Basic installation on a Debian 11 Bullseye LXC container (unprivileged and nested).
Article sources:
Authentication mode:
Here we use an SQL database to store the registered credentials securely. This database also keeps track of user connections.
We also use LDAP authentication.
List of key services:
Server side:
– Tomcat server
– Guacamole server
– MariaDB (SQL) server
Reverse proxy side:
– Local proxy (e.g. apache2)
– Remote proxy (e.g. nginx)
Client side:
– A modern browser (e.g. Firefox 78.14.0esr (64-bit), used in my tests)
Guacamole download source
1 Install Tomcat 9
apt install tomcat9 tomcat9-admin tomcat9-common tomcat9-user
If you open http://IP_Server:8080
2 Install Guacamole Server
2.1 Install prerequisites
apt install build-essential libcairo2-dev libjpeg62-turbo-dev libtool-bin libossp-uuid-dev libavcodec-dev libavformat-dev libavutil-dev libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libwebsockets-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev
2.2 Download and install Guacamole Server
wget https://dlcdn.apache.org/guacamole/1.3.0/source/guacamole-server-1.3.0.tar.gz
tar vfx guacamole-server-1.3.0.tar.gz
cd guacamole-server-1.3.0/
autoreconf -fi
./configure --with-init-dir=/etc/init.d
make
make install
2.3 Enable and start the service:
/sbin/ldconfig
systemctl enable guacd
systemctl start guacd
3 Install Guacamole Client
3.1 Download
wget https://dlcdn.apache.org/guacamole/1.3.0/binary/guacamole-1.3.0.war
mkdir /etc/guacamole
cp guacamole-1.3.0.war /etc/guacamole/guacamole.war
ln -s /etc/guacamole/guacamole.war /var/lib/tomcat9/webapps/
mkdir /etc/guacamole/{extensions,lib}
echo "GUACAMOLE_HOME=/etc/guacamole" | tee -a /etc/default/tomcat9
4 Install MariaDB
4.1 Install packages
apt install mariadb-server mariadb-client
Secure MariaDB:
mysql_secure_installation
4.2 Create the Guacamole database and its user
mysql -p
CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'passw0rd';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
FLUSH PRIVILEGES;
quit;
5 Add the Guacamole extensions
5.1 Download the jdbc extension
wget https://dlcdn.apache.org/guacamole/1.3.0/binary/guacamole-auth-jdbc-1.3.0.tar.gz
tar vfx guacamole-auth-jdbc-1.3.0.tar.gz
5.2 Import the database (the tables)
cat guacamole-auth-jdbc-1.3.0/mysql/schema/*.sql | mysql -u root -p guacamole_db
5.3 Add the mysql extension
cp guacamole-auth-jdbc-1.3.0/mysql/guacamole-auth-jdbc-mysql-1.3.0.jar /etc/guacamole/extensions/
5.4 JDBC driver install
wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-8.0.26.tar.gz
tar xvzf mysql-connector-java-8.0.26.tar.gz
cp mysql-connector-java-8.0.26/mysql-connector-java-8.0.26.jar /etc/guacamole/lib/
5.5 Add the LDAP extension
wget https://downloads.apache.org/guacamole/1.3.0/binary/guacamole-auth-ldap-1.3.0.tar.gz
tar xvzf guacamole-auth-ldap-1.3.0.tar.gz
cp guacamole-auth-ldap-1.3.0/guacamole-auth-ldap-1.3.0.jar /etc/guacamole/extensions/
6 Configure the Guacamole properties
nano /etc/guacamole/guacamole.properties
guacd-hostname: localhost
guacd-port: 4822
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: passw0rd
auth-provider: net.sourceforge.guacamole.net.auth.ldap.LDAPAuthenticationProvider
ldap-hostname: samba.domain.com
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=domain,DC=com
ldap-search-bind-dn: CN=Administrator,CN=Users,DC=domain,DC=com
ldap-search-bind-password: mdp_Samba
ldap-username-attribute: sAMAccountName
systemctl restart tomcat9
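As an added example, not part of the original article, a small Python check that parses the guacamole.properties shown above (the key: value form Guacamole reads) and flags the settings a reviewer would not leave in place: LDAP with encryption 'none', a domain administrator as the search bind account, and the placeholder database password. The hardened values it compares against (the CN=svc-guacamole bind account, port 636 with ssl) are assumptions, not from the page.

```python
import re

# Constructed excerpt of the guacamole.properties from section 6 (values as on the page).
PAGE_PROPERTIES = """\
mysql-password: passw0rd
ldap-hostname: samba.domain.com
ldap-port: 389
ldap-encryption-method: none
ldap-user-base-dn: DC=domain,DC=com
ldap-search-bind-dn: CN=Administrator,CN=Users,DC=domain,DC=com
ldap-search-bind-password: mdp_Samba
ldap-username-attribute: sAMAccountName
"""

# Hypothetical hardened values for the same keys (account name and password are constructed).
HARDENED_OVERRIDES = {
    "ldap-port": "636",
    "ldap-encryption-method": "ssl",          # LDAPS; 'starttls' is the other accepted value
    "ldap-search-bind-dn": "CN=svc-guacamole,OU=Service Accounts,DC=domain,DC=com",
    "mysql-password": "<long-random-secret-from-a-vault>",
}
WEAK_PASSWORDS = {"passw0rd", "password", "guacamole", "guacadmin"}

def parse_properties(text: str) -> dict:
    """Parse the Java-properties style 'key: value' (or 'key=value') lines Guacamole reads."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":          # blank lines and comments
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(props: dict) -> list:
    """Return the weak settings a reviewer would flag before exposing this instance."""
    findings = []
    if props.get("ldap-encryption-method", "none").lower() == "none":
        findings.append("ldap: encryption 'none' sends the bind password and every user's password in clear text; use 'ssl' or 'starttls'")
    if re.search(r"(?i)^cn=administrator,", props.get("ldap-search-bind-dn", "")):
        findings.append("ldap: the search bind uses a domain administrator; use a dedicated read-only bind account")
    pw = props.get("mysql-password", "")
    if len(pw) < 12 or pw.lower() in WEAK_PASSWORDS:
        findings.append("mysql: the database password is short or a well-known placeholder")
    return findings
```

Running audit(parse_properties(PAGE_PROPERTIES)) reports the three findings; applying HARDENED_OVERRIDES on top of the parsed file clears them.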
7 Test the Guacamole instance
Open http://IP_server:8080/guacamole in your browser and log in.
Default user: 'guacadmin'
Default password: 'guacadmin'
Change it at first login.
I recommend creating another administrator and disabling this one.
8 Apache reverse proxy (direct use)
8.1 Installation
apt install apache2 -y
8.2 Activate Modules
/usr/sbin/a2enmod rewrite
/usr/sbin/a2enmod proxy_http
/usr/sbin/a2enmod proxy_wstunnel
8.3 Apache config
vim /etc/apache2/sites-enabled/000-default.conf
And insert into the VirtualHost:
ProxyPass / http://127.0.0.1:8080/guacamole/ flushpackets=on
ProxyPassReverse / http://127.0.0.1:8080/guacamole/
ProxyPassReverseCookiePath /guacamole /
<Location /websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
</Location>
SetEnvIf Request_URI "^/tunnel" dontlog
CustomLog /var/log/apache2/guac.log common env=!dontlog
My config:
ServerName guacamole.domaine.com
<IfModule mod_rewrite.c>
    # Logging disabled by default
    # LogLevel mod_rewrite.c:trace2
</IfModule>
<VirtualHost *:80>
    ServerAdmin webmaster@unl01.example.com
    ErrorLog /var/log/apache2/guacamole.domaine.com/error.txt
    CustomLog /var/log/apache2/guacamole.domaine.com/ combined
    <Location /html5/>
        Order allow,deny
        Allow from all
        ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://127.0.0.1:8080/guacamole/
    </Location>
    <Location /html5/websocket-tunnel>
        Order allow,deny
        Allow from all
        ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
    </Location>
</VirtualHost>
8.4 Restart Apache
systemctl restart apache2.service
9 Nginx reverse proxy (remote use)
9.1 VirtualHost configuration
nano /etc/nginx/sites-enabled/guacamole.domaine.com
upstream websocket2 {
    server 10.168.50.31:8080;
}
server {
    if ($host = guacamole.domaine.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name guacamole.domaine.com;
}
server {
    listen 443 ssl;
    server_name guacamole.domaine.com;
    client_max_body_size 0;
    add_header Strict-Transport-Security "max-age=31536000" always;
    access_log /var/log/nginx/guacamole.domaine.com/access.log;
    error_log /var/log/nginx/guacamole.domaine.com/error.log;
    location /.well-known {
        root /usr/share/nginx/html/;
    }
    location /html5/ {
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://websocket2/guacamole/;
        proxy_cookie_path /guacamole/ /;
    }
    location /html5/websocket-tunnel {
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://websocket2/guacamole/websocket-tunnel;
    }
    location / {
        proxy_buffering off;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://websocket2/guacamole/;
    }
    ssl_certificate /etc/letsencrypt/live/guacamole.domaine.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/guacamole.domaine.com/privkey.pem; # managed by Certbot
}
9.2 Access via HTTPS
Now you can access your Guacamole with http://IP_server.
You can switch the site to HTTPS by adding certificates (e.g. Let's Encrypt) to this vhost.
10 Debugging
10.1 View the main Tomcat logs of the Guacamole server
tail /var/log/tomcat9/catalina.out
tail /var/log/tomcat9/catalina.out -f
10.2 Detailed Guacamole logs
nano /etc/guacamole/logback.xml
<configuration>
    <!-- Appender for debugging -->
    <appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
            <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
        </encoder>
    </appender>
    <!-- Log at Debug Level -->
    <root level="debug">
        <appender-ref ref="GUAC-DEBUG"/>
    </root>
</configuration>
11 Going further
When an Nginx reverse proxy is placed in front, the connection IP addresses recorded are those of the proxy. To change this and get the original IP address, you need:
Nginx reverse proxy, in the virtual host:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Restart Nginx
systemctl restart nginx
Tomcat9 Guacamole server
Add to the file /etc/tomcat9/server.xml (inside the <Host> element):
<!-- internalProxies lists the peer addresses whose X-Forwarded-For header is trusted.
     127\.0\.0\.1 covers only the local Apache of section 8; for the remote nginx of section 9
     add the address of the nginx host, otherwise the header is ignored and the proxy address
     keeps being recorded. Keep it limited to your own proxies: any peer listed here can set
     the client address that ends up in Guacamole's connection history. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" requestAttributesEnabled="true" internalProxies="127\.0\.0\.1" />
Restart Tomcat9:
systemctl restart tomcat9
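As an added example, not code from the article or from Tomcat, a Python model of how RemoteIpValve picks the address to record: the X-Forwarded-For header is honoured only when the TCP peer itself matches internalProxies. The nginx host address 10.168.50.1 and the client addresses are constructed; the demo shows that with internalProxies left at 127\.0\.0\.1 the remote nginx of section 9 is not trusted and the proxy address is still recorded, while a forged header from a host hitting port 8080 directly is ignored.

```python
import re

def resolve_remote_ip(remote_addr: str, x_forwarded_for: str,
                      internal_proxies: str = r"127\.0\.0\.1",
                      trusted_proxies: str = "") -> tuple:
    """Simplified re-implementation of the RemoteIpValve selection rule.

    Returns (client_ip, trusted_hops). The header is used only when the peer
    matches internalProxies; a header sent by anyone else is ignored, which is
    what stops a direct client from forging the address Guacamole records.
    """
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None
    if not internal.fullmatch(remote_addr) or not x_forwarded_for:
        return remote_addr, []
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    trusted_hops = []
    client = remote_addr
    # Walk right to left: skip internal hops, record trusted ones, stop at the
    # first address that is neither: that one is the real client.
    for hop in reversed(hops):
        client = hop
        if internal.fullmatch(hop):
            continue
        if trusted and trusted.fullmatch(hop):
            trusted_hops.insert(0, hop)
            continue
        break
    return client, trusted_hops

# Constructed addresses: 203.0.113.7 is the browser, 10.168.50.1 the remote nginx
# host of section 9 (the page does not give its address), 198.51.100.9 a host
# talking to Tomcat on port 8080 directly.
def demo() -> dict:
    return {
        # Local Apache of section 8: the page's valve setting works as-is.
        "local_apache": resolve_remote_ip("127.0.0.1", "203.0.113.7")[0],
        # Remote nginx with internalProxies still 127\.0\.0\.1: header ignored,
        # the proxy address is what Guacamole records.
        "remote_nginx_untrusted": resolve_remote_ip("10.168.50.1", "203.0.113.7")[0],
        # Same request once the nginx host is listed in internalProxies.
        "remote_nginx_trusted": resolve_remote_ip(
            "10.168.50.1", "203.0.113.7",
            internal_proxies=r"127\.0\.0\.1|10\.168\.50\.1")[0],
        # Direct hit on port 8080 with a forged header: the true peer is kept.
        "forged_direct": resolve_remote_ip("198.51.100.9", "10.0.0.1")[0],
    }
```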