Another post that is just a note to self.
This time we install Guacamole as a connection gateway to our servers and expose it to the internet.
We start from a bare Debian 9 and install the dependencies:
# apt install tomcat8 libcairo2-dev libossp-uuid-dev libavcodec-dev libavutil-dev libswscale-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev libjpeg62-turbo-dev libpng-dev libpng16-16 git
# git clone git://github.com/apache/incubator-guacamole-server.git
# cd incubator-guacamole-server
# autoreconf -fi
# ./configure --with-init-dir=/etc/init.d
# make
# make install
# ldconfig
# systemctl enable guacd
# /etc/init.d/guacd start
We create the guacamole.properties file:
# nano /etc/guacamole/guacamole.properties
# Guacamole - Clientless Remote Desktop
# Copyright (C) 2010 Michael Jumper
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see .
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822
# Auth provider class (authenticates user/pass combination, needed if using the provided login screen)
# LDAP properties
ldap-hostname: ldap.craem.net
ldap-port: 389
ldap-user-base-dn: DC=craem,DC=net
ldap-search-bind-dn: CN=admin,DC=craem,DC=net
ldap-search-bind-password: password
ldap-config-base-dn: DC=craem,DC=net
ldap-username-attribute: uid
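Once the gateway faces the internet, the point to keep in mind about this file is that ldap-search-bind-password sits in it in clear text, so the file must be readable only by root and the Tomcat service account, and the sample value must not survive into production. The following is an added example, not code from the post or from the Guacamole project: a small audit of a guacamole.properties file. The property names (guacd-hostname, guacd-ssl, ldap-search-bind-password) are the real ones; the check_guacamole_properties function, its messages and the SAMPLE_PROPERTIES text (constructed to mirror the file above) are this example's own.

```python
"""Added example (not part of the original post): audit a guacamole.properties
file for the problems that matter once the gateway is exposed to the internet.
Property names are the real Guacamole / LDAP-extension keys; the check logic,
messages and sample file are this example's own."""

import os
import stat
import tempfile
from pathlib import Path

# Constructed sample mirroring the file created in the post (placeholder values).
SAMPLE_PROPERTIES = """\
# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: 4822
# LDAP properties
ldap-hostname: ldap.craem.net
ldap-port: 389
ldap-user-base-dn: DC=craem,DC=net
ldap-search-bind-dn: CN=admin,DC=craem,DC=net
ldap-search-bind-password: password
ldap-username-attribute: uid
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
MSG_WORLD_READABLE = "file is readable or writable by other users (use chmod 640, group tomcat8)"
MSG_NO_BIND_PW = "ldap-search-bind-password is not set; the LDAP extension cannot bind"
MSG_PLACEHOLDER_PW = "ldap-search-bind-password still holds a placeholder value"
MSG_GUACD_NO_SSL = "guacd is reachable over the network but guacd-ssl is not enabled"


def parse_properties(text: str) -> dict:
    """Parse the 'key: value' (or 'key=value') format, skipping '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sep = ":" if ":" in line else "="
        if sep not in line:
            continue
        key, value = line.split(sep, 1)
        props[key.strip()] = value.strip()
    return props


def check_guacamole_properties(path: str) -> list:
    """Return a list of findings for the file at path (empty list = acceptable)."""
    findings = []
    p = Path(path)
    # Anyone with a shell on the box could read the LDAP bind credential.
    if p.stat().st_mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(MSG_WORLD_READABLE)
    props = parse_properties(p.read_text())
    pw = props.get("ldap-search-bind-password")
    if pw is None:
        findings.append(MSG_NO_BIND_PW)
    elif pw.lower() in {"", "password", "changeme", "secret"}:
        findings.append(MSG_PLACEHOLDER_PW)
    # The guacd channel carries the session credentials; if guacd is not on the
    # same host it should at least be wrapped in TLS (guacd-ssl: true).
    guacd_remote = props.get("guacd-hostname", "localhost") not in LOCAL_HOSTS
    if guacd_remote and props.get("guacd-ssl", "false").lower() != "true":
        findings.append(MSG_GUACD_NO_SSL)
    return findings


def demo_file(contents: str, mode: int) -> str:
    """Write constructed contents to a temporary properties file with the given mode."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "guacamole.properties")
    with open(path, "w") as f:
        f.write(contents)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # A freshly written file under a default umask is usually 644: two findings.
    for finding in check_guacamole_properties(demo_file(SAMPLE_PROPERTIES, 0o644)):
        print("finding:", finding)
```

Run it against /etc/guacamole/guacamole.properties after the install; an empty result means the file is 640 (or tighter), the bind password is a real one and guacd is either local or reached over TLS.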
We create the symbolic link for the app:
# ln -s /etc/guacamole/ /var/lib/tomcat8/.guacamole
We set up the client side (0.9.14 is the latest as of 10/2018):
# wget https://sourceforge.net/projects/guacamole/files/current/binary/guacamole-0.9.14.war
# mv guacamole-0.9.14.war /var/lib/tomcat8/webapps/guacamole.war
# service tomcat8 restart
Now we install the LDAP authentication extension (the URL is quoted so that the shell does not treat the & as a background operator):
# cd /etc/guacamole
# wget -c 'https://apache.org/dyn/closer.cgi?action=download&filename=guacamole/0.9.14/binary/guacamole-auth-ldap-0.9.14.tar.gz'
# service tomcat8 restart
Now we still have to update the OpenLDAP schema. We unpack the tarball and copy the jar into the extensions directory (Guacamole loads extensions from GUACAMOLE_HOME/extensions, here /etc/guacamole/extensions):
# tar -zxvf guacamole-auth-ldap-0.9.14.tar.gz
# mkdir -p /etc/guacamole/extensions
# cp guacamole-auth-ldap-0.9.14/guacamole-auth-ldap-0.9.14.jar /etc/guacamole/extensions/
Inside the schema folder we have the OpenLDAP part that we need to bring into our server… we copy it over and import it:
root@ldap:/usr/src# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f guacConfigGroup.ldif
adding new entry "cn=guacConfigGroup,cn=schema,cn=config"
root@ldap:/usr/src# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}zarafa,cn=schema,cn=config
dn: cn={5}radius,cn=schema,cn=config
dn: cn={6}guacConfigGroup,cn=schema,cn=config
root@ldap:/usr/src#
Now we have to create the objects for our servers… we create a file, for example entrada.ldif:
dn: cn=zeus,ou=maquines,dc=craem,dc=net
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: zeus
guacConfigProtocol: ssh
guacConfigParameter: hostname=192.168.1.2
guacConfigParameter: port=22
guacConfigParameter: security=ssh
member: cn=Angel Elena,cn=craem_users,dc=craem,dc=net
We save the changes and import the file (binding as the same admin DN used in guacamole.properties):
# ldapadd -x -D cn=admin,dc=craem,dc=net -W -f entrada.ldif
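Each connection is one guacConfigGroup entry, and the member attribute is what decides who gets to see it, so it is worth validating an entrada.ldif before importing it. The following is an added example, not code from the post or from the Guacamole project: a minimal LDIF parser, a validator for guacConfigGroup entries, and a builder that renders one. The object classes and attributes (guacConfigGroup, groupOfNames, guacConfigProtocol, guacConfigParameter, member) come from the schema shipped with guacamole-auth-ldap; the validation rules, the function names and SAMPLE_LDIF (constructed from the entry above) are this example's own. The parser handles only plain one-line attributes, not base64 values or folded lines.

```python
"""Added example (not part of the original post): build and validate the
guacConfigGroup entries read by the Guacamole LDAP extension. Attribute names
come from the extension's schema; parser, rules and sample are this example's own."""

SUPPORTED_PROTOCOLS = {"ssh", "rdp", "vnc", "telnet"}

# Constructed sample, mirroring the entrada.ldif file created in the post.
SAMPLE_LDIF = """\
dn: cn=zeus,ou=maquines,dc=craem,dc=net
objectClass: guacConfigGroup
objectClass: groupOfNames
cn: zeus
guacConfigProtocol: ssh
guacConfigParameter: hostname=192.168.1.2
guacConfigParameter: port=22
guacConfigParameter: security=ssh
member: cn=Angel Elena,cn=craem_users,dc=craem,dc=net
"""


def parse_ldif(text: str) -> list:
    """Parse simple LDIF (no base64 '::' values, no line folding) into a list of
    entries; each entry maps an attribute name to the list of its values."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # a blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def validate_connection(entry: dict) -> list:
    """Return the problems found in one guacConfigGroup entry (empty list = OK)."""
    problems = []
    classes = set(entry.get("objectClass", []))
    if not {"guacConfigGroup", "groupOfNames"} <= classes:
        problems.append("objectClass must include guacConfigGroup and groupOfNames")
    proto = entry.get("guacConfigProtocol", [None])[0]
    if proto not in SUPPORTED_PROTOCOLS:
        problems.append(f"unsupported guacConfigProtocol: {proto!r}")
    params = {}
    for p in entry.get("guacConfigParameter", []):
        key, sep, val = p.partition("=")
        if not sep:
            problems.append(f"guacConfigParameter without '=': {p!r}")
            continue
        params[key] = val
    if "hostname" not in params:
        problems.append("missing guacConfigParameter: hostname=...")
    if "port" in params and not params["port"].isdigit():
        problems.append(f"port is not numeric: {params['port']!r}")
    # The member list is the access control: no members means nobody can use it.
    if not entry.get("member"):
        problems.append("no member: nobody is granted this connection")
    return problems


def build_connection(name: str, base: str, protocol: str, members: list, **params) -> str:
    """Render an LDIF entry for one connection under the given base DN."""
    lines = [
        f"dn: cn={name},{base}",
        "objectClass: guacConfigGroup",
        "objectClass: groupOfNames",
        f"cn: {name}",
        f"guacConfigProtocol: {protocol}",
    ]
    lines += [f"guacConfigParameter: {k}={v}" for k, v in params.items()]
    lines += [f"member: {m}" for m in members]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(entry["dn"][0], "->", validate_connection(entry) or "OK")
    print(build_connection("hera", "ou=maquines,dc=craem,dc=net", "rdp",
                           ["cn=Angel Elena,cn=craem_users,dc=craem,dc=net"],
                           hostname="192.168.1.3", port="3389"))
```

Feed the output of build_connection to ldapadd exactly as with entrada.ldif; run validate_connection over an existing file before importing it to catch a typo in the protocol name or a connection that was left without members.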
The next step is to add nginx and certbot to act as a reverse proxy and bring in the certificate:
# apt-get install nginx
We create the file
# nano /etc/nginx/sites-available/guacamole
and add (Tomcat listens on plain HTTP on 8080, and the Upgrade/Connection headers are needed for Guacamole's WebSocket tunnel):
server {
    listen 80;
    listen [::]:80;
    server_name guacamole;

    location / {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }
}
And we create the symbolic link in /etc/nginx/sites-enabled:
# ln -s /etc/nginx/sites-available/guacamole /etc/nginx/sites-enabled/guacamole
We restart nginx and the service is ready 😉
# service nginx restart
Off to the browser … https://guacamole