submitted 11 months ago by wayne1191@alien.top to c/main@selfhosted.forum

Hello, I installed Apache Guacamole using this script: https://github.com/MysticRyuujin/guac-install

I am using nginx as a reverse proxy to forward to the guacamole host... Nginx conf (redirect to 443 is set in default conf):

    server {
        listen 443 ssl;
        server_name vm.domain.com;

        ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

        location / {
            proxy_pass http://IP-ADDRESS:8080/guacamole;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            access_log off;
        }
    }

If I open “vm.domain.com” it shows me the nginx welcome page. If I open “vm.domain.com/guacamole” it shows me the guacamole page, but with strange field names (never seen this before...). When I open it using the local IP, everything is fine.

So how do I change the tomcat9 default path, so that I don't have to use "vm.domain.com/guacamole" but just "vm.domain.com" (also with the local IP)? And how do I get it shown correctly?

latkde@alien.top 2 points 11 months ago

So how do I change the tomcat9 default path, that I don't have to use "vm.domain.com/guacamole" just "vm.domain.com"

Unfortunately, you don't. Not even the Guacamole Docker container does this.

I would configure Nginx to redirect from / to /guacamole/. You could also try reconfiguring Tomcat. Perhaps renaming the guacamole.war to ROOT.war is enough, but I vaguely remember that Tomcat is more tricky than that.

Looks like the Guacamole web frontend doesn't know it is being proxied, and generates some links to translation resources using an absolute path.

Also, a security note: absolutely do not run guacd (the guacamole-server component) as unconfined root or on a publicly accessible port. Guacd has no authentication, and could thus be used as an open proxy by attackers (also to look into your network). Guacd is also written in C, and not in an overly security-conscious manner. It is likely that the code contains quite some vulnerabilities.

The easiest way to harden guacd is to run it in a Docker container and to "bind" it to localhost (not 0.0.0.0). So instead of docker run --rm -p 4822:4822 my-guacd-image you might specify the port as -p 127.0.0.1:4822:4822, which only allows incoming connections from within the server. (But you might not want a separate network namespace at all, especially since this affects the destination IP address for your VNC connections. Then, use --net=host for Docker and set localhost in the guacd config file).

Instead of running in a container, it may be acceptable to use Systemd options for hardening, in particular running as a separate user. Use systemd-analyze security to get suggestions about Systemd features that might be beneficial.

akircher@alien.top 1 points 11 months ago

I had a bit of hassle with Guacamole too.

I eventually got it working like this:

location / {
    proxy_pass                             http://guacamole:8080/guacamole/;
    proxy_buffering                        off;
    proxy_http_version                     1.1;
    proxy_cookie_path /guacamole/          /;
    proxy_set_header  X-Forwarded-Host     $host;
    proxy_set_header  X-Forwarded-Server   $host;
    proxy_set_header  X-Forwarded-For      $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto    $scheme;
    proxy_set_header  Host                 $host;
    proxy_set_header  Upgrade              $http_upgrade;
    proxy_set_header  Connection           $http_connection;
}

Happy to send you my docker-compose.yml if you want a copy.
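The difference between the original post's proxy_pass (no trailing slash) and the working one above comes down to how nginx substitutes the URI part of proxy_pass for the matched location prefix, plus the proxy_cookie_path rewrite. The following model of those two rules is an added example, not code from the thread or from nginx; it assumes plain prefix locations only (no regex locations) and uses the hostnames from the two configs as sample values.

```python
"""Model of two nginx proxy directives used in this thread.

proxy_pass with a URI part: the portion of the request URI that matched the
`location` prefix is replaced by that URI, and the rest of the request URI is
appended verbatim, with no slash inserted between them.

proxy_cookie_path OLD NEW: a Set-Cookie Path attribute starting with OLD has
that prefix replaced by NEW (prefix match, nothing else is touched).
"""
from urllib.parse import urlsplit


def upstream_path(location: str, proxy_pass: str, request_uri: str) -> str:
    """Return the path nginx forwards upstream for request_uri under `location`."""
    if not request_uri.startswith(location):
        raise ValueError(f"{request_uri!r} does not match location {location!r}")
    target = urlsplit(proxy_pass)
    if target.path == "":
        # proxy_pass without a URI part passes the request URI through unchanged.
        return request_uri
    # Matched prefix is swapped for the proxy_pass URI; remainder appended as-is.
    return target.path + request_uri[len(location):]


def rewrite_cookie_path(set_cookie: str, old: str, new: str) -> str:
    """Apply `proxy_cookie_path old new` to one Set-Cookie header value."""
    rewritten = []
    for attr in (a.strip() for a in set_cookie.split(";")):
        name, _, value = attr.partition("=")
        if name.lower() == "path" and value.startswith(old):
            # Prefix match: Path=/guacamole (no trailing slash) would NOT match "/guacamole/".
            attr = f"Path={new}{value[len(old):]}"
        rewritten.append(attr)
    return "; ".join(rewritten)


if __name__ == "__main__":
    # Sample values constructed from the two configs in the thread.
    configs = {
        "original post": "http://IP-ADDRESS:8080/guacamole",
        "working reply": "http://guacamole:8080/guacamole/",
    }
    for label, proxy_pass in configs.items():
        for uri in ("/", "/translations/en.json"):
            print(f"{label:14} {uri:24} -> {upstream_path('/', proxy_pass, uri)}")
    print(rewrite_cookie_path("JSESSIONID=abc; Path=/guacamole/; HttpOnly", "/guacamole/", "/"))
```

Without the trailing slash, a request for /translations/en.json reaches Tomcat as /guacamoletranslations/en.json, which is the kind of broken resource path that leaves the login form showing raw field names.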

maximus459@alien.top 1 points 11 months ago

Just want to know, does the copy paste and session recording work for you?

I've tried a couple of docker images, and some features are buggy..

  • while you have to use the hosted mode the history function to show the actual use details
  • ...the recording and copy/paste never seems to work, the option is there but the function doesn't work

this post was submitted on 20 Nov 2023