**Purpose**: HTML5-based Remote Access Broker for SSH, RDP, and VNC.  Useful for remote access into an environment.
### Docker Compose Stack
=== "docker-compose.yml"
    ```yaml
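    version: '3'
    services:
      app:
        # Third-party image with no tag, so every pull follows `latest`.
        # Pin a reviewed tag or digest so upgrades are deliberate.
        image: jasonbean/guacamole
        ports:
          # Publishes the plain-HTTP UI on every host interface. If all access
          # goes through the TLS reverse proxy, this mapping may not be needed.
          - "8080:8080"
        volumes:
          - /srv/containers/guacamole:/config
        environment:
          - OPT_MYSQL=Y
          - OPT_MYSQL_EXTENSION=N
          - OPT_SQLSERVER=N
          - OPT_LDAP=N
          - OPT_DUO=N
          - OPT_CAS=N
          - OPT_TOTP=Y # (1)
          - OPT_QUICKCONNECT=N
          - OPT_HEADER=N
          - OPT_SAML=N
          - PUID=99
          - PGID=100
          - TZ=America/Denver # (2)
        restart: unless-stopped
        networks:
          docker_network:
            ipv4_address: 192.168.5.43
    # NOTE(review): the stock Guacamole database schema is presumed to create a
    # default administrator account; change its password on first login.
    networks:
      default:
        external:
          name: docker_network
      docker_network:
        external: true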
    ```
    
    1.  Enable this if you want multi-factor authentication enabled.  Must be set BEFORE the container is initially deployed.  Cannot be added retroactively.
    2.  Set to your own timezone.
=== "docker-compose.yml (OpenID / Keycloak Integration)"
    ```yaml
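    version: '3'
    services:
      app:
        # Third-party image with no tag, so every pull follows `latest`.
        # Pin a reviewed tag or digest so upgrades are deliberate.
        image: jasonbean/guacamole
        ports:
          # Publishes the plain-HTTP UI on every host interface. If all access
          # goes through the TLS reverse proxy, this mapping may not be needed.
          - "8080:8080"
        volumes:
          - /srv/containers/apache-guacamole:/config
        environment:
          - OPT_MYSQL=Y
          - OPT_MYSQL_EXTENSION=N
          - OPT_SQLSERVER=N
          - OPT_LDAP=N
          - OPT_DUO=N
          - OPT_CAS=N
          - OPT_TOTP=N # (1)
          - OPT_QUICKCONNECT=N
          - OPT_HEADER=N
          - OPT_SAML=N
          - OPT_OIDC=Y # Enable OpenID Connect
          - OIDC_ISSUER=${OPENID_REALM_URL} # Your Keycloak realm URL
          - OIDC_CLIENT_ID=${OPENID_CLIENT_ID} # Client ID for Guacamole in Keycloak
          # The secret is interpolated from .env and ends up in the container
          # environment, so it is readable by anyone who can inspect the container.
          - OIDC_CLIENT_SECRET=${OPENID_CLIENT_SECRET} # Client Secret for Guacamole in Keycloak
          - OIDC_REDIRECT_URI=${OPENID_REDIRECT_URI} # Redirect URI for Guacamole
          - PUID=99
          - PGID=100
          - TZ=America/Denver # (2)
        restart: unless-stopped
        networks:
          docker_network:
            ipv4_address: 192.168.5.43
    networks:
      default:
        external:
          name: docker_network
      docker_network:
        external: true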
    ```
    
    1.  You cannot enable Guacamole's TOTP / multi-factor authentication when OpenID is configured; this is a known issue.  Enforce multi-factor authentication in Keycloak instead.
    2.  Set to your own timezone.
### Environment Variables
=== ".env"
    ``` sh
    N/A
    ```
=== ".env (OpenID / Keycloak Integration)"
    ``` sh
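    # Keycloak advises against using the master realm for applications;
    # a dedicated realm is preferable where possible.
    OPENID_REALM_URL=https://auth.bunny-lab.io/realms/master
    OPENID_CLIENT_ID=apache-guacamole
    # Copy the secret from the Keycloak client; keep this file out of version control.
    OPENID_CLIENT_SECRET=
    # Must match a valid redirect URI registered on the Keycloak client.
    # HTTPS, because the reverse proxy configuration only serves this host over TLS.
    OPENID_REDIRECT_URI=https://remote.bunny-lab.io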
    ```
## Reverse Proxy Configuration
=== "Traefik"
    ``` yaml
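    http:
      routers:
        # Router options must be nested under the router name; as siblings
        # they would be parsed as separate, empty routers.
        apache-guacamole:
          entryPoints:
            - websecure
          tls:
            certResolver: letsencrypt
          service: apache-guacamole
          rule: Host(`remote.bunny-lab.io`)
      services:
        apache-guacamole:
          loadBalancer:
            servers:
              # Traffic from Traefik to the container is plain HTTP, so this
              # network segment has to be trusted.
              - url: http://192.168.5.43:8080
            passHostHeader: true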
    ```
        
=== "NGINX"
    ```nginx
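    server {
        # TLS is enabled by the `ssl` flag on `listen`; the separate `ssl on;`
        # directive is obsolete and rejected by current nginx releases.
        # ssl_certificate / ssl_certificate_key must be set here or inherited.
        listen 443 ssl;
        server_name remote.bunny-lab.io;
        # 0 removes the request-body size limit.
        client_max_body_size 0;
        location / {
            # Traffic from nginx to the container is plain HTTP, so this
            # network segment has to be trusted.
            proxy_pass http://192.168.5.43:8080;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            # Turns off request logging for this gateway; make sure Guacamole's own
            # authentication and connection logs are collected if this stays off.
            access_log off;
        }
    }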
    ```