Message added by Taddeusz,

Before upgrading to 1.5.0 you need to have first upgraded to 1.4.0-3 of the container. I discovered that prior to 1.4.0-3 it was not shutting down MariaDB correctly and causing the database to be left in a dirty state.

 

If after upgrading to 1.5.0 you discover that MariaDB is stopping and the log mentions something about needing to open the database in an older version of MariaDB you should downgrade specifically to 1.4.0-3, start the container and make sure it's running correctly. Then you may upgrade to 1.5.0.

[Support] jasonbean - Apache Guacamole


  • Author

@bigbangus I personally leave my Guacamole container set to Bridge. I just think it’s too much of a security risk to let every container be allowed to have host access. My Guacamole container is the only outside accessible service that needs this kind of access.


1 hour ago, Taddeusz said:

@bigbangus I personally leave my Guacamole container set to Bridge. I just think it’s too much of a security risk to let every container be allowed to have host access. My Guacamole container is the only outside accessible service that needs this kind of access.

 

I reverted it back based on what you're saying. I think @SpaceInvaderOne mentioned it was necessary to set it on br0 with a static IP so that the VM Wake-On-Lan feature works.

On 9/16/2020 at 11:11 PM, Taddeusz said:

I will look into it. This is already a pretty huge container. While I do sympathize with your situation, given its size I'm hesitant to add more functionality that isn't core to Guacamole and can be provided another way.

On 9/16/2020 at 11:19 PM, nuhll said:

Thanks, I can't ask for more.

 

Fail2ban seems to be around 1 MB. I don't know how big "iptables" (or equivalent) is, but that can't be much? Webserver is already included, fail2ban should only need to watch the log and then set a ban. I think you use Debian docker core? Maybe it's already included...?

 

Any news on fail2ban? I've come back to this because I've noticed that guaca is using 12 GB of RAM, while not using it... ;)

8 hours ago, nuhll said:

Any news on fail2ban? I've come back to this because I've noticed that guaca is using 12 GB of RAM, while not using it... ;)

That's pretty much ... and you don't run guac behind a reverse proxy with f2b included, like swag?

On 8/8/2021 at 7:07 AM, alturismo said:

That's pretty much ... and you don't run guac behind a reverse proxy with f2b included, like swag?

No, I don't really need that... I think my account / pw combo is 100% secure. Still, this (the failed connections) starts to hammer my server.

Edited by nuhll

10 minutes ago, nuhll said:

still this (the failed connections) starts to hammer my server

 

Well, maybe consider it; then you can also bind the guacamole service only to your domain name, while "attacks" won't bother the guac server etc ...

 

I assume most users are running this behind a reverse proxy anyway, and as the author already said it's a pretty huge project already, so I wouldn't count on it.

  • Author
11 minutes ago, nuhll said:

No, I don't really need that... I think my account / pw combo is 100% secure. Still, this (the failed connections) starts to hammer my server.

I still don’t think it’s necessary to weigh down this container with yet another feature when fail2ban can be provided in other ways and is likely the way most people are and should be routing applications to the public Internet.

 

Another way to prevent this kind of attack would be to enable TOTP or Duo. You should be using some kind of 2FA on all your accounts anyway when it’s available.

I'm having trouble logging into my PopOS VM.

 

I have set up WOL as well as turned on screen sharing in PopOS. I have set the screen share password to the same one that I use to log into the VM.

 

WOL seems to be working fine. I can see the VM turn on in my Unraid dashboard, but it refuses to connect to Apache Guacamole because it is sitting on the login page for PopOS. Once I enter the password using VNC through Unraid, I can then connect to the VM through Apache Guacamole.

 

I'm pretty sure I have followed spaceinvaderone's tutorial correctly but I can't seem to figure out where I am going wrong.

1 hour ago, ikiya13 said:

I have set the screen share password to the same one that I use to log into the VM.

I don't think this will work that way; the credentials in guac VNC are for the VNC server, logging into the machine is probably not supported like this.

 

1 hour ago, ikiya13 said:

Once I enter the password using VNC through Unraid

Did you maybe try a VNC client to connect to your VM, to see if that works? I guess you will end up with the same result; auto login might be a solution so your system is ready for the VNC connection.

 

RDP is capable of doing so; VNC on Linux ... maybe read up on whether and how to accomplish this, x11vnc etc ...

 

Don't mix this up with the Unraid VNC usage; it connects in a different way, to the qemu host and not to a VNC server on the VM directly. You could also use guac VNC to Unraid to log in and use it ... but it will be slower (like using Unraid VNC) compared to VNC directly.

Edited by alturismo

  • 2 weeks later...

I have an ongoing issue with Apache Guacamole when logging in at work.

 

I enter my username & password without any issues, then I enter my 2FA code and get presented with the attached error screenshot.

 

When I turn off 2FA for Guacamole and log in I also receive the same error.

 

The only way I can log in is to VPN into the server from my mobile, create a new user in Guacamole with 2FA turned on, then log in with the new user credentials on my work PC, scan the barcode into the Google Auth app to set it up, then I have access to Guacamole. Once I navigate away from the Apache web interface and navigate back I get the above error once again and I need to delete the account over the VPN & repeat the new account setup to gain access again.

 

Any advice?

Capture1.JPG

Maybe some issue since the latest MariaDB update? In case you use MariaDB externally from lsio.

10 minutes ago, alturismo said:

Maybe some issue since the latest MariaDB update? In case you use MariaDB externally from lsio.

 

I've only been using it for about a week so I've nothing to compare to. I'm not using an external db though. 

1 hour ago, AceRimmer said:

I'm not using an external db though. 

OK, then it must be something with your 2FA ... as I'm not using this feature in my reverse proxy setup, I'm out.

1 hour ago, alturismo said:

OK, then it must be something with your 2FA ... as I'm not using this feature in my reverse proxy setup, I'm out.

 

I don't think 2FA is the problem because I get that error when it's turned off as well as on.

Anything in the logs? I know this error message from when access to the database is not working, so I wonder what it could be ...

On 8/28/2021 at 3:20 PM, alturismo said:

Anything in the logs? I know this error message from when access to the database is not working, so I wonder what it could be ...

 

So I just tried to log in at work and it failed. The usual error. This is from today's docker log.

 

User UID: 99
User GID: 100
----------------------
Using existing properties file.
Using existing MySQL extension.
Using existing TOTP extension.
No permissions changes needed.
Database exists.
Database upgrade not needed.
2021-08-30 09:07:15,315 INFO Included extra file "/etc/supervisor/conf.d/supervisord.conf" during parsing
2021-08-30 09:07:15,322 INFO Set uid to user 0 succeeded
2021-08-30 09:07:15,362 INFO supervisord started with pid 28
2021-08-30 09:07:16,363 INFO spawned: 'guacd' with pid 31
2021-08-30 09:07:16,364 INFO spawned: 'mariadb' with pid 32
2021-08-30 09:07:16,365 INFO spawned: 'tomcat9' with pid 33
guacd[31]: INFO: Guacamole proxy daemon (guacd) version 1.3.0 started
guacd[31]: INFO: Listening on host 0.0.0.0, port 4822
2021-08-30 09:07:17,820 INFO success: guacd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2021-08-30 09:07:17,820 INFO success: mariadb entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2021-08-30 09:07:17,821 INFO success: tomcat9 entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)

 

2 hours ago, AceRimmer said:

So I just tried to log in at work and it failed. The usual error. This is from today's docker log.

 

The docker is working fine, that's probably not the place to look ;)

 

I would start with the available logs here

 

image.png.2b2c41ec92a386d22c0e8387f26187d4.png

I've zipped all the logs in that folder and attached them. What's jumping out at me is the following error from the catalina.out log. I would be happy to try trial and error but I don't know where to start with increasing the client timeouts or adding "autoreconnect=true" to the configuration. Do I need to log into the SQL server to make those changes or can they be made from the docker parameters?
 

<4>Execution of ping query 'SELECT 1' failed: The last packet successfully received from the server was 20,713,706 milliseconds ago.  The last packet sent successfully to the server was 20,713,706 milliseconds ago. is longer than the server configured value of 'wait_timeout'. You should consider either expiring and/or testing connection validity before use in your application, increasing the server configured values for client timeouts, or using the Connector/J connection property 'autoReconnect=true' to avoid this problem.

 

 

Edited by AceRimmer
Removing log.zip attachment for privacy

43 minutes ago, Taddeusz said:

@AceRimmer I would take a look at those logs but my MBP is down right now waiting on a new battery.

 

No worries, I'll leave them up for a few days, hopefully someone will stumble upon them and if not I'll post elsewhere. Thanks for your help 

  • 4 weeks later...

I would bet this has been answered before, but I was unable to find it.

 

I just loaded up this docker with the TOTP option enabled.  I go to login with the default guacadmin account, and it pops up with Multi-Factor authentication has been enabled on your account, with just a continue button.  I click that button and it tells me verification failed.  How do I get past this?

totp.JPG

On 9/22/2021 at 9:32 PM, InfInIty said:

I would bet this has been answered before, but I was unable to find it.

 

I just loaded up this docker with the TOTP option enabled.  I go to login with the default guacadmin account, and it pops up with Multi-Factor authentication has been enabled on your account, with just a continue button.  I click that button and it tells me verification failed.  How do I get past this?

totp.JPG

 

I am having the same issue using nginx proxy manager. If I go to the local address then it works fine. Other sites where I use built-in TOTP are fine, so is Authelia. I tried clearing browser cache, using different browsers, turning off caching on nginx proxy manager, cleared cache on Cloudflare, put Cloudflare into dev mode (turns off all caching).

 

I was able to register and get the QR code the first time around but that was done using the local address.

Was able to fix the issue by creating another user, and then registering that user via the reverse proxy, i.e. using the external FQDN I set up in Cloudflare and nginx proxy manager. The Authentication field then appeared after logging out and back in with the new user via the reverse proxy. I then logged out and tried my original user again and the field appeared as it should. Seems like even though I cleared the cache something didn't clear properly. I have removed the new user and it's still working, see below.

 

image.png.4c9426cdb94e2e5aefe4d58c2a51b4ab.png

Edited by Brianf
typo

Any way to set a subnet as safe and if not then MFA?
Right now I have Guacamole accessible from the net, with MFA, but most of the time I'm not at another location and the need for MFA is then limited.
Could I tell the MFA that 10.0.0.0/24 is safe and that there is no need to throw up the MFA function?

  • Author

@kborvall Sorry, been out of pocket for a week. As far as I know it’s all or nothing. No way to filter based on the incoming IP address.
