
Deployment Overview of Apache Guacamole + Xfce on Server

Prerequisites and Basic Requirements

The deployment requires a server running either Debian-based (Ubuntu/Xubuntu) or RHEL-based distributions. The following system requirements must be met:

Requirement      Specification
Privileges       Root or sudo access required for package installation and service management
Domain           hostkey.in
Internal Port    8080 (Tomcat)
External Port    443 (HTTPS via Nginx/Certbot)

FQDN of the final panel on the hostkey.in domain

The application is accessible via a subdomain following this pattern: <prefix><Server ID>.hostkey.in

Based on the configuration, the path for the Guacamole web interface is set to /guacamole/.

File and Directory Structure

The system utilizes specific directories for configuration, binaries, and user data:

Path                          Description
/etc/guacamole                Main configuration directory (GUACAMOLE_HOME)
/etc/guacamole/extensions     Guacamole extensions
/etc/guacamole/lib            Guacamole library files
/var/lib/tomcat9/webapps/     Tomcat web application deployment folder
/root/nginx                   Nginx and Docker Compose configuration directory
/data/nginx/user_conf.d       Custom Nginx user configurations

Application installation process

The application is installed by compiling the Guacamole Server from source and deploying the Guacamole Client WAR file via Tomcat 9.

  1. Guacamole Server: The latest guacamole-server release is fetched from Apache's official repository, extracted under /root/, configured with --with-init-dir=/etc/init.d, compiled with make, and installed with make install.

  2. Guacamole Client: The corresponding .war file is downloaded and deployed to the Tomcat 9 webapps directory as guacamole.war.

  3. Tomcat 9: Acts as the servlet container for the Guacamole application.

Access Rights and Security

Security is managed through several layers:

  • Firewall/Proxy: An Nginx container with Certbot handles SSL termination on port 443.

  • User Authentication: Authentication is configured via user-mapping.xml using MD5 hashed passwords.

  • System Users: A dedicated system account named "user" is created for Xfce desktop access. It belongs to the "user" group and to the ssl-cert group, which xrdp requires in order to read the TLS key.

  • Service Permissions: The /etc/guacamole directories are set to mode 0750 and the files below them to 0755 (see Permission Settings).

Databases

The current implementation utilizes a local configuration file for user mapping:

  • Configuration File: /etc/guacamole/user-mapping.xml

  • Authentication Method: MD5 hashing of passwords within the XML file.
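The user-mapping.xml layout that the two bullets above refer to, as an added example script that is not part of HOSTKEY's deployment: it builds one user with an RDP connection, using the encoding="md5" attribute documented in the Guacamole manual, and then checks that the file is not world-readable. The username, password and RDP host passed in the usage line are constructed placeholders. Because encoding="md5" stores an unsalted hex digest, the file is the only thing standing between a reader of /etc/guacamole and the credentials, so the script writes it 0600 and, when a group is given (assumed here to be the account Tomcat runs as), relaxes it only to 0640 for that group.

```shell
#!/bin/sh
# Added example, not HOSTKEY's scripts. Requires GNU coreutils (md5sum, stat -c).

# Hex MD5 digest of a password, the form Guacamole expects with encoding="md5".
guac_md5() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Write a user-mapping.xml with one user and one RDP connection.
# $1 = output path, $2 = username, $3 = password, $4 = RDP hostname,
# $5 = (optional) group that must be able to read the file, e.g. tomcat
write_user_mapping() {
    out="$1"; user="$2"; pass="$3"; rdp_host="$4"; group="${5:-}"
    hash=$(guac_md5 "$pass")
    # umask 077 in a subshell so the file is created 0600 without changing the caller's umask
    (
        umask 077
        cat > "$out" <<EOF
<user-mapping>
    <authorize username="$user" password="$hash" encoding="md5">
        <connection name="Xfce desktop">
            <protocol>rdp</protocol>
            <param name="hostname">$rdp_host</param>
            <param name="port">3389</param>
        </connection>
    </authorize>
</user-mapping>
EOF
    )
    # Only the servlet container needs to read the hashes: group read, never world read.
    if [ -n "$group" ]; then
        chgrp "$group" "$out" && chmod 0640 "$out"
    fi
}

# Return 0 if "others" have no read bit on the file, 1 if the file is world-readable.
mapping_is_private() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *[4567]) return 1 ;;   # last octal digit has the read bit set
        *)       return 0 ;;
    esac
}

# Usage (constructed values): write_user_mapping /etc/guacamole/user-mapping.xml alice 'S3cret' 127.0.0.1 tomcat
#                             mapping_is_private /etc/guacamole/user-mapping.xml || echo "user-mapping.xml is world-readable" >&2
```

Usernames containing XML-special characters (&, <, ") would need escaping before being placed in the attribute; the script does not do that.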

Docker Containers and Their Deployment

The deployment uses Docker Compose to manage the reverse proxy and SSL certificate lifecycle via the jonasal/nginx-certbot:latest image.

Deployment is executed from /root/nginx:

docker compose up -d

Container Configuration:

  • Image: jonasal/nginx-certbot:latest

  • Network Mode: host

  • Volumes:

    • nginx_secrets:/etc/letsencrypt (External volume for SSL certificates)

    • /data/nginx/user_conf.d:/etc/nginx/user_conf.d

Proxy Servers

The system employs a Dockerized Nginx instance acting as a reverse proxy to provide HTTPS capabilities via Let's Encrypt.

  • SSL Management: Handled by Certbot integrated within the Nginx container.

  • Custom Domains: Configured through user-defined files in /data/nginx/user_conf.d.

  • Email for Certbot: [email protected]
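The Docker Compose service and the user_conf.d server block that the two sections above describe, written out by an added example script that is not part of HOSTKEY's deployment. The Compose file mirrors the container settings listed earlier (host networking, the external nginx_secrets volume, the user_conf.d bind mount) and sets the image's CERTBOT_EMAIL variable; the FQDN and e-mail address are constructed placeholders. The server block forwards /guacamole/ to Tomcat on 127.0.0.1:8080 with the Upgrade/Connection headers and proxy_buffering off that Guacamole's WebSocket tunnel needs, and a check function verifies those lines are present, since a proxy that silently drops them degrades every session to the slower HTTP tunnel. The certificate paths assume the image's /etc/letsencrypt/live/<server name>/ layout.

```shell
#!/bin/sh
# Added example, not HOSTKEY's scripts.

# Write docker-compose.yml. $1 = target directory (e.g. /root/nginx), $2 = Certbot e-mail
write_compose() {
    mkdir -p "$1"
    cat > "$1/docker-compose.yml" <<EOF
services:
  nginx-certbot:
    image: jonasal/nginx-certbot:latest
    restart: unless-stopped
    network_mode: host
    environment:
      - CERTBOT_EMAIL=$2
    volumes:
      - nginx_secrets:/etc/letsencrypt
      - /data/nginx/user_conf.d:/etc/nginx/user_conf.d
volumes:
  nginx_secrets:
    external: true
EOF
}

# Write the Guacamole server block. $1 = user_conf.d directory, $2 = panel FQDN
# (\$ keeps the Nginx variables literal inside the unquoted heredoc)
write_guac_conf() {
    mkdir -p "$1"
    cat > "$1/guacamole.conf" <<EOF
server {
    listen 443 ssl;
    server_name $2;

    ssl_certificate     /etc/letsencrypt/live/$2/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$2/privkey.pem;

    # Only the Guacamole path is exposed; Tomcat's other contexts stay internal on 8080.
    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \$http_connection;
    }
}
EOF
}

# Return 0 if a server block carries everything the WebSocket tunnel needs, 1 otherwise.
conf_has_websocket_support() {
    grep -qF 'proxy_http_version 1.1' "$1" &&
    grep -qF 'Upgrade $http_upgrade' "$1" &&
    grep -qF 'Connection $http_connection' "$1" &&
    grep -qF 'proxy_buffering off' "$1"
}

# Usage (constructed values):
#   write_compose /root/nginx admin@example.com
#   write_guac_conf /data/nginx/user_conf.d panel123.hostkey.in
#   conf_has_websocket_support /data/nginx/user_conf.d/guacamole.conf || echo "tunnel headers missing" >&2
#   cd /root/nginx && docker compose up -d
```

The image looks for ssl_certificate lines in user_conf.d to learn which names to request certificates for, so the server_name and the directory name under /etc/letsencrypt/live/ must match.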

Permission Settings

Specific permissions are applied to ensure service stability and security:

File/Directory                            Permissions   Owner/Group
/etc/guacamole                            0750          root:root
/etc/guacamole/extensions                 0750          root:root
/etc/guacamole/lib                        0750          root:root
/etc/guacamole/user-mapping.xml           0755          root:root
/var/lib/tomcat9/webapps/guacamole.war    0755          root:root

Available ports for connection

The following ports are utilized by the system components:

  • 443 (TCP): External HTTPS access via Nginx.

  • 8080 (TCP): Internal Tomcat service port.

  • 3389 (TCP): RDP protocol used for Guacamole connections to remote hosts.

Starting, Stopping, and Updating

guacd and Tomcat are managed with systemd; the Nginx proxy is managed with Docker Compose.

Guacamole Server (guacd):

systemctl start guacd
systemctl stop guacd
systemctl enable guacd

Tomcat 9:

systemctl restart tomcat9

Nginx Proxy (via Docker):

cd /root/nginx
docker compose up -d
docker compose down
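A post-start check for the port list and the start commands above, as an added example that is not part of HOSTKEY's tooling: it confirms that guacd and tomcat9 are active and that the three TCP ports from the ports section are actually listening. The port check is split into a pure function that parses ss -Hltn output, so it can be run against captured output as well as a live host; the sample lines in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not HOSTKEY's scripts. Requires iproute2 (ss) and systemd.

# Return 0 if every expected port appears as a listening TCP socket in the
# given ss output, otherwise list the missing ports on stderr and return 1.
# $1 = output of `ss -Hltn` (no header), remaining args = ports to expect
check_listeners() {
    ss_out="$1"; shift
    # Column 4 is "Local Address:Port", e.g. 0.0.0.0:443, 127.0.0.1:8080 or [::]:3389;
    # strip everything up to the last colon to keep just the port.
    listening=$(printf '%s\n' "$ss_out" | awk '$1 == "LISTEN" { sub(/.*:/, "", $4); print $4 }')
    missing=""
    for port in "$@"; do
        printf '%s\n' "$listening" | grep -qx "$port" || missing="$missing $port"
    done
    if [ -n "$missing" ]; then
        echo "not listening:$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 if every named systemd unit is active, 1 at the first one that is not.
services_active() {
    for svc in "$@"; do
        systemctl is-active --quiet "$svc" || { echo "$svc is not active" >&2; return 1; }
    done
    return 0
}

# Live check for this deployment: HTTPS on 443, Tomcat on 8080, xrdp on 3389.
# Note that 8080 and 3389 are expected to be bound locally, not exposed through the firewall.
deployment_healthy() {
    services_active guacd tomcat9 && check_listeners "$(ss -Hltn)" 443 8080 3389
}

# Usage: deployment_healthy && echo "guacamole stack is up"
# Constructed sample of what `ss -Hltn` prints on a healthy host:
#   LISTEN 0 4096   0.0.0.0:443   0.0.0.0:*
#   LISTEN 0 100  127.0.0.1:8080  0.0.0.0:*
#   LISTEN 0 128       [::]:3389     [::]:*
```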
