In my previous article I explained how to install Guacamole on Debian 8.6. In this article I cover how to publish it over HTTPS using Apache2, and how to use fail2ban and ufw to protect the service.
First, install required pre-reqs:
apt-get install apache2 libapache2-mod-proxy-html
Now, we will modify the tomcat8 config:
vi /etc/tomcat8/server.xml
Uncomment and modify the AJP/1.3 connector line accordingly. Note that the Apache site definition later in this post proxies to Tomcat's HTTP connector on port 8080, not to AJP, so this step is not actually required by it; if you do enable the AJP connector, bind it to the loopback address so that port 8009 is not reachable from other hosts:
<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" URIEncoding="UTF-8" redirectPort="8443" />
Now restart tomcat8:
systemctl restart tomcat8.service
Now for the Apache2 configuration. Firstly you'll need to enable the following modules using a2enmod (mod_log_config is compiled statically into Debian's apache2, so it does not need enabling; a2enmod log_config simply reports that the module does not exist):
a2enmod proxy proxy_http proxy_wstunnel ssl
Now for the SSL configuration. Generate your private key and CSR (you can then have the CSR signed by an external, third-party CA such as Let's Encrypt, which is free; this post originally used StartSSL, which has since closed):
openssl req -newkey rsa:2048 -keyout guac.key -out guac.csr
I'm now assuming you have the following files:
- The root/intermediate certificate bundle for your CA (.crt from the third-party CA)
- Your server certificate (.crt from the third-party CA; this is the file containing your public key)
- Your private key (.key file from the OpenSSL command above)
We'll now copy these files to /etc/apache2/ssl:
mkdir /etc/apache2/ssl
cp 1_root_bundle.crt /etc/apache2/ssl
cp 2_guacamole.domain.com.crt /etc/apache2/ssl
cp guac.key /etc/apache2/ssl
Note, your .key file (private key) has a passphrase if you set one at the openssl req prompt; you'll want to remove it, otherwise Apache2 will prompt for it every time it starts (alternatively, add -nodes to the openssl req command to create an unencrypted key in the first place). Write the unencrypted key over the copy in /etc/apache2/ssl, as that is the file the site definition below refers to:
openssl rsa -in guac.key -out /etc/apache2/ssl/guac.key
Now, protect those files! An unencrypted private key is only as safe as its file permissions: make sure they are owned by root and readable by nobody else (Apache reads the key as root before dropping privileges, so www-data does not need access):
chmod 600 /etc/apache2/ssl/*
Create a document root for the new HTTPS site (mod_ssl was already enabled above):
mkdir /srv/www-guacamole
Now, we'll configure the site definition in Apache2:
vi /etc/apache2/sites-available/guacamole.conf
Contents as below. Change the hostname (guacamole.domain.com) and the IP address (192.168.1.249) to match your environment. Note that the HTTPS VirtualHost is keyed on the server's IP address, not its hostname: with the hostname, the request was not matched to this VirtualHost, so Apache answered port 443 in plain HTTP, which the browser reports as:
SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
(<VirtualHost *:443> is the usual portable alternative, and the usual cause of that error is exactly a request reaching a host without SSLEngine on.) Debian 8 ships Apache 2.4, so access control uses Require all granted rather than the 2.2-style Order/Allow directives. The CustomLog line sits inside the HTTPS VirtualHost (the copy-and-paste duplication discussed in the comments below has been corrected), and the redirects to /guacamole/ are anchored RedirectMatch expressions, as a prefix Redirect on / would turn a request for /guacamole (no trailing slash) into /guacamole/guacamole.

<VirtualHost guacamole.domain.com:80>
    ServerName guacamole.domain.com:80
    # Send all plain-HTTP traffic to HTTPS; the HTTPS host then sends / to /guacamole/
    Redirect permanent / https://guacamole.domain.com/
</VirtualHost>

<VirtualHost 192.168.1.249:443>
    ServerName guacamole.domain.com:443
    DocumentRoot /srv/www-guacamole

    # Send / and /guacamole (no trailing slash) to /guacamole/. Anchored, so they
    # cannot match the proxied /guacamole/... paths.
    RedirectMatch permanent ^/$ https://guacamole.domain.com/guacamole/
    RedirectMatch permanent ^/guacamole$ https://guacamole.domain.com/guacamole/

    SSLEngine on
    # Add -TLSv1 -TLSv1.1 as well if all of your clients support TLS 1.2
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/apache2/ssl/2_guacamole.domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/guac.key
    SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt
    SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL

    # Guacamole web application and HTTP tunnel
    <Location /guacamole/>
        Require all granted
        ProxyPass http://localhost:8080/guacamole/ max=20 flushpackets=on
        ProxyPassReverse http://localhost:8080/guacamole/
        # The HTTP tunnel is polled constantly; keep it out of the access log
        SetEnvIf Request_URI "^/guacamole/tunnel" dontlog
    </Location>

    # Guacamole WebSocket tunnel (needs mod_proxy_wstunnel)
    <Location /guacamole/websocket-tunnel>
        Require all granted
        ProxyPass ws://localhost:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://localhost:8080/guacamole/websocket-tunnel
    </Location>

    CustomLog /var/log/apache2/guac.log common env=!dontlog
</VirtualHost>
Next we need to enable this site using a2ensite:
a2ensite guacamole.conf
Now check the configuration syntax (apache2ctl configtest) and restart Apache2:
systemctl restart apache2
Next, configure Apache2 to load on boot:
systemctl enable apache2
You'll now be able to access your Guacamole instance at https://<your chosen hostname>/ (which redirects to /guacamole/).
Now for the fail2ban installation and configuration. First download and install fail2ban. Note that this installs whatever is on the repository's master branch at the time; checking out a tagged release first (git tag lists them) is preferable so that the install is reproducible:
cd ~
git clone https://github.com/fail2ban/fail2ban
cd fail2ban
python setup.py install
cp files/debian-initd /etc/init.d/fail2ban
systemctl daemon-reload
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now we'll enable the guacamole jail by editing /etc/fail2ban/jail.local: add a new line "enabled = true" under the existing [guacamole] section, so that it reads as below.
vi /etc/fail2ban/jail.local
[guacamole]
enabled = true
port = http,https
logpath = /var/log/tomcat*/catalina.out
Save and close /etc/fail2ban/jail.local. Then prevent your local network from being banned by adding it to ignoreip (change the range as per your setup):
sed -i "s|ignoreip = 127.0.0.1/8 ::1|ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24|" /etc/fail2ban/jail.local
Lastly for the fail2ban config, we need to adjust the regex that detects failures, as per the site where I found this fix. Guacamole 0.9 writes the client address(es) in square brackets (when Apache sits in front, the forwarded address first and the proxy's own address last), which the shipped regex does not match. Edit the filter:
vi /etc/fail2ban/filter.d/guacamole.conf
Change this incorrect regex:
failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
to this:
failregex = \bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.
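To see why the regex change matters, and what the jail then does with the captured address, here is an added example (my own code, not part of the original post and not fail2ban's code) that expands <HOST> the way fail2ban does, runs both the old and the corrected failregex over a few constructed catalina.out lines, and applies the maxretry and ignoreip decisions from the jail settings above. The log prefix format, the fail2ban 0.9 <HOST> expansion and all addresses are assumptions; the message text is the one the filter targets, with the X-Forwarded-For address Apache supplies first and the proxy's own 127.0.0.1 last, as Guacamole logs it behind a proxy.

```python
import ipaddress
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with a named group before compiling a
# failregex. This is the expansion fail2ban 0.9 uses (assumed here so the
# block runs without importing fail2ban itself).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The regex shipped in filter.d/guacamole.conf that the post replaces ...
OLD_FAILREGEX = r'^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$'
# ... and the corrected one from the post.
NEW_FAILREGEX = r'\bAuthentication attempt from \[<HOST>(?:,.*)?\] for user ".*" failed\.'

# Constructed catalina.out lines (not captured from a real system). The
# timestamp/thread/logger prefix is illustrative; the message text is what the
# filter matches. Behind the Apache proxy the forwarded client address comes
# first and the proxy's own address (127.0.0.1) last. The final line is a client
# at 203.0.113.7 that sent its own "X-Forwarded-For: 198.51.100.9" header, which
# mod_proxy_http appends to rather than replaces.
SAMPLE_LOG = """\
21:14:02.118 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7, 127.0.0.1] for user "admin" failed.
21:14:05.902 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7, 127.0.0.1] for user "root" failed.
21:14:09.441 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7, 127.0.0.1] for user "guest" failed.
21:14:12.020 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.168.1.50, 127.0.0.1] for user "alice" failed.
21:14:15.777 [http-nio-8080-exec-5] INFO  o.a.g.r.auth.AuthenticationService - User "alice" successfully authenticated from [192.168.1.50, 127.0.0.1].
21:14:20.305 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [198.51.100.9, 203.0.113.7, 127.0.0.1] for user "admin" failed.
"""


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def failed_hosts(log_text, failregex):
    """Return the host captured from every line the filter flags, in log order.
    fail2ban matches line by line, so the old regex's "\\n" can never match."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


def ban_candidates(log_text, failregex, maxretry=3,
                   ignoreip=("127.0.0.1/8", "::1", "192.168.1.0/24")):
    """Approximate the jail decision: count flagged lines per host, skip the
    ignoreip ranges, and report hosts that reached maxretry. findtime, the
    window fail2ban counts within, is deliberately ignored in this sketch."""
    ignored = [ipaddress.ip_network(net, strict=False) for net in ignoreip]
    counts = Counter(failed_hosts(log_text, failregex))
    banned = {}
    for host, failures in counts.items():
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a hostname; fail2ban would resolve it, this sketch does not
        if any(addr in net for net in ignored):
            continue
        if failures >= maxretry:
            banned[host] = failures
    return banned


if __name__ == "__main__":
    print("old regex flags:", failed_hosts(SAMPLE_LOG, OLD_FAILREGEX))
    print("new regex flags:", failed_hosts(SAMPLE_LOG, NEW_FAILREGEX))
    print("would ban:", ban_candidates(SAMPLE_LOG, NEW_FAILREGEX))
```

Run it with python3. fail2ban's own fail2ban-regex /var/log/tomcat8/catalina.out /etc/fail2ban/filter.d/guacamole.conf performs the same check against the real filter and the real log. The last sample line shows the caveat that comes with the corrected regex: <HOST> captures the leftmost bracketed address, and because mod_proxy_http appends the connecting address to any X-Forwarded-For header the client itself sent, that leftmost value can be chosen by the client. If that matters in your environment, strip the header at Apache before proxying (RequestHeader unset X-Forwarded-For early, which needs a2enmod headers); that is my suggestion, not something the original post configures.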
Now, enable fail2ban to start on boot (enabling does not start it in the current session; start it as well, and check that fail2ban-client status lists the guacamole jail):
systemctl enable fail2ban
Home straight now: ufw config. The commands below are specifically designed for the solution outlined in this post, so please review them and consider the rules that apply to your environment. If you lose access to your server it's not my fault! In particular, if you administer the box over SSH, add a rule allowing SSH from your management network before running ufw enable, because ufw's default policy denies all other inbound traffic (which is also what keeps Tomcat's ports 8080 and 8009 off the network).
# Install Uncomplicated Firewall
apt-get install ufw
# Allow HTTPS from 192.168.1.0/24 to the guacamole/apache2 server
ufw allow from 192.168.1.0/24 to 192.168.1.249 port 443 proto tcp
# Allow HTTP from the local LAN (for the redirect only)
ufw allow from 192.168.1.0/24 to 192.168.1.249 port 80 proto tcp
# Enable the firewall
ufw enable
5 replies on “Debian 8.6, Proxy guacamole via Apache2 using HTTPS and Fail2Ban”
Hi, I'm trying to get this working on my test guacamole install, but no luck. I'm just interested in the HTTPS side of things at the moment. I'm lost with the certificates: where do you get those two .crt's? Also, the Apache2 config threw me an error saying there is a virtual host not closed, and I think there is; it looks like you have the last two lines duplicated. I'm trying to get this working with Apache as I failed to get it working (HTTPS) on tomcat8.
Thanks for the heads-up re the Apache config. You were right, I had duplicated the last two lines with copy and paste. So, I have moved all of my config to NGINX. SSL certificate info can be found here (it also works with Apache, but you will need to change the config): https://www.cb-net.co.uk/linux/using-lets-encrypt-with-an-nginx-docker-container-plus-bye-bye-startssl/ plus initial config/setup: https://www.cb-net.co.uk/linux/running-guacamole-from-a-docker-container-on-ubuntu-16-04-lts-16-10/
If you continue with Apache, use “Let’s Encrypt” to generate the two crt files.
No problem. Thanks for getting back to me on the certificate side of things. I went via the proxy route because I wasn't managing to get tomcat/catalina to work with HTTPS/SSL; I have managed to get this working now, so no need for proxies for the time being.
Thanks and Regards
M