Taddeusz

[Support] jasonbean - Apache Guacamole

411 posts in this topic Last Reply


Thanks for new images!

But I have a question about Windows RDP connections. I have two nearly identical Win10 VMs, and I have configured Guac connections to them without passwords stored in Guac. One VM works as expected: on connection it just displays the login dialog and asks for a password. But the second VM just disconnects immediately with the message "The remote desktop server is currently unreachable. If the problem persists, please notify your system administrator, or check your system logs." When I enter a user password in Guac, it works: it connects to the VM without asking for a password.

 

In tomcat\catalina.log I see the following:

 

19:43:14.959 [http-nio-8080-exec-2] INFO  o.a.g.tunnel.TunnelRequestService - User "uldise" connected to connection "5".
Exception in thread "Thread-15" 19:43:15.006 [http-nio-8080-exec-6] INFO  o.a.g.tunnel.TunnelRequestService - User "uldise" disconnected from connection "5". Duration: 46 milliseconds
java.lang.IllegalStateException: Message will not be sent because the WebSocket session has been closed
	at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:425)
	at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:309)
	at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:250)
	at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendString(WsRemoteEndpointImplBase.java:191)
	at org.apache.tomcat.websocket.WsRemoteEndpointBasic.sendText(WsRemoteEndpointBasic.java:37)
	at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.sendInstruction(GuacamoleWebSocketTunnelEndpoint.java:152)
	at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.access$200(GuacamoleWebSocketTunnelEndpoint.java:53)
	at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint$2.run(GuacamoleWebSocketTunnelEndpoint.java:253)

Any ideas?

 

EDIT: got it working - just recreated a connection and it started to work...

Edited by uldise


I'm glad you got it working. I've found that the most likely explanation is that the hostname gets put into the Guacamole Proxy Parameters section rather than the correct Parameters section.


I have been trying to get this up and running and I believe I have bypassed my initial concern.  I loaded the docker and was unable to connect through to one of my virtual machines.  The last time I had this working was before Unraid implemented docker by docker IP allocations.  I tried to mimic this by setting the network type for this docker to Bridge; magically it all worked and I am able to connect to my virtual machines now.

 

What I have to figure out now is how to make it work with Letsencrypt so I can reverse proxy it.

20 minutes ago, bambino53 said:

I have been trying to get this up and running and I believe I have bypassed my initial concern.  I loaded the docker and was unable to connect through to one of my virtual machines.  The last time I had this working was before Unraid implemented docker by docker IP allocations.  I tried to mimic this by setting the network type for this docker to Bridge; magically it all worked and I am able to connect to my virtual machines now.

 

What I have to figure out now is how to make it work with Letsencrypt so I can reverse proxy it.

I realized in the last week that the linuxserver guys had redone their letsencrypt docker to use files in the nginx/proxy-confs folder. I moved things around and created a conf file specifically for Guacamole. If you follow Spaceinvader One's directions on how to configure letsencrypt he has you create a docker network. In his case he calls it "proxynet". This enables Docker's internal DNS resolution for any containers you place on that virtual network. One of the caveats I found is that the DNS is case sensitive but Nginx is not. As a result I had to change the name of my containers to change the uppercase characters to lowercase.

 

Here is the "guacamole.subfolder.conf" file I created and placed into the proxy-confs folder. This assumes that the folder you want to link to is called guacamole and that your container is called "apacheguacamole". If you would like to instead link it to a subdomain there are examples in that folder that you can use to create a conf file.

location ^~ /guacamole {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth
    #auth_request /auth;
    #error_page 401 =200 /login;

    # Guacamole's tunnel streams display data; buffering would stall it
    proxy_buffering off;
    # HTTP/1.1 plus the Upgrade/Connection headers let the WebSocket tunnel pass through
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    # keeps the tunnel's constant requests out of the nginx access log; note that this
    # also drops the proxy-side record of who reached the login page
    access_log off;
    # 127.0.0.11 is Docker's embedded DNS on a user-defined network; resolving the
    # container name through a variable means nginx still starts if the container is down
    resolver 127.0.0.11 valid=30s;
    set $upstream_guacamole apacheguacamole;
    proxy_pass http://$upstream_guacamole:8080;
}

Here is the link to Spaceinvader One's video: https://www.youtube.com/watch?v=I0lhZc25Sro&t=955s


Thank you very much @Taddeusz.  What you suggested worked wonders.

 

I was hoping to use a subdomain rather than a folder to proxy ApacheGuacamole.  As you said I scavenged bits and pieces from other examples and I came up with something that is working for me.  I thought I should share it here in case anyone else is looking to do the same.

"guacamole.subdomain.conf"

server {
    listen 80;
    server_name guacamole.domain.org;
    # plain HTTP only redirects to HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name guacamole.domain.org;
    # ssl_certificate and ssl_certificate_key must be set here or inherited from the
    # http block; the linuxserver.io letsencrypt templates do it with
    # include /config/nginx/ssl.conf;
    root html;
    index index.html index.htm;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    access_log  /var/log/nginx/guacamole.access.log;
    location / {
        # the subdomain root maps onto the /guacamole/ context of the webapp
        proxy_pass http://[IP Address]:[Port]/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # rewrite the session cookie path so the browser sends it for /
        proxy_cookie_path /guacamole/ /;
    }
}

 

Edited by bambino53


Is there something I'm missing to get the TOTP working? I've flipped the switch to Y on the option and even blew away the container thinking perhaps I had something in the DB just stuck. At this point, it will let me login with user/pass, then it says Multi Factor Auth has been enabled with the ONLY option of clicking a Continue button. The screen does a simple shake notification and the top bar saying "Verification failed, please try again."

 

[screenshot]

[screenshot]

12 minutes ago, 1activegeek said:

Is there something I'm missing to get the TOTP working? I've flipped the switch to Y on the option and even blew away the container thinking perhaps I had something in the DB just stuck. At this point, it will let me login with user/pass, then it says Multi Factor Auth has been enabled with the ONLY option of clicking a Continue button. The screen does a simple shake notification and the top bar saying "Verification failed, please try again."

 


Can you please post your catalina.out log from logs/tomcat8?


It looks like for TOTP to be supported the user must have the permission to change their own password.


Yes I had read that in the documentation as well. I ensured that was set on both my local user and the admin. Interestingly though I tried my user again, this time I'm receiving a new message:

 

[screenshot]

 

catalina.out

 

PS - is there a way to change the admin password? I'm noticing now that it won't let me change the admin password from the default - really not a safe thing. 

Edited by 1activegeek


The only way I know to change the admin password is to log in as the admin and change it in Settings on the Preferences page.

 

That looks weird. What browser are you using? I would suggest Ctrl-F5 to force bypassing your browser's cache.


Ya I thought it looked odd. Thank you though, that was foolish of me to not try clearing the cache. That was it! 

 

It is still odd though that I'm not able as "guacadmin" to change ANY of the settings on the guacadmin user. I had to login as my user, set with permissions for everything, and change them for that account. Little weird, seems like some sort of wacky permissions bug?

 

Anyhow - all set now. Thanks for the work on this, now with OTP I feel better opening this up without hiding it behind my proxy. Though I'm going to look at setting up Fail2Ban in conjunction anyway. 

3 minutes ago, 1activegeek said:

Ya I thought it looked odd. Thank you though, that was foolish of me to not try clearing the cache. That was it! 

 

It is still odd though that I'm not able as "guacadmin" to change ANY of the settings on the guacadmin user. I had to login as my user, set with permissions for everything, and change them for that account. Little weird, seems like some sort of wacky permissions bug?

 

Anyhow - all set now. Thanks for the work on this, now with OTP I feel better opening this up without hiding it behind my proxy. Though I'm going to look at setting up Fail2Ban in conjunction anyway. 

I know the letsencrypt docker from linuxserver.io includes fail2ban. That's what I use for proxying my home services.

Just now, Taddeusz said:

I know the letsencrypt docker from linuxserver.io includes fail2ban. That's what I use for proxying my home services.

Yup, that's what I'm going to use. I'm an Org guy - so of course running this all in Org. :D 

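The fail2ban jail the two posts above talk about does the following with Guacamole's log. This is an added example written for this thread, not Guacamole's code and not the filter shipped in the linuxserver.io letsencrypt container. It assumes the log layout seen in the catalina.log excerpt earlier in the thread ("HH:mm:ss.SSS [thread] LEVEL logger - message") and that a failed login is logged as 'Authentication attempt from <ip> for user "<name>" failed.'; the sample lines are constructed, and the message wording should be checked against your own log before you reuse the regex.

```python
"""Fail2ban-style brute-force detection over Guacamole authentication log lines.

Added example for this thread; not part of Guacamole or of the linuxserver.io
letsencrypt container's fail2ban setup. It does what a fail2ban filter and jail do:
count failed logins per source address inside a sliding window and ban the address
once a threshold is reached. Assumptions: lines use the "HH:mm:ss.SSS [thread] LEVEL
logger - message" layout of the catalina.log excerpt earlier in this thread, and the
failure message reads 'Authentication attempt from <ip> for user "<name>" failed.'.
Check both against your own log before reusing the regex.
"""
import ipaddress
import re
from collections import defaultdict, deque

FAIL_RE = re.compile(
    r'^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) .*?AuthenticationService - '
    r'Authentication attempt from (?P<ip>[0-9A-Fa-f.:]+)\S* '
    r'for user "(?P<user>[^"]*)" failed\.'
)

# Constructed sample log (not captured from a real server): 203.0.113.7 hammers the
# default admin account while 198.51.100.2 mistypes twice and then logs in.
SAMPLE_LOG = """\
19:40:01.120 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "guacadmin" failed.
19:40:02.330 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 198.51.100.2 for user "alice" failed.
19:40:03.540 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "guacadmin" failed.
19:40:05.010 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "admin" failed.
19:40:06.220 [http-nio-8080-exec-2] INFO  o.a.g.r.auth.AuthenticationService - User "alice" successfully authenticated from 198.51.100.2.
19:40:07.430 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "guacadmin" failed.
19:40:08.640 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "guacadmin" failed.
19:40:09.850 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 203.0.113.7 for user "guacadmin" failed.
"""

# RFC 1918 and loopback: if failures are logged from here while Guacamole sits behind a
# reverse proxy, the "attacker" is the proxy container itself.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def to_seconds(hhmmss):
    """'HH:mm:ss.SSS' -> seconds since midnight (no date in these lines, so one day is assumed)."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def find_bans(lines, maxretry=5, findtime=600, bantime=3600):
    """Return {ip: ban_start_seconds} for each address with maxretry failures inside findtime.

    As in fail2ban, a successful login does not reset the counter, and a banned address
    is ignored until its ban would have expired (the firewall rule blocks it anyway).
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, t = m.group("ip"), to_seconds(m.group("time"))
        if ip in bans and t < bans[ip] + bantime:
            continue
        q = recent[ip]
        q.append(t)
        while t - q[0] > findtime:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = t
            q.clear()
    return bans


def ban_would_hit_proxy(ip):
    """True when the logged source is an internal address. Behind nginx that means the
    real client address is not reaching the log (the X-Forwarded-For header the proxy
    configs in this thread set has to be honoured on the application side), and a ban
    would cut off every user at once."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


if __name__ == "__main__":
    for ip, start in find_bans(SAMPLE_LOG.splitlines()).items():
        note = " (internal address: check proxy headers first)" if ban_would_hit_proxy(ip) else ""
        print("ban %s from t=%.3f%s" % (ip, start, note))
```

Run it as-is to see the sample address banned on its fifth failure; point `find_bans` at `open("catalina.out")` to replay a real log. The internal-address check is the caveat worth keeping in mind when the proxy and Guacamole share a Docker network: a jail that bans the proxy's own 172.x address takes the whole service down.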

I can't pull the image down. Is the address still correct?

 

TOTAL DATA PULLED: 0 B

 


It's hosted on Docker Hub, hub.docker.com. I was just able to pull it to my laptop with no problem. Can you nslookup hub.docker.com?

20 hours ago, Taddeusz said:

It's hosted on Docker Hub, hub.docker.com. I was just able to pull it to my laptop with no problem. Can you nslookup hub.docker.com?

Yea, it resolves, but I appear to be unable to connect to or ping any of the IPs.


Name:    us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com
Addresses:  52.86.8.163
          34.232.230.241
          52.205.36.130
Aliases:  hub.docker.com
          elb-default.us-east-1.aws.dckr.io

15 minutes ago, glave said:

Yea, it resolves, but I appear to be unable to connect to or ping any of the IPs.


Name:    us-east-1-elbdefau-1nlhaqqbnj2z8-140214243.us-east-1.elb.amazonaws.com
Addresses:  52.86.8.163
          34.232.230.241
          52.205.36.130
Aliases:  hub.docker.com
          elb-default.us-east-1.aws.dckr.io

Looks like AWS has a bad route. 54.240.229.185 is the last hop I can hit before it dead ends.

34 minutes ago, glave said:

Looks like AWS has a bad route. 54.240.229.185 is the last hop I can hit before it dead ends.

Weird, have you tried downloading other Docker images?


I can't pull the image either. Other docker images work.

 

edit: I can pull the image with mysql included, but not the light image

Edited by wblondel


I'm sorry. I had apparently put the wrong tag in the template. The latest template should fix the problem. If you're still having issues replace the "nomariadb" tag with "latest-nomariadb".


Apologies if this has already been answered, but I searched and came up blank here and when Googling it.

 

I get the following error in the log when trying to create a regular RDP connection to a new Windows 10 box.

 

guacd[948]: INFO:	User "@b28e83be-7933-4609-88c6-3752f3d9e8a6" disconnected (0 users remain)
guacd[948]: INFO:	Last user of connection "$464a76e4-48b9-4a35-a8b1-f46fd2646f22" disconnected
guacd[14]: INFO:	Connection "$464a76e4-48b9-4a35-a8b1-f46fd2646f22" removed.
guacd[14]: INFO:	Creating new client for protocol "rdp"
guacd[14]: INFO:	Connection ID is "$464a76e4-48b9-4a35-a8b1-f46fd2646f22"
guacd[948]: INFO:	Security mode: ANY
guacd[948]: INFO:	Resize method: none
guacd[948]: INFO:	User "@b28e83be-7933-4609-88c6-3752f3d9e8a6" joined connection "$464a76e4-48b9-4a35-a8b1-f46fd2646f22" (1 users now present)
guacd[948]: INFO:	Loading keymap "base"
guacd[948]: INFO:	Loading keymap "en-us-qwerty"
connected to 192.168.1.186:3389
creating directory /root/.config/freerdp
creating directory /root/.config/freerdp/certs
creating directory /root/.config/freerdp/server
certificate_store_open: error opening [/root/.config/freerdp/known_hosts] for writing

SSL_read: Failure in SSL library (protocol error?)

SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

guacd[948]: ERROR:	Error connecting to RDP server

I have not changed or disabled any RDP parameters on the Windows 10 box aside from simply enabling Remote Desktop itself.  The connection is set up to use NLA (Win 10 default from my reading) and Ignore Server Certificate.

 

Any thoughts?  I can connect fine via Mac RDP and Windows RDP clients to this box.


What do your connection settings look like? For NLA to work you must enter a username and password in the connection.

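A quick way to see what the reply above is getting at, before changing anything in Guacamole, is to ask the Windows host directly which RDP security layer it will accept. The script below is an added example written for this thread, not code from Guacamole, guacd or FreeRDP: it builds the X.224 Connection Request that every RDP client sends first (field layout from MS-RDPBCGR), requests TLS or NLA, and decodes the server's RDP_NEG_RSP or RDP_NEG_FAILURE. A host that answers with HYBRID selected, or with HYBRID_REQUIRED_BY_SERVER, will not show a login screen to an anonymous client, which is why the connection then needs a username and password stored or prompted for. The two sample replies are constructed, not captured; the `probe` function needs network access to a real host.

```python
"""RDP security-protocol negotiation check (MS-RDPBCGR X.224 Connection Request/Confirm).

Added example for this thread; it is not code from Guacamole, guacd or FreeRDP. It
builds the first PDU every RDP client sends, asks for TLS or NLA (CredSSP), and decodes
the server's RDP_NEG_RSP / RDP_NEG_FAILURE so you can tell, before blaming Guacamole,
whether a Windows host insists on NLA. Sample replies below are constructed, not captured.
"""
import socket
import struct

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000        # legacy Standard RDP Security only
PROTOCOL_SSL = 0x00000001        # TLS
PROTOCOL_HYBRID = 0x00000002     # TLS + CredSSP, i.e. NLA
PROTOCOL_HYBRID_EX = 0x00000008  # NLA with early user authorization result
PROTOCOL_NAMES = {PROTOCOL_RDP: "RDP", PROTOCOL_SSL: "TLS",
                  PROTOCOL_HYBRID: "NLA", PROTOCOL_HYBRID_EX: "NLA_EX"}

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}

TYPE_NEG_REQ, TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x01, 0x02, 0x03


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ for `requested`."""
    neg_req = struct.pack("<BBHI", TYPE_NEG_REQ, 0, 8, requested)  # type, flags, length, protocols
    body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req          # CR code, dst-ref, src-ref, class 0
    x224 = bytes([len(body)]) + body                              # length indicator excludes itself
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224        # TPKT: version 3, reserved, length


def parse_connection_confirm(data):
    """Decode the X.224 Connection Confirm and return a dict describing the outcome."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length field does not match the data")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    if li == 6:
        # No rdpNegData at all: the server predates negotiation, Standard RDP Security only
        return {"status": "ok", "selected": PROTOCOL_RDP, "name": "RDP"}
    neg_type, flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad rdpNegData length %d" % length)
    if neg_type == TYPE_NEG_RSP:
        return {"status": "ok", "selected": value,
                "name": PROTOCOL_NAMES.get(value, "unknown"), "flags": flags}
    if neg_type == TYPE_NEG_FAILURE:
        return {"status": "failure", "code": value, "name": FAILURE_CODES.get(value, "unknown")}
    raise ValueError("unexpected rdpNegData type 0x%02x" % neg_type)


def needs_credentials(result):
    """True when the host will only talk NLA: the Guacamole connection must then carry a
    username and password (or prompt for them) or guacd fails before any login screen."""
    if result["status"] == "ok":
        return result["selected"] in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX)
    return result["code"] in (5, 6)


def probe(host, port=3389, timeout=5.0):
    """Live check (needs network): send the request and decode whatever the host answers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        data = s.recv(4)
        if len(data) < 4:
            raise ConnectionError("no TPKT header from server")
        total = struct.unpack(">H", data[2:4])[0]
        while len(data) < total:
            chunk = s.recv(total - len(data))
            if not chunk:
                raise ConnectionError("server closed the connection mid-PDU")
            data += chunk
    return parse_connection_confirm(data)


# Constructed replies for offline use.
SAMPLE_NLA_SELECTED = bytes.fromhex("030000130ed000001234000200080002000000")  # NEG_RSP, HYBRID
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")  # NEG_FAILURE, code 5

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    for sample in (SAMPLE_NLA_SELECTED, SAMPLE_NLA_REQUIRED):
        r = parse_connection_confirm(sample)
        print(r, "-> credentials required" if needs_credentials(r) else "")
```

`python rdp_probe.py 192.168.1.186` against the Windows 10 box in the post above would print the negotiated protocol. If it is NLA, the connection in Guacamole has to include a username and password as the reply says; "Ignore Server Certificate" only affects the TLS certificate check and does nothing for the missing CredSSP credentials.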
