For my home server, which is running ESXi free edition, I’m using Apache Guacamole to access the virtual machines. Apache Guacamole makes it possible to control all PCs on my server without exposing RDP or VNC ports on the internet.

Currently I’m using a non-dockerized, outdated installation of Apache Guacamole. Instead of just updating Guacamole I’m going for a new, dockerized installation. This will make future updates very easy.

As a starting point I use a fresh Ubuntu 18.04 LTS server edition virtual machine. During installation you can select docker to be installed. How great is that!

Installing Apache Guacamole with Docker

Get the docker images for Apache Guacamole:

sudo docker pull guacamole/guacd
sudo docker pull guacamole/guacamole
sudo docker pull mysql/mysql-server

Spin up a MySQL docker:

sudo docker run --name=mysqld -d mysql/mysql-server:5.7

You can check the status of the MySQL server with:

sudo docker ps

Once the MySQL server is running we need to create a database for Guacamole. You can generate a script to do so using the following command:

sudo docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql > initdb.sql

After running the command a file ‘initdb.sql’ should be available in the current working directory.

Now we need a database and a user to run the script.

A password for mysql has been generated when you first started the docker image. You can find it with the following command:

sudo docker logs mysqld 2>&1 | grep GENERATED

Open a sql console in the docker image:

sudo docker exec -it mysqld mysql -uroot -p

Enter the password you found in the previous step.

Once logged in, change the password and create a root user that can access the server from anywhere.

ALTER USER 'root'@'localhost' IDENTIFIED BY 'root_password';
CREATE USER 'root'@'%' IDENTIFIED BY 'root_password';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;

Replace root_password with a password of your choice.

Create a database and exit the shell:

CREATE DATABASE guacamole;
exit;

Now run the initialization script on the mysql docker.

sudo docker exec -i mysqld mysql -uroot -proot_password guacamole < initdb.sql
sudo docker run --name my-guacd -d guacamole/guacd

sudo docker run --name my-guacamole --link my-guacd:guacd \
    --link mysqld:mysql         \
    -e MYSQL_DATABASE=guacamole  \
    -e MYSQL_USER=root    \
    -e MYSQL_PASSWORD=root_password \
    -d -p 8080:8080 guacamole/guacamole
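
The steps above leave Guacamole connecting as root, through an account that is reachable from any host and holds all privileges. The script below is an added example, not part of the original post: it creates a dedicated account limited to the guacamole database and starts my-guacamole with it in place of the command above. The account name guacamole_user is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. guacamole_user is an assumed name;
# mysqld, my-guacd, my-guacamole and the guacamole database are the page's.

# Print SQL for an account that can only read and write rows in one database.
guac_user_sql() {
    local db="$1" user="$2" pass="$3"
    [ -n "$db" ] && [ -n "$user" ] && [ -n "$pass" ] || return 1
    # Only plain identifiers, and no quote or backslash in the password,
    # so nothing can break out of the quoted SQL literals below.
    case "$db$user" in *[!A-Za-z0-9_]*) return 1 ;; esac
    case "$pass" in *\'*|*\\*) return 1 ;; esac
    printf "CREATE USER '%s'@'%%' IDENTIFIED BY '%s';\n" "$user" "$pass"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.* TO '%s'@'%%';\n" "$db" "$user"
    # root@localhost (used by 'docker exec ... mysql -uroot') is kept;
    # the network-reachable root account is no longer needed.
    printf "DROP USER IF EXISTS 'root'@'%%';\n"
}

apply() {
    local root_pw pass
    read -rsp 'MySQL root password: ' root_pw; echo
    # Random password restricted to letters and digits.
    pass="$(head -c 24 /dev/urandom | base64 | tr -d '/+=')"
    guac_user_sql guacamole guacamole_user "$pass" |
        sudo docker exec -i mysqld mysql -uroot -p"$root_pw"
    sudo docker run --name my-guacamole --link my-guacd:guacd \
        --link mysqld:mysql \
        -e MYSQL_DATABASE=guacamole \
        -e MYSQL_USER=guacamole_user \
        -e MYSQL_PASSWORD="$pass" \
        -d -p 8080:8080 guacamole/guacamole
}

# Nothing touches Docker unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

The grant covers the four statements Guacamole needs at runtime; creating the schema with initdb.sql is still done as root through docker exec.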

Now you can open a browser and go to

http://guacamoleip:8080/guacamole

You can log in with the default credentials guacadmin/guacadmin. Change that password right after the first login.

Install nginx as reverse proxy

The next (optional) step is to get the Guacamole server behind an nginx reverse proxy. That way it will be possible to introduce an SSL (HTTPS) connection.

Some steps below are based on this great tutorial: https://www.humankode.com/ssl/how-to-set-up-free-ssl-certificates-from-lets-encrypt-using-docker-and-nginx It’s worth reading if you want to go a little more into detail.

sudo docker pull nginx

We don’t want to maintain our configuration and files inside the container, so when creating the instance we map the directories to the host.

sudo docker run --name my-nginx -v /home/peter/docker/nginx/www:/usr/share/nginx/html -v /home/peter/docker/nginx/conf/nginx.conf:/etc/nginx/conf.d/default.conf -p 80:80 -d --network="host" nginx

Replace ‘peter’ with your username.

Making the directories outside the home directory did not work for me. This could be solved by reinstalling docker manually but I don’t want to go through that hassle. Therefore I keep the docker installation that comes with Ubuntu.

Because I will use the server also as a reverse proxy for other servers on my network I will configure the root directory as a landing page and configure subdirectories for the different services (home assistant, node-red, zone minder,…).

nano docker/nginx/conf/nginx.conf

Make the conf file contain the following configuration:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}


server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com localhost;

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /guacamole/;
        access_log off;
    }


    root /usr/share/nginx/html;
    index index.html;
}

If you want, you can create a simple landing page in your docker/nginx/www directory:

<html>
<head>
<title>Reverse proxy landing page</title>
<style>
body,html {
    font:12px/16px verdana,arial,sans;
}
</style>
</head>
<body>
<a href="/guacamole">Guacamole</a>
</body>
</html>

After restarting the nginx container you should be able to access Guacamole on the default web server port 80 instead of 8080.

sudo docker stop my-nginx
sudo docker start my-nginx

Now open a browser and go to the IP address of the server (or your configured domain). Click on the link to open the Guacamole login page.
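
With nginx in front, my-guacamole is still published with -p 8080:8080, so port 8080 answers on every interface of the host and bypasses the proxy. The check below is an added example, not part of the original post; it lists such bindings from docker ps output and runs here on a constructed sample.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: find container ports that are
# published on every host interface and so bypass the nginx proxy.
# Live input:  sudo docker ps --format '{{.Names}}|{{.Ports}}'

# Constructed sample of that output for the containers in this post.
SAMPLE_PS='my-nginx|
my-guacamole|0.0.0.0:8080->8080/tcp, :::8080->8080/tcp
my-guacd|4822/tcp
mysqld|3306/tcp, 33060/tcp'

# Read "name|ports" lines, print "name hostport" for wildcard bindings.
published_on_all_interfaces() {
    awk -F'|' '{
        n = split($2, binding, /, */)
        for (i = 1; i <= n; i++) {
            # 0.0.0.0:P->, :::P-> and [::]:P-> all mean "any interface".
            if (binding[i] ~ /^(0\.0\.0\.0|\[::\]|::):[0-9-]+->/) {
                port = binding[i]
                sub(/->.*/, "", port)   # drop the container side
                sub(/^.*:/, "", port)   # drop the host address
                print $1, port
            }
        }
    }' | sort -u
}

printf '%s\n' "$SAMPLE_PS" | published_on_all_interfaces
```

To clear the finding, recreate my-guacamole with `-p 127.0.0.1:8080:8080` in place of `-p 8080:8080`. nginx runs with `--network="host"` and proxies to 127.0.0.1:8080, so it still reaches Guacamole.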

The next step is to get the server running on https. In a next post I’ll show you how this can be done.
