[Support] jasonbean - Apache Guacamole


Message added by Taddeusz,

Before upgrading to 1.5.0 you need to have first upgraded to 1.4.0-3 of the container. I discovered that prior to 1.4.0-3 it was not shutting down MariaDB correctly and causing the database to be left in a dirty state.

 

If after upgrading to 1.5.0 you discover that MariaDB is stopping and the log mentions something about needing to open the database in an older version of MariaDB you should downgrade specifically to 1.4.0-3, start the container and make sure it's running correctly. Then you may upgrade to 1.5.0.


@tamito You may also check in your container's appdata folder in guacamole/extensions to make sure there aren't any weird jar files in there. The only jar files that should be there are ones that you have configured such as for MySQL or possibly a rebranding file if you have done that.

 

I can't think of any other way this container could be compromised.

Link to comment

Just a note to anyone trying to implement DUO 2fa on this docker - I spent a long time failing to implement it as my browser kept saying https://api-xxxxxxx.duosecurity.com%20%20%20 was incorrect.  It turns out that if you accidentally leave spaces behind the api url in the Guacamole.properties file, it will actually try to include those spaces and fail the api request (evidenced by the %20%20 in the browser console).

 

Other than that, if anyone is trying to set it up, the entire process was straightforward according to the Guacamole docs and works just fine at the end.  I even run this program behind the lsio/letsencrypt reverse proxy.  Only difference from the official documentation is that the DUO secret key does not have to be 20 characters as noted, the supplied 40 characters works just fine.

Link to comment
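The trailing-space problem described in the post above can be caught before restarting the container. The following is an added example, not part of the original thread or of the container: a small checker for `guacamole.properties`, assuming the file is read with standard Java properties semantics (trailing whitespace stays in the value). The property names are the ones from the Guacamole Duo documentation; the values are constructed placeholders, and backslash line continuations are not handled.

```python
import re

# key, then a separator ("=", ":" or whitespace), then the raw value to end of line
_ENTRY = re.compile(r"^\s*(?P<key>[^\s=:#!][^\s=:]*)\s*[=:\s]\s*(?P<value>.*)$")


def find_trailing_whitespace(text):
    """Return (line_number, key, value_as_loaded) for values ending in whitespace."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped or stripped[0] in "#!":
            continue  # blank line or comment
        match = _ENTRY.match(line)
        # Leading whitespace before the value is dropped by the loader,
        # trailing whitespace is kept, so only the right-hand side matters.
        if match and match["value"] != match["value"].rstrip():
            findings.append((number, match["key"], match["value"]))
    return findings


# Constructed sample file contents with placeholder values
SAMPLE = (
    "# guacamole.properties (constructed sample)\n"
    "duo-api-hostname: api-XXXXXXXX.duosecurity.com   \n"
    "duo-integration-key: PLACEHOLDER_INTEGRATION_KEY\n"
    "duo-secret-key: PLACEHOLDER_SECRET_KEY\t\n"
)

if __name__ == "__main__":
    for number, key, value in find_trailing_whitespace(SAMPLE):
        # repr() makes the otherwise invisible characters visible
        print(f"line {number}: {key} ends in whitespace: {value!r}")
```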
  • 2 months later...
  • 1 month later...

Hello,

Somehow, whatever parameters I set, I can't get either the Firefox or VNC Web Browser docker container working under this Guacamole container.

It always gives me error:

The Guacamole server is denying access to this connection because you have exhausted the limit for simultaneous connection use by an individual user. Please close one or more connections and try again.

Edited by Daxxio
Link to comment
4 hours ago, Daxxio said:

Hello,

Somehow, whatever parameters I set, I can't get either the Firefox or VNC Web Browser docker container working under this Guacamole container.

It always gives me error:

The Guacamole server is denying access to this connection because you have exhausted the limit for simultaneous connection use by an individual user. Please close one or more connections and try again.

When you get this error have you tried logging off and logging back in? Whenever I’ve gotten this error that has worked for me.

Link to comment

Unfortunately that does not work. Been trying lots of things:

Both Apache Guacamole and FF are now in bridge, I tried it in custom with a fixed IP. I can access Firefox from the docker itself, just not from Apache Guacamole.

Also killed all sessions, limit increased to 20. Nothing seems to work except for VNC and RDP to VMs, those work without any problems.

Link to comment
On 1/16/2020 at 10:57 PM, Taddeusz said:

That’s interesting. Currently it wouldn’t work. You would need to expose the guacd port as it’s currently just an internal service.

If you have an interest, I got it working. Some manual work needed, but it just works then. Yes, it looks interesting, but it lacks 2FA authentication, if you want to make it publicly accessible. Just let me know, I can publish the docker settings.

Link to comment
  • 3 weeks later...
17 minutes ago, ndaringer said:

I'm not sure, but maybe I'm using the wrong docker here. This page says that it hasn't been updated in a year.

That is correct. 1.0.0 was released Jan 8, 2019. There were no new versions until the recent 1.1.0 release over a year later. I currently don’t have a timeline to release an updated container. My family has been rather busy lately and I started a new job in November. Please be patient.

Link to comment

Thanks for all your hard work on this container!

I use this almost daily for various things.

I was wondering if you'd be able to modify the default tomcat config the container ships with to include the Remote IP Valve:

<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for" />

This would allow Guacamole's connection history page to reflect the correct source IP for people using a reverse proxy like NGINX or HAProxy.

Currently, I'm doing it by adding "/bin/bash /config/startup.sh" to the container's "post arguments" which copies a modified "server.xml" that includes the valve over the existing one, then execs "/etc/firststart/firststart.sh" to continue starting the container as usual.

Don't get me wrong, it works, but it's basically a bodge.

Link to comment
50 minutes ago, JamiePhonic said:

Thanks for all your hard work on this container!

I use this almost daily for various things.

I was wondering if you'd be able to modify the default tomcat config the container ships with to include the Remote IP Valve:


<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for" />

This would allow Guacamole's connection history page to reflect the correct source IP for people using a reverse proxy like NGINX or HAProxy.

Currently, I'm doing it by adding "/bin/bash /config/startup.sh" to the container's "post arguments" which copies a modified "server.xml" that includes the valve over the existing one, then execs "/etc/firststart/firststart.sh" to continue starting the container as usual.

Don't get me wrong, it works, but it's basically a bodge.

I'll look at this. I've had a busy life lately and just haven't had time to sit down and work on it.

Link to comment

Just wanted to post this in case someone else is running into trouble.  I was trying to do a reverse proxy in nginx (letsencrypt container) and kept getting served a blank page when I played around with the reverse proxy config from Apache Guacamole's own documentation.  Ended up figuring it out.  Here's what worked for me:

  location ^~ /guacamole {
    proxy_pass http://[IP-ADDRESS]:[PORT];
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    access_log off;
  }

Now everything's working fine when I access using my.url/guacamole.  Unfortunately I couldn't manage to get a different subfolder name to work but I'm going to play around with that a little more.

Link to comment
On 2/16/2020 at 2:55 PM, JamiePhonic said:

Thanks for all your hard work on this container!

I use this almost daily for various things.

I was wondering if you'd be able to modify the default tomcat config the container ships with to include the Remote IP Valve:


<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="x-forwarded-for" />

This would allow Guacamole's connection history page to reflect the correct source IP for people using a reverse proxy like NGINX or HAProxy.

Currently, I'm doing it by adding "/bin/bash /config/startup.sh" to the container's "post arguments" which copies a modified "server.xml" that includes the valve over the existing one, then execs "/etc/firststart/firststart.sh" to continue starting the container as usual.

Don't get me wrong, it works, but it's basically a bodge.

I'm almost ready to push out 1.1.0. I just want to get some clarification on this. I've added this to the /etc/tomcat9/server.xml file within the Host element. I have my personal container set to use a custom proxy network and I'm just seeing 172.x.x.x addresses. I'm not sure if this would change if my container was set to "bridge".

 

If you'd like to try it out you can change the repository in your container to "jasonbean/guacamole:1.1.0-nomariadb" or "jasonbean/guacamole:1.1.0" depending on which version you're using.

 

I'll wait to change these to "latest" just in case I need to make some changes.

Link to comment
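How the Remote IP Valve picks the address that ends up in the connection history, given the `X-Forwarded-For` header set by the nginx config earlier in the thread, is sketched below as an added example (a Python model of Tomcat's documented behaviour, not code from the container or from Tomcat). The `INTERNAL` pattern is a simplified IPv4-only form of the valve's default `internalProxies`, and all addresses are constructed samples.

```python
import re

# Simplified form of the default internalProxies pattern (assumption: IPv4 only):
# RFC 1918 ranges, link-local and loopback. Docker bridge networks (172.x) match.
INTERNAL = re.compile(
    r"10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|169\.254\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
)


def resolve_remote_ip(peer_addr, xff=None, internal=INTERNAL, trusted=None):
    """Return the address the valve would report as the client."""
    def matches(pattern, addr):
        return pattern is not None and pattern.fullmatch(addr) is not None

    # The header is only honoured when the TCP peer is itself a known proxy.
    if not (matches(internal, peer_addr) or matches(trusted, peer_addr)):
        return peer_addr

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    remote_ip = None
    # Walk right to left: the rightmost entries were appended by our own proxies.
    for hop in reversed(hops):
        remote_ip = hop
        if matches(internal, hop) or matches(trusted, hop):
            continue  # another proxy hop, keep looking further left
        break         # first address that is not a proxy: the client
    return remote_ip or peer_addr


# Constructed sample requests: (TCP peer, X-Forwarded-For header)
SAMPLES = {
    "wan client via nginx": ("172.18.0.2", "203.0.113.7"),
    "lan client via nginx": ("172.18.0.2", "192.168.1.50"),
    "proxy sends no header": ("172.18.0.2", None),
    "client-supplied entry": ("172.18.0.2", "198.51.100.1, 203.0.113.7"),
    "direct, untrusted peer": ("203.0.113.7", "10.0.0.5"),
}

if __name__ == "__main__":
    for name, (peer, header) in SAMPLES.items():
        print(f"{name:24} -> {resolve_remote_ip(peer, header)}")
```

A history that shows only 172.x.x.x addresses corresponds to the "proxy sends no header" case: the valve is active, but the request reaching Tomcat carries no `X-Forwarded-For`, so the proxy's own Docker-network address is recorded.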
5 hours ago, Taddeusz said:

I'm almost ready to push out 1.1.0. I just want to get some clarification on this. I've added this to the /etc/tomcat9/server.xml file within the Host element. I have my personal container set to use a custom proxy network and I'm just seeing 172.x.x.x addresses. I'm not sure if this would change if my container was set to "bridge".

 

If you'd like to try it out you can change the repository in your container to "jasonbean/guacamole:1.1.0-nomariadb" or "jasonbean/guacamole:1.1.0" depending on which version you're using.

 

I'll wait to change these to "latest" just in case I need to make some changes.

Tested your 110 version now and looking good, also the change to see real IP in history looked good, external and internal tested and showing WAN or LAN in history ...

Finally can switch back and remove the 2 original ones, really nice with new RDP and auto resize is improved (especially Win clients).

Thanks for the update from here.

Link to comment

Apache Guacamole 1.1.0 has been pushed out to "latest". Other than the version change the base container is now debian:stable-slim to shave off some size. No database schema changes this time around. Have fun.

 

Especially since this deviates slightly from the official containers in using Tomcat 9 and Java 11. Please let me know if you have any issues.

Link to comment
19 hours ago, Taddeusz said:

I'm almost ready to push out 1.1.0. I just want to get some clarification on this. I've added this to the /etc/tomcat9/server.xml file within the Host element. I have my personal container set to use a custom proxy network and I'm just seeing 172.x.x.x addresses. I'm not sure if this would change if my container was set to "bridge".

 

If you'd like to try it out you can change the repository in your container to "jasonbean/guacamole:1.1.0-nomariadb" or "jasonbean/guacamole:1.1.0" depending on which version you're using.

 

I'll wait to change these to "latest" just in case I need to make some changes.

Thanks so much for all your hard work on this!

Tested connections from a couple different locations (Via VPN) and the remote IP seems to be showing correctly!

Link to comment
