From 647eedda25cdc64ee0c9eedbead89a8a25d2c46f Mon Sep 17 00:00:00 2001 From: Ronan SALMON Date: Fri, 3 Mar 2023 16:22:48 +0100 Subject: [PATCH 1/3] GUACAMOLE-1746: Docker Allow usage of custom keystore and custom certificat --- guacamole-docker/README.md | 43 +++++++++++++++++++++++++++++++++++ guacamole-docker/bin/start.sh | 12 ++++++++++ 2 files changed, 55 insertions(+) diff --git a/guacamole-docker/README.md b/guacamole-docker/README.md index 0f6200f896..3ad7af1c5c 100644 --- a/guacamole-docker/README.md +++ b/guacamole-docker/README.md 
@@ -228,6 +228,49 @@ The process for doing this via the `sqlcmd` utilities included with SQLServer is documented in [the Guacamole manual](http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-sqlserver). +Enabling guacd ssl +================ +This explains how to enable ssl between guacamole and guacd using a self signed certificat. + +1. Generate a new certificat +You need to create the new certificat on the guacd host. + +```shell +openssl genrsa -out /etc/guacd/server.key 2048 +openssl req -new -key /etc/guacd/server.key -out /etc/guacd/cert.csr +openssl x509 -in /etc/guacd/cert.csr -out /etc/guacd/server.crt -req -signkey /etc/guacd/server.key -days 3650 +openssl pkcs12 -export -in /etc/guacd/server.crt -inkey /etc/guacd/server.key -out /etc/guacd/server.p12 -CAfile ca.crt -caname root +``` +2. Configure guacd + +On debian, edit /etc/default/guacd and modify the following variables. +``` +# listen on all interface +LISTEN_ADDRESS=0.0.0.0 + +# certificats +DAEMON_ARGS=-C /etc/guacd/server.crt -K /etc/guacd/server.key +``` +restart guacd! + +3. Deploy Guacamole + +```shell +docker run --name some-guacamole \ + -e GUACOMOLE_SSL_KEYSTORE_FILE=/home/guacamole/certs/server.p12 \ + -e GUACOMOLE_SSL_KEYSTORE_PASS=changeme \ + -e GUACD_SSL=true \ + -e GUACD_PORT=4822 \ + -e GUACD_HOSTNAME=hostname \ + -v :/home/guacamole/certs \ + ... + -d -p 8080:8080 guacamole/guacamole +``` + +4. From the guacamole web interface, add a new connexion and enable SSL/TLS whenever using a guacd proxy. + + + Reporting issues ================ diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh index 3a93870839..48b49e22a2 100755 --- a/guacamole-docker/bin/start.sh +++ b/guacamole-docker/bin/start.sh 
@@ -1041,6 +1041,9 @@ fi # Use default guacd port if none specified GUACD_PORT="${GUACD_PORT-4822}" +# guacd ssl is disabled by default +GUACD_SSL="${GUACD_SSL-false}" + # Verify required guacd connection information is present if [ -z "$GUACD_HOSTNAME" -o -z "$GUACD_PORT" ]; then cat < Date: Thu, 23 Mar 2023 10:23:01 +0100 Subject: [PATCH 2/3] GUACAMOLE-1746: moved guacd documentation to guacamole-server repository --- guacamole-docker/README.md | 34 ++++++++-------------------------- 1 file changed, 8 insertions(+), 26 deletions(-) diff --git a/guacamole-docker/README.md b/guacamole-docker/README.md index 3ad7af1c5c..f07382e437 100644 --- a/guacamole-docker/README.md +++ b/guacamole-docker/README.md 
@@ -228,32 +228,15 @@ The process for doing this via the `sqlcmd` utilities included with SQLServer is documented in [the Guacamole manual](http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-sqlserver). -Enabling guacd ssl +Enabling ssl ================ -This explains how to enable ssl between guacamole and guacd using a self signed certificat. +This explains how to enable ssl between guacamole and guacd using a self signed certificate. -1. Generate a new certificat -You need to create the new certificat on the guacd host. +You need to create the new certificate on the guacd host, see https://github.com/apache/guacamole-server/blob/master/README +or https://github.com/apache/guacamole-server/blob/master/src/guacd-docker/README.md depending +on the version you will use (standalone vs docker). -```shell -openssl genrsa -out /etc/guacd/server.key 2048 -openssl req -new -key /etc/guacd/server.key -out /etc/guacd/cert.csr -openssl x509 -in /etc/guacd/cert.csr -out /etc/guacd/server.crt -req -signkey /etc/guacd/server.key -days 3650 -openssl pkcs12 -export -in /etc/guacd/server.crt -inkey /etc/guacd/server.key -out /etc/guacd/server.p12 -CAfile ca.crt -caname root -``` -2. Configure guacd - -On debian, edit /etc/default/guacd and modify the following variables. -``` -# listen on all interface -LISTEN_ADDRESS=0.0.0.0 - -# certificats -DAEMON_ARGS=-C /etc/guacd/server.crt -K /etc/guacd/server.key -``` -restart guacd! - -3. Deploy Guacamole +Copy the SSL certificate server.p12 to /path/guacamole/certs ```shell docker run --name some-guacamole \ 
@@ -262,13 +245,12 @@ docker run --name some-guacamole \ -e GUACD_SSL=true \ -e GUACD_PORT=4822 \ -e GUACD_HOSTNAME=hostname \ - -v :/home/guacamole/certs \ + -v /path/guacamole/certs:/home/guacamole/certs \ ... -d -p 8080:8080 guacamole/guacamole ``` -4. From the guacamole web interface, add a new connexion and enable SSL/TLS whenever using a guacd proxy. - +From the guacamole web interface, add a new connection and enable SSL/TLS whenever using a guacd proxy. Reporting issues From fe6828a869994f6555562f1ab3c333c66cf2fadf Mon Sep 17 00:00:00 2001 From: Ronan SALMON Date: Mon, 30 Oct 2023 13:40:21 +0100 Subject: [PATCH 3/3] rename environment variables GUACD_SSL_KEYSTORE_FILE and GUACD_SSL_KEYSTORE_PASS to JAVA_KEYSTORE_FILE and JAVA_KEYSTORE_PASS --- guacamole-docker/bin/start.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh index 48b49e22a2..053ed4eeab 100755 --- a/guacamole-docker/bin/start.sh +++ b/guacamole-docker/bin/start.sh @@ -1074,11 +1074,11 @@ set_property "guacd-port" "$GUACD_PORT" set_property "guacd-ssl" "$GUACD_SSL" # guacd ssl keystore -if [ -n "$GUACD_SSL_KEYSTORE_FILE" ]; then - export JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStore=${GUACD_SSL_KEYSTORE_FILE}" +if [ -n "$JAVA_KEYSTORE_FILE" ]; then + export JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStore=${JAVA_KEYSTORE_FILE}" fi -if [ -n "$GUACD_SSL_KEYSTORE_PASS" ]; then - export JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStorePassword=${GUACD_SSL_KEYSTORE_PASS}" +if [ -n "$JAVA_KEYSTORE_PASS" ]; then + export JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStorePassword=${JAVA_KEYSTORE_PASS}" fi # A comma-separated list of the identifiers of authentication providers that
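Review bot: The renamed `JAVA_KEYSTORE_FILE` / `JAVA_KEYSTORE_PASS` feed `-Djavax.net.ssl.trustStore` and `-Djavax.net.ssl.trustStorePassword`, so they configure a trust store, not a key store, and the README added in the first patch of this series documents the same settings as `GUACOMOLE_SSL_KEYSTORE_FILE` / `GUACOMOLE_SSL_KEYSTORE_PASS`, names this script never reads; a user following that README gets the JVM's default trust store and a failed TLS handshake against a self-signed guacd, with nothing in start.sh to say why. The `# guacd ssl keystore` comment should make the distinction explicit, e.g. `# Trust store for the guacd TLS certificate (public certificate only; guacd's private key must stay on the guacd host)`, because the README tells the reader to mount `server.p12`, and if that file is the bundle built with the `openssl pkcs12 -export ... -inkey` command shown in the first patch it carries guacd's private key into the guacamole container. `JAVA_OPTS` is normally handed to the JVM as command-line arguments, so `JAVA_KEYSTORE_PASS` would presumably be visible in the container's process list; if that is considered acceptable because a trust-store password only guards integrity, the comment should say so, otherwise the exposure needs to be documented for operators. A `# shellcheck disable` is not needed here, but the two `if` blocks could be collapsed into one guarded by `JAVA_KEYSTORE_FILE`, since a password without a trust-store path does nothing useful.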