Guacamole Server Installation

From Michael's Information Zone

Latest revision as of 11:47, 24 May 2017

Guacamole 0.9.11

CentOS 7

Installation

[1]

Server

For RDP and VNC support. The libssh2 and libtelnet development packages are deliberately left out of the dependency list below, so ./configure finds neither and builds guacd without the SSH and telnet protocol plugins; that is the "reduce attack surface" choice. ffmpeg-devel is not in the base CentOS 7 repositories, which is the only reason the third-party nux-dextop repository is added first. It is fetched over plain HTTP here, so treat it as an untrusted source and disable it again once the build dependencies are installed.

[root@guac ~]# rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
[root@guac ~]# yum install cairo-devel libjpeg-turbo-devel libjpeg-devel libpng-devel uuid-devel ffmpeg-devel freerdp-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel gcc

closer.cgi redirects to a mirror, and wget would otherwise save the file under the whole query string, so name the output explicitly. Apache publishes a detached GPG signature (.asc) and checksums for every release on www.apache.org/dist rather than on the mirrors; fetch those from apache.org and run gpg --verify against the tarball before building anything from it.

[root@guac ~]# wget -O guacamole-server-0.9.11-incubating.tar.gz "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/source/guacamole-server-0.9.11-incubating.tar.gz"
[root@guac ~]# tar xf guacamole-server-0.9.11-incubating.tar.gz
[root@guac ~]# cd guacamole-server-0.9.11-incubating

--with-init-dir only decides where the SysV init script is installed (here /root/, which the systemd unit below points at); guacd itself goes to /usr/local/sbin/guacd.

[root@guac guacamole-server-0.9.11-incubating]# ./configure --with-init-dir=/root/
[root@guac guacamole-server-0.9.11-incubating]# make
[root@guac guacamole-server-0.9.11-incubating]# make install
[root@guac guacamole-server-0.9.11-incubating]# ldconfig

[root@guac ~]# cat /etc/systemd/system/guacd.service
[Unit]
After=network.target

[Service]
Type=forking
ExecStart=/root/guacd start
ExecStop=/root/guacd stop

[Install]
WantedBy=multi-user.target

This unit runs guacd as root through the init script in /root. guacd has no authentication of its own and will serve any client that can reach TCP 4822, so leave it on its default bind address of localhost and do not open 4822 on the firewall; only Tomcat on the same host needs to talk to it (hence guacd-host: localhost in guacamole.properties below). After writing the unit, run systemctl daemon-reload, then systemctl enable guacd and systemctl start guacd.

Client

[2][3][4]

Build from source

[root@guac ~]# yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel tomcat
[root@guac ~]# wget http://mirror.reverse.net/pub/apache/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.tar.gz
[root@guac ~]# tar xvf apache-maven-3.3.9-bin.tar.gz
[root@guac ~]# mv apache-maven-3.3.9/ /opt/maven
[root@guac ~]# ln -s /opt/maven/bin/mvn /usr/bin/mvn
[root@guac ~]# export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre

The JAVA_HOME path is tied to the exact OpenJDK build installed and changes with every JDK update; check the directory that actually exists under /usr/lib/jvm before exporting it.

[root@guac ~]# wget -O guacamole-client-0.9.11-incubating.tar.gz "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/source/guacamole-client-0.9.11-incubating.tar.gz"
[root@guac ~]# tar xfv guacamole-client-0.9.11-incubating.tar.gz
[root@guac ~]# cd guacamole-client-0.9.11-incubating
[root@guac guacamole-client-0.9.11-incubating]# mvn package
[root@guac guacamole-client-0.9.11-incubating]# cp guacamole/target/guacamole-0.9.11-incubating.war /var/lib/tomcat/webapps/guacamole.war

Download binary (instead of building)

The URL contains an &, so it must be quoted or the shell backgrounds the command and wget requests closer.cgi without the filename parameter. As with the server tarball, verify the .asc signature from www.apache.org/dist before deploying the war.

[root@guac ~]# wget -O guacamole-0.9.11-incubating.war "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/binary/guacamole-0.9.11-incubating.war"
[root@guac ~]# cp guacamole-0.9.11-incubating.war /var/lib/tomcat/webapps/guacamole.war

Either way, then start Tomcat:

[root@guac ~]# systemctl enable tomcat
[root@guac ~]# systemctl start tomcat

Proxy

[5] [6] [7] [8] [9] [10]

The configuration below assumes the proxy server is dedicated to Guacamole; modify as needed.

[root@proxy ~]# yum install httpd mod_proxy_html httpd-devel gcc openssl-devel
[root@proxy ~]# nano /etc/httpd/conf.d/guac.conf

<Location />
    Order allow,deny
    Allow from all
    ProxyPass http://192.168.124.166:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://192.168.124.166:8080/guacamole/
</Location>

Two things to know about this block. Order/Allow is httpd 2.2 syntax and only works on CentOS 7's httpd 2.4 because mod_access_compat is loaded by default; the 2.4 form is Require all granted. It also proxies only the HTTP tunnel: the proxying guide cited above adds a second Location for the WebSocket tunnel (here /websocket-tunnel, proxied as ws://192.168.124.166:8080/guacamole/websocket-tunnel through mod_proxy_wstunnel). Without it the Guacamole client silently falls back to the HTTP tunnel, which is what flushpackets=on keeps responsive.

Older method (struck through on the original page and superseded by the git checkout below), building the 1.5.8 tarball:

[root@proxy ~]# wget ftp://ftp.freeradius.org/pub/radius/mod_auth_radius-1.5.8.tar
[root@proxy ~]# tar xf mod_auth_radius-1.5.8.tar
[root@proxy ~]# cd mod_auth_radius-1.5.8
[root@proxy mod_auth_radius-1.5.8]# apxs -i -a -c mod_auth_radius-2.0.c

The following is for using a RADIUS server for authentication. In this case I want to use 2FA with Google Authenticator, and to allow the cookie to be valid for eight hours. After a user logs in with their TOTP they still need to log into Guacamole and then into the RDP server they want to access.

[root@proxy ~]# git clone https://github.com/FreeRADIUS/mod_auth_radius.git
[root@proxy ~]# cd mod_auth_radius
[root@proxy mod_auth_radius]# apxs -cia mod_auth_radius.c

In guac.conf (apxs -a has already added a LoadModule line to httpd.conf, so make sure the module is not loaded twice):

LoadModule radius_auth_module /usr/lib64/httpd/modules/mod_auth_radius.so

<IfModule mod_auth_radius.c>
AddRadiusAuth your.radius.server:1812 password 5:3
AddRadiusCookieValid 480
</IfModule>

AddRadiusAuth takes the RADIUS server and port, the shared secret ("password" here is a placeholder; change it) and timeout:retries; AddRadiusCookieValid is in minutes, so 480 is the eight hours mentioned above. Note that this block only tells the module where the RADIUS server is. httpd challenges nobody until a Location also carries AuthType Basic, AuthName and Require valid-user together with the module's provider (AuthBasicProvider radius in the 2.x module; confirm the exact directive names against the README in the checkout you built). And because the login is HTTP Basic, put TLS (mod_ssl) on the proxy before exposing it, or the password and the TOTP cross the network in clear.

NOTE: Under SELinux's targeted policy httpd may not open outbound network connections by default, so the proxy fails with AVC denials when it tries to reach 192.168.124.166:8080. Check with ausearch -m avc -c httpd and allow it with setsebool -P httpd_can_network_connect on.
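The same proxy as an added example (this is not the page's own guac.conf and not part of the Guacamole or FreeRADIUS projects) with three changes applied: httpd 2.4 Require syntax, a second Location that proxies the WebSocket tunnel as ws://, and the directives that make httpd actually demand the RADIUS login that the AddRadiusAuth block only configures, all served over TLS. 192.168.124.166:8080 is the Tomcat host from the page; guac.example.internal, radius.example.internal, the shared secret and the certificate paths are placeholders (assumptions) to replace, mod_ssl has to be installed (yum install mod_ssl), and the AuthRadius* directive names follow the mod_auth_radius README as I recall it, so check them against the checkout you built.

```apache
# apxs -a already added the LoadModule line to httpd.conf.
<IfModule mod_auth_radius.c>
    # server:port, shared secret (placeholder), timeout:retries; cookie lifetime in minutes
    AddRadiusAuth radius.example.internal:1812 CHANGE-THIS-SHARED-SECRET 5:3
    AddRadiusCookieValid 480
</IfModule>

# Plain HTTP only redirects; Basic-auth credentials and the TOTP must never
# cross the wire in clear.
<VirtualHost *:80>
    ServerName guac.example.internal
    Redirect permanent / https://guac.example.internal/
</VirtualHost>

<VirtualHost *:443>
    ServerName guac.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/guac-proxy.crt
    SSLCertificateKeyFile /etc/pki/tls/private/guac-proxy.key

    # RADIUS (TOTP) login in front of everything. Only "Require valid-user"
    # here: adding "Require all granted" beside it would be an implicit
    # RequireAny and let everyone through.
    <Location />
        AuthType Basic
        AuthName "Guacamole (RADIUS one-time code)"
        AuthBasicProvider radius
        AuthRadiusActive On
        AuthRadiusAuthoritative On
        Require valid-user
        ProxyPass http://192.168.124.166:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://192.168.124.166:8080/guacamole/
    </Location>

    # The WebSocket tunnel must be proxied as ws:// (mod_proxy_wstunnel, loaded
    # by CentOS 7's 00-proxy.conf). It inherits the auth directives from "/";
    # the browser sends the RADIUS cookie with the upgrade request.
    <Location /websocket-tunnel>
        ProxyPass ws://192.168.124.166:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://192.168.124.166:8080/guacamole/websocket-tunnel
    </Location>
</VirtualHost>
```

Run apachectl configtest after dropping this into /etc/httpd/conf.d/, and firewall Tomcat's 8080 on 192.168.124.166 so that only the proxy can reach it; otherwise the RADIUS layer can be bypassed by talking to Tomcat directly.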

Configuration

[11][12]

Client Configuration

GUACAMOLE_HOME defaults to .guacamole in the home directory of the user Tomcat runs as, which for the CentOS 7 tomcat package is /usr/share/tomcat. user-mapping.xml below holds credentials, so keep the directory and its files readable only by root and the tomcat user (root:tomcat, mode 640).

[root@guac ~]# mkdir /usr/share/tomcat/.guacamole
[root@guac ~]# nano /usr/share/tomcat/.guacamole/guacamole.properties

available-languages: en
guacd-port: 4822
guacd-host: localhost

[root@guac ~]# nano /usr/share/tomcat/.guacamole/user-mapping.xml
<user-mapping>

<authorize username="test" password="test">

<connection name="testRDP">
<protocol>rdp</protocol>
<param name="hostname">192.168.124.169</param>
<param name="security">tls</param>
<param name="ignore-cert">true</param>
</connection>

<connection name="RDS">
<protocol>rdp</protocol>
<param name="hostname">192.168.124.66</param>
<param name="security">tls</param>
<param name="ignore-cert">true</param>
</connection>

</authorize>

</user-mapping>

Two settings in this file are fine for a lab and for nothing else. password="test" is stored in clear; user-mapping.xml also accepts encoding="md5" with the hex MD5 digest of the password in the attribute, which at least keeps the plaintext off disk (no connection-level username or password parameters are given here, so the RDP host's own login prompt is used, which is the safer default). ignore-cert=true makes guacd accept whatever certificate the RDP host presents, which throws away the server authentication that security=tls was meant to provide and lets anyone between guacd and 192.168.124.169 impersonate the RDP server; use it only until the RDP hosts carry certificates guacd can validate.
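As an added example (not from the page and not Guacamole project code), a POSIX shell script that generates a user-mapping.xml with the password stored as an MD5 hex digest (encoding="md5", which user-mapping.xml supports), XML-escapes every value it interpolates, leaves ignore-cert out so guacd validates the RDP host's certificate, and creates the file with mode 0640 from the start. The username, password and host are constructed sample values; md5sum is the coreutils tool. Unsalted MD5 is only a small step up from plaintext, so for anything beyond a lab the database authentication extension, which stores salted SHA-256 hashes, is the right place for users.

```sh
#!/bin/sh
# Added example: build a user-mapping.xml entry with an MD5-encoded password
# instead of the plaintext password="test" shown on the page. All input
# values are constructed samples.

# md5_hex PASSWORD -> lowercase hex MD5 digest, the form encoding="md5" expects
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# xml_escape STRING -> STRING with the five XML metacharacters escaped, so a
# password or hostname containing & or " cannot break out of the attribute.
# & is replaced first so the entities introduced afterwards are not re-escaped.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' \
                           -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' \
                           -e "s/'/\&apos;/g"
}

# authorize_entry USER PASSWORD HOST -> one <authorize> block with a single RDP
# connection to HOST. security=tls without ignore-cert: guacd verifies the
# RDP host's certificate instead of accepting anything.
authorize_entry() {
    user=$(xml_escape "$1")
    hash=$(md5_hex "$2")
    host=$(xml_escape "$3")
    cat <<EOF
    <authorize username="$user" password="$hash" encoding="md5">
        <connection name="rdp-$host">
            <protocol>rdp</protocol>
            <param name="hostname">$host</param>
            <param name="security">tls</param>
        </connection>
    </authorize>
EOF
}

# write_user_mapping FILE USER PASSWORD HOST -> writes FILE readable by owner
# and group only. umask is tightened before the file exists so there is no
# window in which it is world-readable; chmod then fixes the exact mode.
write_user_mapping() {
    out=$1; shift
    umask 027
    {
        printf '<user-mapping>\n'
        authorize_entry "$@"
        printf '</user-mapping>\n'
    } > "$out"
    chmod 0640 "$out"
}

# Usage with constructed values. The real file belongs in GUACAMOLE_HOME
# (/usr/share/tomcat/.guacamole/user-mapping.xml on this page), owned root:tomcat:
#   write_user_mapping /tmp/user-mapping.xml test test 192.168.124.169
#   chown root:tomcat /tmp/user-mapping.xml
```

Regenerate the file rather than editing hashes by hand, and chown it to root:tomcat after moving it into GUACAMOLE_HOME so Tomcat can read it but nobody else can.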

Troubleshooting Notes

[13] Posted by Michael Jumper:

The user-mapping.xml file is not part of the install. Installing guacamole.war does nothing more than install guacamole.war - no other files will be created. Your servlet container (Tomcat, in this case) may extract that war file, but there is really nothing else that should be happening here.

The directories mentioned in the installation documentation, such as GUACAMOLE_HOME, are expected to be created by you if necessary. They will not exist already unless you have previously installed Guacamole, and you should not repurpose an existing directory for GUACAMOLE_HOME.

I would highly recommend against using Tomcat's own working directory as GUACAMOLE_HOME. I don't know whether Tomcat is expecting external modifications to its own working data, nor what the effects will be of having two different applications (Tomcat and Guacamole) looking at the same location for two distinct sets of files. Things should not overlap in this way.

Guacamole does contain its own logback.xml file, but it's not what you think. We include a copy of this file within the source, and thus within the war, for the sake of providing defaults, but its presence does not indicate that you've found GUACAMOLE_HOME. The directory for GUACAMOLE_HOME will only exist if you yourself created it: http://guac-dev.org/doc/gug/configuring-guacamole.html#guacamole-home

I would recommend:

    Remove what you have done so far within tomcat7/webapps/. Start over completely if necessary: http://guac-dev.org/doc/gug/installing-guacamole.html#deploying-guacamole

    Create a new directory for GUACAMOLE_HOME. I typically use .guacamole within the "tomcat7" user's home directory, as this is easiest, but if you wish to explicitly set GUACAMOLE_HOME to something instead, /etc/guacamole is a good option.

    Place your user-mapping.xml file within that directory and try again. If you still get "invalid login", check your Tomcat logs to see what might be going wrong.

If you encounter anything confusing, just post back here and we'll try to help. Flailing about randomly will only cause further problems.

The chapter on installation is very thorough. If you find yourself veering from the documentation because you encountered something unexpected, then one of two things is happening:

    You are doing something wrong in your installation.

    We did something wrong in the docs.

Either way, just post back here and we'll figure things out.