Difference between revisions of "Guacamole"

From Linuxintro
 
(45 intermediate revisions by 8 users not shown)
Line 7: Line 7:
  
 
Sometimes in your Linux life, you need to control your servers in the internet with a graphical user interface. This is tedious when you are behind a corporate firewall blocking ssh requests to the public internet. Typical corporate firewalls only allow proxified client access to port 80, 8080 and 443 in the public internet. One way to go is to use a browser to display a Linux desktop. The solution is [http://guacamole.sourceforge.net/ guacamole].
 
Sometimes in your Linux life, you need to control your servers in the internet with a graphical user interface. This is tedious when you are behind a corporate firewall blocking ssh requests to the public internet. Typical corporate firewalls only allow proxified client access to port 80, 8080 and 443 in the public internet. One way to go is to use a browser to display a Linux desktop. The solution is [http://guacamole.sourceforge.net/ guacamole].
 +
 +
<youtube width="200" height="320">1oT7KWK5Lgs</youtube>
  
 
= Quickstart =
 
= Quickstart =
 
This will show you  
 
This will show you  
* how to install guacamole 0.9.3 on Ubuntu (tested with 14.04)
+
* how to install guacamole 1.5.2 on Ubuntu (tested with 20.04)
 
* how to make this configuration survive a reboot
 
* how to make this configuration survive a reboot
 
* how to secure transmission with SSL
 
* how to secure transmission with SSL
 
* how to make the website accessible from behind a firewall (port 80 or 443)
 
* how to make the website accessible from behind a firewall (port 80 or 443)
  
Here's what you do as root user:
+
Here's what you do:
 +
* become root user
 +
sudo su -
 
* install software that we will need later:
 
* install software that we will need later:
 
  apt-get update
 
  apt-get update
  apt-get install tomcat6 tightvncserver gcc make xterm
+
  apt-get install tomcat9 tightvncserver ubuntu-gnome-desktop xfonts-75dpi xfonts-100dpi gnome-panel
  
 
== configure VNC server ==
 
== configure VNC server ==
Guacamole does the communication between a VNC server and the web browser. So whatever you see in VNC will be in the browser. In this example let's use xfce as desktop environment:
+
Guacamole does the communication between a VNC server and the web browser. So whatever you see in VNC will be in the browser. In this example let's use GNOME as desktop environment:
* install xfce:
+
 
apt-get install xfce4
+
* write the startup for your VNC sessions:
* activate gnome for your VNC:
 
 
  cd
 
  cd
 
  mkdir .vnc
 
  mkdir .vnc
 
  cat >> .vnc/xstartup <<EOF
 
  cat >> .vnc/xstartup <<EOF
 
  #!/bin/sh
 
  #!/bin/sh
  xfce4-session || xterm
+
   
 +
export XKL_XMODMAP_DISABLE=1
 +
export XDG_CURRENT_DESKTOP="GNOME-Flashback:GNOME"
 +
export XDG_MENU_PREFIX="gnome-flashback-"
 +
 +
gnome-session --builtin --session=gnome-flashback-metacity --disable-acceleration-check --debug &
 
  EOF
 
  EOF
  chmod 777 .vnc/xstartup
+
  chmod +x .vnc/xstartup
  
 
== deploy guacamole client ==
 
== deploy guacamole client ==
* download the guacamole webapp from http://sourceforge.net/projects/guacamole/files/current/binary/
+
* download the guacamole webapp, today, 1.5.2 is the latest:
 +
wget https://archive.apache.org/dist/guacamole/1.5.2/binary/guacamole-1.5.2.war
 
* deploy it
 
* deploy it
  # mv guacamole-0.9.3.war /var/lib/tomcat6/webapps/
+
  mv guacamole-1.5.2.war /var/lib/tomcat9/webapps/guacamole.war
* surf to http://localhost:8080/guacamole-0.9.3. A folder /var/lib/tomcat6/webapps/guacamole-0.9.3 will be created with some content. We will need that later.
+
* test it by surfing to http://yourserver:8080/guacamole (don't forget to replace yourserver by your server or your server's IP address ;)
 
* although login is not yet possible your browser will show a login screen like that:
 
* although login is not yet possible your browser will show a login screen like that:
  
[[File:guacamole-login.png]]
+
<pic src=https://linuxintro.org/images/4/44/Screenshot_2023-09-21_2.56.57_PM.png width=25% align=text />
  
 
== install guacamole server ==
 
== install guacamole server ==
 
* install some [[dependencies]] that the server will need to build with vnc support:
 
* install some [[dependencies]] that the server will need to build with vnc support:
  apt-get install libvncserver-dev libpng-dev libcairo-dev
+
  apt-get install gcc make libvncserver-dev libpng-dev libcairo-dev libossp-uuid-dev
* download guacamole-server from http://sourceforge.net/projects/guacamole/files/current/source/
+
* download guacamole-server, in this case version 1.5.2:
* unpack it, in this example 0.9.3:
+
wget https://archive.apache.org/dist/guacamole/1.5.2/source/guacamole-server-1.5.2.tar.gz
  tar xvzf guacamole-server-0.9.3.tar.gz
+
* unpack it:
''shouldn't it be -xvzf  ??''
+
  tar xvzf guacamole-server-1.5.2.tar.gz
 
* build the server:
 
* build the server:
  cd guacamole-server-0.9.3
+
  cd guacamole-server-1.5.2
 
  ./configure && make -j8 && make install
 
  ./configure && make -j8 && make install
 
* the following step is ugly; installation and binary do not completely fit so we must do that:
 
* the following step is ugly; installation and binary do not completely fit so we must do that:
Line 57: Line 66:
 
* now we start the guacamole daemon:
 
* now we start the guacamole daemon:
 
  # guacd
 
  # guacd
  guacd[17669]: INFO: Guacamole proxy daemon (guacd) version 0.9.3
+
  guacd[54873]: INFO:     Guacamole proxy daemon (guacd) version 1.5.2 started
guacd[17669]: INFO:  Successfully bound socket to host ::1, port 4822
 
guacd[17669]: INFO:  Exiting and passing control to PID 17671
 
root@tstaerk-desktop:/var/log# guacd[17671]: INFO:  Exiting and passing control to PID 17672
 
  
 
== configure guacamole ==
 
== configure guacamole ==
Line 71: Line 77:
 
   
 
   
 
  # Location to read extra .jar's from
 
  # Location to read extra .jar's from
  lib-directory:  /var/lib/tomcat6/webapps/guacamole-0.9.3/WEB-INF/classes
+
  lib-directory:  /var/lib/tomcat9/webapps/guacamole-1.3.0/WEB-INF/classes
 
   
 
   
 
  # Authentication provider class
 
  # Authentication provider class
Line 78: Line 84:
 
  # Properties used by BasicFileAuthenticationProvider
 
  # Properties used by BasicFileAuthenticationProvider
 
  basic-user-mapping: /etc/guacamole/user-mapping.xml
 
  basic-user-mapping: /etc/guacamole/user-mapping.xml
 +
 
* create a file /etc/guacamole/user-mapping.xml with the content
 
* create a file /etc/guacamole/user-mapping.xml with the content
 +
 
  <user-mapping>
 
  <user-mapping>
 
     <authorize username="user" password="password">
 
     <authorize username="user" password="password">
Line 87: Line 95:
 
     </authorize>
 
     </authorize>
 
  </user-mapping>
 
  </user-mapping>
 +
  
 
== configure tomcat ==
 
== configure tomcat ==
 
* find out your tomcat's user directory:
 
* find out your tomcat's user directory:
 
  # cat /etc/passwd|grep tomcat
 
  # cat /etc/passwd|grep tomcat
  tomcat6:x:113:116::/usr/share/tomcat6:/bin/false
+
  tomcat6:x:113:116::/usr/share/tomcat9:/bin/false
: in this case it is /usr/share/tomcat6
+
: in this case it is /usr/share/tomcat9
 
* create a folder .guacamole in your tomcat's user directory:
 
* create a folder .guacamole in your tomcat's user directory:
  mkdir /usr/share/tomcat6/.guacamole
+
  mkdir /usr/share/tomcat9/.guacamole
 
* link guacamole.properties into your tomcat's user directories' guacamole folder
 
* link guacamole.properties into your tomcat's user directories' guacamole folder
  ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat6/.guacamole
+
  ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat9/.guacamole
  
 
== finishing ==
 
== finishing ==
 
* start a vnc server, as password set password (the vnc password given in user-mappings.xml)
 
* start a vnc server, as password set password (the vnc password given in user-mappings.xml)
 
  vncserver
 
  vncserver
* restart your tomcat server
+
* if it requires a password, use '''''password'''''. Don't set a view-only password.
/etc/init.d/tomcat6 restart
+
* point your browser to http://localhost:8080/guacamole
* point your browser to http://localhost:8080/guacamole-0.9.3
 
 
* log in as user, password password (the user given in user-mappings.xml)
 
* log in as user, password password (the user given in user-mappings.xml)
 
* you should see a screen like this:
 
* you should see a screen like this:
  
[[File:Guacamole-after-login.png]]
+
<pic src=http://www.linuxintro.org/images/Guacamole-after-login.png width=30% align=text />
  
 
Now when you click on "Default" you will see your VNC desktop in your browser.
 
Now when you click on "Default" you will see your VNC desktop in your browser.
  
* next steps: SSL
+
== secure transmission ==
* next steps: proxypass
+
[[Set up apache for https]] so your passwords are not transmitted unencrypted over the internet
 +
 
 +
== make it work from behind a firewall ==
 +
Most companies will have an internet proxy that does not allow users to access port 8080 on a server outside the company network. So you need a reverse proxy that tells apache if someone calls http://yourserver.yourdomain/guacamole this is forwarded to http://yourserver.yourdomain:8080 internally. To do this,
 +
* edit /etc/sysconfig/apache2 and add the following words to APACHE_MODULES: proxy proxy_http. In the end your line may read like this:
 +
APACHE_MODULES="actions alias auth_basic proxy proxy_http authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5"
 +
 
 +
* edit /etc/apache2/default-server.conf, add a block
 +
<IfModule mod_proxy.c>
 +
<Location /guacamole>
 +
    ProxyPass http://127.0.0.1:8080
 +
</Location>
 +
</IfModule>
  
 
= Persist it =
 
= Persist it =
Add the following line to /etc/crontab:
+
You want your configuration to survive a reboot so add the following lines to /etc/crontab:
 
  @reboot root /usr/local/sbin/guacd &
 
  @reboot root /usr/local/sbin/guacd &
 +
@reboot  thorsten USER=thorsten /usr/bin/vncserver >>/tmp/vnc-startup-error 2>&1
 +
 +
Replace thorsten with the OS user to start vncserver.
 +
 +
= Beautify it =
 +
You may want to run bash as a shell, in this case edit /etc/passwd and enter /bin/bash instead of /bin/sh
  
 
= TroubleShooting =
 
= TroubleShooting =
Line 130: Line 156:
 
* cat /etc/passwd gives me a line
 
* cat /etc/passwd gives me a line
 
  tomcat6:x:113:116::/usr/share/tomcat6:/bin/false
 
  tomcat6:x:113:116::/usr/share/tomcat6:/bin/false
 
+
 
  ll /usr/share/tomcat6/.guacamole/
 
  ll /usr/share/tomcat6/.guacamole/
 
  total 8
 
  total 8
Line 136: Line 162:
 
  drwxr-xr-x 6 root root 4096 Nov 26 07:57 ../
 
  drwxr-xr-x 6 root root 4096 Nov 26 07:57 ../
 
  lrwxrwxrwx 1 root root  35 Nov 26 07:58 guacamole.properties -> /etc/guacamole/guacamole.properties
 
  lrwxrwxrwx 1 root root  35 Nov 26 07:58 guacamole.properties -> /etc/guacamole/guacamole.properties
 +
  
 
* works now. So the thing is:
 
* works now. So the thing is:
Line 157: Line 184:
 
When logging in I got an error message
 
When logging in I got an error message
 
  Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'http://162.209.103.145:8080/guacamole-0.8.3/login'.
 
  Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'http://162.209.103.145:8080/guacamole-0.8.3/login'.
 +
 
Solution was to:
 
Solution was to:
 
  /etc/init.d/tomcat6 restart
 
  /etc/init.d/tomcat6 restart

Latest revision as of 16:51, 30 December 2023


A Linux desktop in a browser

Overview

Guacamole is a program to control a Linux desktop over the network in a browser.

Sometimes in your Linux life, you need to control your servers in the internet with a graphical user interface. This is tedious when you are behind a corporate firewall blocking ssh requests to the public internet. Typical corporate firewalls only allow proxified client access to port 80, 8080 and 443 in the public internet. One way to go is to use a browser to display a Linux desktop. The solution is guacamole.

Quickstart

This will show you

  • how to install guacamole 1.5.2 on Ubuntu (tested with 20.04)
  • how to make this configuration survive a reboot
  • how to secure transmission with SSL
  • how to make the website accessible from behind a firewall (port 80 or 443)

Here's what you do:

  • become root user
sudo su -
  • install software that we will need later:
apt-get update
apt-get install tomcat9 tightvncserver ubuntu-gnome-desktop xfonts-75dpi xfonts-100dpi gnome-panel

configure VNC server

Guacamole does the communication between a VNC server and the web browser. So whatever you see in VNC will be in the browser. In this example let's use GNOME as desktop environment:

  • write the startup for your VNC sessions:
cd
mkdir .vnc
cat >> .vnc/xstartup <<EOF
#!/bin/sh

export XKL_XMODMAP_DISABLE=1
export XDG_CURRENT_DESKTOP="GNOME-Flashback:GNOME"
export XDG_MENU_PREFIX="gnome-flashback-"

gnome-session --builtin --session=gnome-flashback-metacity --disable-acceleration-check --debug &
EOF
chmod +x .vnc/xstartup

deploy guacamole client

  • download the guacamole webapp, today, 1.5.2 is the latest:
wget https://archive.apache.org/dist/guacamole/1.5.2/binary/guacamole-1.5.2.war
  • deploy it
mv guacamole-1.5.2.war /var/lib/tomcat9/webapps/guacamole.war
  • test it by surfing to http://yourserver:8080/guacamole (don't forget to replace yourserver by your server or your server's IP address ;)
  • although login is not yet possible your browser will show a login screen like that:

install guacamole server

  • install some dependencies that the server will need to build with vnc support:
apt-get install gcc make libvncserver-dev libpng-dev libcairo-dev libossp-uuid-dev
  • download guacamole-server, in this case version 1.5.2:
wget https://archive.apache.org/dist/guacamole/1.5.2/source/guacamole-server-1.5.2.tar.gz
  • unpack it:
tar xvzf guacamole-server-1.5.2.tar.gz
  • build the server:
cd guacamole-server-1.5.2
./configure && make -j8 && make install
  • the following step is ugly; installation and binary do not completely fit so we must do that:
ln -s /usr/local/lib/libguac.so* /lib
ln -s /usr/local/lib/libguac-client-vnc.so* /lib/
  • now we start the guacamole daemon:
# guacd
guacd[54873]: INFO:     Guacamole proxy daemon (guacd) version 1.5.2 started

configure guacamole

  • create a folder for guacamole's configuration:
mkdir /etc/guacamole
  • create a file /etc/guacamole/guacamole.properties with the content
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port:     4822

# Location to read extra .jar's from
lib-directory:  /var/lib/tomcat9/webapps/guacamole-1.3.0/WEB-INF/classes

# Authentication provider class
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

# Properties used by BasicFileAuthenticationProvider
basic-user-mapping: /etc/guacamole/user-mapping.xml
  • create a file /etc/guacamole/user-mapping.xml with the content
<user-mapping>
   <authorize username="user" password="password">
      <protocol>vnc</protocol>
         <param name="hostname">localhost</param>
         <param name="port">5901</param>
         <param name="password">password</param>
    </authorize>
</user-mapping>


configure tomcat

  • find out your tomcat's user directory:
# cat /etc/passwd|grep tomcat
tomcat6:x:113:116::/usr/share/tomcat9:/bin/false
in this case it is /usr/share/tomcat9
  • create a folder .guacamole in your tomcat's user directory:
mkdir /usr/share/tomcat9/.guacamole
  • link guacamole.properties into your tomcat's user directories' guacamole folder
ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat9/.guacamole

finishing

  • start a vnc server, as password set password (the vnc password given in user-mappings.xml)
vncserver
  • if it requires a password, use password. Don't set a view-only password.
  • point your browser to http://localhost:8080/guacamole
  • log in as user, password password (the user given in user-mappings.xml)
  • you should see a screen like this:

Now when you click on "Default" you will see your VNC desktop in your browser.

secure transmission

Set up apache for https so your passwords are not transmitted unencrypted over the internet

make it work from behind a firewall

Most companies will have an internet proxy that does not allow users to access port 8080 on a server outside the company network. So you need a reverse proxy that tells apache if someone calls http://yourserver.yourdomain/guacamole this is forwarded to http://yourserver.yourdomain:8080 internally. To do this,

  • edit /etc/sysconfig/apache2 and add the following words to APACHE_MODULES: proxy proxy_http. In the end your line may read like this:
APACHE_MODULES="actions alias auth_basic proxy proxy_http authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5"
  • edit /etc/apache2/default-server.conf, add a block
<IfModule mod_proxy.c>
<Location /guacamole>
    ProxyPass http://127.0.0.1:8080
</Location>
</IfModule>

Persist it

You want your configuration to survive a reboot so add the following lines to /etc/crontab:

@reboot root /usr/local/sbin/guacd &
@reboot  thorsten USER=thorsten /usr/bin/vncserver >>/tmp/vnc-startup-error 2>&1

Replace thorsten with the OS user to start vncserver.

Beautify it

You may want to run bash as a shell, in this case edit /etc/passwd and enter /bin/bash instead of /bin/sh

TroubleShooting

invalid login

  • now the problem is that tomcat does not know where to find the Authentication class:

/var/lib/tomcat6/webapps/guacamole/WEB-INF/classes/net/sourceforge/guacamole/net/basic/BasicFileAuthenticationProvider.class

is not in /etc/guacamole/guacamole.properties

  • so add it
  • cat /etc/passwd gives me a line
tomcat6:x:113:116::/usr/share/tomcat6:/bin/false

ll /usr/share/tomcat6/.guacamole/
total 8
drwxr-xr-x 2 root root 4096 Nov 26 07:58 ./
drwxr-xr-x 6 root root 4096 Nov 26 07:57 ../
lrwxrwxrwx 1 root root   35 Nov 26 07:58 guacamole.properties -> /etc/guacamole/guacamole.properties


  • works now. So the thing is:
    • take care that it is called guacamole and not guacamole-0.8.3 (sure?)
    • make sure the classpath in /etc/guacamole/guacamole.properties is correct, e.g.
# Location to read extra .jar's from
lib-directory:  /var/lib/tomcat6/webapps/guacamole/WEB-INF/classes

Server error

  • now I got a server error so I straced guacd:
strace -p 15332

and saw

[pid 20344] open("/usr/lib/x86_64-linux-gnu/libguac-client-vnc.so", O_RDONLY) = -1 ENOENT (No such file or directory)

so the problem is that libguac-client-vnc.so is missing.

  • downloaded java version 1.7.45 and compiled guacamole-client using mvn. But there was no *.so* file in it
  • so installed libvncserver-dev and rebuild and reinstalled guacamole-server
  • and there it is, libguac-client-vnc.so
  • now the error message changed from "server error" to "unauthorized"

Failed to load

When logging in I got an error message

Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'http://162.209.103.145:8080/guacamole-0.8.3/login'.

Solution was to:

/etc/init.d/tomcat6 restart

Error initializing VNC client

After logging in I got the error message

Error initializing VNC client

Solution was to start

vncserver

Could not connect

If you surf to the page and get an error message like

Unable to connect

It probably means that tomcat is not running. It must be possible to connect to port 8080, a java process for tomcat must be running.

/etc/init.d/tomcat6 status

must deliver something like

* Tomcat servlet engine is running with pid 17546

See also