Debian 10 64-bit – Installing Guacamole

Setting up a remote connection manager

Author: Vince Nadus
Publication date: 4 March 2024
apache guacamole tomcat nginx

Base installation: Debian 10.3 net install. Here we use an SQL database to store the saved credentials securely. This database also makes it possible to track user connections.


The key elements are:

Server side:

– Tomcat server

– Guacamole server

– MariaDB (SQL) server

Reverse proxy side:

– Local proxy (e.g. apache2)

– Remote proxy (e.g. nginx)

Client side:

– A modern browser (e.g. Firefox 75.0 64-bit, used in my tests)

1. Install Tomcat 9

apt install tomcat9 tomcat9-admin tomcat9-common tomcat9-user

If you open http://IP_Server:8080

Result: "It works!"

2. Install Guacamole Server

2.1 Install the prerequisites

apt install build-essential libcairo2-dev libjpeg62-turbo-dev libtool-bin libossp-uuid-dev libavcodec-dev libavutil-dev libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libwebsockets-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev

2.2 Download and install Guacamole Server

wget https://mirror.dkd.de/apache/guacamole/1.1.0/source/guacamole-server-1.1.0.tar.gz
tar vfx guacamole-server-1.1.0.tar.gz
cd guacamole-server-1.1.0/
autoreconf -fi
./configure --with-init-dir=/etc/init.d
make
make install

Enable the service and start it:

/usr/sbin/ldconfig
systemctl enable guacd
systemctl start guacd

3. Install Guacamole Client

3.1 Download

wget http://us.mirrors.quenda.co/apache/guacamole/1.1.0/binary/guacamole-1.1.0.war
mkdir /etc/guacamole
cp guacamole-1.1.0.war /etc/guacamole/guacamole.war
ln -s /etc/guacamole/guacamole.war /var/lib/tomcat9/webapps/
mkdir /etc/guacamole/{extensions,lib}
echo "GUACAMOLE_HOME=/etc/guacamole" | tee -a /etc/default/tomcat9

4. Install MariaDB

4.1 Install the packages

apt install mariadb-server mariadb-client

Secure MariaDB:

mysql_secure_installation

4.2 Create the Guacamole database and its user

mysql -p
CREATE DATABASE guacamole_db;
CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'passw0rd';
GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';
FLUSH PRIVILEGES;
quit;

4.3 Download the JDBC extension

wget http://apache.mirror.digionline.de/guacamole/1.1.0/binary/guacamole-auth-jdbc-1.1.0.tar.gz
tar vfx guacamole-auth-jdbc-1.1.0.tar.gz

4.4 Import the database (the tables)

cat guacamole-auth-jdbc-1.1.0/mysql/schema/*.sql | mysql -u root -p guacamole_db

4.5 Add the MySQL extension

cp guacamole-auth-jdbc-1.1.0/mysql/guacamole-auth-jdbc-mysql-1.1.0.jar /etc/guacamole/extensions/

4.6 Install the JDBC driver

wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-8.0.13.tar.gz
tar xvzf mysql-connector-java-8.0.13.tar.gz
cp mysql-connector-java-8.0.13/mysql-connector-java-8.0.13.jar /etc/guacamole/lib/

5. Configure Guacamole

vim /etc/guacamole/guacamole.properties

# Hostname and Guacamole server port
guacd-hostname: localhost
guacd-port: 4822

# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: passw0rd

After every change, restart the tomcat9 service:

systemctl restart tomcat9

6. Test

Open http://IP_server:8080/guacamole in your browser and log in.

Default user: 'guacadmin'

Default password: 'guacadmin'

Change it at the first login.

I recommend creating another administrator and disabling this one.

7.X.a Apache reverse proxy (direct use)

7.1.a Installation

apt install apache2 -y

7.2.a Enable the modules

/usr/sbin/a2enmod rewrite
/usr/sbin/a2enmod proxy_http
/usr/sbin/a2enmod proxy_wstunnel

7.3.a Apache config

vim /etc/apache2/sites-enabled/000-default.conf

Add the following inside the VirtualHost:

# ProxyPass rules are matched in order, so the WebSocket tunnel must be declared
# before the catch-all "/" rule. (Order/Allow directives are only valid inside
# <Location> or <Directory>, not directly in a VirtualHost; see the full config below.)
ProxyPass /websocket-tunnel ws://127.0.0.1:8080/guacamole/websocket-tunnel
ProxyPassReverse /websocket-tunnel ws://127.0.0.1:8080/guacamole/websocket-tunnel
ProxyPass / http://127.0.0.1:8080/guacamole/ flushpackets=on
ProxyPassReverse / http://127.0.0.1:8080/guacamole/
ProxyPassReverseCookiePath /guacamole /
# Keep the very chatty HTTP tunnel requests out of the access log
SetEnvIf Request_URI "^/tunnel" dontlog
CustomLog /var/log/apache2/guac.log common env=!dontlog

My config

ServerName guacamole.domaine.com

<IfModule mod_rewrite.c>
        # Logging disabled by default
        # LogLevel mod_rewrite.c:trace2
</IfModule>

<VirtualHost *:80>
        ServerAdmin webmaster@unl01.example.com

        ErrorLog /var/log/apache2/guacamole.domaine.com/error.txt
        # access log file name assumed: the original line stopped at the directory
        CustomLog /var/log/apache2/guacamole.domaine.com/access.txt combined

        # Guacamole is published under /html5/ and mapped to /guacamole/ on Tomcat
        <Location /html5/>
                Order allow,deny
                Allow from all
                ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
                ProxyPassReverse http://127.0.0.1:8080/guacamole/
        </Location>

        # WebSocket tunnel, requires mod_proxy_wstunnel (enabled in 7.2.a)
        <Location /html5/websocket-tunnel>
                Order allow,deny
                Allow from all
                ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
                ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
        </Location>
</VirtualHost>

7.4.a Restart Apache

systemctl restart apache2.service

7.X.b Nginx reverse proxy (remote use)

nano /etc/nginx/sites-enabled/guacamole.domaine.com

upstream websocket2 {
    server 10.168.50.31:8080;
}

server {
    if ($host = guacamole.domaine.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name guacamole.domaine.com;
}

server {
    listen 443 ssl;
    server_name guacamole.domaine.com;
    client_max_body_size 0;
    add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /var/log/nginx/guacamole.domaine.com/access.log;
    error_log /var/log/nginx/guacamole.domaine.com/error.log;

    # Only this source address may reach the vhost; everything else gets 403
    allow 117.20.32.61;
    deny all;

    location /.well-known {
        root /usr/share/nginx/html/;
    }

    location /html5/ {
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://websocket2/guacamole/;
        proxy_cookie_path /guacamole/ /;
    }

    # WebSocket tunnel: HTTP/1.1 plus the Upgrade/Connection headers are required
    location /html5/websocket-tunnel {
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://websocket2/guacamole/websocket-tunnel;
    }

    location / {
        proxy_buffering off;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_pass http://websocket2/guacamole/;
    }

    ssl_certificate /etc/letsencrypt/live/guacamole.domaine.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/guacamole.domaine.com/privkey.pem; # managed by Certbot
}

7.5 Test

Now you can reach your Guacamole at http://IP_server.

You can switch the site to HTTPS by adding certificates (e.g. Let's Encrypt) to this vhost.

8. Debugging

View the main Tomcat logs of the Guacamole server:

tail /var/log/tomcat9/catalina.out

tail /var/log/tomcat9/catalina.out -f

Detailed logs:

nano /etc/guacamole/logback.xml

<configuration>
 <!-- Appender for debugging -->
 <appender name="GUAC-DEBUG" class="ch.qos.logback.core.ConsoleAppender">
   <encoder>
    <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
   </encoder>
 </appender>

 <!-- Log at Debug Level -->
 <root level="debug">
    <appender-ref ref="GUAC-DEBUG"/>
 </root>
</configuration>

When an Nginx reverse proxy sits in front, the connection IP addresses seen by Guacamole are those of the proxy. To record the original client IP instead, do the following:

On the Nginx reverse proxy, in the virtual host:

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Restart Nginx

Tomcat9 Guacamole server:

Add the following to /etc/tomcat9/server.xml (inside the <Host> element):

<!-- internalProxies must match the address Tomcat sees the proxy connect from:
     127.0.0.1 covers the local Apache of 7.X.a; the remote nginx of 7.X.b
     connects from its own address, which must be matched here as well.
     If the peer does not match, the X-Forwarded-For header is ignored, which
     is what stops direct clients from forging their address. -->
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" requestAttributesEnabled="true" internalProxies="127\.0\.0\.1" />

Restart Tomcat9:

systemctl restart tomcat9
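As an added example (not from this guide and not Tomcat's code), the following Python model reproduces the RemoteIpValve decision from section 8 and runs it against the two proxy layouts of section 7. The addresses 203.0.113.10 (client) and 198.51.100.5 (nginx) are constructed placeholders, and trustedProxies is a valve attribute the guide does not set.

```python
import re
# Added example, neither the guide's nor Tomcat's code: a Python model of how
# Tomcat's RemoteIpValve (section 8) derives the client address from
# X-Forwarded-For. All addresses below are constructed placeholders.

def resolve_client_addr(remote_addr, xff, internal_proxies=r"127\.0\.0\.1",
                        trusted_proxies=None):
    """Return (client_addr, remaining_xff, proxies_header). The header counts
    only if the direct TCP peer matches internalProxies; hops are then read
    right to left: internal hops are dropped, trusted hops are recorded, the
    first other hop is the client and anything left of it stays in XFF."""
    internal = re.compile(internal_proxies)
    trusted = re.compile(trusted_proxies) if trusted_proxies else None
    if not internal.fullmatch(remote_addr):
        return remote_addr, xff, ""       # unknown peer: a forged header is ignored
    hops = [h for h in re.split(r"\s*,\s*", xff.strip()) if h] if xff else []
    client, proxies, idx = remote_addr, [], len(hops) - 1
    while idx >= 0:
        client = hops[idx]
        if internal.fullmatch(client):
            pass                          # internal hop: dropped from every header
        elif trusted and trusted.fullmatch(client):
            proxies.insert(0, client)     # trusted hop: goes to proxiesHeader
        else:
            idx -= 1                      # this hop is the client; stop here
            break
        idx -= 1
    return client, ", ".join(hops[:idx + 1]), ", ".join(proxies)

CLIENT, NGINX, APACHE = "203.0.113.10", "198.51.100.5", "127.0.0.1"  # constructed

def scenarios():
    return {
        # 7.X.a: client -> local Apache -> Tomcat; mod_proxy sets XFF itself
        "local_apache": resolve_client_addr(APACHE, CLIENT),
        # client -> remote nginx -> local Apache -> Tomcat: Apache appends nginx's
        # address, so with only 127.0.0.1 internal the logged address is nginx's
        "nginx_then_apache": resolve_client_addr(APACHE, f"{CLIENT}, {NGINX}"),
        # same chain with nginx in trustedProxies: the real client is recovered
        "nginx_trusted": resolve_client_addr(APACHE, f"{CLIENT}, {NGINX}",
                                             trusted_proxies=re.escape(NGINX)),
        # 7.X.b: nginx proxies straight to Tomcat:8080, so the peer is nginx and
        # the header is ignored until nginx's address is in internalProxies
        "nginx_direct": resolve_client_addr(NGINX, CLIENT),
        # direct hit on :8080 with a forged header: ignored
        "forged": resolve_client_addr("203.0.113.66", "10.0.0.1"),
    }
if __name__ == "__main__":
    for name, (addr, rest, proxies) in scenarios().items():
        print(f"{name:18} client={addr:14} xff={rest!r} proxies={proxies!r}")
```

The "nginx_direct" case is the one that matters for the guide's own layout, where nginx talks to Tomcat on 10.168.50.31:8080: with internalProxies left at 127.0.0.1 the real client address never reaches Guacamole's history.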