Deployment Overview of Apache Guacamole + Xfce on Server¶
Prerequisites and Basic Requirements¶
The deployment requires a server running either Debian-based (Ubuntu/Xubuntu) or RHEL-based distributions. The following system requirements must be met:
| Requirement | Specification |
|---|---|
| Privileges | Root or sudo access required for package installation and service management |
| Domain | hostkey.in |
| Internal Port | 8080 (Tomcat) |
| External Port | 443 (HTTPS via Nginx/Certbot) |
FQDN of the final panel on the hostkey.in domain¶
The application is accessible via a subdomain following this pattern: <prefix><Server ID>.hostkey.in
Based on the configuration, the path for the Guacamole web interface is set to /guacamole/.
File and Directory Structure¶
The system utilizes specific directories for configuration, binaries, and user data:
| Path | Description |
|---|---|
| /etc/guacamole | Main configuration directory (the Guacamole home directory, GUACAMOLE_HOME) |
| /etc/guacamole/extensions | Guacamole extensions |
| /etc/guacamole/lib | Guacamole library files |
| /var/lib/tomcat9/webapps/ | Tomcat web application deployment folder |
| /root/nginx | Nginx and Docker Compose configuration directory |
| /data/nginx/user_conf.d | Custom Nginx user configurations |
Application installation process¶
The application is installed by compiling guacamole-server from source and deploying the Guacamole Client WAR file to Tomcat 9.
- Guacamole Server: the latest `guacamole-server` release is fetched from Apache's official download site, extracted under `/root/`, configured with `--with-init-dir=/etc/init.d` (so guacd gets a SysV init script that systemd picks up), compiled with `make`, and installed with `make install`. After installation, run `ldconfig` so that guacd finds the freshly installed libguac libraries.
- Guacamole Client: the matching `guacamole-<version>.war` file is downloaded and deployed to the Tomcat 9 webapps directory as `guacamole.war`, which is why the web interface is served under `/guacamole/`.
- Tomcat 9: acts as the servlet container for the Guacamole web application.
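The build and deployment steps above, as an added example that is not part of the original page: a small POSIX shell script that downloads the two Apache artifacts, verifies each against the SHA-256 digest the operator copies from the Apache download page, builds guacamole-server with the page's `--with-init-dir=/etc/init.d` flag and drops the WAR into Tomcat 9's webapps directory. The release number in `GUAC_VERSION` and the `downloads.apache.org` URL layout are assumptions to check against the current Apache Guacamole download page; the build dependencies listed in the Guacamole manual must already be installed.

```shell
#!/bin/sh
# Added example (not from the original page): fetch, verify and build
# guacamole-server, then deploy the client WAR to Tomcat 9, following the
# steps the page describes. GUAC_VERSION and the downloads.apache.org URL
# layout are assumptions; check them against the Apache Guacamole download page.
set -eu

GUAC_VERSION="${GUAC_VERSION:-1.5.5}"          # assumed; the page only says "latest"
GUAC_BASE="https://downloads.apache.org/guacamole"
BUILD_ROOT="/root"                              # page: sources are extracted under /root/
WEBAPPS="/var/lib/tomcat9/webapps"              # page: Tomcat 9 deployment folder

guac_server_url() { echo "$GUAC_BASE/$1/source/guacamole-server-$1.tar.gz"; }
guac_client_url() { echo "$GUAC_BASE/$1/binary/guacamole-$1.war"; }

# verify_sha256 FILE EXPECTED -> 0 if the file's SHA-256 matches, 1 otherwise.
# Apache publishes a .sha256 digest next to each artifact; compare before building.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# fetch_and_verify URL EXPECTED_SHA256 DEST -> download, check, delete on mismatch
fetch_and_verify() {
    curl -fsSL -o "$3" "$1"
    if ! verify_sha256 "$3" "$2"; then
        echo "checksum mismatch for $1" >&2
        rm -f "$3"
        return 1
    fi
}

# install_guac_server EXPECTED_SHA256 -> build and install guacd from source
install_guac_server() {
    tarball="$BUILD_ROOT/guacamole-server-$GUAC_VERSION.tar.gz"
    fetch_and_verify "$(guac_server_url "$GUAC_VERSION")" "$1" "$tarball"
    tar -xzf "$tarball" -C "$BUILD_ROOT"
    cd "$BUILD_ROOT/guacamole-server-$GUAC_VERSION"
    ./configure --with-init-dir=/etc/init.d   # page: SysV init script for guacd
    make
    make install
    ldconfig                                   # refresh the linker cache so guacd finds libguac
}

# deploy_guac_client EXPECTED_SHA256 -> place the WAR as guacamole.war (served at /guacamole/)
deploy_guac_client() {
    war="$WEBAPPS/guacamole.war"
    fetch_and_verify "$(guac_client_url "$GUAC_VERSION")" "$1" "$war.tmp"
    mv "$war.tmp" "$war"   # atomic swap; Tomcat auto-deploys the new archive
}

case "${1:-}" in
    server) install_guac_server "$2" ;;
    client) deploy_guac_client "$2" ;;
esac
```

Run it as `sh install.sh server <sha256>` and `sh install.sh client <sha256>`, pasting the digests from the Apache download page; a mismatch aborts before anything is compiled or deployed, which is the check worth having when the source tarball is the root of trust for the whole install.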
Access Rights and Security¶
Security is managed through several layers:
- Firewall/Proxy: an Nginx container with Certbot terminates TLS on port 443. Tomcat's port 8080 is an internal port and should not be reachable from outside the host.
- User Authentication: configured via `user-mapping.xml` using MD5-hashed passwords. The hash is an unsalted MD5 of the password, so the file itself must be protected from untrusted local users.
- System Users: a dedicated system user named `user` is created for Xfce desktop access; it belongs to the `user` group and to the `ssl-cert` group (required by XRDP to read its TLS key).
- Service Permissions: the `/etc/guacamole` directories are restricted to mode 0750 or 0755.
Databases¶
No database is used. The current implementation relies on a local configuration file for user mapping:
- Configuration File: `/etc/guacamole/user-mapping.xml`
- Authentication Method: MD5 hashing of passwords within the XML file (`encoding="md5"` on each `<authorize>` element; the attribute holds the hex digest of the password).
Docker Containers and Their Deployment¶
The deployment uses Docker Compose to manage the reverse proxy and the SSL certificate lifecycle via the jonasal/nginx-certbot:latest image.
Deployment is executed from /root/nginx, the directory that holds the Compose file.
Container Configuration:
- Image: `jonasal/nginx-certbot:latest`
- Network Mode: `host` (the container shares the host's network namespace, so it listens on the host's port 443 directly and reaches Tomcat on port 8080 without any port mapping)
- Volumes:
  - `nginx_secrets:/etc/letsencrypt` (external volume holding the Let's Encrypt certificates and account keys)
  - `/data/nginx/user_conf.d:/etc/nginx/user_conf.d`
Proxy Servers¶
The system employs a Dockerized Nginx instance acting as a reverse proxy to provide HTTPS via Let's Encrypt.
- SSL Management: handled by Certbot integrated within the Nginx container.
- Custom Domains: configured through user-defined files in `/data/nginx/user_conf.d`.
- Email for Certbot: [email protected]
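The container and proxy configuration described in the two sections above, as an added example that is not the page's own files: a shell script that emits the `docker-compose.yml` for `/root/nginx` and the `user_conf.d` server block for one panel FQDN, then starts the container. The FQDN and the Certbot e-mail are constructed placeholders; the `proxy_*` directives follow Apache Guacamole's own Nginx proxying guidance, and the script assumes the external `nginx_secrets` volume already exists (`docker volume create nginx_secrets`).

```shell
#!/bin/sh
# Added example (not the page's own files): generate the Compose file and the
# Nginx server block matching the container configuration described on the page,
# then bring the proxy up. FQDN and e-mail are constructed placeholders passed in
# as arguments; the nginx_secrets volume is assumed to exist already (external).
set -eu

COMPOSE_DIR="/root/nginx"                 # page: deployment runs from here
USER_CONF_DIR="/data/nginx/user_conf.d"   # page: bind-mounted into the container

# compose_file CERTBOT_EMAIL -> docker-compose.yml content on stdout
compose_file() {
    cat <<EOF
services:
  nginx:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    network_mode: host
    environment:
      - CERTBOT_EMAIL=$1
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - $USER_CONF_DIR:/etc/nginx/user_conf.d
volumes:
  nginx_secrets:
    external: true
EOF
}

# site_conf FQDN -> Nginx server block publishing /guacamole/ behind TLS on 443.
# jonasal/nginx-certbot requests the certificate named in ssl_certificate by
# itself. The Upgrade/Connection headers keep Guacamole's WebSocket tunnel
# working; without them it silently falls back to the slower HTTP tunnel.
site_conf() {
    cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     /etc/letsencrypt/live/$1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \$http_connection;
        access_log off;
    }
}
EOF
}

# deploy FQDN EMAIL -> write both files and (re)create the container
deploy() {
    mkdir -p "$COMPOSE_DIR" "$USER_CONF_DIR"
    compose_file "$2" > "$COMPOSE_DIR/docker-compose.yml"
    site_conf "$1" > "$USER_CONF_DIR/$1.conf"
    cd "$COMPOSE_DIR" && docker compose up -d
}

if [ "${1:-}" = deploy ]; then
    deploy "$2" "$3"
fi
```

Because the container runs with `network_mode: host`, nothing stops a client from talking to Tomcat on port 8080 over plain HTTP unless that port is bound to loopback or blocked by the host firewall; the proxy only adds TLS for traffic that actually arrives on 443. With `proxy_pass` pointing at `127.0.0.1:8080`, Tomcat can safely be restricted to the loopback address.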
Permission Settings¶
Specific permissions are applied to ensure service stability and security. Note that mode 0755 on `user-mapping.xml` makes the unsalted MD5 password digests readable by every local account; if local users other than the administrator exist on the host, a tighter mode that still lets the Tomcat process read the file is preferable.
| File/Directory | Permissions | Owner/Group |
|---|---|---|
| /etc/guacamole | 0750 | root:root |
| /etc/guacamole/extensions | 0750 | root:root |
| /etc/guacamole/lib | 0750 | root:root |
| /etc/guacamole/user-mapping.xml | 0755 | root:root |
| /var/lib/tomcat9/webapps/guacamole.war | 0755 | root:root |
Available ports for connection¶
The following ports are used by the system components:
- 443 (TCP): external HTTPS access via Nginx.
- 8080 (TCP): internal Tomcat service port.
- 3389 (TCP): RDP protocol used for Guacamole connections to remote hosts.
Starting, Stopping, and Updating¶
Service management is performed using systemd.
Guacamole Server (guacd):
Tomcat 9:
Nginx Proxy (via Docker):