Difference between revisions of "Guacamole Server Installation"
− | |||
Guacamole 0.9.11 | Guacamole 0.9.11 | ||
==CentOS 7== | ==CentOS 7== | ||
+ | ===Installation=== | ||
+ | <ref>https://guacamole.incubator.apache.org/doc/gug/installing-guacamole.html</ref> | ||
+ | ====Server==== | ||
For RDP and VNC support (omitting SSH and telnet to reduce attack surface) | For RDP and VNC support (omitting SSH and telnet to reduce attack surface) | ||
<pre> | <pre> | ||
− | [root@guac ~]# yum install cairo-devel libjpeg-turbo-devel libjpeg-devel libpng-devel uuid-devel ffmpeg-devel freerdp-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel | + | [root@guac ~]# rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm |
+ | [root@guac ~]# yum install cairo-devel libjpeg-turbo-devel libjpeg-devel libpng-devel uuid-devel ffmpeg-devel freerdp-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel gcc | ||
[root@guac ~]# wget "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/source/guacamole-server-0.9.11-incubating.tar.gz" | [root@guac ~]# wget "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/source/guacamole-server-0.9.11-incubating.tar.gz" | ||
− | |||
[root@guac ~]# mv closer.cgi\?action\=download\&filename\=incubator%2Fguacamole%2F0.9.11-incubating%2Fsource%2Fguacamole-server-0.9.11-incubating.tar.gz guacamole-server-0.9.11-incubating.tar.gz | [root@guac ~]# mv closer.cgi\?action\=download\&filename\=incubator%2Fguacamole%2F0.9.11-incubating%2Fsource%2Fguacamole-server-0.9.11-incubating.tar.gz guacamole-server-0.9.11-incubating.tar.gz | ||
[root@guac ~]# cd guacamole-server-0.9.11-incubating | [root@guac ~]# cd guacamole-server-0.9.11-incubating | ||
+ | [root@guac guacamole-server-0.9.11-incubating]# ./configure --with-init-dir=/root/ | ||
+ | [root@guac guacamole-server-0.9.11-incubating]# make | ||
+ | [root@guac guacamole-server-0.9.11-incubating]# make install | ||
+ | [root@guac guacamole-server-0.9.11-incubating]# ldconfig | ||
+ | |||
+ | [root@guac ~]# cat /etc/systemd/system/guacd.service | ||
+ | [Unit] | ||
+ | After=network.target | ||
+ | |||
+ | [Service] | ||
+ | Type=forking | ||
+ | ExecStart=/root/guacd start | ||
+ | ExecStop=/root/guacd stop | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | ====Client==== | ||
+ | <ref>https://www.unixmen.com/install-apache-ant-maven-tomcat-centos-76-5</ref><ref>http://maven.apache.org/download.cgi</ref><ref>http://maven.apache.org/install.html</ref>Build from source | ||
+ | <pre> | ||
+ | [root@guac ~]# yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel tomcat | ||
+ | [root@guac ~]# wget http://mirror.reverse.net/pub/apache/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.tar.gz | ||
+ | [root@guac ~]# tar xvf apache-maven-3.3.9-bin.tar.gz | ||
+ | [root@guac ~]# cd apache-maven-3.3.9 | ||
+ | [root@guac ~]# mv apache-maven-3.3.9/ /opt/maven | ||
+ | [root@guac ~]# ln -s /opt/maven/bin/mvn /usr/bin/mvn | ||
+ | [root@guac ~]# export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre | ||
+ | |||
+ | [root@guac ~]# wget "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/source/guacamole-client-0.9.11-incubating.tar.gz" | ||
+ | [root@guac ~]# mv closer.cgi\?action\=download\&filename\=incubator%2Fguacamole%2F0.9.11-incubating%2Fsource%2Fguacamole-client-0.9.11-incubating.tar.gz guacamole-client-0.9.11-incubating.tar.gz | ||
+ | |||
+ | [root@guac ~]# tar xfv guacamole-client-0.9.11-incubating.tar.gz | ||
+ | [root@guac ~]# cd guacamole-client-0.9.11-incubating | ||
+ | [root@guac guacamole-client-0.9.11-incubating]# mvn package | ||
+ | </pre> | ||
+ | Download binary | ||
+ | <pre> | ||
+ | [root@guac ~]# wget http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/binary/guacamole-0.9.11-incubating.war | ||
+ | [root@guac ~]# mv closer.cgi\?action\=download guacamole-0.9.11-incubating.war | ||
+ | [root@guac guacamole-client-0.9.11-incubating]# cp guacamole/target/guacamole-0.9.11-incubating.war /var/lib/tomcat/webapps/guacamole.war | ||
+ | [root@guac guacamole-client-0.9.11-incubating]# systemctl enable tomcat | ||
+ | [root@guac guacamole-client-0.9.11-incubating]# systemctl start tomcat | ||
+ | </pre> | ||
+ | |||
+ | ====Proxy==== | ||
+ | <ref>https://guacamole.incubator.apache.org/doc/gug/proxying-guacamole.html</ref> | ||
+ | <ref>https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html</ref> | ||
+ | <ref>http://freeradius.org/mod_auth_radius/</ref> | ||
+ | <ref>https://www.leaseweb.com/labs/2014/12/tutorial-apache-2-4-transparent-reverse-proxy/</ref> | ||
+ | <ref>https://www.reddit.com/r/apache/comments/3a07us/modauthradius_setup_help/</ref> | ||
+ | <ref>http://blog.warrenstrange.com/2011/09/apache-reverse-proxy-with-ldap.html</ref> | ||
+ | The below is assuming you are dedicating the proxy server for guacamole use. Modify as needed | ||
+ | <pre> | ||
+ | [root@proxy ~]# yum install httpd mod_proxy_html httpd-devel gcc openssl-devel | ||
+ | [root@proxy ~]# nano /etc/httpd/conf.d/guac.conf | ||
+ | |||
+ | <Location /> | ||
+ | Order allow,deny | ||
+ | Allow from all | ||
+ | ProxyPass http://192.168.124.166:8080/guacamole/ flushpackets=on | ||
+ | ProxyPassReverse http://192.168.124.166:8080/guacamole/ | ||
+ | </Location> | ||
+ | </pre><s><pre> | ||
+ | [root@proxy ~]# wget ftp://ftp.freeradius.org/pub/radius/mod_auth_radius-1.5.8.tar | ||
+ | [root@proxy ~]# tar xf mod_auth_radius-1.5.8.tar | ||
+ | [root@proxy ~]# cd mod_auth_radius-1.5.8 | ||
+ | [root@proxy mod_auth_radius-1.5.8]# apxs -i -a -c mod_auth_radius-2.0.c | ||
+ | </pre></s><pre> | ||
+ | The following is for using a RADIUS server for authentication. In this case I want to use 2FA with Google Authenticator, and allowing the cookie to be valid for eight hours. After a user logs in with their TOTP they still need to log into guacamole and the RDP server they want to access. | ||
+ | [root@proxy ~]# git clone https://github.com/FreeRADIUS/mod_auth_radius.git | ||
+ | [root@proxy ~]# cd mod_auth_radius | ||
+ | [root@proxy mod_auth_radius]# apxs -cia mod_auth_radius.c | ||
+ | LoadModule radius_auth_module /usr/lib64/httpd/modules/mod_auth_radius.so | ||
+ | <IfModule mod_auth_radius.c> | ||
+ | AddRadiusAuth your.radius.server:1812 password 5:3 | ||
+ | AddRadiusCookieValid 480 | ||
+ | </IfModule> | ||
</pre> | </pre> | ||
+ | NOTE : Check SELinux for port 8080 access errors. | ||
+ | |||
+ | ===Configuration=== | ||
+ | <ref>https://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html</ref><ref>https://sourceforge.net/p/guacamole/discussion/1110833/thread/2d0e4562/</ref> | ||
+ | ====Client Configuration==== | ||
+ | <pre> | ||
+ | [root@guac ~]# mkdir /usr/share/tomcat/.guacamole | ||
+ | [root@guac ~]# nano /usr/share/tomcat/.guacamole/guacamole.properties | ||
+ | |||
+ | available-languages: en | ||
+ | guacd-port: 4822 | ||
+ | guacd-host: localhost | ||
+ | |||
+ | [root@guac ~]# nano /usr/share/tomcat/.guacamole/user-mapping.xml | ||
+ | <user-mapping> | ||
+ | |||
+ | <authorize username="test" password="test"> | ||
+ | |||
+ | <connection name="testRDP"> | ||
+ | <protocol>rdp</protocol> | ||
+ | <param name="hostname">192.168.124.169</param> | ||
+ | <param name="security">tls</param> | ||
+ | <param name="ignore-cert">true</param> | ||
+ | </connection> | ||
+ | |||
+ | <connection name="RDS"> | ||
+ | <protocol>rdp</protocol> | ||
+ | <param name="hostname">192.168.124.66</param> | ||
+ | <param name="security">tls</param> | ||
+ | <param name="ignore-cert">true</param> | ||
+ | </connection> | ||
+ | |||
+ | </authorize> | ||
+ | |||
+ | </user-mapping> | ||
+ | |||
+ | </pre> | ||
+ | |||
+ | ====Troubleshooting Notes==== | ||
+ | <ref>https://sourceforge.net/p/guacamole/discussion/1110834/thread/b311f4c2/?limit=25</ref>Posted by Michael Jumper | ||
+ | <br> | ||
+ | <br> |
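Review bot: The `<Location />` block added to guac.conf in the Proxy section forwards every request to Tomcat with `Allow from all` and no `AuthType`/`Require`, while the RADIUS directives added below it (`AddRadiusAuth`, `AddRadiusCookieValid`) only configure the module; as written nobody is asked for the TOTP the accompanying text describes, and the proxy enforces no authentication at all. Authentication has to be declared inside the Location (`AuthType Basic`, `AuthBasicProvider radius`, `Require valid-user`, per the module's README for httpd 2.4), and the 2.2-style `Order allow,deny` / `Allow from all` pair should go, since httpd 2.4 on CentOS 7 only honours it through mod_access_compat. The `<IfModule mod_auth_radius.c>` guard should be dropped too: if the module fails to load, httpd should refuse to start rather than proxy unauthenticated. The RADIUS shared secret (`password`) lives in a world-readable file under /etc/httpd/conf.d, and Tomcat on 192.168.124.166:8080 must be firewalled to the proxy's address, otherwise the RADIUS step is bypassed by connecting to it directly.
```apache
<Location />
    AuthType Basic
    AuthName "Guacamole (RADIUS)"
    AuthBasicProvider radius
    AuthRadiusAuthoritative on
    AuthRadiusActive on
    Require valid-user
    # … unchanged: ProxyPass / ProxyPassReverse …
</Location>
```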
Latest revision as of 11:47, 24 May 2017
Guacamole 0.9.11 (incubating). This release is superseded; later guacamole-server releases fixed RDP-handling vulnerabilities in guacd (CVE-2020-9497, CVE-2020-9498), so build the current release and adjust the version strings in the commands below accordingly.
CentOS 7
Installation
Server
For RDP and VNC support (omitting SSH and telnet to reduce attack surface)
[root@guac ~]# rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm [root@guac ~]# yum install cairo-devel libjpeg-turbo-devel libjpeg-devel libpng-devel uuid-devel ffmpeg-devel freerdp-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel gcc [root@guac ~]# wget "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/source/guacamole-server-0.9.11-incubating.tar.gz" [root@guac ~]# mv closer.cgi\?action\=download\&filename\=incubator%2Fguacamole%2F0.9.11-incubating%2Fsource%2Fguacamole-server-0.9.11-incubating.tar.gz guacamole-server-0.9.11-incubating.tar.gz [root@guac ~]# cd guacamole-server-0.9.11-incubating [root@guac guacamole-server-0.9.11-incubating]# ./configure --with-init-dir=/root/ [root@guac guacamole-server-0.9.11-incubating]# make [root@guac guacamole-server-0.9.11-incubating]# make install [root@guac guacamole-server-0.9.11-incubating]# ldconfig [root@guac ~]# cat /etc/systemd/system/guacd.service [Unit] After=network.target [Service] Type=forking ExecStart=/root/guacd start ExecStop=/root/guacd stop [Install] WantedBy=multi-user.target
Client
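[root@guac ~]# yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel tomcat
# Maven is pulled from a mirror over plain HTTP; compare the checksum with the value
# published on maven.apache.org (or verify the .asc) before unpacking and putting it on PATH.
[root@guac ~]# wget http://mirror.reverse.net/pub/apache/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.tar.gz
[root@guac ~]# sha1sum apache-maven-3.3.9-bin.tar.gz
[root@guac ~]# tar xf apache-maven-3.3.9-bin.tar.gz
# The original transcript cd'ed into apache-maven-3.3.9 before moving it, so the
# relative path in the mv no longer existed. Move it from the parent directory.
[root@guac ~]# mv apache-maven-3.3.9/ /opt/maven
[root@guac ~]# ln -s /opt/maven/bin/mvn /usr/bin/mvn
# Derive JAVA_HOME from the alternatives-managed javac instead of hard-coding a
# specific build number (1.8.0.121-0.b13...), which breaks on the next JDK update.
[root@guac ~]# export JAVA_HOME="$(dirname "$(dirname "$(readlink -f /usr/bin/javac)")")"

# Quote the URL (it contains '&') and name the output file; verify the release signature
# against the project KEYS file before building (see the server section for importing it).
[root@guac ~]# wget -O guacamole-client-0.9.11-incubating.tar.gz "https://www.apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/source/guacamole-client-0.9.11-incubating.tar.gz"
[root@guac ~]# wget https://www.apache.org/dist/incubator/guacamole/0.9.11-incubating/source/guacamole-client-0.9.11-incubating.tar.gz.asc
[root@guac ~]# gpg --verify guacamole-client-0.9.11-incubating.tar.gz.asc guacamole-client-0.9.11-incubating.tar.gz

[root@guac ~]# tar xzf guacamole-client-0.9.11-incubating.tar.gz
[root@guac ~]# cd guacamole-client-0.9.11-incubating
# mvn package downloads build dependencies from Maven Central over the network;
# run it as an unprivileged build user rather than root where possible.
[root@guac guacamole-client-0.9.11-incubating]# mvn package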
Download binary (alternative to building from source; deploy only one of the two WARs)
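# The URL must be quoted: left bare, the '&' puts wget in the background and the
# filename=... part is run as a separate shell assignment, so the original fetched
# closer.cgi?action=download with no file name and renamed an error page to .war.
[root@guac ~]# wget -O guacamole-0.9.11-incubating.war "https://www.apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/binary/guacamole-0.9.11-incubating.war"
# Verify the WAR against the project's detached signature (KEYS imported in the server section).
[root@guac ~]# wget https://www.apache.org/dist/incubator/guacamole/0.9.11-incubating/binary/guacamole-0.9.11-incubating.war.asc
[root@guac ~]# gpg --verify guacamole-0.9.11-incubating.war.asc guacamole-0.9.11-incubating.war
# Deploy whichever WAR you obtained: the self-built one is guacamole/target/...war inside
# the source tree, the downloaded one is ~/guacamole-0.9.11-incubating.war.
[root@guac guacamole-client-0.9.11-incubating]# cp guacamole/target/guacamole-0.9.11-incubating.war /var/lib/tomcat/webapps/guacamole.war
# Tomcat listens on 0.0.0.0:8080 by default. If the RADIUS reverse proxy is the only
# intended entry point, restrict 8080 to the proxy's address with firewalld (or bind
# Tomcat's connector to a dedicated interface); otherwise the 2FA step is bypassed by
# connecting to Tomcat directly.
[root@guac guacamole-client-0.9.11-incubating]# systemctl enable tomcat
[root@guac guacamole-client-0.9.11-incubating]# systemctl start tomcat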
Proxy
[5] [6] [7] [8] [9] [10] The configuration below assumes the proxy host is dedicated to Guacamole (the application is mounted at `/`); if the server also hosts other sites, narrow the Location path and the ProxyPass targets accordingly.
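# mod_ssl is added so the proxy can terminate TLS: without it the RADIUS Basic-auth
# credentials, the Guacamole login and everything typed into RDP sessions cross the
# network in clear text between the browser and this host.
[root@proxy ~]# yum install httpd mod_ssl mod_proxy_html httpd-devel gcc openssl-devel

# Build the httpd 2.4 version of mod_auth_radius from the FreeRADIUS repository.
# (The mod_auth_radius-1.5.8 tarball previously listed here targets httpd 2.0/2.2 and
# is struck out on the wiki; do not use it.) Pin a reviewed commit rather than HEAD.
[root@proxy ~]# git clone https://github.com/FreeRADIUS/mod_auth_radius.git
[root@proxy ~]# cd mod_auth_radius
# apxs -a already appends the LoadModule line to httpd.conf; do not repeat it in conf.d.
[root@proxy mod_auth_radius]# apxs -cia mod_auth_radius.c

# RADIUS is used for the 2FA (TOTP) step. After the TOTP the user still has to log in
# to Guacamole and then to the RDP host. No <IfModule> guard on purpose: if the module
# is missing, httpd must refuse to start rather than proxy everything unauthenticated.
[root@proxy mod_auth_radius]# cat > /etc/httpd/conf.d/guac.conf <<'EOF'
# "password" is the RADIUS shared secret: replace it, and keep this file root:root 0600.
# Format: server:port secret timeout:retries
AddRadiusAuth your.radius.server:1812 password 5:3
# Cookie lifetime in minutes (8 h). A stolen cookie satisfies the 2FA step for that long;
# shorten it if the session-length trade-off allows.
AddRadiusCookieValid 480

<Location />
    # Authentication is enforced here. The original block only had
    # "Order allow,deny / Allow from all" (httpd 2.2 syntax, honoured on 2.4 only via
    # mod_access_compat) and no Auth*/Require directives, so every request was
    # forwarded to Tomcat without the RADIUS login.
    AuthType Basic
    AuthName "Guacamole (RADIUS)"
    AuthBasicProvider radius
    AuthRadiusAuthoritative on
    AuthRadiusActive on
    Require valid-user
    ProxyPass http://192.168.124.166:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://192.168.124.166:8080/guacamole/
</Location>
EOF
[root@proxy mod_auth_radius]# chmod 0600 /etc/httpd/conf.d/guac.conf
# SELinux denies httpd outbound connections (here to Tomcat on 8080) by default;
# allow them with the boolean instead of disabling SELinux.
[root@proxy mod_auth_radius]# setsebool -P httpd_can_network_connect 1
[root@proxy mod_auth_radius]# apachectl configtest
[root@proxy mod_auth_radius]# systemctl enable httpd
[root@proxy mod_auth_radius]# systemctl start httpd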
NOTE: On the proxy, SELinux blocks httpd from opening outbound connections to Tomcat on port 8080 by default (look for AVC denials in /var/log/audit/audit.log); allow it with `setsebool -P httpd_can_network_connect 1` rather than setting SELinux to permissive.
Configuration
Client Configuration
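# GUACAMOLE_HOME for the tomcat user. user-mapping.xml contains credentials, so only the
# tomcat account should be able to read this directory (permissions set at the end).
[root@guac ~]# mkdir /usr/share/tomcat/.guacamole
# The property is guacd-hostname, not guacd-host; the misspelt key is silently ignored
# (the default happens to be localhost, which is why the original still worked).
[root@guac ~]# cat > /usr/share/tomcat/.guacamole/guacamole.properties <<'EOF'
available-languages: en
guacd-hostname: localhost
guacd-port: 4822
EOF

[root@guac ~]# cat > /usr/share/tomcat/.guacamole/user-mapping.xml <<'EOF'
<user-mapping>

    <!-- Placeholder account: replace "test"/"test" before exposing the service.
         user-mapping.xml supports only plaintext or MD5 (encoding="md5") passwords and
         no lockout; for real users use the JDBC or LDAP authentication extension. -->
    <authorize username="test" password="test">

        <connection name="testRDP">
            <protocol>rdp</protocol>
            <param name="hostname">192.168.124.169</param>
            <param name="security">tls</param>
            <!-- ignore-cert disables validation of the RDP server's certificate, so the
                 TLS above does not protect against an on-path attacker. Keep it only while
                 testing; issue a trusted certificate to the RDP host and remove it. -->
            <param name="ignore-cert">true</param>
        </connection>

        <connection name="RDS">
            <protocol>rdp</protocol>
            <param name="hostname">192.168.124.66</param>
            <param name="security">tls</param>
            <!-- same caveat as above -->
            <param name="ignore-cert">true</param>
        </connection>

    </authorize>

</user-mapping>
EOF
[root@guac ~]# chown -R tomcat:tomcat /usr/share/tomcat/.guacamole
[root@guac ~]# chmod 700 /usr/share/tomcat/.guacamole
[root@guac ~]# chmod 600 /usr/share/tomcat/.guacamole/guacamole.properties /usr/share/tomcat/.guacamole/user-mapping.xml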
Troubleshooting Notes
[13]Posted by Michael Jumper
- ↑ https://guacamole.incubator.apache.org/doc/gug/installing-guacamole.html
- ↑ https://www.unixmen.com/install-apache-ant-maven-tomcat-centos-76-5
- ↑ http://maven.apache.org/download.cgi
- ↑ http://maven.apache.org/install.html
- ↑ https://guacamole.incubator.apache.org/doc/gug/proxying-guacamole.html
- ↑ https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
- ↑ http://freeradius.org/mod_auth_radius/
- ↑ https://www.leaseweb.com/labs/2014/12/tutorial-apache-2-4-transparent-reverse-proxy/
- ↑ https://www.reddit.com/r/apache/comments/3a07us/modauthradius_setup_help/
- ↑ http://blog.warrenstrange.com/2011/09/apache-reverse-proxy-with-ldap.html
- ↑ https://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html
- ↑ https://sourceforge.net/p/guacamole/discussion/1110833/thread/2d0e4562/
- ↑ https://sourceforge.net/p/guacamole/discussion/1110834/thread/b311f4c2/?limit=25