Ben's notes

Linux, Unix, network, radio...

CentOS 7, Guacamole: clientless remote desktop gateway

The version packaged in EPEL is 0.8.4, which is several years old, so this page builds the most recent release from: Apache Guacamole.

Upgrade

  • Check the release notes for additional actions, such as upgrading the database schema.

Upgrade server

  • Download the source code, the SHA sums and the .asc signatures from: http://guacamole.incubator.apache.org/releases/
  • Verify the source code. The checksum files are served from the same site as the tarballs, so a match only proves the download is intact; to check who published the release, verify the .asc signature against the project's KEYS file as well.
    sha256sum -c *.sha
    guacamole-client-0.9.11-incubating.tar.gz: OK
    guacamole-server-0.9.11-incubating.tar.gz: OK
  • Compile the server:
    tar zxf guacamole-server-0.9.11-incubating.tar.gz
    cd guacamole-server-0.9.11-incubating/
    
    autoreconf -fi
    # No SystemD services yet...
    ./configure --with-init-dir=/etc/init.d --prefix=/opt/guacamole
    
    make
    make install # as root
  • Stop guacd:
    service guacd stop
  • Edit /etc/init.d/guacd again: make install has replaced the init script, so the changes from the initial install (PID file under /opt/guacamole/run, guacd started as guacuser instead of root) must be reapplied:
    change: pidfile="/var/run/$prog.pid"
    to:     pidfile="/opt/guacamole/run/$prog.pid"
    
    change: getpid > /dev/null || $exec -p "$pidfile"
    to:     getpid > /dev/null || sudo -u guacuser -- $exec -p "$pidfile"
  • Start guacd:
    service guacd restart

Build guacamole-client

  • Install the client:
    tar -xzf guacamole-client-0.9.11-incubating.tar.gz
    cd guacamole-client-0.9.11-incubating
    
    mvn package

Deploy webapp

  • Deploy:
    cd guacamole-client-0.9.11-incubating
    
    rm /var/lib/tomcat/webapps/guacamole.war
    cp guacamole/target/guacamole-0.9.11-incubating.war /var/lib/tomcat/webapps/guacamole.war
    
    #Check logging
    journalctl -u tomcat

Two-factor authentication

  • Guacamole supports two-factor authentication via Duo.
  • Download the Duo extension from http://guacamole.incubator.apache.org/releases/.
  • Verify the archive:
    sha256sum -c *.sha
    guacamole-auth-duo-0.9.11-incubating.tar.gz: OK
  • Create the GUACAMOLE_HOME/extensions directory, if it does not already exist. We have a symlink from /etc/guacamole to /usr/share/tomcat/.guacamole.
    cd /etc/guacamole
    mkdir extensions
  • Copy guacamole-auth-duo-0.9.11-incubating.jar into GUACAMOLE_HOME/extensions. The jar is copied as root, so hand the directory and its contents to tomcat:
    tar zxvf guacamole-auth-duo-0.9.11-incubating.tar.gz
    cp guacamole-auth-duo-0.9.11-incubating/guacamole-auth-duo-0.9.11-incubating.jar /etc/guacamole/extensions
    chown -R tomcat. /etc/guacamole/extensions/
  • The extension needs the Duo API hostname, integration key, secret key and a locally generated application key of at least 40 characters (duo-api-hostname, duo-integration-key, duo-secret-key, duo-application-key) in GUACAMOLE_HOME/guacamole.properties before it can complete a login. Keep that file readable by tomcat only: the secret key grants access to the Duo integration.
  • Restart Tomcat:
    systemctl restart tomcat
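The settings the extension still needs after the steps above, written by a script. This is an added example and not part of the page's commands or of the Guacamole project: the property names are the ones documented for the Duo extension, the placeholder hostname and keys in the usage line are constructed, and the GUACAMOLE_HOME path /etc/guacamole follows the symlink this page creates.

```shell
#!/bin/sh
# Added example for the Duo step; not from the page or the Guacamole project.
# Writes the four properties the guacamole-auth-duo extension reads from
# GUACAMOLE_HOME/guacamole.properties (duo-api-hostname, duo-integration-key,
# duo-secret-key, duo-application-key, as named in the extension's
# documentation). The API hostname, integration key and secret key come from
# the Duo admin panel; the application key is a local secret of at least 40
# characters that never leaves this host, generated here from /dev/urandom.
set -eu

# Usage: write_duo_properties <GUACAMOLE_HOME> <api-hostname> <integration-key> <secret-key>
write_duo_properties() {
    home=$1; api=$2; ikey=$3; skey=$4
    props="$home/guacamole.properties"
    umask 077                          # files created from here on are owner-readable only
    [ -f "$props" ] || : > "$props"
    # Keep an existing application key: rotating it gains nothing and would
    # invalidate any Duo response still signed with the old one.
    akey=$(sed -n 's/^duo-application-key[[:space:]]*[=:][[:space:]]*//p' "$props" | head -n 1)
    if [ "${#akey}" -lt 40 ]; then
        akey=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')   # 64 hex characters
    fi
    # Replace any previous duo-* lines instead of appending duplicates.
    grep -v '^duo-' "$props" > "$props.tmp" || true
    {
        cat "$props.tmp"
        printf 'duo-api-hostname: %s\n' "$api"
        printf 'duo-integration-key: %s\n' "$ikey"
        printf 'duo-secret-key: %s\n' "$skey"
        printf 'duo-application-key: %s\n' "$akey"
    } > "$props"
    rm -f "$props.tmp"
    chmod 600 "$props"
    # Tomcat reads the file as the tomcat user; only root can hand it over.
    if [ "$(id -u)" -eq 0 ] && id tomcat >/dev/null 2>&1; then
        chown tomcat: "$props"
    fi
}

# Check that a GUACAMOLE_HOME holds a complete Duo configuration with safe permissions.
# Usage: duo_props_ok <GUACAMOLE_HOME>
duo_props_ok() {
    props="$1/guacamole.properties"
    [ "$(ls -l "$props" | cut -c1-10)" = "-rw-------" ] || return 1
    for k in duo-api-hostname duo-integration-key duo-secret-key; do
        grep -q "^$k: ." "$props" || return 1
    done
    akey=$(sed -n 's/^duo-application-key: //p' "$props")
    [ "${#akey}" -ge 40 ]
}

# Example (as root, followed by systemctl restart tomcat); the values are placeholders:
#   write_duo_properties /etc/guacamole api-XXXXXXXX.duosecurity.com DIXXXXXXXXXXXXXXXXXX <secret-key>
```

The application key is generated once and preserved on reruns; the other three values are replaced each time, so the same call can be used to rotate the Duo secret key.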

Install a new guacamole-server

  • This was based on the 0.9.10 version.
  • Install dependencies. I'm not recording sessions, so I don't need ffmpeg.
    yum install cairo-devel libjpeg-turbo-devel libpng-devel uuid-devel freerdp-devel pango-devel libssh2-devel libtelnet-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel libtool dejavu-sans-mono-fonts.noarch liberation-mono-fonts.noarch
    
  • Download the source code and SHA sums from: http://guacamole.incubator.apache.org/releases/0.9.10-incubating/
  • Verify the source code:
    sha256sum -c *.sha
    guacamole-client-0.9.10-incubating.tar.gz: OK
    guacamole-server-0.9.10-incubating.tar.gz: OK
  • Compile the server:
    tar zxf guacamole-server-0.9.10-incubating.tar.gz
    cd guacamole-server-0.9.10-incubating/
    
    autoreconf -fi
    # No SystemD services yet...
    ./configure --with-init-dir=/etc/init.d --prefix=/opt/guacamole
    
    make
    make install # as root
  • Create a non-root user for guacd and a PID directory it can write to:
    useradd -c "guacamole user" -M -s /sbin/nologin guacuser
    mkdir /opt/guacamole/run
    chown guacuser. /opt/guacamole/run
  • Edit /etc/init.d/guacd so guacd runs as guacuser instead of root and keeps its PID file where that user can write:
    change: pidfile="/var/run/$prog.pid"
    to:     pidfile="/opt/guacamole/run/$prog.pid"
    
    change: getpid > /dev/null || $exec -p "$pidfile"
    to:     getpid > /dev/null || sudo -u guacuser -- $exec -p "$pidfile"
  • Enable and start guacd:
    chkconfig --add guacd
    service guacd start

Install Tomcat

  • Install packages:
    yum install tomcat
  • Enable and start Tomcat:
    systemctl enable tomcat
    systemctl start tomcat

Build guacamole-client

  • Install required packages:
    yum install maven
  • Install the client:
    tar -xzf guacamole-client-0.9.10-incubating.tar.gz
    cd guacamole-client-0.9.10-incubating
    
    mvn package

Deploy webapp

  • Deploy:
    cd guacamole-client-0.9.10-incubating
    cp guacamole/target/guacamole-0.9.10-incubating.war /var/lib/tomcat/webapps/guacamole.war
    
    #Check logging
    journalctl -u tomcat

Install reverse proxy

  • Install nginx:
    yum install nginx setools
  • Change the SELinux boolean so nginx may open connections to Tomcat:
    setsebool -P httpd_can_network_connect 1
  • Tomcat itself keeps listening on port 8080 on every interface, so the TLS front end can be bypassed unless the HTTP connector is bound to 127.0.0.1 (the address attribute of the Connector in /etc/tomcat/server.xml) or port 8080 is blocked in the firewall.
  • Configure the reverse proxy, create /etc/nginx/conf.d/guacamole.conf (the ssl_ciphers value below is the CentOS default and still permits suites without forward secrecy; tighten it and pin ssl_protocols to TLSv1.2 where the clients allow):
    server {
      listen       443 ssl http2 default_server;
      listen       [::]:443 ssl http2 default_server;
      server_name  _;
      root         /usr/share/nginx/html;
    
      ssl_certificate "/etc/pki/nginx/server.crt";
      ssl_certificate_key "/etc/pki/nginx/private/server.key";
      ssl_session_cache shared:SSL:1m;
      ssl_session_timeout  10m;
      ssl_ciphers HIGH:!aNULL:!MD5;
      ssl_prefer_server_ciphers on;
    
      # Load configuration files for the default server block.
      include /etc/nginx/default.d/*.conf;
    
      location / {
      }
    
      location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
      }
    
    
      error_page 404 /404.html;
      location = /40x.html {
      }
    
      error_page 500 502 503 504 /50x.html;
      location = /50x.html {
      }
    }
  • Enable and start nginx:
    systemctl enable nginx
    systemctl start nginx

Configure users

  • Create the directory and the file /usr/share/tomcat/.guacamole/user-mapping.xml; see the example in /root/guacamole-client-0.9.10-incubating/guacamole/doc/example/user-mapping.xml. With encoding="md5" the password attribute holds the unsalted MD5 hex digest of the password ("md5pass" below is a placeholder), and connection passwords such as the VNC one are stored in the clear, which is why the file is made readable by tomcat only further down. Example:
    <?xml version="1.0" encoding="UTF-8"?>
    
    <user-mapping>
    
     <authorize username="user"
                password="md5pass"
                encoding="md5">
    
       <connection name="example.com">
         <protocol>ssh</protocol>
         <param name="hostname">example.com</param>
         <param name="font-name">Liberation Mono</param>
       </connection>
    
       <connection name="ssh.example.com (SSH)">
         <protocol>ssh</protocol>
         <param name="hostname">ssh.example.com</param>
       </connection>
    
       <connection name="vnc.example.com (VNC)">
         <protocol>vnc</protocol>
         <param name="hostname">vnc.example.com</param>
         <param name="port">5901</param>
         <param name="password">vncpassword</param>
       </connection>
    
       <connection name="win10.example.com (RDP)">
         <protocol>rdp</protocol>
         <param name="hostname">win10.example.com</param>
         <param name="port">3389</param>
       </connection>
    
     </authorize>
    
    
    
    </user-mapping>
    
  • Change owner and rights:
    chown -R tomcat. /usr/share/tomcat/.guacamole/
    chmod 600 /usr/share/tomcat/.guacamole/user-mapping.xml
  • Create a symlink to /etc for ease of use:
    ln -s /usr/share/tomcat/.guacamole /etc/guacamole
  • Restart Tomcat:
    systemctl restart tomcat
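Two helpers for this step, added here and not taken from the page or the Guacamole project: guac_md5 produces the value that goes into password="..." when encoding="md5" is used, and check_user_mapping audits a user-mapping.xml for login passwords that are not MD5-encoded, connection passwords stored in the clear, and a file mode other than 0600. The audit is a text-level check with grep and sed, not an XML parser, and assumes GNU tools as on CentOS 7.

```shell
#!/bin/sh
# Added example for the user-mapping.xml step; not from the page or the
# Guacamole project. Computes the password attribute value for encoding="md5"
# and audits an existing user-mapping.xml for the weak spots that file format
# invites. Assumes GNU coreutils/grep as on CentOS 7; the audit is a
# text-level check, not a full XML parse.
set -eu

# encoding="md5" expects the unsalted MD5 hex digest of the password. printf is
# used instead of echo so that no trailing newline ends up in the hash.
# Usage: guac_md5 <password>
guac_md5() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Audit a user-mapping.xml. Prints one finding per line and returns 1 if any:
#   - an <authorize> with a password attribute but no encoding="md5"
#     (login password stored in the clear)
#   - <param name="password"> entries (connection credentials in the clear,
#     which is why the file must be readable by the tomcat user only)
#   - a file mode other than 0600
# Usage: check_user_mapping <file>
check_user_mapping() {
    f=$1
    findings=$(
        # Join lines so a tag split over several lines is inspected as one unit.
        tr '\n' ' ' < "$f" | grep -o '<authorize[^>]*>' | while read -r tag; do
            user=$(printf '%s' "$tag" | sed -n 's/.*username="\([^"]*\)".*/\1/p')
            case "$tag" in
                *'encoding="md5"'*) ;;
                *'password="'*) echo "login password for user '$user' is not MD5-encoded" ;;
            esac
        done
        n=$(grep -c '<param name="password">' "$f") || true
        [ "$n" -eq 0 ] || echo "$n connection password(s) stored in the clear"
        mode=$(ls -l "$f" | cut -c1-10)
        [ "$mode" = "-rw-------" ] || echo "file mode is $mode, expected -rw------- (0600)"
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Example: check_user_mapping /usr/share/tomcat/.guacamole/user-mapping.xml
```

Connection passwords cannot be hashed in this format because guacd has to present them to the remote host, so the only protection the file offers them is its mode; the audit therefore treats a clear-text connection password and a world-readable file as two separate findings.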

Additional configuration

List fonts for use with SSH / Telnet

  • You can list fonts with:
    fc-list :spacing=mono
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-BlackIt.otf: Source Code Pro,Source Code Pro Black:style=Black Italic,Italic
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-LightIt.otf: Source Code Pro,Source Code Pro Light:style=Light Italic,Italic
    /usr/share/fonts/liberation/LiberationMono-Bold.ttf: Liberation Mono:style=Bold
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-Bold.otf: Source Code Pro:style=Bold
    /usr/share/fonts/dejavu/DejaVuSansMono-BoldOblique.ttf: DejaVu Sans Mono:style=Bold Oblique
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-Regular.otf: Source Code Pro:style=Regular
    /usr/share/fonts/dejavu/DejaVuSansMono.ttf: DejaVu Sans Mono:style=Book
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-Medium.otf: Source Code Pro,Source Code Pro Medium:style=Medium,Regular
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-MediumIt.otf: Source Code Pro,Source Code Pro Medium:style=Medium Italic,Italic
    /usr/share/fonts/levien-inconsolata/Inconsolata.ttf: Inconsolata:style=Medium
    /usr/share/X11/fonts/Type1/c0611bt_.pfb: Courier 10 Pitch:style=Bold Italic
    /usr/share/fonts/dejavu/DejaVuSansMono-Bold.ttf: DejaVu Sans Mono:style=Bold
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-Light.otf: Source Code Pro,Source Code Pro Light:style=Light,Regular
    /usr/share/fonts/liberation/LiberationMono-Italic.ttf: Liberation Mono:style=Italic
    /usr/share/X11/fonts/Type1/c0419bt_.pfb: Courier 10 Pitch:style=Regular
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-Black.otf: Source Code Pro,Source Code Pro Black:style=Black,Regular
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-ExtraLight.otf: Source Code Pro,Source Code Pro ExtraLight:style=ExtraLight,Regular
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-BoldIt.otf: Source Code Pro:style=Bold Italic
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-ExtraLightIt.otf: Source Code Pro,Source Code Pro ExtraLight:style=ExtraLight Italic,Italic
    /usr/share/fonts/dejavu/DejaVuSansMono-Oblique.ttf: DejaVu Sans Mono:style=Oblique
    /usr/share/X11/fonts/Type1/cursor.pfa: Cursor:style=Regular
    /usr/share/fonts/liberation/LiberationMono-Regular.ttf: Liberation Mono:style=Regular
    /usr/share/X11/fonts/Type1/c0583bt_.pfb: Courier 10 Pitch:style=Bold
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-SemiboldIt.otf: Source Code Pro,Source Code Pro Semibold:style=Semibold Italic,Italic
    /usr/share/X11/fonts/Type1/c0582bt_.pfb: Courier 10 Pitch:style=Italic
    /usr/share/fonts/liberation/LiberationMono-BoldItalic.ttf: Liberation Mono:style=Bold Italic
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-It.otf: Source Code Pro:style=Italic
    /usr/share/fonts/adobe-source-code-pro/SourceCodePro-Semibold.otf: Source Code Pro,Source Code Pro Semibold:style=Semibold,Regular
    

Troubleshooting

  • If the application won't start, check for leftover PID files in /opt/guacamole/run.
centos_guacamole.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1