=====CentOS 7, Guacamole: clientless remote desktop gateway=====

The version packaged in EPEL is 0.8.4, which is a few years old, so this page uses the most recent files from [[http://guacamole.incubator.apache.org/releases/|Apache Guacamole]].

====Upgrade====

  * Check the release notes for additional actions, like upgrading the database schema.

===Upgrade server===

  * Download the source code and SHA sums from: [[http://guacamole.incubator.apache.org/releases/]]
  * Verify the source code:<code>
sha256sum -c *.sha
guacamole-client-0.9.11-incubating.tar.gz: OK
guacamole-server-0.9.11-incubating.tar.gz: OK
</code>
  * Compile the server:<code>
tar zxf guacamole-server-0.9.11-incubating.tar.gz
cd guacamole-server-0.9.11-incubating/
autoreconf -fi
# No SystemD services yet...
./configure --with-init-dir=/etc/init.d --prefix=/opt/guacamole
make
make install # as root
</code>
  * Stop guacd:<code>
service guacd stop
</code>
  * Edit /etc/init.d/guacd:<code>
change: pidfile="/var/run/$prog.pid"
to:     pidfile="/opt/guacamole/run/$prog.pid"

change: getpid > /dev/null || $exec -p "$pidfile"
to:     getpid > /dev/null || sudo -u guacuser -- $exec -p "$pidfile"
</code>
  * Start guacd:<code>
service guacd restart
</code>

===Build guacamole-client===

  * Install the client:<code>
tar -xzf guacamole-client-0.9.11-incubating.tar.gz
cd guacamole-client-0.9.11-incubating
mvn package
</code>

===Deploy webapp===

  * Deploy:<code>
cd guacamole-client-0.9.11-incubating
rm /var/lib/tomcat/webapps/guacamole.war
cp guacamole/target/guacamole-0.9.11-incubating.war /var/lib/tomcat/webapps/guacamole.war
#Check logging
journalctl -u tomcat
</code>

====Two factor authentication====

  * Guacamole supports TFA via Duo.
  * Download the Duo extension via [[http://guacamole.incubator.apache.org/releases/]].
  * Verify the archive:<code>
sha256sum -c *.sha
guacamole-auth-duo-0.9.11-incubating.tar.gz: OK
</code>
  * Create the GUACAMOLE_HOME/extensions directory, if it does not already exist.
We have a symlink from ''/etc/guacamole'' to ''/usr/share/tomcat/.guacamole''.<code>
cd /etc/guacamole
mkdir extensions
</code>
  * Copy guacamole-auth-duo-0.9.11-incubating.jar into GUACAMOLE_HOME/extensions:<code>
tar zxvf guacamole-auth-duo-0.9.11-incubating.tar.gz
cp guacamole-auth-duo-0.9.11-incubating/guacamole-auth-duo-0.9.11-incubating.jar /etc/guacamole/extensions
chown tomcat: /etc/guacamole/extensions/
</code>
  * Restart Tomcat:<code>
systemctl restart tomcat
</code>
  * Follow the documentation at [[https://guacamole.incubator.apache.org/doc/gug/duo-auth.html]]

====Install a new guacamole-server====

  * This was based on the 0.9.10 version.
  * Install dependencies. I'm not recording sessions, so I don't need ffmpeg.<code>
yum install cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel \
    freerdp-devel pango-devel libssh2-devel libtelnet-devel \
    libvncserver-devel pulseaudio-libs-devel openssl-devel \
    libvorbis-devel libwebp-devel libtool \
    dejavu-sans-mono-fonts.noarch liberation-mono-fonts.noarch
</code>
  * Download the source code and SHA sums from: [[http://guacamole.incubator.apache.org/releases/0.9.10-incubating/]]
  * Verify the source code:<code>
sha256sum -c *.sha
guacamole-client-0.9.10-incubating.tar.gz: OK
guacamole-server-0.9.10-incubating.tar.gz: OK
</code>
  * Compile the server:<code>
tar zxf guacamole-server-0.9.10-incubating.tar.gz
cd guacamole-server-0.9.10-incubating/
autoreconf -fi
# No SystemD services yet...
./configure --with-init-dir=/etc/init.d --prefix=/opt/guacamole
make
make install # as root
</code>
  * Create a non-root user:<code>
useradd -c "guacamole user" -M -s /sbin/nologin guacuser
mkdir /opt/guacamole/run
chown guacuser: /opt/guacamole/run
</code>
  * Edit /etc/init.d/guacd:<code>
change: pidfile="/var/run/$prog.pid"
to:     pidfile="/opt/guacamole/run/$prog.pid"

change: getpid > /dev/null || $exec -p "$pidfile"
to:     getpid > /dev/null || sudo -u guacuser -- $exec -p "$pidfile"
</code>
  * Enable and start guacd:<code>
chkconfig --add guacd
service guacd start
</code>

===Install Tomcat===

  * Install packages:<code>
yum install tomcat
</code>
  * Enable and start Tomcat:<code>
systemctl enable tomcat
systemctl start tomcat
</code>

===Build guacamole-client===

  * Install required packages:<code>
yum install maven
</code>
  * Install the client:<code>
tar -xzf guacamole-client-0.9.10-incubating.tar.gz
cd guacamole-client-0.9.10-incubating
mvn package
</code>

===Deploy webapp===

  * Deploy:<code>
cd guacamole-client-0.9.10-incubating
cp guacamole/target/guacamole-0.9.10-incubating.war /var/lib/tomcat/webapps/guacamole.war
#Check logging
journalctl -u tomcat
</code>

====Install reverse proxy====

  * Install nginx:<code>
yum install nginx setools
</code>
  * Change SELinux boolean:<code>
setsebool -P httpd_can_network_connect 1
</code>
  * Configure the reverse proxy, create ''/etc/nginx/conf.d/guacamole.conf'':<code>
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
</code>
  * Enable and start nginx:<code>
systemctl enable nginx
systemctl start nginx
</code>

====Configure users====

  * Create directory and file: ''/usr/share/tomcat/.guacamole/user-mapping.xml''. See example in ''/root/guacamole-client-0.9.10-incubating/guacamole/doc/example/user-mapping.xml''. Example: ssh example.com Liberation Mono ssh ssh.example.com vnc vnc.example.com 5901 vncpassword rdp win10.example.com 3389
  * Change owner and rights:<code>
chown -R tomcat: /usr/share/tomcat/.guacamole/
chmod 600 /usr/share/tomcat/.guacamole/user-mapping.xml
</code>
  * Create a symlink to /etc for ease of use:<code>
ln -s /usr/share/tomcat/.guacamole /etc/guacamole
systemctl restart tomcat
</code>

====Additional configuration====

===List fonts for use with SSH / Telnet===

  * You can list fonts with:<code>
fc-list :spacing=mono
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-BlackIt.otf: Source Code Pro,Source Code Pro Black:style=Black Italic,Italic
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-LightIt.otf: Source Code Pro,Source Code Pro Light:style=Light Italic,Italic
/usr/share/fonts/liberation/LiberationMono-Bold.ttf: Liberation Mono:style=Bold
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-Bold.otf: Source Code Pro:style=Bold
/usr/share/fonts/dejavu/DejaVuSansMono-BoldOblique.ttf: DejaVu Sans Mono:style=Bold Oblique
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-Regular.otf: Source Code Pro:style=Regular
/usr/share/fonts/dejavu/DejaVuSansMono.ttf: DejaVu Sans Mono:style=Book
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-Medium.otf: Source Code Pro,Source Code Pro Medium:style=Medium,Regular
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-MediumIt.otf: Source Code Pro,Source Code Pro Medium:style=Medium Italic,Italic
/usr/share/fonts/levien-inconsolata/Inconsolata.ttf: Inconsolata:style=Medium
/usr/share/X11/fonts/Type1/c0611bt_.pfb: Courier 10 Pitch:style=Bold Italic
/usr/share/fonts/dejavu/DejaVuSansMono-Bold.ttf: DejaVu Sans Mono:style=Bold
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-Light.otf: Source Code Pro,Source Code Pro Light:style=Light,Regular
/usr/share/fonts/liberation/LiberationMono-Italic.ttf: Liberation Mono:style=Italic
/usr/share/X11/fonts/Type1/c0419bt_.pfb: Courier 10 Pitch:style=Regular
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-Black.otf: Source Code Pro,Source Code Pro Black:style=Black,Regular
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-ExtraLight.otf: Source Code Pro,Source Code Pro ExtraLight:style=ExtraLight,Regular
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-BoldIt.otf: Source Code Pro:style=Bold Italic
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-ExtraLightIt.otf: Source Code Pro,Source Code Pro ExtraLight:style=ExtraLight Italic,Italic
/usr/share/fonts/dejavu/DejaVuSansMono-Oblique.ttf: DejaVu Sans Mono:style=Oblique
/usr/share/X11/fonts/Type1/cursor.pfa: Cursor:style=Regular
/usr/share/fonts/liberation/LiberationMono-Regular.ttf: Liberation Mono:style=Regular
/usr/share/X11/fonts/Type1/c0583bt_.pfb: Courier 10 Pitch:style=Bold
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-SemiboldIt.otf: Source Code Pro,Source Code Pro Semibold:style=Semibold Italic,Italic
/usr/share/X11/fonts/Type1/c0582bt_.pfb: Courier 10 Pitch:style=Italic
/usr/share/fonts/liberation/LiberationMono-BoldItalic.ttf: Liberation Mono:style=Bold Italic
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-It.otf: Source Code Pro:style=Italic
/usr/share/fonts/adobe-source-code-pro/SourceCodePro-Semibold.otf: Source Code Pro,Source Code Pro Semibold:style=Semibold,Regular
</code>
====Troubleshooting====

  * If the application won't start, check for leftover PID files in ''/opt/guacamole/run''.
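
One way to script the leftover PID file check, together with the mode check on ''user-mapping.xml'' from the Configure users section. This is an added example, not part of the original page; the function names are made up for it, and the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: classify guacd PID files and check the user-mapping.xml mode.
# Function names are invented here; the paths are the ones this page uses.

# Print "absent", "invalid", "running" or "stale" for a PID file.
pidfile_state() {
    pf=$1
    [ -f "$pf" ] || { echo absent; return 0; }
    pid=$(tr -d ' \t\r\n' < "$pf")
    case $pid in
        ''|*[!0-9]*|0) echo invalid; return 0 ;;
    esac
    # kill -0 fails with EPERM on another user's process, so also look at /proc.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo running
    else
        echo stale
    fi
}

# Remove a PID file only when no process owns it; return 0 if it was removed.
remove_if_stale() {
    [ "$(pidfile_state "$1")" = stale ] && rm -f -- "$1"
}

# Succeed when the path is a regular file with mode 600 exactly (rw-------).
mode_is_600() {
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# Report on the locations configured on this page; nothing is deleted here.
for f in /opt/guacamole/run/*.pid; do
    [ -e "$f" ] || continue
    echo "$f: $(pidfile_state "$f")"
done
map=/usr/share/tomcat/.guacamole/user-mapping.xml
if [ -e "$map" ] && ! mode_is_600 "$map"; then
    echo "$map: mode is not 600"
fi
```

Run it as root so the files of both guacuser and tomcat are readable; call ''remove_if_stale'' on a file only after the report shows it as stale.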