Building a Guacamole Server on Debian 11
This setup uses:
- Debian 11
- Guacamole 1.5.2
- PostgreSQL 13 as authentication database
- Tomcat 9
- Nginx
Steps
- Install Postgres
- Download the required components
  - guacamole-server
  - guacamole-auth-jdbc-postgresql extension
  - postgres jdbc driver
  - guacamole client war
- Install dependencies
- Install tomcat9
- Compile and install guacamole server
- Create configuration files and directories for guacamole
- Create database and import database schema
- Copy guacamole-auth-jdbc-postgresql to /etc/guacamole/extensions
- Copy postgres jdbc driver to /etc/guacamole/lib
- Add database configuration to /etc/guacamole/guacamole.properties
- Add configuration to /etc/guacamole/guacd.conf
- Install guacamole client war file
- Start services
- Access server
- Install and configure nginx
- Enable tomcat manager
Deployment
Install Postgres
apt update
apt install postgresql postgresql-client postgresql-contrib
su - postgres
psql -d template1 -c "ALTER USER postgres WITH PASSWORD 'SomePassword';"
exit
Adding to /etc/postgresql/13/main/pg_hba.conf
# To allow remote connection ("trust" accepts these subnets without checking a password)
host all all 192.168.122.0/24 trust
host all all 192.168.123.0/24 trust
Adding to /etc/postgresql/13/main/postgresql.conf
listen_addresses = '*'
systemctl enable postgresql
systemctl start postgresql && systemctl status postgresql
Download required components
From Apache Guacamole 1.5.2:
- guacamole-server
- guacamole-auth-jdbc-postgresql extension
- guacamole client war
From pgJDBC:
- postgres jdbc driver
Directories and files:
tree -L 2
.
├── guacamole-1.5.2
│   ├── guacamole-1.5.2.war
│   ├── guacamole-auth-jdbc-1.5.2.tar.gz
│   └── guacamole-server-1.5.2.tar.gz
└── postgres-jdbc-driver
    └── postgresql-42.5.4.jar
2 directories, 4 files
Install dependencies
apt install build-essential libcairo2-dev libjpeg62-turbo-dev \
libpng-dev libtool-bin uuid-dev libossp-uuid-dev libavcodec-dev \
libavformat-dev libavutil-dev libswscale-dev freerdp2-dev \
libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev \
libwebsockets-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev
Install tomcat9
apt install tomcat9 tomcat9-admin tomcat9-common tomcat9-user
systemctl enable tomcat9
Compile and install guacamole server
cd guacamole-1.5.2
tar -xzf guacamole-server-1.5.2.tar.gz
cd guacamole-server-1.5.2
./configure --with-systemd-dir=/etc/systemd/system/ --disable-dependency-tracking
------------------------------------------------
guacamole-server version 1.5.2
------------------------------------------------
Library status:
freerdp2 ............ yes
pango ............... yes
libavcodec .......... yes
libavformat.......... yes
libavutil ........... yes
libssh2 ............. yes
libssl .............. yes
libswscale .......... yes
libtelnet ........... yes
libVNCServer ........ yes
libvorbis ........... yes
libpulse ............ yes
libwebsockets ....... yes
libwebp ............. yes
wsock32 ............. no
Protocol support:
Kubernetes .... yes
RDP ........... yes
SSH ........... yes
Telnet ........ yes
VNC ........... yes
Services / tools:
guacd ...... yes
guacenc .... yes
guaclog .... yes
FreeRDP plugins: /usr/lib/x86_64-linux-gnu/freerdp2
Init scripts: no
Systemd units: /etc/systemd/system/
make
make install
ldconfig
Creating guacd user
useradd -M -d /var/lib/guacd/ -r -s /sbin/nologin -c "Guacd User" guacd
mkdir /var/lib/guacd
chown -R guacd: /var/lib/guacd
Changing guacd process to run as user guacd instead of daemon
sed -i 's/daemon/guacd/' /etc/systemd/system/guacd.service
systemctl daemon-reload
systemctl enable guacd
Create configuration files and directories for guacamole
echo GUACAMOLE_HOME=/etc/guacamole >> /etc/default/tomcat9
mkdir -p /etc/guacamole/{extensions,lib}
touch /etc/guacamole/{guacamole.properties,guacd.conf}
Create database and import database schema
Create database
su - postgres
psql
CREATE DATABASE guacamole_db;
CREATE USER guacamole_user WITH PASSWORD 'DbPassword';
\q
exit
Import database schema
cd guacamole-1.5.2
tar -xzf guacamole-auth-jdbc-1.5.2.tar.gz
cd guacamole-auth-jdbc-1.5.2/postgresql
psql -f schema/001-create-schema.sql --host=localhost --port=5432 --username=postgres --dbname=guacamole_db
psql -f schema/002-create-admin-user.sql --host=localhost --port=5432 --username=postgres --dbname=guacamole_db
su - postgres
psql
\c guacamole_db
GRANT SELECT,INSERT,UPDATE,DELETE ON ALL TABLES IN SCHEMA public TO guacamole_user;
GRANT SELECT,USAGE ON ALL SEQUENCES IN SCHEMA public TO guacamole_user;
\q
exit
Copy guacamole-auth-jdbc-postgresql to /etc/guacamole/extensions
cp guacamole-auth-jdbc-postgresql-1.5.2.jar /etc/guacamole/extensions/guacamole-auth-jdbc-postgresql.jar
Copy postgres jdbc driver to /etc/guacamole/lib
cd postgres-jdbc-driver
cp postgresql-42.5.4.jar /etc/guacamole/lib/postgresql-connector.jar
Add database configuration to /etc/guacamole/guacamole.properties
Adding to /etc/guacamole/guacamole.properties
# PostgreSQL properties
postgresql-hostname: localhost
postgresql-database: guacamole_db
postgresql-username: guacamole_user
# Must match the password given to guacamole_user in CREATE USER above
postgresql-password: DbPassword
Add configuration to /etc/guacamole/guacd.conf
Adding to /etc/guacamole/guacd.conf
[server]
bind_host = 0.0.0.0
bind_port = 4822
Install guacamole client war file
cd guacamole-1.5.2
cp guacamole-1.5.2.war /var/lib/tomcat9/webapps/guacamole.war
Start services
systemctl start guacd
systemctl status guacd
systemctl start tomcat9
systemctl status tomcat9
Access server
Access server on port 8080:
http://192.168.122.125:8080/guacamole with credentials guacadmin/guacadmin
Install and configure nginx
apt install nginx
systemctl enable nginx
Nginx configuration file: /etc/nginx/conf.d/guacamole.conf
server {
    listen 80;
    server_name guacamole.domain.dom;
    access_log /var/log/nginx/guacamole_access.log;
    error_log /var/log/nginx/guacamole_error.log;
    location / {
        proxy_pass http://192.168.122.125:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        # Guacamole is served at / through this proxy, so rewrite the cookie path to match
        proxy_cookie_path /guacamole/ /;
    }
}
Enable tomcat manager
Adding users to /etc/tomcat9/tomcat-users.xml
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<user username="admin" password="admin" roles="admin,admin-gui,manager,manager-gui"/>
Enabling remote access
Commenting out the RemoteAddrValve in /usr/share/tomcat9-admin/manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
<CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
<!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
<Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
and commenting out in /usr/share/tomcat9-admin/host-manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
<CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
sameSiteCookies="strict" />
<!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"
allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />-->
<Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
Then
systemctl restart tomcat9
And access both:
http://192.168.122.125:8080/manager/html
http://192.168.122.125:8080/host-manager/html
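Several settings in this walkthrough widen access: trust entries in pg_hba.conf, guacd bound to 0.0.0.0, the admin/admin Tomcat user and the commented-out RemoteAddrValve. The script below is an added example, not part of the original guide, that reports each of them; the function names are hypothetical and the sample files are constructed copies of the settings shown above.

```shell
#!/usr/bin/env bash
# Added example: flag the access-widening settings used in this walkthrough.

# Addresses on host* lines of pg_hba.conf that use "trust" and are not loopback.
pg_hba_trust_remote() {
  awk '$1 ~ /^host/ && $NF == "trust" && $4 !~ /^(127\.|::1\/|localhost$)/ { print $4 }' "$1"
}

# Succeeds when guacd.conf binds guacd to every interface.
guacd_binds_all() {
  awk -F= '/^[ \t]*bind_host[ \t]*=/ { gsub(/[ \t\r]/, "", $2); v = $2 }
           END { exit !(v == "0.0.0.0" || v == "::") }' "$1"
}

# Usernames in tomcat-users.xml whose password equals the username
# (assumes the username attribute is written before password, as on this page).
tomcat_weak_users() {
  sed -n 's/.*<user[^>]*username="\([^"]*\)"[^>]*password="\1".*/\1/p' "$1"
}

# Succeeds when the RemoteAddrValve in a manager context.xml is commented out.
manager_valve_disabled() {
  grep -Eq '<!--[[:space:]]*<Valve[^>]*RemoteAddrValve' "$1"
}

# audit PG_HBA GUACD_CONF TOMCAT_USERS CONTEXT_XML: prints one line per finding.
audit() {
  for net in $(pg_hba_trust_remote "$1"); do
    echo "pg_hba.conf: $net connects as any role without a password (trust)"
  done
  if guacd_binds_all "$2"; then echo "guacd.conf: guacd listens on all interfaces"; fi
  for u in $(tomcat_weak_users "$3"); do
    echo "tomcat-users.xml: user '$u' has a password equal to the username"
  done
  if manager_valve_disabled "$4"; then echo "context.xml: manager reachable from any address"; fi
}

# Constructed sample files mirroring the settings shown on this page.
make_samples() {
  printf '%s\n' 'host all all 127.0.0.1/32 md5' 'host all all 192.168.122.0/24 trust' \
    'host all all 192.168.123.0/24 trust' > "$1/pg_hba.conf"
  printf '%s\n' '[server]' 'bind_host = 0.0.0.0' 'bind_port = 4822' > "$1/guacd.conf"
  echo '<user username="admin" password="admin" roles="admin,admin-gui,manager,manager-gui"/>' > "$1/tomcat-users.xml"
  echo '<!--<Valve className="org.apache.catalina.valves.RemoteAddrValve"' > "$1/context.xml"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit "$tmp/pg_hba.conf" "$tmp/guacd.conf" "$tmp/tomcat-users.xml" "$tmp/context.xml"
rm -rf "$tmp"
```

On a real host, call audit with /etc/postgresql/13/main/pg_hba.conf, /etc/guacamole/guacd.conf, /etc/tomcat9/tomcat-users.xml and the manager context.xml instead of the sample files.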