
Deployment Overview of Apache Guacamole + Xfce on Server

Prerequisites and Basic Requirements

The deployment requires a Linux server running a Debian, Ubuntu, or RHEL-based distribution. Installation requires root privileges to install system dependencies, compile the Guacamole server, and configure the Tomcat web server.

The following system packages are required as dependencies for the Guacamole server compilation:

  • gawk
  • curl
  • dnsutils (Debian/Ubuntu) or bind-utils (RHEL)
  • make
  • libcairo2-dev or cairo-devel
  • libjpeg62-turbo-dev or libjpeg-turbo-devel
  • libpng-dev or libpng-devel
  • libtool-bin or libtool
  • uuid-dev or libuuid-devel
  • libavcodec-dev, libavformat-dev, libavutil-dev, libswscale-dev (or ffmpeg-devel on RHEL)
  • freerdp2-dev or freerdp-devel
  • libpango1.0-dev or pango-devel
  • libssh2-1-dev or libssh2-devel
  • libtelnet-dev or libtelnet-devel
  • libvncserver-dev or libvncserver-devel
  • libwebsockets-dev or libwebsockets-devel
  • libpulse-dev or pulseaudio-libs-devel
  • libssl-dev or openssl-devel
  • libvorbis-dev or libvorbis-devel
  • libwebp-dev or libwebp-devel

For the Xfce desktop environment, the following packages are installed:

  • xubuntu-desktop
  • xrdp

File and Directory Structure

The application utilizes the following directory structure for configuration, libraries, and web applications:

  • /etc/guacamole/: The primary configuration directory for Guacamole.
  • /etc/guacamole/extensions/: Directory for Guacamole extensions.
  • /etc/guacamole/lib/: Directory for Guacamole libraries.
  • /etc/guacamole/guacd.conf: Configuration file for the Guacamole daemon.
  • /etc/guacamole/user-mapping.xml: User mapping configuration file.
  • /var/lib/tomcat9/webapps/: Directory containing the Tomcat web applications.
  • /var/lib/tomcat9/webapps/guacamole.war: The deployed Guacamole web application.
  • /etc/default/tomcat9: Configuration file for the Tomcat service environment variables.
  • /root/nginx/: Directory containing the Docker Compose configuration for the reverse proxy.
  • /root/nginx/compose.yml: Docker Compose file for Nginx and Certbot.
  • /usr/local/bin/start-xubuntu: Custom script to launch the Xfce session.
  • /home/user/.xsession: User session configuration file for Xrdp.

Application Installation Process

The installation involves compiling the Guacamole server from source and deploying the Guacamole web application via Tomcat. The installation automatically detects the latest available version from the Apache repository.

  1. Source Compilation: The guacamole-server source code is downloaded, extracted to /root/, and compiled using the configure, make, and make install commands. The configuration script is executed with the --with-init-dir=/etc/init.d flag.
  2. Tomcat Deployment: The tomcat9 package is installed via the system package manager. The guacamole.war file is downloaded directly from the Apache repository and placed into /var/lib/tomcat9/webapps/.
  3. Environment Configuration: The environment variable GUACAMOLE_HOME=/etc/guacamole is appended to /etc/default/tomcat9 to define the Guacamole home directory.
  4. Daemon Setup: The guacd service is configured and enabled to start on boot.
  5. Xfce Desktop Setup: The xubuntu-desktop and xrdp packages are installed. A system user named user is created with a home directory at /home/user. The start-xubuntu script is copied to /usr/local/bin/, and the .xsession file is configured to launch this script.

Access Rights and Security

The deployment configures specific access controls and security settings for the services:

  • User Management: A system user named user is created with the shell /bin/bash and added to the user group.
  • Xrdp Configuration:
      • The xrdp service is added to the ssl-cert group.
      • The encryption level in /etc/xrdp/xrdp.ini is set to low (crypt_level=low).
      • The color depth is set to 16 bits (xserverbpp=16).
      • The PolicyKit agent helper at /usr/lib/policykit-1/polkit-agent-helper-1 is assigned mode 5755 (setuid and sticky bits set).
  • File Permissions:
      • Configuration directories /etc/guacamole/extensions and /etc/guacamole/lib are owned by root:root with mode 0750 or 0755.
      • The guacd.conf file is set to mode 0644 or 0755.
      • The user-mapping.xml file is set to mode 0750 or 0755.
      • The guacamole.war file is set to mode 0755.
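The two configuration-file edits listed above (crypt_level and xserverbpp in xrdp.ini) and the GUACAMOLE_HOME line appended to /etc/default/tomcat9 in the installation steps are the kind of change that must be safe to re-run. The helpers below are an added example, not part of the deployment's own scripts: they take the file path as a parameter so they can be tried on a copy first, the key replacement is section-agnostic (every matching key line in the file is rewritten), and repeated runs leave the files unchanged. The function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not the deployment's own scripts): idempotent edits for
# /etc/default/tomcat9 and /etc/xrdp/xrdp.ini, parameterised by file path.

# ensure_line FILE LINE: append LINE to FILE unless an identical line is already present.
ensure_line() {
    file=$1; line=$2
    [ -f "$file" ] || : > "$file"
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# set_ini_value FILE KEY VALUE: rewrite every "KEY = ..." line (whitespace around
# '=' tolerated) as KEY=VALUE, or append KEY=VALUE when the key is absent.
# Section headers ([Globals], [Xvnc], ...) are left untouched.
set_ini_value() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*$key[[:space:]]*=.*|$key=$value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    # Copy back over the original so its mode and owner are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_ini_value FILE KEY: print the value of the first KEY=... line.
get_ini_value() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# apply_page_settings TOMCAT_DEFAULTS XRDP_INI: the three edits the overview describes.
apply_page_settings() {
    ensure_line "$1" 'GUACAMOLE_HOME=/etc/guacamole'
    set_ini_value "$2" crypt_level low
    set_ini_value "$2" xserverbpp 16
}

# Usage on a live system (as root):
#   apply_page_settings /etc/default/tomcat9 /etc/xrdp/xrdp.ini
```

Because set_ini_value rewrites every line carrying the key, a key that appears in more than one section of xrdp.ini (xserverbpp does, in the per-backend sections) is changed everywhere, which matches the overview's "set to 16" but is worth knowing before pointing it at a hand-edited file.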

Docker Containers and Their Deployment

A reverse proxy and SSL certificate management system is deployed using Docker Compose.

  • Image: The deployment uses the jonasal/nginx-certbot:latest image.
  • Configuration: The Docker Compose file is located at /root/nginx/compose.yml.
  • Volumes:
      • nginx_secrets: An external volume mounted to /etc/letsencrypt for storing SSL certificates.
      • /data/nginx/user_conf.d: Mounted to /etc/nginx/user_conf.d for custom Nginx configurations.
  • Environment:
      • The CERTBOT_EMAIL is set to [email protected].
      • An environment file is loaded from /data/nginx/nginx-certbot.env.
  • Network: The container runs in host network mode.
  • Restart Policy: The container is configured with restart: unless-stopped.
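The items above describe /root/nginx/compose.yml completely enough to reconstruct it. The script below is an added example, not the deployment's own file: write_nginx_compose writes that compose file (the e-mail address is a parameter; the overview's value is not reproduced, and the env-file path defaults to the one listed), and lint_compose performs two checks a reviewer would want before running it: that the image reference is pinned to a version or digest rather than a floating tag such as the :latest the overview uses, and that the env file, which may hold secrets, is not world-readable. The function names and the lint rules are this example's own.

```shell
#!/bin/sh
# Added example (not the deployment's own file): reconstruct compose.yml from the
# overview and run two review checks on it. Assumes GNU find/sed (Linux).

# write_nginx_compose DIR EMAIL [ENV_FILE]: write DIR/compose.yml as described above.
write_nginx_compose() {
    dir=$1; email=$2; env_file=${3:-/data/nginx/nginx-certbot.env}
    mkdir -p "$dir"
    cat > "$dir/compose.yml" <<EOF
services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    network_mode: host
    environment:
      - CERTBOT_EMAIL=$email
    env_file:
      - $env_file
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - /data/nginx/user_conf.d:/etc/nginx/user_conf.d
volumes:
  nginx_secrets:
    external: true
EOF
}

# compose_image FILE: print the first image reference in the compose file.
compose_image() {
    sed -nE 's/^[[:space:]]*image:[[:space:]]*//p' "$1" | head -n 1
}

# compose_env_files FILE: print the paths listed under env_file:, one per line.
compose_env_files() {
    sed -nE '/^[[:space:]]*env_file:/,/^[[:space:]]*[A-Za-z_]+:/{s/^[[:space:]]*-[[:space:]]*//p;}' "$1"
}

# image_is_pinned IMAGE: 0 if IMAGE carries a digest or a tag other than "latest".
image_is_pinned() {
    case $1 in *@sha256:*) return 0 ;; esac   # digest-pinned
    tag=${1##*:}
    case $tag in */*) return 1 ;; esac        # the only ':' was a registry port: no tag
    [ "$tag" != "$1" ] && [ "$tag" != latest ]
}

# lint_compose FILE: report findings on stderr; the return value is the finding count.
lint_compose() {
    f=$1; findings=0
    img=$(compose_image "$f")
    if ! image_is_pinned "$img"; then
        echo "FINDING: image '$img' is not pinned to a version or digest" >&2
        findings=$((findings + 1))
    fi
    # Paths are split on whitespace here, so env-file paths with spaces are not supported.
    for e in $(compose_env_files "$f"); do
        if [ -e "$e" ] && find "$e" -perm -o=r | grep -q .; then
            echo "FINDING: env file $e is world-readable" >&2
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Usage on the server (as root):
#   write_nginx_compose /root/nginx admin@example.invalid && lint_compose /root/nginx/compose.yml
```

With the overview's settings as written, lint_compose reports the floating :latest tag; whether to accept that or pin the image is a deployment decision, but the check makes it an explicit one.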

Proxy Servers

The Nginx reverse proxy is managed via Docker. It handles TLS termination, with certificates obtained and renewed by Certbot.

  • Service: The Nginx service runs inside a Docker container.
  • SSL/Certificates: Managed automatically by the nginx-certbot image using the nginx_secrets volume.
  • Custom Domains: Custom configurations are placed in the mounted volume /data/nginx/user_conf.d.
  • Deployment Command: The stack is started using docker compose up -d from the /root/nginx directory.

Permission Settings

File and directory permissions are explicitly set during the deployment to ensure proper operation:

  • /etc/guacamole/: Owned by root:root.
  • /etc/guacamole/extensions: Mode 0750 or 0755.
  • /etc/guacamole/lib: Mode 0750 or 0755.
  • /etc/guacamole/guacd.conf: Mode 0644 or 0755.
  • /etc/guacamole/user-mapping.xml: Mode 0750 or 0755.
  • /var/lib/tomcat9/webapps/guacamole.war: Mode 0755.
  • /usr/local/bin/start-xubuntu: Mode 0755, owned by root:root.
  • /home/user/.xsession: Owned by user:user, executable.
  • /usr/lib/policykit-1/polkit-agent-helper-1: Mode 5755.
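The list above is a checklist, and a deployment drifts from it over time (package upgrades, hand edits). The script below is an added example, not part of the deployment's own scripts: it audits every path listed above against the stated modes and owners, counts deviations in its return value, and, because user-mapping.xml holds the connection credentials, additionally reports when "other" can read that file. The root directory is a parameter so the same functions can be run against a scratch tree; ownership checks can be switched off with GUAC_CHECK_OWNER=0 for such dry runs. It assumes GNU stat (Linux); modes are compared without a leading zero, as stat -c '%a' prints them.

```shell
#!/bin/sh
# Added example (not the deployment's own scripts): audit the permission settings
# listed in the overview. Assumes GNU coreutils (stat -c).

mode_of()  { stat -c '%a' "$1"; }      # e.g. 755 or 5755
owner_of() { stat -c '%U:%G' "$1"; }   # e.g. root:root

# check_mode PATH ALLOWED_MODE...: 0 if the mode is one of the allowed values,
# 1 on mismatch, 2 if the path is missing.
check_mode() {
    path=$1; shift
    actual=$(mode_of "$path") || return 2
    for m in "$@"; do
        [ "$actual" = "$m" ] && return 0
    done
    echo "BAD MODE: $path is $actual, expected one of: $*" >&2
    return 1
}

# check_owner PATH USER:GROUP
check_owner() {
    path=$1; expected=$2
    actual=$(owner_of "$path") || return 2
    [ "$actual" = "$expected" ] && return 0
    echo "BAD OWNER: $path is $actual, expected $expected" >&2
    return 1
}

# world_readable PATH: 0 if the "other" class has read permission.
world_readable() {
    m=$(mode_of "$1") || return 2
    other=${m#"${m%?}"}   # last octal digit = permissions for "other"
    case $other in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# audit_guacamole_perms [ROOT]: check every path from the overview under ROOT
# (default /). Returns the number of deviations.
audit_guacamole_perms() {
    root=${1:-/}; root=${root%/}
    fail=0
    check_mode "$root/etc/guacamole/extensions" 750 755            || fail=$((fail + 1))
    check_mode "$root/etc/guacamole/lib" 750 755                   || fail=$((fail + 1))
    check_mode "$root/etc/guacamole/guacd.conf" 644 755            || fail=$((fail + 1))
    check_mode "$root/etc/guacamole/user-mapping.xml" 750 755      || fail=$((fail + 1))
    check_mode "$root/var/lib/tomcat9/webapps/guacamole.war" 755   || fail=$((fail + 1))
    check_mode "$root/usr/local/bin/start-xubuntu" 755             || fail=$((fail + 1))
    check_mode "$root/usr/lib/policykit-1/polkit-agent-helper-1" 5755 || fail=$((fail + 1))
    [ -x "$root/home/user/.xsession" ] || {
        echo "NOT EXECUTABLE: $root/home/user/.xsession" >&2; fail=$((fail + 1)); }
    if [ "${GUAC_CHECK_OWNER:-1}" = 1 ]; then
        check_owner "$root/etc/guacamole" root:root               || fail=$((fail + 1))
        check_owner "$root/usr/local/bin/start-xubuntu" root:root || fail=$((fail + 1))
        check_owner "$root/home/user/.xsession" user:user         || fail=$((fail + 1))
    fi
    # Not counted as a deviation (0755 is one of the listed modes), but worth seeing:
    # user-mapping.xml holds connection credentials.
    if world_readable "$root/etc/guacamole/user-mapping.xml" 2>/dev/null; then
        echo "NOTE: user-mapping.xml is readable by every local user" >&2
    fi
    return $fail
}

# Usage on the server: audit_guacamole_perms /   (exit status = number of deviations)
```

Run as root on the live system the audit needs no arguments; the NOTE line is the one worth acting on first, since the listed 0755 option leaves the credential file readable by every local account on the host.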

Starting, Stopping, and Updating

The services are managed using systemd for native components and docker compose for the proxy.

Guacamole Daemon (guacd)

  • Start: systemctl start guacd
  • Enable on boot: systemctl enable guacd
  • Restart: systemctl restart guacd

Tomcat Web Server (tomcat9)

  • Start: systemctl start tomcat9
  • Enable on boot: systemctl enable tomcat9
  • Restart: systemctl restart tomcat9

Xrdp Service

  • Start: systemctl start xrdp
  • Enable on boot: systemctl enable xrdp
  • Restart: systemctl restart xrdp

Nginx Proxy (Docker)

  • Start: docker compose up -d (executed from /root/nginx)
  • Stop: docker compose down (executed from /root/nginx)
  • Update: Pull the latest image and restart the container using docker compose up -d.

Library Cache

  • After installing the Guacamole server, the dynamic linker cache is updated using ldconfig.
