Remote access to servers is an integral part of most system administrators' work. There are several ways to get remote access to systems, the most popular being SSH. Guacamole is a web-based application that can also be used to gain remote access to a system. One of its notable features is that it supports several protocols, including RDP, SSH and VNC. It can be used to gain access to multiple devices such as computers, tablets and phones.

In our previous guides, we have walked through how to install the Guacamole Remote Desktop. To achieve that, follow any of the below guides:

Securing the traffic to the Guacamole web application is vital, more so if it is running in a production environment. It protects the traffic from travelling over an unprotected wire. Protecting Guacamole has several other benefits, among them meeting compliance requirements in production environments, authentication and trust, data integrity and data confidentiality.

By following this guide, you should be able to configure Nginx Proxy For Guacamole With Let’s Encrypt SSL.

1. Install and Configure Nginx Proxy

Before we begin you need to install the Nginx web server on your system. This can be done using the below commands:

##On Debian/Ubuntu
sudo apt update -y
sudo apt install nginx -y

##On RHEL/Rocky Linux/Alma Linux/CentOS
sudo yum install nginx -y

Once installed, you need to create a reverse proxy for Guacamole.

sudo vim /etc/nginx/conf.d/guacamole.conf

In the file, add the below lines and replace the server name correctly:

server {
	listen 80;
	server_name guacamole.computingforgeeks.com;

	access_log  /var/log/nginx/guac_access.log;
	error_log  /var/log/nginx/guac_error.log;

	location / {
		    proxy_pass http://localhost:8080/guacamole/;
		    proxy_buffering off;
		    proxy_http_version 1.1;
		    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		    proxy_set_header Upgrade $http_upgrade;
		    proxy_set_header Connection $http_connection;
		    proxy_cookie_path /guacamole/ /;
	}

}

Save the file and restart nginx.

sudo systemctl restart nginx

Allow HTTP traffic on port 80 through the firewall:

##For UFW
sudo ufw allow 80/tcp

##For Firewalld
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload

You should now be able to access Guacamole using your domain name as shown:

[Screenshot: Configure Nginx Proxy For Guacamole With Lets Encrypt SSL]

2. Generate SSL Certificates for Guacamole

To be able to secure the site, we need to generate SSL certificates. There are two options, depending on your setup:

  • Using Let’s Encrypt
  • Using Self-signed certs

Option 1: Generate Let’s Encrypt SSL certs

This option is for those who have an FQDN. Let’s Encrypt issues free, trusted SSL certificates for the domain name. But first, we need to install certbot:

##On RHEL/CentOS/Rocky Linux/Fedora
sudo yum install epel-release -y
sudo dnf install certbot python3-certbot-nginx

##On Debian/Ubuntu
sudo apt update
sudo apt install certbot python3-certbot-nginx

Now you can issue the certs for the domain name with the command:

sudo certbot --nginx

Proceed and generate the trusted certs as shown:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): Enter a valid Email address here          

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: guacamole.computingforgeeks.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

Requesting a certificate for guacamole.computingforgeeks.com
Performing the following challenges:
http-01 challenge for guacamole.computingforgeeks.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/guacamole.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/guacamole.conf

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/guacamole.computingforgeeks.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/guacamole.computingforgeeks.com/privkey.pem
This certificate expires on 2022-01-09.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

After this, the Nginx configuration file for Guacamole will have been updated with the SSL certificate paths and a redirect from port 80, and you can proceed to access the site via HTTPS.

Option 2: Generate Self-signed SSL certs

This option can be vital for those who do not have a Fully Qualified Domain Name. To generate self-signed certs, install openssl and create a request configuration file as shown:

vim guacamole_ssl.conf

In the file, add the below lines, replacing values where required:

[req]
default_bits       = 2048
default_keyfile    = guacamole_ssl.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
countryName                 = Country Name (2 letter code)
countryName_default         = KE
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Nairobi
localityName                = Locality Name (eg, city)
localityName_default        = Nairobi
organizationName            = Organization Name (eg, company)
organizationName_default    = Computingforgeeks
organizationalUnitName      = organizationalunit
organizationalUnitName_default = Development
commonName                  = guacamole.computingforgeeks.com
commonName_default          = Your_IP-Address
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names

[alt_names]
# clients match an address against IP.n entries only; a DNS.n entry holding an address is never matched
DNS.1   = localhost
IP.1    = Your_IP-Address

Once replaced, generate the certs with the command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout guacamole_ssl.key -out guacamole_ssl.crt -config guacamole_ssl.conf

Once generated, copy the certificate to the /etc/ssl/certs directory and the key to /etc/ssl/private:

sudo cp  guacamole_ssl.crt /etc/ssl/certs/guacamole_ssl.crt
sudo mkdir -p /etc/ssl/private/
sudo cp  guacamole_ssl.key /etc/ssl/private/guacamole_ssl.key
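The following script is an added example and not part of the original guide. It issues a self-signed certificate the same way as above, but with a non-interactive request file (prompt = no) that carries the hostname as a DNS entry and the address as an IP entry in the subjectAltName, keeps the key owner-readable only, and then asks OpenSSL's own name matcher (the logic a TLS client applies) whether a given hostname or IPv4 address is covered. The host name guacamole.test and the addresses from 192.0.2.0/24 and 203.0.113.0/24 are constructed placeholders; the DN values are the guide's.

```shell
#!/bin/sh
# Added example, not part of the original guide: issue a self-signed certificate whose
# subjectAltName carries the hostname as a DNS entry and the address as an IP entry,
# then verify both with OpenSSL's own name matcher. Host, IP and the 192.0.2.0/24 and
# 203.0.113.0/24 addresses used here are constructed placeholders; DN values are the guide's.

# make_selfsigned_cert DIR HOST IP  -> writes DIR/guacamole_ssl.crt and DIR/guacamole_ssl.key
make_selfsigned_cert() {
    dir="$1"; host="$2"; ip="$3"
    # prompt = no makes the run non-interactive: values come from the file, not from stdin.
    cat > "$dir/guacamole_ssl.conf" <<EOF
[req]
default_bits       = 2048
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ext

[dn]
C  = KE
ST = Nairobi
L  = Nairobi
O  = Computingforgeeks
OU = Development
CN = $host

[v3_ext]
# Clients match names against the SAN, not the CN; an address must be an IP.n entry,
# a DNS.n entry holding an address is never matched.
subjectAltName   = @alt_names
basicConstraints = CA:FALSE

[alt_names]
DNS.1 = $host
IP.1  = $ip
EOF
    # -nodes: unencrypted key so Nginx can start unattended; so restrict it to the owner.
    (umask 077 && openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/guacamole_ssl.key" -out "$dir/guacamole_ssl.crt" \
        -config "$dir/guacamole_ssl.conf") || return 1
    chmod 600 "$dir/guacamole_ssl.key"
}

# cert_matches CRT NAME -> exit 0 when NAME (hostname or IPv4 address) matches the SAN.
cert_matches() {
    case "$2" in
        *[!0-9.]*) check=-checkhost ;;   # anything beyond digits and dots: a hostname
        *)         check=-checkip ;;
    esac
    openssl x509 -in "$1" -noout "$check" "$2" 2>/dev/null | grep -q ' does match certificate'
}

# show_san CRT -> prints the SAN line so you can see what was issued.
show_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: sh selfsigned.sh /tmp/certs guacamole.computingforgeeks.com 203.0.113.10
if [ "$#" -eq 3 ]; then
    mkdir -p "$1" && make_selfsigned_cert "$1" "$2" "$3" && show_san "$1/guacamole_ssl.crt" \
        && cert_matches "$1/guacamole_ssl.crt" "$2" && echo "SAN covers $2" \
        && cert_matches "$1/guacamole_ssl.crt" "$3" && echo "SAN covers $3"
fi
```

Run it with a directory, the hostname and the IP address you will type into the browser; if cert_matches fails for the address you use, the browser will refuse the certificate for the same reason, whatever you import into its trust store.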

Now modify your Nginx Configuration to accommodate the certs:

sudo vim /etc/nginx/conf.d/guacamole.conf

In the file, add the lines:

server {
	listen 80;
	server_name guacamole.computingforgeeks.com;
	return 301 https://$host$request_uri;
}
server {
	listen 443 ssl;
	server_name guacamole.computingforgeeks.com;
	root /var/www/html;
	index index.html index.htm index.nginx-debian.html;

	access_log  /var/log/nginx/guac_access.log;
	error_log  /var/log/nginx/guac_error.log;

	ssl_certificate /etc/ssl/certs/guacamole_ssl.crt;
	ssl_certificate_key /etc/ssl/private/guacamole_ssl.key;
	ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

	location / {
		    proxy_pass http://localhost:8080/guacamole/;
		    proxy_buffering off;
		    proxy_http_version 1.1;
		    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		    proxy_set_header Upgrade $http_upgrade;
		    proxy_set_header Connection $http_connection;
		    proxy_cookie_path /guacamole/ /;
	}

}

Save the changes and restart Nginx:

sudo systemctl restart nginx
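The following script is an added example and not part of the original guide. It audits the Nginx site file from either option above (the certbot-written one or the self-signed one) for the settings this guide touches: the ssl_protocols line, which in the block above still enables TLSv1 and TLSv1.1, the absence of an HSTS header, a port-80 listener without a redirect, and the proxy directives Guacamole needs. It also carries a hardened version of the HTTPS server block with TLSv1.2/TLSv1.3 only and HSTS, so you can compare the two. The audit is file-level (it does not know which server block a directive sits in) and assumes only sh, grep and awk; the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the original guide: a file-level audit of the Nginx site that
# fronts Guacamole, covering the settings this guide touches. Findings go to stdout, one
# per line; exit status is 1 when there are findings and 0 when the file is clean.
# Needs only sh, grep and awk; it does not talk to Nginx or the network.

audit_guac_config() {
    f="$1"; n=0
    if grep -Eq '^[[:space:]]*(listen[[:space:]].*443|ssl_certificate[[:space:]])' "$f"; then
        # Deprecated protocol versions. Nginx before 1.23.4 enables TLSv1 and TLSv1.1 when
        # ssl_protocols is absent, so an explicit modern list is the only safe setting.
        weak=$(awk '/^[ \t]*ssl_protocols[ \t]/ { sub(/;.*/, "");
            for (i = 2; i <= NF; i++) if ($i == "TLSv1" || $i == "TLSv1.1") printf "%s ", $i }' "$f")
        if ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]' "$f"; then
            echo "ssl_protocols not set: older Nginx defaults include TLSv1 and TLSv1.1"; n=$((n + 1))
        elif [ -n "$weak" ]; then
            echo "ssl_protocols enables deprecated versions: $weak"; n=$((n + 1))
        fi
        # Without HSTS a returning browser still tries http:// first, and that hop is in clear.
        if ! grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$f"; then
            echo "no HSTS header: a typed-in name is first requested over plain HTTP"; n=$((n + 1))
        fi
    fi
    # A port-80 listener should hand clients to HTTPS rather than proxy Guacamole in clear.
    if grep -Eq '^[[:space:]]*listen[[:space:]]+80' "$f" && ! grep -Eq 'return[[:space:]]+301[[:space:]]+https://' "$f"; then
        echo "listen 80 without a redirect to https://"; n=$((n + 1))
    fi
    # Directives Guacamole needs behind a proxy: websocket upgrade, no buffering, cookie path.
    for d in 'proxy_buffering[[:space:]]+off' 'proxy_http_version[[:space:]]+1\.1' \
             'proxy_set_header[[:space:]]+Upgrade' 'proxy_set_header[[:space:]]+Connection' \
             'proxy_cookie_path[[:space:]]+/guacamole/'; do
        grep -Eq "^[[:space:]]*$d" "$f" || { echo "missing directive matching: $d"; n=$((n + 1)); }
    done
    [ "$n" -eq 0 ]
}

# The guide's own HTTPS block, reduced to the lines the audit looks at (constructed sample).
weak_config() {
    cat <<'EOF'
server {
    listen 80;
    server_name guacamole.computingforgeeks.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name guacamole.computingforgeeks.com;
    ssl_certificate /etc/ssl/certs/guacamole_ssl.crt;
    ssl_certificate_key /etc/ssl/private/guacamole_ssl.key;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    location / {
        proxy_pass http://localhost:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
    }
}
EOF
}

# Hardened version of the same block (cert paths are the guide's self-signed ones; swap in
# the /etc/letsencrypt/live/... paths if certbot issued your certificate).
hardened_config() {
    cat <<'EOF'
server {
    listen 80;
    server_name guacamole.computingforgeeks.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name guacamole.computingforgeeks.com;
    ssl_certificate /etc/ssl/certs/guacamole_ssl.crt;
    ssl_certificate_key /etc/ssl/private/guacamole_ssl.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://localhost:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_cookie_path /guacamole/ /;
    }
}
EOF
}

# Usage: sh audit.sh /etc/nginx/conf.d/guacamole.conf   (then: sudo nginx -t after any change)
[ "$#" -eq 0 ] || audit_guac_config "$1"
```

Run the audit against /etc/nginx/conf.d/guacamole.conf before restarting Nginx; on the block above it reports the deprecated TLS versions and the missing HSTS header, and on the hardened block it reports nothing. After editing, `sudo nginx -t` validates the syntax before the restart.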

3. Access Guacamole Using HTTPS

Once the above configs have been made, ensure that you allow HTTPS traffic through your firewall if you have it enabled:

##For UFW 
sudo ufw allow 443/tcp

##For Firewalld
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

Now access the service using the URL https://domain_name. If all is okay, you should see this:

[Screenshot: Configure Nginx Proxy For Guacamole With Lets Encrypt SSL 1]

Final Thoughts

That is it! You have successfully secured the Guacamole traffic using the Nginx proxy. In this guide, we have seen how to generate certs with Let’s Encrypt as well as how to generate self-signed certs for dev environments. I hope this was elaborate enough.
