Linux

Time to configure. Instructions here.

Guacamole is incredibly configurable and can be unforgiving. After going through the instructions I was curious exactly how long the instructions were so I pretended to print it. 56 pages. Lucky for me I’m just in the testing phase and I found that all I really needed to confirm it works was to create user-mapping.xml in /etc/guacamole.

<user-mapping>

    <!-- Per-user authentication and config information -->
    <authorize username="cweb" password="<password>">
            <connection name="SSH to thecweb.com">
                <protocol>ssh</protocol>
                <param name="hostname">localhost</param>
                <param name="port">22</param>
                <param name="username">cweb</param>
                <param name="enable-sftp">true</param>
            </connection>
    </authorize>

</user-mapping>

It took like an hour to get this far. I still need to setup VNC on my one of my Windows systems and go through some steps to secure this colander I call a server. But I’m done for today.

Ok, time to download the source and compline. I’m still following the manual located here.

So I’ll download the client and server tars and decompress them to temp.

cweb@thecweb:/tmp$ tar -xzf guacamole-client-1.5.5.tar.gz
cweb@thecweb:/tmp$ tar -xzf guacamole-server-1.5.5.tar.gz
cweb@thecweb:/tmp$ ls guac*
guacamole-client-1.5.5.tar.gz  guacamole-server-1.5.5.tar.gz

guacamole-client-1.5.5:
CONTRIBUTING  LICENSE  README  extensions  guacamole-common     guacamole-docker  pom.xml
Dockerfile    NOTICE   doc     guacamole   guacamole-common-js  guacamole-ext     src

guacamole-server-1.5.5:
CONTRIBUTING  LICENSE      Makefile.in  README      bin        config.h.in  configure.ac  m4   util
Dockerfile    Makefile.am  NOTICE       aclocal.m4  build-aux  configure    doc           src
cweb@thecweb:/tmp$

It looks to be the standard configure, make, make install that is common in FOSS software. For the server configure got me this,

------------------------------------------------
guacamole-server version 1.5.5
------------------------------------------------

   Library status:

     freerdp2 ............ yes
     pango ............... yes
     libavcodec .......... yes
     libavformat.......... yes
     libavutil ........... yes
     libssh2 ............. yes
     libssl .............. yes
     libswscale .......... yes
     libtelnet ........... yes
     libVNCServer ........ yes
     libvorbis ........... yes
     libpulse ............ yes
     libwebsockets ....... yes
     libwebp ............. yes
     wsock32 ............. no

   Protocol support:

      Kubernetes .... yes
      RDP ........... yes
      SSH ........... yes
      Telnet ........ yes
      VNC ........... yes

   Services / tools:

      guacd ...... yes
      guacenc .... yes
      guaclog .... yes

   FreeRDP plugins: /usr/lib/x86_64-linux-gnu/freerdp2
   Init scripts: no
   Systemd units: no

Type "make" to compile guacamole-server.

so it looks like all the dependencies installed correctly. make completed without errors so now make install.

sudo make install completed without errors, so I just need to sudo ldconfig to update the system library cache. And add the server to systemd.

cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo guacd
guacd[24340]: INFO:     Guacamole proxy daemon (guacd) version 1.5.5 started

cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl enable guacd
Failed to enable unit: Unit file guacd.service does not exist.

Shit. Looks like I didn’t include the option –with-init-dir=/etc/init.d when I ran configure, so we’re going to be repeating a few steps. It’s important to actually read install instructions and not just skim them.

Shit. I want to use systemd not initd. And the instructions don’t say what the option is for that. Rather than guessing we’ll just do this

cweb@thecweb:/tmp/guacamole-server-1.5.5$ cat configure | grep systemd
systemd_dir
with_systemd_dir
  --with-systemd-dir=<path>
                          install systemd units to the given directory
# Check whether --with-systemd_dir was given.
if test ${with_systemd_dir+y}
  withval=$with_systemd_dir; systemd_dir=$withval
 if test "x${systemd_dir}" != "x"; then
  build_systemd="${systemd_dir}"
  build_systemd=no
   Systemd units: ${build_systemd}

I probably could have guessed that.

Now that I’ve got that redone, I was still getting an error because I gave the path as /etc/systemd instead of /etc/systemd/system, but that was easy to fix. We are now in business.

cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo mv /etc/systemd/guacd.service /etc/systemd/system/guacd.s
ervice
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl enable guacd
Created symlink /etc/systemd/system/multi-user.target.wants/guacd.service → /etc/systemd/system/guacd.service.
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl start guacd
cweb@thecweb:/tmp/guacamole-server-1.5.5$ sudo systemctl status guacd
● guacd.service - Guacamole Server
     Loaded: loaded (/etc/systemd/system/guacd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-07-29 20:17:11 UTC; 7s ago
       Docs: man:guacd(8)
   Main PID: 41937 (guacd)
      Tasks: 1 (limit: 9251)
     Memory: 10.0M
        CPU: 10ms
     CGroup: /system.slice/guacd.service
             └─41937 /usr/local/sbin/guacd -f

Jul 29 20:17:11 thecweb.com systemd[1]: Started Guacamole Server.
Jul 29 20:17:11 thecweb.com guacd[41937]: Guacamole proxy daemon (guacd) version 1.5.5 started
Jul 29 20:17:11 thecweb.com guacd[41937]: guacd[41937]: INFO:        Guacamole proxy daemon (guacd) ver>
Jul 29 20:17:11 thecweb.com guacd[41937]: guacd[41937]: INFO:        Listening on host 127.0.0.1, port >
Jul 29 20:17:11 thecweb.com guacd[41937]: Listening on host 127.0.0.1, port 4822
cweb@thecweb:/tmp/guacamole-server-1.5.5$

The guacamole-client files and extensions are just java files that they provide precompiled, so I’m just going to do that. I’m just going to copy over the client without extensions now because I’m not sure which ones I want to use yet.

cweb@thecweb:/tmp$ sudo cp guacamole-1.5.5.war /var/lib/tomcat9/webapps
cweb@thecweb:/tmp$ sudo systemctl restart tomcat9
cweb@thecweb:/tmp$ sudo systemctl restart guacd
cweb@thecweb:/tmp$

Yay! It’s working! No, wait. It’s not started, and starting it gives me an error. I messed around with trying to figure out what was wrong for a little while and then just tried Undeploy and then deployed it through the app manager using the link below, and now it’s started.

Yay!!!!!!!!!!!!!!!!! 🥳🍾🕺

Now I need to configure it behind a reverse proxy using the instructions here. This isn’t required but it enhances the system security by allowing the applet to run without root, and allows be to access Guacamole over port 443 instead of 8080. Which is good because I don’t need to poke another hole in my firewall and it should also help hide the traffic from big brother while I’m at work.

Step one is to add the bolded lines to the Tomcat server config file at /etc/tomcat9/server.xml. This is to handle non-Latin characters. So I probably don’t really NEED it but that is what the docs say.

<Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />

In the same file I need to add this stuff so Tomcat can get the remote client’s IP address. Without this it will only see the reverse proxy’s IP. If you’re curious why this is needed there are several paragraphs in the proxy instructions explaining it under the heading “Setting up the Remote IP Valve”.

<Valve className="org.apache.catalina.valves.RemoteIpValve"
               internalProxies="127.0.0.1"
               remoteIpHeader="x-forwarded-for"
               remoteIpProxiesHeader="x-forwarded-by"
               protocolHeader="x-forwarded-proto" />

Now I need to enable the modules to add reverse proxy support in Apache.

cweb@thecweb:/etc/tomcat9$ sudo a2enmod proxy
Enabling module proxy.
To activate the new configuration, you need to run:
  systemctl restart apache2
cweb@thecweb:/etc/tomcat9$ sudo a2enmod proxy_http
Considering dependency proxy for proxy_http:
Module proxy already enabled
Enabling module proxy_http.
To activate the new configuration, you need to run:
  systemctl restart apache2
cweb@thecweb:/etc/tomcat9$ sudo a2enmod proxy_wstunnel
Considering dependency proxy for proxy_wstunnel:
Module proxy already enabled
Enabling module proxy_wstunnel.
To activate the new configuration, you need to run:
  systemctl restart apache2
cweb@thecweb:/etc/tomcat9$ sudo systemctl restart apache2
cweb@thecweb:/etc/tomcat9$

For the site configuration I need to add the below to /etc/apache2/sites-enabled/chrisweber.online-le-ssl.conf to tell Apache use the reverse proxy to access Tomcat when the specific URL Location is requested.

<Location /sneakypete/>
                Order allow,deny
                Allow from all
                ProxyPass http://127.0.0.1:8080/sneakypete/ flushpackets=on
                ProxyPassReverse http://127.0.0.1:8080/sneakypete/
        </Location>

        <Location /sneakypete/websocket-tunnel>
                Order allow,deny
                Allow from all
                ProxyPass ws://127.0.0.1:8080/sneakypete/websocket-tunnel
                ProxyPassReverse ws://127.0.0.1:8080/sneakypete//websocket-tunnel

Shit! I’m getting a 404 error when trying to access https://thecweb.com/sneakypete. It’s embarrising how long this took me to fix. Probably half an hour of looking at the Guacamole manuals and the mod_proxy documentation, and then another half an hour of googling with no resolution in site I thought maybe I actually need to create the directory that location is referring to? Yup… I miss understood what the Location directive actually does. I thought it just mapped the URL to the directives without referencing the servers filesystem. Nope. If the directory doesn’t exist, Apache doesn’t even go that far. So a simple “sudo mkdir sneakypete” in the site’s /var/www directory and now I’ve got the login page. Reverse proxy is working!

I think I’m done for the day. If not there will be a 3.5 post after I’ve cleared my head.

Ok, back at it. I’m starting at the dependencies section in the Guacamole manual here. I think I’ll just use this page to build the command to make things easy. I probably already have a bunch of these installed, but apt will sort that out for me. Much quicker than stare and compare. I’m pretty much installing all required and optional dependencies. The optional ones I know I need are for RDP, VNC, and SSH support. I’m not sure if I’ll ever use telenet, session recording, or audio over VNC, but it’s nice to have the option.

$ sudo apt install libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin \
uuid-dev libavcodec-dev libavformat-dev libavutil-dev libswscale-dev \
freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev \
libwebsockets-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev

And this is what I got. The dependencies have dependencies, which also have dependencies, and those dependencies also have dependencies… I should have just gone with docker, but I’m only working with 100 GB of space, and I need that extra ~1 ms of speed I get from bare metal.

cweb@thecweb:~$ sudo apt install libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin \
uuid-dev libavcodec-dev libavformat-dev libavutil-dev libswscale-dev \
freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev \
libwebsockets-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev
[sudo] password for cweb:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done

The following packages were automatically installed and are no longer required:
  libasn1-8-heimdal libcommon-sense-perl libffi7 libgssapi3-heimdal libhcrypto4-heimdal
  libheimbase1-heimdal libheimntlm0-heimdal libhx509-5-heimdal libicu66 libjson-perl libjson-xs-perl
  libkrb5-26-heimdal libldap-2.4-2 libllvm10 libllvm14 libroken18-heimdal libtypes-serialiser-perl
  libwind0-heimdal sysstat
Use 'sudo apt autoremove' to remove them.

The following additional packages will be installed:
  autoconf automake autotools-dev cpp cpp-11 gcc gcc-11 gcc-11-base gir1.2-freedesktop
  gir1.2-harfbuzz-0.0 gir1.2-pango-1.0 i965-va-driver icu-devtools intel-media-va-driver libaacs0
  libasan6 libasyncns0 libatomic1 libavcodec58 libavformat58 libavutil56 libbdplus0 libblkid-dev
  libbluray2 libbrotli-dev libc-dev-bin libc-devtools libc6-dev libcairo-gobject2
  libcairo-script-interpreter2 libcairo2 libcap-dev libcc1-0 libchromaprint1 libcodec2-1.0
  libcrypt-dev libdatrie-dev libdatrie1 libev-dev libev4 libevent-2.1-7 libexpat1-dev libffi-dev
  libflac8 libfontconfig-dev libfontconfig1-dev libfreerdp-client2-2 libfreerdp-server2-2
  libfreerdp-shadow-subsystem2-2 libfreerdp-shadow2-2 libfreerdp2-2 libfreetype-dev libfreetype6-dev
  libfribidi-dev libgcc-11-dev libgcrypt20-dev libgdk-pixbuf-2.0-0 libgdk-pixbuf2.0-bin
  libgdk-pixbuf2.0-common libglib2.0-dev libglib2.0-dev-bin libgme0 libgmp-dev libgmpxx4ldbl
  libgnutls-dane0 libgnutls-openssl27 libgnutls28-dev libgnutlsxx28 libgpg-error-dev libgraphite2-dev
  libgsm1 libharfbuzz-dev libharfbuzz-gobject0 libharfbuzz-icu0 libice-dev libicu-dev libidn2-dev
  libigdgmm12 libisl23 libitm1 liblsan0 libltdl-dev liblzo2-dev libmfx1 libmount-dev libmp3lame0
  libmpc3 libmpg123-0 libnorm1 libnsl-dev libogg-dev libogg0 libopenmpt0 libopus0 libp11-kit-dev
  libpango-1.0-0 libpangocairo-1.0-0 libpangoft2-1.0-0 libpangoxft-1.0-0 libpcre16-3 libpcre2-16-0
  libpcre2-32-0 libpcre2-dev libpcre2-posix3 libpcre3-dev libpcre32-3 libpcrecpp0v5 libpgm-5.3-0
  libpixman-1-0 libpixman-1-dev libpng-tools libpthread-stubs0-dev libpulse-mainloop-glib0 libpulse0
  libquadmath0 librabbitmq4 librsvg2-2 librsvg2-common libsasl2-dev libselinux1-dev libsepol-dev
  libshine3 libsm-dev libsnappy1v5 libsndfile1 libsoxr0 libspeex1 libsrt1.4-gnutls libssh-gcrypt-4
  libssh2-1 libswresample-dev libswresample3 libswscale5 libtasn1-6-dev libtasn1-doc libtelnet2
  libthai-data libthai-dev libthai0 libtheora0 libtirpc-dev libtool libtsan0 libtwolame0 libubsan1
  libudfread0 libunbound8 libuv1 libuv1-dev libva-drm2 libva-x11-2 libva2 libvdpau1 libvncclient1
  libvncserver1 libvorbis0a libvorbisenc2 libvorbisfile3 libvpx7 libwebsockets16 libwinpr-tools2-2
  libwinpr2-2 libwinpr2-dev libx11-dev libx264-163 libxau-dev libxcb-render0 libxcb-render0-dev
  libxcb-shm0-dev libxcb1-dev libxdamage1 libxdmcp-dev libxext-dev libxft-dev libxrender-dev
  libxvidcore4 libzmq5 libzvbi-common libzvbi0 linux-libc-dev m4 manpages-dev mesa-va-drivers
  mesa-vdpau-drivers nettle-dev ocl-icd-libopencl1 pango1.0-tools pkg-config rpcsvc-proto
  va-driver-all vdpau-driver-all winpr-utils x11proto-dev xorg-sgml-doctools xtrans-dev zlib1g-dev

Suggested packages:
  autoconf-archive gnu-standards autoconf-doc gettext cpp-doc gcc-11-locales gcc-multilib make flex
  bison gdb gcc-doc gcc-11-multilib gcc-11-doc i965-va-driver-shaders libcuda1 libnvcuvid1
  libnvidia-encode1 libbluray-bdj glibc-doc libcairo2-doc libdatrie-doc freerdp2-x11 freetype2-doc
  libgcrypt20-doc libgirepository1.0-dev libglib2.0-doc libxml2-utils gmp-doc libgmp10-doc libmpfr-dev
  dns-root-data gnutls-bin gnutls-doc libgraphite2-utils libice-doc icu-doc libtool-doc opus-tools
  p11-kit-doc libpango1.0-doc pulseaudio librsvg2-bin libsm-doc speex libssl-doc libtelnet-utils
  libthai-doc gfortran | fortran95-compiler gcj-jdk libx11-doc libxcb-doc libxext-doc m4-doc
  opencl-icd graphicsmagick dpkg-dev libvdpau-va-gl1

The following NEW packages will be installed:
  autoconf automake autotools-dev cpp cpp-11 freerdp2-dev gcc gcc-11 gcc-11-base gir1.2-freedesktop
  gir1.2-harfbuzz-0.0 gir1.2-pango-1.0 i965-va-driver icu-devtools intel-media-va-driver libaacs0
  libasan6 libasyncns0 libatomic1 libavcodec-dev libavcodec58 libavformat-dev libavformat58
  libavutil-dev libavutil56 libbdplus0 libblkid-dev libbluray2 libbrotli-dev libc-dev-bin
  libc-devtools libc6-dev libcairo-gobject2 libcairo-script-interpreter2 libcairo2 libcairo2-dev
  libcap-dev libcc1-0 libchromaprint1 libcodec2-1.0 libcrypt-dev libdatrie-dev libdatrie1 libev-dev
  libev4 libevent-2.1-7 libexpat1-dev libffi-dev libflac8 libfontconfig-dev libfontconfig1-dev
  libfreerdp-client2-2 libfreerdp-server2-2 libfreerdp-shadow-subsystem2-2 libfreerdp-shadow2-2
  libfreerdp2-2 libfreetype-dev libfreetype6-dev libfribidi-dev libgcc-11-dev libgcrypt20-dev
  libgdk-pixbuf-2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libglib2.0-dev libglib2.0-dev-bin
  libgme0 libgmp-dev libgmpxx4ldbl libgnutls-dane0 libgnutls-openssl27 libgnutls28-dev libgnutlsxx28
  libgpg-error-dev libgraphite2-dev libgsm1 libharfbuzz-dev libharfbuzz-gobject0 libharfbuzz-icu0
  libice-dev libicu-dev libidn2-dev libigdgmm12 libisl23 libitm1 libjpeg-turbo8-dev liblsan0
  libltdl-dev liblzo2-dev libmfx1 libmount-dev libmp3lame0 libmpc3 libmpg123-0 libnorm1 libnsl-dev
  libogg-dev libogg0 libopenmpt0 libopus0 libp11-kit-dev libpango-1.0-0 libpango1.0-dev
  libpangocairo-1.0-0 libpangoft2-1.0-0 libpangoxft-1.0-0 libpcre16-3 libpcre2-16-0 libpcre2-32-0
  libpcre2-dev libpcre2-posix3 libpcre3-dev libpcre32-3 libpcrecpp0v5 libpgm-5.3-0 libpixman-1-0
  libpixman-1-dev libpng-dev libpng-tools libpthread-stubs0-dev libpulse-dev libpulse-mainloop-glib0
  libpulse0 libquadmath0 librabbitmq4 librsvg2-2 librsvg2-common libsasl2-dev libselinux1-dev
  libsepol-dev libshine3 libsm-dev libsnappy1v5 libsndfile1 libsoxr0 libspeex1 libsrt1.4-gnutls
  libssh-gcrypt-4 libssh2-1 libssh2-1-dev libssl-dev libswresample-dev libswresample3 libswscale-dev
  libswscale5 libtasn1-6-dev libtasn1-doc libtelnet-dev libtelnet2 libthai-data libthai-dev libthai0
  libtheora0 libtirpc-dev libtool libtool-bin libtsan0 libtwolame0 libubsan1 libudfread0 libunbound8
  libuv1 libuv1-dev libva-drm2 libva-x11-2 libva2 libvdpau1 libvncclient1 libvncserver-dev
  libvncserver1 libvorbis-dev libvorbis0a libvorbisenc2 libvorbisfile3 libvpx7 libwebp-dev
  libwebsockets-dev libwebsockets16 libwinpr-tools2-2 libwinpr2-2 libwinpr2-dev libx11-dev libx264-163
  libxau-dev libxcb-render0 libxcb-render0-dev libxcb-shm0-dev libxcb1-dev libxdamage1 libxdmcp-dev
  libxext-dev libxft-dev libxrender-dev libxvidcore4 libzmq5 libzvbi-common libzvbi0 linux-libc-dev m4
  manpages-dev mesa-va-drivers mesa-vdpau-drivers nettle-dev ocl-icd-libopencl1 pango1.0-tools
  pkg-config rpcsvc-proto uuid-dev va-driver-all vdpau-driver-all winpr-utils x11proto-dev
  xorg-sgml-doctools xtrans-dev zlib1g-dev
0 upgraded, 215 newly installed, 0 to remove and 0 not upgraded.
Need to get 130 MB/131 MB of archives.
After this operation, 459 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Huh, guess I didn’t have any of them already installed.

Better get the suggested packages also. I can always remove them later.

$ sudo apt install autoconf-archive gnu-standards autoconf-doc gettext \
cpp-doc gcc-11-locales gcc-multilib make flex bison gdb gcc-doc \
gcc-11-multilib gcc-11-doc i965-va-driver-shaders \
libbluray-bdj glibc-doc libcairo2-doc libdatrie-doc \
freerdp2-x11 freetype2-doc libgcrypt20-doc libgirepository1.0-dev \
libglib2.0-doc libxml2-utils gmp-doc libgmp10-doc libmpfr-dev dns-root-data \
gnutls-bin gnutls-doc libgraphite2-utils libice-doc icu-doc libtool-doc \ 
speex libssl-doc libtelnet-utils libthai-doc gfortran \
libx11-doc libxcb-doc libxext-doc m4-doc graphicsmagick \
dpkg-dev libvdpau-va-gl1

I had to remove like ten packages from the suggested list because apt couldn’t find them. Crap I didn’t need anyway like nvidia and cuda libraires. Wait, did I just fucking install fortran?

Setting up gfortran-11 (11.4.0-1ubuntu1~22.04) ...
Setting up gfortran (4:11.2.0-1ubuntu1) ...
update-alternatives: using /usr/bin/gfortran to provide /usr/bin/f95 (f95) in auto mode
update-alternatives: using /usr/bin/gfortran to provide /usr/bin/f77 (f77) in auto mode
Processing triggers for libc-bin (2.35-0ubuntu3.8) ...

Guess so…

It’s quarter past ten at night and I’m tired and hungry. And if installing packages was this much of a pain then I really don’t want to start compiling Guacamole from source right now. Glancing over what I’ve wrote it really doesn’t look like it took that long, but there was a lot of trial and error figuring out which packages Ubuntu didn’t have. Probably would have been quicker to just add the nvidia repository instead of playing wack-a-mole by removing the packages one by one. But that would have messed up my pure FOSS system with that evil closed source nvidia software.

Peace! I’m out!