a.png

image.thumb.png.8edd22e3a1a609e73476127910a79e05.png

Link to comment
12 minutes ago, 1activegeek said:

Is there something I'm missing to get the TOTP working? I've flipped the switch to Y on the option and even blew away the container thinking perhaps I had something in the DB just stuck. At this point, it will let me login with user/pass, then it says Multi Factor Auth has been enabled with the ONLY option of clicking a Continue button. The screen does a simple shake notification and the top bar saying "Verification failed, please try again."

 

image.thumb.png.a950e36460644629228f58aaff00635a.png

image.thumb.png.8edd22e3a1a609e73476127910a79e05.png

Can you please post your catalina.out log from logs/tomcat8.

Link to comment

Yes I had read that in the documentation as well. I ensured that was set on both my local user and the admin. Interestingly though I tried my user again, this time I'm receiving a new message:

 

image.thumb.png.4487dc0dab6ff333eac54265794abb2e.png

 

catalina.out

 

PS - is there a way to change the admin password? I'm noticing now that it won't let me change the admin password from the default - really not a safe thing. 

Edited by 1activegeek
Link to comment

Ya I thought it looked odd. Thank you though, that was foolish of me to not try clearing the cache. That was it! 

 

It is still odd though that I'm not able as "guacadmin" to change ANY of the settings on the guacadmin user. I had to login as my user, set with permissions for everything, and change them for that account. Little weird, seems like some sort of wacky permissions bug?

 

Anyhow - all set now. Thanks for the work on this, now with OTP I feel better opening this up without hiding it behind my proxy. Though I'm going to look at setting up Fail2Ban in conjunction anyway. 

Link to comment
3 minutes ago, 1activegeek said:

Ya I thought it looked odd. Thank you though, that was foolish of me to not try clearing the cache. That was it! 

 

It is still odd though that I'm not able as "guacadmin" to change ANY of the settings on the guacadmin user. I had to login as my user, set with permissions for everything, and change them for that account. Little weird, seems like some sort of wacky permissions bug?

 

Anyhow - all set now. Thanks for the work on this, now with OTP I feel better opening this up without hiding it behind my proxy. Though I'm going to look at setting up Fail2Ban in conjunction anyway. 

I know the letsencrypt docker from linuxserver.io includes fail2ban. That's what I use for proxying my home services.

Link to comment
20 hours ago, Taddeusz said:

It's hosted on Docker Hub, hub.docker.com. I was just able to pull it to my laptop with no problem. Can you nslookup hub.docker.com?

Yea, it resolves, but I appear to be unable to connect to or ping any of the ips.


Name:    us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com
Addresses:  52.86.8.163
          34.232.230.241
          52.205.36.130
Aliases:  hub.docker.com
          elb-default.us-east-1.aws.dckr.io

Link to comment
15 minutes ago, glave said:

Yea, it resolves, but I appear to be unable to connect to or ping any of the ips.


Name:    us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com
Addresses:  52.86.8.163
          34.232.230.241
          52.205.36.130
Aliases:  hub.docker.com
          elb-default.us-east-1.aws.dckr.io

Looks like AWS has a bad route. 54.240.229.185 is the last hop I can hit before it dead ends.

Link to comment

Apologies if this has already been answered, but I searched and came up blank here and when Googling it.

 

I get the following error in the log when trying to create a regular RDP connection to a new Windows 10 box.

 

guacd[948]: INFO:	User "@b28e83be-7933-4609-88c6-3752f3d9e8a6" disconnected (0 users remain)
guacd[948]: INFO:	Last user of connection "$464a76e4-48b9-4a35-a8b1-f46fd2646f22" disconnected
guacd[14]: INFO:	Connection "$464a76e4-48b9-4a35-a8b1-f46fd2646f22" removed.
guacd[14]: INFO:	Creating new client for protocol "rdp"
guacd[14]: INFO:	Connection ID is "$464a76e4-48b9-4a35-a8b1-f46fd2646f22"
guacd[948]: INFO:	Security mode: ANY
guacd[948]: INFO:	Resize method: none
guacd[948]: INFO:	User "@b28e83be-7933-4609-88c6-3752f3d9e8a6" joined connection "$464a76e4-48b9-4a35-a8b1-f46fd2646f22" (1 users now present)
guacd[948]: INFO:	Loading keymap "base"
guacd[948]: INFO:	Loading keymap "en-us-qwerty"
connected to 192.168.1.186:3389
creating directory /root/.config/freerdp
creating directory /root/.config/freerdp/certs
creating directory /root/.config/freerdp/server
certificate_store_open: error opening [/root/.config/freerdp/known_hosts] for writing

SSL_read: Failure in SSL library (protocol error?)

SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

guacd[948]: ERROR:	Error connecting to RDP server

I have not changed or disabled any RDP parameters on the Windows 10 box aside from simply enabling Remote Desktop itself.  The connection is set up to use NLA (Win 10 default from my reading) and Ignore Server Certificate.

 

Any thoughts?  I can connect fine via Mac RDP and Windows RDP clients to this box.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.