Details
Category: ICT
By Leon Jehae
21.nov

Guacamole proxy

Apache Guacamole is a free and open-source cross-platform Remote Desktop Gateway maintained by the Apache Software Foundation. It allows a user to take control of a remote computer or virtual machine via a web browser. The server runs on most Linux distributions and the client runs on any modern web browser. Remote access is performed via the guacd component, which uses the RDP, VNC or SSH remote protocols to access resources. Guacamole is clientless and doesn't require an agent to be installed on the resources being accessed. The fact that the client runs on web browsers allows users to connect to their remote desktops without using an installed remote desktop client.[1]

In July 2020, serious reverse RDP vulnerabilities in Guacamole were uncovered, allowing potential attackers to take complete control of a Guacamole gateway, listen in on incoming sessions, see all the credentials used, and start sessions to control computers within the network.[2][3][4] The method of attack was subsequently patched. The hacking has launched a House probe of whether Chinese hackers are taking advantage of the U.S. throughout the 2020 coronavirus pandemic.


INSTALL GUACAMOLE 1.1.0 ON DEBIAN 10 WITH DB AUTHENTICATION (PART 1)


Start with a fresh Debian 10.3.0 with the latest patches. I just installed vim and open-vm-tools because my server runs on a VMware cluster.

1. Install Tomcat 9

apt install tomcat9 tomcat9-admin tomcat9-common tomcat9-user

If you now open http://<YOUR_SERVER>:8080 you should get an “It works!” page.

2. Install Guacamole Server

2.1 Install required packages

apt install build-essential libcairo2-dev libjpeg62-turbo-dev libtool-bin libossp-uuid-dev libavcodec-dev libavutil-dev libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libwebsockets-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev

2.2 Download and install Guacamole Server

wget https://mirror.dkd.de/apache/guacamole/1.1.0/source/guacamole-server-1.1.0.tar.gz
tar vfx guacamole-server-1.1.0.tar.gz
cd guacamole-server-1.1.0/


autoreconf -fi
./configure --with-init-dir=/etc/init.d
make
make install

Activate Service and start it:

ldconfig
systemctl enable guacd
systemctl start guacd

3. Install Guacamole Client

3.1 Download

wget http://us.mirrors.quenda.co/apache/guacamole/1.1.0/binary/guacamole-1.1.0.war
mkdir /etc/guacamole
cp guacamole-1.1.0.war /etc/guacamole/guacamole.war
ln -s /etc/guacamole/guacamole.war /var/lib/tomcat9/webapps/ 
mkdir /etc/guacamole/{extensions,lib}
echo "GUACAMOLE_HOME=/etc/guacamole" | tee -a /etc/default/tomcat9

4. Install Database Server

4.1 Install packages

apt install mariadb-server mariadb-client

Note: You should secure your DB installation by running ‘mysql_secure_installation’.

4.2 Create Database and user

mysql -p


CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'passw0rd';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
FLUSH PRIVILEGES;
quit;

4.3 Download jdbc-extension

wget http://apache.mirror.digionline.de/guacamole/1.1.0/binary/guacamole-auth-jdbc-1.1.0.tar.gz

tar vfx guacamole-auth-jdbc-1.1.0.tar.gz

4.4 Import Database

cat guacamole-auth-jdbc-1.1.0/mysql/schema/*.sql | mysql -u root -p guacamole_db

4.5 Install extension

cp guacamole-auth-jdbc-1.1.0/mysql/guacamole-auth-jdbc-mysql-1.1.0.jar /etc/guacamole/extensions/

4.6 JDBC driver install

wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-8.0.13.tar.gz

tar xvzf mysql-connector-java-8.0.13.tar.gz

cp mysql-connector-java-8.0.13/mysql-connector-java-8.0.13.jar /etc/guacamole/lib/

4.7 Configure DB Time zone

If you see the following error after the restart, you have to configure the time zone of your database (see this issue: https://issues.apache.org/jira/browse/GUACAMOLE-760).

Error querying database. Cause: java.sql.SQLException: The server time zone value 'CEST' is unrecognized or represents more than one time zone. You must configure either the server or JDBC driver (via the serverTimezone configuration property) to use a more specifc time zone value if you want to utilize time zone support.

Import time zones to your database:

mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql

Now open ‘/etc/mysql/mariadb.conf.d/50-server.cnf’ with your editor and add the following line:

default_time_zone='Europe/Berlin'

Replace ‘Europe/Berlin’ with your own time zone, then restart the database:

systemctl restart mariadb.service

5. Configure Guacamole

vim /etc/guacamole/guacamole.properties


# Hostname and Guacamole server port
guacd-hostname: localhost
guacd-port: 4822

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: passw0rd

After each modification of this file you have to restart your Tomcat server.

systemctl restart tomcat9

6. Test

Open http://<YOUR_SERVER>:8080/guacamole in your browser and login with Username: ‘guacadmin’ and Password: ‘guacadmin’.
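Before trusting the login page, it is worth checking that the files from steps 3 to 5 are actually in place. The following shell functions are an added example, not part of the original article: they read `guacamole.properties` in the `key: value` form used above, verify that every key from step 5 is present, that the file is not world-readable (it holds the database password), that the placeholder password `passw0rd` has been replaced, and that both the JDBC extension and the MySQL connector jar exist. The directory layout (`extensions/`, `lib/` under GUACAMOLE_HOME) is the one created in steps 3 and 4; the directory is a parameter so the checks can be run against any copy.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): sanity-check a Guacamole
# installation laid out as in the steps above. Assumed layout:
#   $GUACAMOLE_HOME/guacamole.properties, extensions/, lib/

# Print the value of a key from guacamole.properties ("key: value" form).
guac_prop() {
    # $1 = properties file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1
}

# Check a GUACAMOLE_HOME directory. Returns 0 when everything looks right,
# otherwise prints one line per problem and returns 1.
check_guac_home() {
    home=${1:-/etc/guacamole}
    props="$home/guacamole.properties"
    rc=0

    if [ ! -f "$props" ]; then
        echo "MISSING $props"
        return 1
    fi

    # Every key from the configuration step must be present.
    for key in guacd-hostname guacd-port mysql-hostname mysql-port \
               mysql-database mysql-username mysql-password; do
        if [ -z "$(guac_prop "$props" "$key")" ]; then
            echo "MISSING-KEY $key"
            rc=1
        fi
    done

    # The properties file holds the DB password: the "others" permission
    # digit must not carry the read bit.
    mode=$(stat -c '%a' "$props")
    case "$mode" in
        *[4567]) echo "WORLD-READABLE $props (mode $mode)"; rc=1 ;;
    esac

    # The article's placeholder password must have been replaced.
    if [ "$(guac_prop "$props" mysql-password)" = "passw0rd" ]; then
        echo "PLACEHOLDER-PASSWORD mysql-password"
        rc=1
    fi

    # The JDBC auth extension and the MySQL connector jar must both be present;
    # without either one the web app starts but database login does not work.
    ls "$home"/extensions/guacamole-auth-jdbc-mysql-*.jar >/dev/null 2>&1 \
        || { echo "MISSING-EXTENSION guacamole-auth-jdbc-mysql"; rc=1; }
    ls "$home"/lib/mysql-connector-java-*.jar >/dev/null 2>&1 \
        || { echo "MISSING-DRIVER mysql-connector-java"; rc=1; }

    return $rc
}

# Set GUAC_CHECK=1 to run the check against the live installation.
if [ -n "${GUAC_CHECK:-}" ]; then
    check_guac_home "${GUACAMOLE_HOME:-/etc/guacamole}"
fi
```

Run it as `GUAC_CHECK=1 bash check_guac_home.sh` after step 5; a clean run prints nothing and exits 0, so it can sit in a provisioning script right before `systemctl restart tomcat9`.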

7. Apache reverse Proxy

7.1 Installation

apt install apache2 -y

7.2 Activate Modules

a2enmod rewrite
a2enmod proxy_http
a2enmod proxy_wstunnel

7.3 Apache config

vim /etc/apache2/sites-enabled/000-default.conf

And insert the following into the VirtualHost block:

ProxyPass / http://127.0.0.1:8080/guacamole/ flushpackets=on
ProxyPassReverse / http://127.0.0.1:8080/guacamole/
ProxyPassReverseCookiePath /guacamole /
<Location /websocket-tunnel>
     Order allow,deny
     Allow from all
     ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
     ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
</Location>
SetEnvIf Request_URI "^/tunnel" dontlog
CustomLog  /var/log/apache2/guac.log common env=!dontlog

7.4 Restart Apache

systemctl restart apache2.service

7.5 Test

Now you can access your Guacamole at http://<YOUR_SERVER>. But of course you should serve this over HTTPS!
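The HTTPS version of step 7.3, as an added example that is not part of the original article: a shell function that renders the two VirtualHosts, a port-80 site that only redirects and a port-443 site carrying the same proxy rules as above behind TLS. It assumes `mod_ssl` and `mod_headers` are enabled (`a2enmod ssl headers`) on top of the modules from step 7.2, and that the certificate and key paths you pass in exist; the server name and paths are parameters, not values from the article. `Require all granted` is the Apache 2.4 form of the `Order allow,deny` / `Allow from all` pair used above.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): render the step 7.3 reverse
# proxy as an HTTPS site. Assumes a2enmod ssl headers has been run and that
# the certificate/key files exist. Output goes to stdout.
#
# Usage: render_guac_vhost SERVER_NAME CERT_FILE KEY_FILE \
#            > /etc/apache2/sites-available/guacamole.conf
render_guac_vhost() {
    name=$1 cert=$2 key=$3
    # Refuse to emit a TLS vhost that points at files Apache cannot read.
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "render_guac_vhost: cannot read $f" >&2; return 1; }
    done
    cat <<EOF
# Port 80 only redirects: no login traffic is proxied over plain HTTP.
<VirtualHost *:80>
    ServerName $name
    Redirect permanent / https://$name/
</VirtualHost>

<VirtualHost *:443>
    ServerName $name
    SSLEngine on
    SSLCertificateFile $cert
    SSLCertificateKeyFile $key
    # Tell browsers to keep using HTTPS for a year.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Same rules as the plain-HTTP site in step 7.3, now behind TLS.
    ProxyPass / http://127.0.0.1:8080/guacamole/ flushpackets=on
    ProxyPassReverse / http://127.0.0.1:8080/guacamole/
    ProxyPassReverseCookiePath /guacamole /
    <Location /websocket-tunnel>
        Require all granted
        ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
    </Location>

    SetEnvIf Request_URI "^/tunnel" dontlog
    CustomLog /var/log/apache2/guac.log common env=!dontlog
</VirtualHost>
EOF
}
```

Write the output to a new site file, then `a2dissite 000-default`, `a2ensite guacamole` and `systemctl restart apache2.service`; the Tomcat port 8080 itself should then only be reachable from localhost, since every client now comes in through Apache.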

8. Debugging

Tomcat logs to /var/log/tomcat9/catalina.out, so

tail -f /var/log/tomcat9/catalina.out

shows you the main log of your Guacamole server.

If you need more details, create the file ‘/etc/guacamole/logback.xml’:

<configuration>
 <!-- Appender for debugging -->
 <appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
    <encoder>
     <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
    </encoder>
 </appender>

 <!-- Log at Debug Level -->
 <root level="debug">
     <appender-ref ref="GUAC-DEBUG"/>
 </root>
</configuration>

and restart Tomcat:

systemctl restart tomcat9
