Difference between revisions of "Guacamole Server Installation"

From Michael's Information Zone
Jump to navigation Jump to search
 
(7 intermediate revisions by the same user not shown)
Line 18: Line 18:
 
[root@guac guacamole-server-0.9.11-incubating]# make install
 
[root@guac guacamole-server-0.9.11-incubating]# make install
 
[root@guac guacamole-server-0.9.11-incubating]# ldconfig
 
[root@guac guacamole-server-0.9.11-incubating]# ldconfig
 +
 +
[root@guac ~]# cat /etc/systemd/system/guacd.service
 +
[Unit]
 +
After=network.target
 +
 +
[Service]
 +
Type=forking
 +
ExecStart=/root/guacd start
 +
ExecStop=/root/guacd stop
 +
 +
[Install]
 +
WantedBy=multi-user.target
 +
 
</pre>
 
</pre>
 +
 
====Client====
 
====Client====
<ref>https://www.unixmen.com/install-apache-ant-maven-tomcat-centos-76-5</ref><ref>http://maven.apache.org/download.cgi</ref><ref>http://maven.apache.org/install.html</ref>
+
<ref>https://www.unixmen.com/install-apache-ant-maven-tomcat-centos-76-5</ref><ref>http://maven.apache.org/download.cgi</ref><ref>http://maven.apache.org/install.html</ref>Build from source
 
<pre>
 
<pre>
 
[root@guac ~]# yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel tomcat
 
[root@guac ~]# yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel tomcat
Line 36: Line 50:
 
[root@guac ~]# cd guacamole-client-0.9.11-incubating
 
[root@guac ~]# cd guacamole-client-0.9.11-incubating
 
[root@guac guacamole-client-0.9.11-incubating]# mvn package
 
[root@guac guacamole-client-0.9.11-incubating]# mvn package
 +
</pre>
 +
Download binary
 +
<pre>
 +
[root@guac ~]# wget http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/binary/guacamole-0.9.11-incubating.war
 +
[root@guac ~]# mv closer.cgi\?action\=download guacamole-0.9.11-incubating.war
 
[root@guac guacamole-client-0.9.11-incubating]# cp guacamole/target/guacamole-0.9.11-incubating.war /var/lib/tomcat/webapps/guacamole.war
 
[root@guac guacamole-client-0.9.11-incubating]# cp guacamole/target/guacamole-0.9.11-incubating.war /var/lib/tomcat/webapps/guacamole.war
 
[root@guac guacamole-client-0.9.11-incubating]# systemctl enable tomcat
 
[root@guac guacamole-client-0.9.11-incubating]# systemctl enable tomcat
Line 50: Line 69:
 
The below is assuming you are dedicating the proxy server for guacamole use. Modify as needed
 
The below is assuming you are dedicating the proxy server for guacamole use. Modify as needed
 
<pre>
 
<pre>
[root@proxy ~]# yum install httpd mod_proxy_html
+
[root@proxy ~]# yum install httpd mod_proxy_html httpd-devel gcc openssl-devel
 
[root@proxy ~]# nano /etc/httpd/conf.d/guac.conf
 
[root@proxy ~]# nano /etc/httpd/conf.d/guac.conf
  
Line 59: Line 78:
 
     ProxyPassReverse http://192.168.124.166:8080/guacamole/
 
     ProxyPassReverse http://192.168.124.166:8080/guacamole/
 
</Location>
 
</Location>
 +
</pre><s><pre>
 
[root@proxy ~]# wget ftp://ftp.freeradius.org/pub/radius/mod_auth_radius-1.5.8.tar
 
[root@proxy ~]# wget ftp://ftp.freeradius.org/pub/radius/mod_auth_radius-1.5.8.tar
 +
[root@proxy ~]# tar xf mod_auth_radius-1.5.8.tar
 +
[root@proxy ~]# cd mod_auth_radius-1.5.8
 +
[root@proxy mod_auth_radius-1.5.8]# apxs -i -a -c mod_auth_radius-2.0.c
 +
</pre></s><pre>
 +
The following is for using a RADIUS server for authentication. In this case I want to use 2FA with Google Authenticator, and allowing the cookie to be valid for eight hours. After a user logs in with their TOTP they still need to log into guacamole and the RDP server they want to access.
 +
[root@proxy ~]# git clone https://github.com/FreeRADIUS/mod_auth_radius.git
 +
[root@proxy ~]# cd mod_auth_radius
 +
[root@proxy mod_auth_radius]# apxs -cia mod_auth_radius.c
 +
LoadModule radius_auth_module /usr/lib64/httpd/modules/mod_auth_radius.so
 +
 +
<IfModule mod_auth_radius.c>
 +
AddRadiusAuth your.radius.server:1812 password 5:3
 +
AddRadiusCookieValid 480
 +
</IfModule>
 +
 
</pre>
 
</pre>
 +
NOTE : Check SELinux for port 8080 access errors.
  
 
===Configuration===
 
===Configuration===

Latest revision as of 11:47, 24 May 2017

Guacamole 0.9.11

CentOS 7

Installation

[1]

Server

For RDP and VNC support (omitting SSH and telnet to reduce attack surface)

[root@guac ~]# rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm
[root@guac ~]# yum install cairo-devel libjpeg-turbo-devel libjpeg-devel libpng-devel uuid-devel ffmpeg-devel freerdp-devel libvncserver-devel pulseaudio-libs-devel openssl-devel libvorbis-devel libwebp-devel gcc 

[root@guac ~]# wget "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/source/guacamole-server-0.9.11-incubating.tar.gz"
[root@guac ~]# mv closer.cgi\?action\=download\&filename\=incubator%2Fguacamole%2F0.9.11-incubating%2Fsource%2Fguacamole-server-0.9.11-incubating.tar.gz guacamole-server-0.9.11-incubating.tar.gz

[root@guac ~]# cd guacamole-server-0.9.11-incubating

[root@guac guacamole-server-0.9.11-incubating]# ./configure --with-init-dir=/root/
[root@guac guacamole-server-0.9.11-incubating]# make
[root@guac guacamole-server-0.9.11-incubating]# make install
[root@guac guacamole-server-0.9.11-incubating]# ldconfig

[root@guac ~]# cat /etc/systemd/system/guacd.service
[Unit]
After=network.target

[Service]
Type=forking
ExecStart=/root/guacd start
ExecStop=/root/guacd stop

[Install]
WantedBy=multi-user.target

Client

[2][3][4]Build from source

[root@guac ~]# yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel tomcat
[root@guac ~]# wget http://mirror.reverse.net/pub/apache/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.tar.gz
[root@guac ~]# tar xvf apache-maven-3.3.9-bin.tar.gz 
[root@guac ~]# cd apache-maven-3.3.9
[root@guac ~]# mv apache-maven-3.3.9/ /opt/maven
[root@guac ~]# ln -s /opt/maven/bin/mvn /usr/bin/mvn
[root@guac ~]# export JAVA_HOME=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre

[root@guac ~]# wget "http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/source/guacamole-client-0.9.11-incubating.tar.gz"
[root@guac ~]# mv closer.cgi\?action\=download\&filename\=incubator%2Fguacamole%2F0.9.11-incubating%2Fsource%2Fguacamole-client-0.9.11-incubating.tar.gz guacamole-client-0.9.11-incubating.tar.gz

[root@guac ~]# tar xfv guacamole-client-0.9.11-incubating.tar.gz
[root@guac ~]# cd guacamole-client-0.9.11-incubating
[root@guac guacamole-client-0.9.11-incubating]# mvn package

Download binary

[root@guac ~]# wget http://apache.org/dyn/closer.cgi?action=download&filename=incubator/guacamole/0.9.11-incubating/binary/guacamole-0.9.11-incubating.war
[root@guac ~]# mv closer.cgi\?action\=download guacamole-0.9.11-incubating.war
[root@guac guacamole-client-0.9.11-incubating]# cp guacamole/target/guacamole-0.9.11-incubating.war /var/lib/tomcat/webapps/guacamole.war
[root@guac guacamole-client-0.9.11-incubating]# systemctl enable tomcat
[root@guac guacamole-client-0.9.11-incubating]# systemctl start tomcat

Proxy

[5] [6] [7] [8] [9] [10] The below is assuming you are dedicating the proxy server for guacamole use. Modify as needed

[root@proxy ~]# yum install httpd mod_proxy_html httpd-devel gcc openssl-devel
[root@proxy ~]# nano /etc/httpd/conf.d/guac.conf

<Location />
    Order allow,deny
    Allow from all
    ProxyPass http://192.168.124.166:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://192.168.124.166:8080/guacamole/
</Location>

[root@proxy ~]# wget ftp://ftp.freeradius.org/pub/radius/mod_auth_radius-1.5.8.tar [root@proxy ~]# tar xf mod_auth_radius-1.5.8.tar [root@proxy ~]# cd mod_auth_radius-1.5.8 [root@proxy mod_auth_radius-1.5.8]# apxs -i -a -c mod_auth_radius-2.0.c

The following is for using a RADIUS server for authentication. In this case I want to use 2FA with Google Authenticator, and allowing the cookie to be valid for eight hours. After a user logs in with their TOTP they still need to log into guacamole and the RDP server they want to access. [root@proxy ~]# git clone https://github.com/FreeRADIUS/mod_auth_radius.git [root@proxy ~]# cd mod_auth_radius [root@proxy mod_auth_radius]# apxs -cia mod_auth_radius.c LoadModule radius_auth_module /usr/lib64/httpd/modules/mod_auth_radius.so

<IfModule mod_auth_radius.c> AddRadiusAuth your.radius.server:1812 password 5:3 AddRadiusCookieValid 480 </IfModule>

NOTE : Check SELinux for port 8080 access errors.

Configuration

[11][12]

Client Configuration

[root@guac ~]# mkdir /usr/share/tomcat/.guacamole
[root@guac ~]# nano /usr/share/tomcat/.guacamole/guacamole.properties

available-languages: en
guacd-port: 4822
guacd-host: localhost

[root@guac ~]# nano /usr/share/tomcat/.guacamole/user-mapping.xml
<user-mapping>

<authorize username="test" password="test">

<connection name="testRDP">
<protocol>rdp</protocol>
<param name="hostname">192.168.124.169</param>
<param name="security">tls</param>
<param name="ignore-cert">true</param>
</connection>

<connection name="RDS">
<protocol>rdp</protocol>
<param name="hostname">192.168.124.66</param>
<param name="security">tls</param>
<param name="ignore-cert">true</param>
</connection>

</authorize>

</user-mapping>

Troubleshooting Notes

[13]Posted by Michael Jumper