150 lines
3.8 KiB
Markdown
150 lines
3.8 KiB
Markdown
**Purpose**: HTML5-based Remote Access Broker for SSH, RDP, and VNC. Useful for remote access into an environment.
|
|
|
|
### Docker Compose Stack
|
|
=== "docker-compose.yml"
|
|
|
|
```yaml
|
|
version: '3'
|
|
|
|
services:
|
|
app:
|
|
image: jasonbean/guacamole
|
|
ports:
|
|
- 8080:8080
|
|
volumes:
|
|
- /srv/containers/guacamole:/config
|
|
environment:
|
|
- OPT_MYSQL=Y
|
|
- OPT_MYSQL_EXTENSION=N
|
|
- OPT_SQLSERVER=N
|
|
- OPT_LDAP=N
|
|
- OPT_DUO=N
|
|
- OPT_CAS=N
|
|
- OPT_TOTP=Y # (1)
|
|
- OPT_QUICKCONNECT=N
|
|
- OPT_HEADER=N
|
|
- OPT_SAML=N
|
|
- PUID=99
|
|
- PGID=100
|
|
- TZ=America/Denver # (2)
|
|
restart: unless-stopped
|
|
networks:
|
|
docker_network:
|
|
ipv4_address: 192.168.5.43
|
|
|
|
networks:
|
|
default:
|
|
external:
|
|
name: docker_network
|
|
docker_network:
|
|
external: true
|
|
```
|
|
|
|
1. Enable this if you want multi-factor authentication enabled. Must be set BEFORE the container is initially deployed. Cannot be added retroactively.
|
|
2. Set to your own timezone.
|
|
|
|
=== "docker-compose.yml (OpenID / Keycloak Integration)"
|
|
|
|
```yaml
|
|
version: '3'
|
|
|
|
services:
|
|
app:
|
|
image: jasonbean/guacamole
|
|
ports:
|
|
- 8080:8080
|
|
volumes:
|
|
- /srv/containers/apache-guacamole:/config
|
|
environment:
|
|
- OPT_MYSQL=Y
|
|
- OPT_MYSQL_EXTENSION=N
|
|
- OPT_SQLSERVER=N
|
|
- OPT_LDAP=N
|
|
- OPT_DUO=N
|
|
- OPT_CAS=N
|
|
- OPT_TOTP=N
|
|
- OPT_QUICKCONNECT=N
|
|
- OPT_HEADER=N
|
|
- OPT_SAML=N
|
|
- OPT_OIDC=Y # Enable OpenID Connect
|
|
- OIDC_ISSUER=${OPENID_REALM_URL} # Your Keycloak realm URL
|
|
- OIDC_CLIENT_ID=${OPENID_CLIENT_ID} # Client ID for Guacamole in Keycloak
|
|
- OIDC_CLIENT_SECRET=${OPENID_CLIENT_SECRET} # Client Secret for Guacamole in Keycloak
|
|
- OIDC_REDIRECT_URI=${OPENID_REDIRECT_URI} # Redirect URI for Guacamole
|
|
- PUID=99
|
|
- PGID=100
|
|
- TZ=America/Denver
|
|
restart: unless-stopped
|
|
networks:
|
|
docker_network:
|
|
ipv4_address: 192.168.5.43
|
|
|
|
networks:
|
|
default:
|
|
external:
|
|
name: docker_network
|
|
docker_network:
|
|
external: true
|
|
```
|
|
|
|
1. You cannot enable TOTP / Multi-factor authentication if you have OpenID configured. This is just a known issue.
|
|
2. Set to your own timezone.
|
|
|
|
### Environment Variables
|
|
=== ".env"
|
|
|
|
``` sh
|
|
N/A
|
|
```
|
|
|
|
=== ".env (OpenID / Keycloak Integration)"
|
|
|
|
```yaml
|
|
OPENID_REALM_URL=https://auth.bunny-lab.io/realms/master
|
|
OPENID_CLIENT_ID=apache-guacamole
|
|
OPENID_CLIENT_SECRET=<YOUR-CLIENT-ID-SECRET>
|
|
OPENID_REDIRECT_URI=http://remote.bunny-lab.io
|
|
```
|
|
|
|
## Reverse Proxy Configuration
|
|
|
|
=== "Traefik"
|
|
|
|
``` yaml
|
|
http:
|
|
routers:
|
|
apache-guacamole:
|
|
entryPoints:
|
|
- websecure
|
|
tls:
|
|
certResolver: letsencrypt
|
|
service: apache-guacamole
|
|
rule: Host(`remote.bunny-lab.io`)
|
|
|
|
services:
|
|
apache-guacamole:
|
|
loadBalancer:
|
|
servers:
|
|
- url: http://192.168.5.43:8080
|
|
passHostHeader: true
|
|
```
|
|
|
|
=== "NGINX"
|
|
|
|
```yaml
|
|
server {
|
|
listen 443 ssl;
|
|
server_name remote.bunny-lab.io;
|
|
client_max_body_size 0;
|
|
ssl on;
|
|
location / {
|
|
proxy_pass http://192.168.5.43:8080;
|
|
proxy_buffering off;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $http_connection;
|
|
access_log off;
|
|
}
|
|
}
|
|
``` |