From ca966a5a00cdc09d1b1535a980609ec826b316cf Mon Sep 17 00:00:00 2001
From: Ronan SALMON
Date: Thu, 23 Mar 2023 10:31:02 +0100
Subject: [PATCH 1/2] GUACAMOLE-1746: docker enable usage of custom certificate
---
 Dockerfile | 12 ++++----
 README | 27 ++++++++++++++++++
 src/guacd-docker/README.md | 23 +++++++++++++++
 src/guacd-docker/sbin/start.sh | 51 ++++++++++++++++++++++++++++++++++
 4 files changed, 107 insertions(+), 6 deletions(-)
 create mode 100755 src/guacd-docker/sbin/start.sh
diff --git a/Dockerfile b/Dockerfile
index ff96cde2c..690163696 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -167,6 +167,7 @@ COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 # Bring runtime environment up to date and install runtime dependencies
 RUN apk add --no-cache \
+ bash \
 ca-certificates \
 ghostscript \
 netcat-openbsd \
@@ -192,10 +193,9 @@ USER guacd
 # Expose the default listener port
 EXPOSE 4822
-# Start guacd, listening on port 0.0.0.0:4822
-#
-# Note the path here MUST correspond to the value specified in the
-# PREFIX_DIR build argument.
-#
-CMD /opt/guacamole/sbin/guacd -b 0.0.0.0 -L $GUACD_LOG_LEVEL -f
+# Add configuration scripts
+COPY src/guacd-docker/sbin /opt/guacamole/sbin/
+
+# Start guacd
+CMD [ "/opt/guacamole/sbin/start.sh" ]
diff --git a/README b/README
index 8446d97dc..9dad431b4 100644
--- a/README
+++ b/README
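Review bot: The second Dockerfile hunk removes the comment saying the guacd path must match the PREFIX_DIR build argument, yet the new `COPY src/guacd-docker/sbin /opt/guacamole/sbin/` destination and the `CMD [ "/opt/guacamole/sbin/start.sh" ]` path (plus the guacd path hard-coded inside start.sh) still depend on it, so the coupling is now undocumented. Restore the note above the COPY instruction, e.g. `# Note the paths here MUST correspond to the value specified in the PREFIX_DIR build argument.`. The first hunk adds bash to the runtime image, presumably only because start.sh uses bash arrays; if so, a short comment beside `bash \` saying it exists for start.sh would tell the next maintainer why the extra package is in the image and when it could be dropped.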
@@ -173,6 +173,33 @@ guacd currently takes several command-line options:
 Additional information can be found in the guacd man page:
 $ man guacd
+
+
+------------------------------------------------------------
+Enabling guacd ssl
+------------------------------------------------------------
+
+This explains how to enable ssl between guacamole and guacd using a self signed certificate.
+
+1. Generate a new certificate
+You need to create the new certificate on the guacd host.
+
+ $ openssl genrsa -out /etc/guacd/server.key 2048
+ $ openssl req -new -key /etc/guacd/server.key -out /etc/guacd/cert.csr
+ $ openssl x509 -in /etc/guacd/cert.csr -out /etc/guacd/server.crt -req -signkey /etc/guacd/server.key -days 3650
+ $ openssl pkcs12 -export -in /etc/guacd/server.crt -inkey /etc/guacd/server.key -out /etc/guacd/server.p12 -CAfile ca.crt -caname root
+
+2. Configure guacd
+
+On debian, edit /etc/default/guacd and modify the following variables.
+ # listen on all interface
+ LISTEN_ADDRESS=0.0.0.0
+
+ # certificates
+ DAEMON_ARGS=-C /etc/guacd/server.crt -K /etc/guacd/server.key
+
+Restart guacd!
+You may now enable, within Guacamole, guacd/proxy ssl connexion.
 ------------------------------------------------------------
 Reporting problems
diff --git a/src/guacd-docker/README.md b/src/guacd-docker/README.md
index b6235a334..14cfe2101 100644
--- a/src/guacd-docker/README.md
+++ b/src/guacd-docker/README.md
@@ -38,6 +38,29 @@ Connecting to guacd from an application
 docker run --name some-app --link some-guacd:guacd -d application-that-uses-guacd
+
+Enabling guacd ssl
+------------------
+This explains how to enable ssl between guacamole and guacd using a self signed certificate.
+
+1. Generate a new certificate
+You need to create the new certificate on the guacd host.
+
+ $ openssl genrsa -out /path/guacd/server.key 2048
+ $ openssl req -new -key /path/guacd/server.key -out /path/guacd/cert.csr
+ $ openssl x509 -in /path/guacd/cert.csr -out /path/guacd/server.crt -req -signkey /path/guacd/server.key -days 3650
+ $ openssl pkcs12 -export -in /path/guacd/server.crt -inkey /path/guacd/server.key -out /path/guacd/server.p12 -CAfile ca.crt -caname root
+
+2. run guacd
+
+ docker run --name some-guacd -d -p 4822:4822 \
+ --env GUACD_CERTIFICATE_CRT=/etc/guacd/server.crt \
+ --env GUACD_CERTIFICATE_KEY=/etc/guacd/server.key \
+ --volume /path/guacd:/etc/guacd \
+ guacamole/guacd
+
+You may now enable, within Guacamole, guacd/proxy ssl connexion.
+
 Reporting issues
 ================
diff --git a/src/guacd-docker/sbin/start.sh b/src/guacd-docker/sbin/start.sh
new file mode 100755
index 000000000..ab10f8734
--- /dev/null
+++ b/src/guacd-docker/sbin/start.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+##
+## @fn start.sh
+##
+## Automatically configures and starts GUACD.
+##
+
+
+# guacd default value if not overridden
+
+if [ -z "$GUACD_LISTEN_ADDRESS" ]; then
+ export GUACD_LISTEN_ADDRESS=0.0.0.0
+fi
+if [ -z "$GUACD_PORT" ]; then
+ export GUACD_PORT=4822
+fi
+if [ -z "$GUACD_LOG_LEVEL" ]; then
+ export GUACD_LOG_LEVEL=info
+fi
+
+args=( -b "${GUACD_LISTEN_ADDRESS}" -L "${GUACD_LOG_LEVEL}" -l "${GUACD_PORT}" -f )
+
+# guacd certificate files
+if [ -n "$GUACD_CERTIFICATE_CRT" ]; then
+ args+=( -C "$GUACD_CERTIFICATE_CRT" )
+fi
+if [ -n "$GUACD_CERTIFICATE_KEY" ]; then
+ args+=( -K "$GUACD_CERTIFICATE_KEY" )
+fi
+
+/opt/guacamole/sbin/guacd "${args[@]}"
+
From a3fc847408f05bbc7630bb4c71fe264ae1f8f19a Mon Sep 17 00:00:00 2001
From: Ronan SALMON
Date: Thu, 13 Apr 2023 09:15:52 +0200
Subject: [PATCH 2/2] GUACAMOLE-1746: SSL variables are both required for SSL to function
---
 src/guacd-docker/sbin/start.sh | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)
diff --git a/src/guacd-docker/sbin/start.sh b/src/guacd-docker/sbin/start.sh
index ab10f8734..7b5075fe1 100755
--- a/src/guacd-docker/sbin/start.sh
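Review bot: The final line, `/opt/guacamole/sbin/guacd "${args[@]}"`, starts guacd as a child of bash instead of replacing the shell, so with the exec-form CMD in the Dockerfile bash becomes PID 1 and the SIGTERM sent by `docker stop` lands on bash, which does not forward it; guacd is only torn down when the runtime escalates to SIGKILL, losing any orderly shutdown of open connections. Change it to `exec /opt/guacamole/sbin/guacd "${args[@]}"`. The certificate and key paths are also passed through unchecked even though the image switches to the unprivileged `guacd` user before this script runs, so a key mounted with root-only permissions only fails inside guacd; a check before starting, `[ -r "$GUACD_CERTIFICATE_KEY" ] || { echo "cannot read $GUACD_CERTIFICATE_KEY" >&2; exit 1; }`, gives an unambiguous startup error. The second patch in this series already requires both variables together, so the lone -C/-K case is not re-raised here.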
+++ b/src/guacd-docker/sbin/start.sh
@@ -25,8 +25,27 @@
 ##
-# guacd default value if not overridden
+##
+## Adds SSL command-line options to guacd
+##
+enable_ssl() {
+ if [ -z "$GUACD_CERTIFICATE_CRT" ] || [ -z "$GUACD_CERTIFICATE_KEY" ]; then
+ cat <