Configuring VNC was pretty trivial. I went with TigerVNC server on my Gaming computer (it’s named Gaming, but it is no longer fit for gaming as it’s 10 years old). The setup was trivial: install, poke holes in the firewall, set a password, and configure the connection in Guacamole. It doesn’t really perform that badly, but I’m guessing RDP would be better. I don’t have Windows Professional, though, and this PC is Windows 10, and I’m not going to pay to upgrade now because support for it ends in a little over a year.
I just ran the check for Windows 11 and it’s too old for it, which I assumed but had yet to actually check. I don’t really feel the need to replace this one though, so I’ll probably be switching to Linux for it at some point. My laptop is only a year old so that will be my only Windows system for now.
Guacamole is incredibly configurable and can be unforgiving. After going through the instructions I was curious exactly how long the instructions were so I pretended to print it. 56 pages. Lucky for me I’m just in the testing phase and I found that all I really needed to confirm it works was to create user-mapping.xml in /etc/guacamole.
<user-mapping>
<!-- Per-user authentication and config information -->
<authorize username="cweb" password="<password>">
<connection name="SSH to thecweb.com">
<protocol>ssh</protocol>
<param name="hostname">localhost</param>
<param name="port">22</param>
<param name="username">cweb</param>
<param name="enable-sftp">true</param>
</connection>
</authorize>
</user-mapping>
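The same file-based authentication also accepts the password as an MD5 hex digest when the `<authorize>` element carries `encoding="md5"`, which keeps reusable passwords out of the file. The following Python is an added example (not from this post or the Guacamole project) that builds such an entry and audits a constructed user-mapping.xml for plaintext entries; the users, hosts and passwords in it are made up.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the user-mapping.xml above (not the
# real file): "cweb" stores the password in the clear, "alice" stores only
# the MD5 digest and says so with encoding="md5".
SAMPLE_USER_MAPPING = """<user-mapping>
  <authorize username="cweb" password="hunter2">
    <connection name="SSH to thecweb.com">
      <protocol>ssh</protocol>
      <param name="hostname">localhost</param>
      <param name="port">22</param>
    </connection>
  </authorize>
  <authorize username="alice" password="2ab96390c7dbe3439de74d0c9b0b1767"
             encoding="md5">
    <connection name="VNC to gaming">
      <protocol>vnc</protocol>
      <param name="hostname">192.0.2.10</param>
      <param name="port">5900</param>
    </connection>
  </authorize>
</user-mapping>"""


def md5_digest(password: str) -> str:
    """Digest in the form the file expects: lowercase hex of MD5(password)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_authorize_tag(username: str, password: str) -> str:
    """Opening <authorize> tag that stores the digest instead of the password."""
    return (f'<authorize username="{username}" '
            f'password="{md5_digest(password)}" encoding="md5">')


def audit_user_mapping(xml_text: str) -> dict:
    """Map each username to 'plaintext' or 'md5' from its encoding attribute.
    Unsalted MD5 is still a weak store, so the file must stay readable only
    by the Tomcat service account; this flags the entries that would hand
    over a reusable password if the file were read."""
    root = ET.fromstring(xml_text)
    return {a.get("username"): ("md5" if a.get("encoding", "").lower() == "md5"
                                else "plaintext")
            for a in root.iter("authorize")}


def stored_digest(xml_text: str, username: str) -> str:
    """Return the password attribute stored for one user."""
    for a in ET.fromstring(xml_text).iter("authorize"):
        if a.get("username") == username:
            return a.get("password")
    raise KeyError(username)
```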
It took like an hour to get this far. I still need to set up VNC on one of my Windows systems and go through some steps to secure this colander I call a server. But I’m done for today.
I finally replaced the horrible Shark vacuum I got to replace my original Roomba. This one is the s9+. So far it seems much smarter than the last two. It’s going through a mapping procedure, and it apparently has the ability to move without the vacuum on, so it’s pretty quiet. I haven’t actually seen the cleaning power yet. One thing I’m concerned about is the size of the dust bin. It’s tiny. It also got stuck on the tile in front of my fireplace. I guess we’ll see how it does. It will certainly do a better job of keeping the house vacuumed than I do.
So it looks like all the dependencies installed correctly. make completed without errors, so now make install.
sudo make install completed without errors, so I just need to sudo ldconfig to update the system library cache. And add the server to systemd.
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo guacd
guacd[24340]: INFO: Guacamole proxy daemon (guacd) version 1.5.5 started
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl enable guacd
Failed to enable unit: Unit file guacd.service does not exist.
Shit. Looks like I didn’t include the option --with-init-dir=/etc/init.d when I ran configure, so we’re going to be repeating a few steps. It’s important to actually read install instructions and not just skim them.
Shit. I want to use systemd, not init.d. And the instructions don’t say what the option is for that. Rather than guessing we’ll just do this:
cweb@thecweb:/tmp/guacamole-server-1.5.5$ cat configure | grep systemd
systemd_dir
with_systemd_dir
--with-systemd-dir=<path>
install systemd units to the given directory
# Check whether --with-systemd_dir was given.
if test ${with_systemd_dir+y}
withval=$with_systemd_dir; systemd_dir=$withval
if test "x${systemd_dir}" != "x"; then
build_systemd="${systemd_dir}"
build_systemd=no
Systemd units: ${build_systemd}
I probably could have guessed that.
Now that I’ve got that redone, I was still getting an error because I gave the path as /etc/systemd instead of /etc/systemd/system, but that was easy to fix. We are now in business.
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo mv /etc/systemd/guacd.service /etc/systemd/system/guacd.service
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl enable guacd
Created symlink /etc/systemd/system/multi-user.target.wants/guacd.service → /etc/systemd/system/guacd.service.
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl start guacd
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl status guacd
● guacd.service - Guacamole Server
Loaded: loaded (/etc/systemd/system/guacd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2024-07-29 20:17:11 UTC; 7s ago
Docs: man:guacd(8)
Main PID: 41937 (guacd)
Tasks: 1 (limit: 9251)
Memory: 10.0M
CPU: 10ms
CGroup: /system.slice/guacd.service
└─41937 /usr/local/sbin/guacd -f
Jul 29 20:17:11 thecweb.com systemd[1]: Started Guacamole Server.
Jul 29 20:17:11 thecweb.com guacd[41937]: Guacamole proxy daemon (guacd) version 1.5.5 started
Jul 29 20:17:11 thecweb.com guacd[41937]: guacd[41937]: INFO: Guacamole proxy daemon (guacd) ver>
Jul 29 20:17:11 thecweb.com guacd[41937]: guacd[41937]: INFO: Listening on host 127.0.0.1, port >
Jul 29 20:17:11 thecweb.com guacd[41937]: Listening on host 127.0.0.1, port 4822
cweb@thecweb:/tmp/guacamole-server-1.5.5$
The guacamole-client files and extensions are just Java files that they provide precompiled, so I’m just going to use those. I’m just going to copy over the client without extensions for now because I’m not sure which ones I want to use yet.
Yay! It’s working! No, wait. It’s not started, and starting it gives me an error. I messed around with trying to figure out what was wrong for a little while and then just tried Undeploy and then deployed it through the app manager using the link below, and now it’s started.
Yay!!!!!!!!!!!!!!!!! 🥳🍾🍺
Now I need to configure it behind a reverse proxy using the instructions here. This isn’t required, but it enhances the system security by allowing the applet to run without root, and allows me to access Guacamole over port 443 instead of 8080, which is good because I don’t need to poke another hole in my firewall and it should also help hide the traffic from big brother while I’m at work.
Step one is to add the bolded lines to the Tomcat server config file at /etc/tomcat9/server.xml. This is to handle non-Latin characters, so I probably don’t really NEED it, but that is what the docs say.
In the same file I need to add this stuff so Tomcat can get the remote client’s IP address. Without this it will only see the reverse proxy’s IP. If you’re curious why this is needed there are several paragraphs in the proxy instructions explaining it under the heading “Setting up the Remote IP Valve”.
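The valve’s rule in an added Python model (not Tomcat’s code), to show why the list of trusted proxies must be just the loopback Apache described above: Tomcat walks X-Forwarded-For from the right, drops hops that are in internalProxies, takes the first remaining one as the client, and ignores the header entirely when the TCP peer is not a trusted proxy. The valve element and the request cases are assumptions constructed for the example.

```python
import ipaddress

# The valve element the Guacamole manual has you add to server.xml, quoted
# here as an assumption about the shape of the config, not the post's text.
REMOTE_IP_VALVE = ('<Valve className="org.apache.catalina.valves.RemoteIpValve" '
                   'internalProxies="127.0.0.1" '
                   'remoteIpHeader="x-forwarded-for" '
                   'remoteIpProxiesHeader="x-forwarded-by" '
                   'protocolHeader="x-forwarded-proto" />')


def resolve_client_ip(remote_addr, x_forwarded_for, internal_proxies):
    """Simplified model of how RemoteIpValve picks the client address.

    remote_addr is the TCP peer Tomcat sees (the reverse proxy when the
    request came through Apache). The header is only consulted when that
    peer is a trusted proxy; hops are then discarded from the right while
    they are trusted, and the first untrusted hop is taken as the client.
    """
    trusted = [ipaddress.ip_network(n) for n in internal_proxies]

    def is_trusted(addr):
        return any(ipaddress.ip_address(addr) in net for net in trusted)

    if not is_trusted(remote_addr):
        return remote_addr          # direct client: its header is ignored
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    while hops and is_trusted(hops[-1]):
        hops.pop()
    return hops[-1] if hops else remote_addr


# Constructed requests (RFC 5737 documentation addresses):
# 1. normal: Apache on loopback appends the real client.
NORMAL = ("127.0.0.1", "203.0.113.7", ["127.0.0.1/32"])
# 2. the browser sent its own X-Forwarded-For; Apache appended the real
#    client after it, so the right-to-left walk still stops at 203.0.113.7.
CLIENT_SUPPLIED = ("127.0.0.1", "198.51.100.9, 203.0.113.7", ["127.0.0.1/32"])
# 3. a whole LAN listed as internalProxies: a host on it that reaches
#    Tomcat's 8080 directly gets to name whatever it likes as the client,
#    which is why the trusted list should hold only the proxy itself.
TOO_BROAD = ("192.0.2.20", "198.51.100.9", ["192.0.2.0/24"])


def demo():
    """Resolved client address for the three constructed requests."""
    return [resolve_client_ip(*case) for case in (NORMAL, CLIENT_SUPPLIED, TOO_BROAD)]
```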
Now I need to enable the modules to add reverse proxy support in Apache.
cweb@thecweb:/etc/tomcat9$ sudo a2enmod proxy
Enabling module proxy.
To activate the new configuration, you need to run:
systemctl restart apache2
cweb@thecweb:/etc/tomcat9$ sudo a2enmod proxy_http
Considering dependency proxy for proxy_http:
Module proxy already enabled
Enabling module proxy_http.
To activate the new configuration, you need to run:
systemctl restart apache2
cweb@thecweb:/etc/tomcat9$ sudo a2enmod proxy_wstunnel
Considering dependency proxy for proxy_wstunnel:
Module proxy already enabled
Enabling module proxy_wstunnel.
To activate the new configuration, you need to run:
systemctl restart apache2
cweb@thecweb:/etc/tomcat9$ sudo systemctl restart apache2
cweb@thecweb:/etc/tomcat9$
For the site configuration I need to add the below to /etc/apache2/sites-enabled/chrisweber.online-le-ssl.conf to tell Apache to use the reverse proxy to access Tomcat when the specific URL Location is requested.
<Location /sneakypete/>
Order allow,deny
Allow from all
ProxyPass http://127.0.0.1:8080/sneakypete/ flushpackets=on
ProxyPassReverse http://127.0.0.1:8080/sneakypete/
</Location>
<Location /sneakypete/websocket-tunnel>
Order allow,deny
Allow from all
ProxyPass ws://127.0.0.1:8080/sneakypete/websocket-tunnel
ProxyPassReverse ws://127.0.0.1:8080/sneakypete/websocket-tunnel
</Location>
Shit! I’m getting a 404 error when trying to access https://thecweb.com/sneakypete. It’s embarrassing how long this took me to fix. Probably half an hour of looking at the Guacamole manuals and the mod_proxy documentation, and then another half an hour of googling with no resolution in sight. I thought maybe I actually need to create the directory that location is referring to? Yup… I misunderstood what the Location directive actually does. I thought it just mapped the URL to the directives without referencing the server’s filesystem. Nope. If the directory doesn’t exist, Apache doesn’t even go that far. So a simple “sudo mkdir sneakypete” in the site’s /var/www directory and now I’ve got the login page. Reverse proxy is working!
I think I’m done for the day. If not there will be a 3.5 post after I’ve cleared my head.
Ok, back at it. I’m starting at the dependencies section in the Guacamole manual here. I think I’ll just use this page to build the command to make things easy. I probably already have a bunch of these installed, but apt will sort that out for me. Much quicker than stare and compare. I’m pretty much installing all required and optional dependencies. The optional ones I know I need are for RDP, VNC, and SSH support. I’m not sure if I’ll ever use telnet, session recording, or audio over VNC, but it’s nice to have the option.
And this is what I got. The dependencies have dependencies, which also have dependencies, and those dependencies also have dependencies… I should have just gone with docker, but I’m only working with 100 GB of space, and I need that extra ~1 ms of speed I get from bare metal.
I had to remove like ten packages from the suggested list because apt couldn’t find them. Crap I didn’t need anyway like nvidia and cuda libraries. Wait, did I just fucking install fortran?
Setting up gfortran-11 (11.4.0-1ubuntu1~22.04) ...
Setting up gfortran (4:11.2.0-1ubuntu1) ...
update-alternatives: using /usr/bin/gfortran to provide /usr/bin/f95 (f95) in auto mode
update-alternatives: using /usr/bin/gfortran to provide /usr/bin/f77 (f77) in auto mode
Processing triggers for libc-bin (2.35-0ubuntu3.8) ...
Guess so…
It’s quarter past ten at night and I’m tired and hungry. And if installing packages was this much of a pain then I really don’t want to start compiling Guacamole from source right now. Glancing over what I’ve written, it really doesn’t look like it took that long, but there was a lot of trial and error figuring out which packages Ubuntu didn’t have. Probably would have been quicker to just add the nvidia repository instead of playing whack-a-mole by removing the packages one by one. But that would have messed up my pure FOSS system with that evil closed source nvidia software.
So… Now that I’m back at it I can load the test page but the highlighted links give me a Tomcat 404 error page, so something is wrong. I found this guide to setting up Tomcat on Ubuntu LTS 22 here. First I need to set up a user in /etc/tomcat9/tomcat-users.xml.
That should do the ticket for testing purposes. So ‘systemctl restart tomcat9’ and see what we get!
Nope. Still 404. I browsed through the server.xml config file and didn’t see anything wrong… Maybe I should confirm those files actually exist. I checked /var/www but nothing there, although I did notice that for some reason all users had write access to /var/www/thecweb.com (which is something a fucking moron would do if they ran into a permissions issue setting up their website…) So ‘chmod go-w thecweb.com’.
Back to Tomcat! After some googling to find out where the missing files should be on disk I found that they simply weren’t in /usr/share like they should be. And ‘apt list --installed | grep tomcat’ finally gave me my answer!
cweb@thecweb:/var/lib/tomcat9/webapps/ROOT/META-INF$ apt list --installed | grep tomcat
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
libtomcat9-java/jammy-updates,now 9.0.58-1ubuntu0.1 all [installed,automatic]
tomcat9-common/jammy-updates,now 9.0.58-1ubuntu0.1 all [installed,automatic]
tomcat9/jammy-updates,now 9.0.58-1ubuntu0.1 all [installed]
I somehow only managed to install tomcat9 and tomcat9-common packages. So I installed the missing packages and voila!
I’m going to take a break for now, but there is a small chance I’ll jump back in later. It’s only 1 pm… And I’d like to get this running before my next work week starts.
Looks like the first step is to have a working Java Servlet, which I don’t have. I’m going with Apache Tomcat as it’s been around forever so there is lots of documentation. Also, Ubuntu has package files which always makes things easier.
‘apt search tomcat’ shows me that Tomcat 9 is the version that Ubuntu has included with LTS 22. So I’ll just do ‘apt install tomcat9’, and see how far that gets me.
The following NEW packages will be installed:
ca-certificates-java default-jre-headless java-common libeclipse-jdt-core-java libgraphite2-3 libharfbuzz0b libpcsclite1 libtcnative-1 libtomcat9-java openjdk-11-jre-headless tomcat9 tomcat9-common
0 upgraded, 12 newly installed, 0 to remove and 0 not upgraded.
That gets me the above packages, and once that install is finished, I’m going to install the suggested packages. They all look useful…
After that finished I confirm that Tomcat is running with ‘systemctl status tomcat9’, and then point my browser to the webserver’s internal IP on port 8080 and I see this lovely message.
That was much easier than I expected. I think that’s it for day one as it’s 6 am and I’m almost done with my shift.
Looking at the logs it’s been down since October 22, 2023. I’m not sure if that is when my fiber IP changed, or when the line from the fiber jack to the router in the basement broke. The line quit working right before I had to work from home, so I just put the wifi router directly into the fiber jack so I could work, and I just yesterday got around to fixing that. I ended up just replacing RJ45 connectors on both ends of the cable.
After the box was back on the internet, I updated my current public IP with namecheap and started running updates on Ubuntu. I didn’t realize when you run ‘apt upgrade’ that it will move you to the latest LTS version, so I spent about half an hour figuring out why Apache would not start. Turns out one of the several warning messages I clicked through was telling me it was going to install PHP 8.1, and remove 7.6. Since I made sure to tell it not to update any of my config files, this caused Apache to crash when trying to start. I just had to disable the old module and enable the new one.
So the site is back up but just a quick run through certbot and it’s secure again too!
All this is in preparation for me to set up Apache Guacamole on the site. This should allow me to get around all the filtering at work so I can remote into my home computer and work on things I can’t on my work PC. My next post will probably be about setting that up. It is fairly complicated. No prebuilt apt packages.