Difference between revisions of "Guacamole Server Installation"

From Michael's Information Zone

Latest revision as of 11:47, 24 May 2017

Guacamole 0.9.11

CentOS 7

Installation

[1]

Server

For RDP and VNC support (omitting SSH and telnet to reduce attack surface)

[root@guac ~]# rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
[root@guac ~]# yum install cairo-devel libjpeg-turbo-devel libjpeg-devel libpng-devel uuid-devel ffmpeg-devel freerdp-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel gcc 

[root@guac ~]# wget "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/source/guacamole-server-0.9.11-incubating.tar.gz"
[root@guac ~]# mv closer.cgi\?action\=download\&filename\=incubator%2Fguacamole%2F0.9.11-incubating%2Fsource%2Fguacamole-server-0.9.11-incubating.tar.gz guacamole-server-0.9.11-incubating.tar.gz

[root@guac ~]# cd guacamole-server-0.9.11-incubating

[root@guac guacamole-server-0.9.11-incubating]# ./configure --with-init-dir=/root/
[root@guac guacamole-server-0.9.11-incubating]# make
[root@guac guacamole-server-0.9.11-incubating]# make install
[root@guac guacamole-server-0.9.11-incubating]# ldconfig

[root@guac ~]# cat /etc/systemd/system/guacd.service
[Unit]
After=network.target

[Service]
Type=forking
ExecStart=/root/guacd start
ExecStop=/root/guacd stop

[Install]
WantedBy=multi-user.target

Client

Build from source [2][3][4]

[root@guac ~]# yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel tomcat
[root@guac ~]# wget http://mirror.reverse.net/pub/apache/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.tar.gz
[root@guac ~]# tar xvf apache-maven-3.3.9-bin.tar.gz 
[root@guac ~]# cd apache-maven-3.3.9
[root@guac ~]# mv apache-maven-3.3.9/ /opt/maven
[root@guac ~]# ln -s /opt/maven/bin/mvn /usr/bin/mvn
[root@guac ~]# export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre

[root@guac ~]# wget "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/source/guacamole-client-0.9.11-incubating.tar.gz"
[root@guac ~]# mv closer.cgi\?action\=download\&filename\=incubator%2Fguacamole%2F0.9.11-incubating%2Fsource%2Fguacamole-client-0.9.11-incubating.tar.gz guacamole-client-0.9.11-incubating.tar.gz

[root@guac ~]# tar xfv guacamole-client-0.9.11-incubating.tar.gz
[root@guac ~]# cd guacamole-client-0.9.11-incubating
[root@guac guacamole-client-0.9.11-incubating]# mvn package

Download binary

[root@guac ~]# wget "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/binary/guacamole-0.9.11-incubating.war"
[root@guac ~]# mv closer.cgi\?action\=download\&filename\=incubator%2Fguacamole%2F0.9.11-incubating%2Fbinary%2Fguacamole-0.9.11-incubating.war guacamole-0.9.11-incubating.war
[root@guac guacamole-client-0.9.11-incubating]# cp guacamole/target/guacamole-0.9.11-incubating.war /var/lib/tomcat/webapps/guacamole.war
[root@guac guacamole-client-0.9.11-incubating]# systemctl enable tomcat
[root@guac guacamole-client-0.9.11-incubating]# systemctl start tomcat

Proxy

The configuration below assumes the proxy server is dedicated to Guacamole; modify as needed. [5][6][7][8][9][10]

[root@proxy ~]# yum install httpd mod_proxy_html httpd-devel gcc openssl-devel
[root@proxy ~]# nano /etc/httpd/conf.d/guac.conf

<Location />
    Order allow,deny
    Allow from all
    ProxyPass http://192.168.124.166:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://192.168.124.166:8080/guacamole/
</Location>

Old method (struck out on the wiki page, superseded by the git build below):

[root@proxy ~]# wget ftp://ftp.freeradius.org/pub/radius/mod_auth_radius-1.5.8.tar
[root@proxy ~]# tar xf mod_auth_radius-1.5.8.tar
[root@proxy ~]# cd mod_auth_radius-1.5.8
[root@proxy mod_auth_radius-1.5.8]# apxs -i -a -c mod_auth_radius-2.0.c

The following is for using a RADIUS server for authentication. In this case I want to use 2FA with Google Authenticator, with the auth cookie valid for eight hours (AddRadiusCookieValid is given in minutes). After a user logs in with their TOTP they still need to log into Guacamole and then into the RDP server they want to access. In AddRadiusAuth, "password" is the shared secret with the RADIUS server and "5:3" is the timeout in seconds and the retry count.

[root@proxy ~]# git clone https://github.com/FreeRADIUS/mod_auth_radius.git
[root@proxy ~]# cd mod_auth_radius
[root@proxy mod_auth_radius]# apxs -cia mod_auth_radius.c

LoadModule radius_auth_module /usr/lib64/httpd/modules/mod_auth_radius.so

<IfModule mod_auth_radius.c>
AddRadiusAuth your.radius.server:1812 password 5:3
AddRadiusCookieValid 480
</IfModule>
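The <Location /> block shown above proxies Guacamole with only Order/Allow directives and no AuthType or Require, so loading mod_auth_radius by itself does not yet put RADIUS in front of that path. The script below is an added example, not from the original page: a small lint check that walks an httpd configuration and flags every Location that carries a ProxyPass without a user-level Require. The sample configuration inside it is constructed for the example; the RADIUS directives it uses on the hardened location (AuthBasicProvider radius, AuthRadiusActive) follow the mod_auth_radius README and are an assumption, not something taken from this page.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): report <Location> blocks
# that proxy traffic without requiring an authenticated user.

# Constructed sample config: one location proxies Guacamole with no auth, the
# other puts RADIUS basic auth (directives assumed from the module README) in
# front of the same backend.
sample_conf() {
  cat <<'EOF'
<Location />
    Require all granted
    ProxyPass http://192.168.124.166:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://192.168.124.166:8080/guacamole/
</Location>

<Location /guac>
    AuthType Basic
    AuthName "RADIUS TOTP"
    AuthBasicProvider radius
    AuthRadiusActive On
    Require valid-user
    ProxyPass http://192.168.124.166:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://192.168.124.166:8080/guacamole/
</Location>
EOF
}

# Read a config on stdin. For every Location that contains a ProxyPass, print
# "AUTH <path>" if it also has Require valid-user/user/group, else "OPEN <path>".
# "Require all granted" deliberately does not count as authentication.
proxied_locations() {
  awk '
    /^[ \t]*<Location[ \t]/ { path = $2; sub(/>.*$/, "", path); proxied = 0; auth = 0 }
    /^[ \t]*ProxyPass[ \t]/ { proxied = 1 }
    /^[ \t]*Require[ \t]+(valid-user|user[ \t]|group[ \t])/ { auth = 1 }
    /^[ \t]*<\/Location>/ { if (proxied) { tag = auth ? "AUTH " : "OPEN "; print tag path } }
  '
}

# Exit 0 when every proxied location is authenticated, 1 if any is open.
check_conf() {
  if proxied_locations | grep -q '^OPEN '; then return 1; fi
  return 0
}

# Usage on the constructed sample: prints "OPEN /" and "AUTH /guac".
sample_conf | proxied_locations
```

Run it against the real file with `proxied_locations < /etc/httpd/conf.d/guac.conf`; any OPEN line is a path where the proxy forwards to Tomcat before the RADIUS/TOTP step has happened.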

NOTE : Check SELinux for port 8080 access errors.
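The SELinux note above shows up in practice as AVC denials for httpd trying to open a connection to the Tomcat port. The script below is an added example, not from the original page: it filters constructed audit.log lines for outbound-connect denials from the httpd_t domain, summarises them by process and destination port, and names the standard boolean that covers a reverse proxy to a web port (httpd_can_network_relay). The audit lines are made up for the example.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): triage SELinux denials
# for the httpd reverse proxy in front of Tomcat on port 8080.

# Constructed sample of /var/log/audit/audit.log: two httpd connect denials
# to 8080 (labelled http_cache_port_t by the reference policy) and one
# unrelated sshd denial that must not be counted.
sample_audit() {
  cat <<'EOF'
type=AVC msg=audit(1495620000.101:301): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1495620000.205:302): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1495620001.000:303): avc:  denied  { read } for  pid=1800 comm="sshd" name="passwd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
EOF
}

# Read audit lines on stdin; print "<comm> <dest port> <count>" for each
# distinct outbound connect denial raised by a process in the httpd_t domain.
httpd_connect_denials() {
  grep 'denied  { name_connect }' | grep 'scontext=[^ ]*:httpd_t:' \
    | sed -n 's/.*comm="\([^"]*\)".*dest=\([0-9]*\).*/\1 \2/p' \
    | sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Map a denied destination port to the narrowest standard remedy. The relay
# boolean lets httpd connect to http_port_t/http_cache_port_t ports only, which
# is all a reverse proxy to Tomcat needs; anything else gets a manual review.
remedy_for_port() {
  case $1 in
    80|443|8080|8443) echo "setsebool -P httpd_can_network_relay 1" ;;
    *) echo "review port $1 with: grep denied /var/log/audit/audit.log | audit2allow -w" ;;
  esac
}

# Usage on the constructed sample: prints "httpd 8080 2" and then the remedy.
sample_audit | httpd_connect_denials
remedy_for_port 8080
```

On a live host, feed the real log with `httpd_connect_denials < /var/log/audit/audit.log`; prefer httpd_can_network_relay over the broader httpd_can_network_connect, since the latter lets httpd reach any port.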

Configuration

[11][12]

Client Configuration

[root@guac ~]# mkdir /usr/share/tomcat/.guacamole
[root@guac ~]# nano /usr/share/tomcat/.guacamole/guacamole.properties

available-languages: en
guacd-port: 4822
guacd-host: localhost

[root@guac ~]# nano /usr/share/tomcat/.guacamole/user-mapping.xml
<user-mapping>

<authorize username="test" password="test">

<connection name="testRDP">
<protocol>rdp</protocol>
<param name="hostname">192.168.124.169</param>
<param name="security">tls</param>
<param name="ignore-cert">true</param>
</connection>

<connection name="RDS">
<protocol>rdp</protocol>
<param name="hostname">192.168.124.66</param>
<param name="security">tls</param>
<param name="ignore-cert">true</param>
</connection>

</authorize>

</user-mapping>
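The user-mapping.xml above stores the password in clear text. Guacamole's file-based authentication also accepts password="<md5 hex digest>" encoding="md5" on the authorize element, so the file need not hold the plaintext. The script below is an added example, not from the original page: it hashes a password the way the md5 encoding expects and emits an authorize block with the same connection shape used above (rdp, tls). Hostnames and the output path are taken from this page; the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original wiki page): build a user-mapping.xml
# <authorize> entry that carries an MD5 digest instead of the plaintext password.

# Lowercase hex MD5 of $1, hashing exactly the bytes of the password (no newline),
# which is what Guacamole compares against when encoding="md5" is set.
guac_md5() {
  printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Emit an <authorize> block for user $1 / password $2. Remaining arguments are
# "name:hostname" pairs, one RDP connection each, with TLS security as on the page.
authorize_block() {
  user=$1; pass=$2; shift 2
  printf '<authorize username="%s" password="%s" encoding="md5">\n' "$user" "$(guac_md5 "$pass")"
  for conn in "$@"; do
    name=${conn%%:*}; host=${conn#*:}
    printf '  <connection name="%s">\n' "$name"
    printf '    <protocol>rdp</protocol>\n'
    printf '    <param name="hostname">%s</param>\n' "$host"
    printf '    <param name="security">tls</param>\n'
    printf '  </connection>\n'
  done
  printf '</authorize>\n'
}

# Wrap one or more authorize blocks (read from stdin) in the document element.
user_mapping() {
  printf '<user-mapping>\n'
  cat
  printf '</user-mapping>\n'
}

# Usage, reproducing the two connections from the page for user "test":
authorize_block test test testRDP:192.168.124.169 RDS:192.168.124.66 | user_mapping
```

Write the result to /usr/share/tomcat/.guacamole/user-mapping.xml and make it readable only by the tomcat user; the digest replaces the plaintext but the file still grants access, so it deserves the same protection.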

Troubleshooting Notes

[13] Posted by Michael Jumper

References

[1] https://guacamole.incubator.apache.org/doc/gug/installing-guacamole.html
[2] https://www.unixmen.com/install-apache-ant-maven-tomcat-centos-76-5
[3] http://maven.apache.org/download.cgi
[4] http://maven.apache.org/install.html
[5] https://guacamole.incubator.apache.org/doc/gug/proxying-guacamole.html
[6] https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
[7] http://freeradius.org/mod_auth_radius/
[8] https://www.leaseweb.com/labs/2014/12/tutorial-apache-2-4-transparent-reverse-proxy/
[9] https://www.reddit.com/r/apache/comments/3a07us/modauthradius_setup_help/
[10] http://blog.warrenstrange.com/2011/09/apache-reverse-proxy-with-ldap.html
[11] https://guacamole.incubator.apache.org/doc/gug/configuring-guacamole.html
[12] https://sourceforge.net/p/guacamole/discussion/1110833/thread/2d0e4562/
[13] https://sourceforge.net/p/guacamole/discussion/1110834/thread/b311f4c2/?limit=25