Install Guacamole on Docker with Traefik and 2FA
Note
I finally found how to get Wake on LAN working from Guacamole in docker, check out this guide.
Note
If you want to install Guacamole with postgres database check out this guide.
Remotely accessing an SSH terminal or graphics session with VNC/RDP can be very useful. Particularly if you have a lot of devices and if you regularly change your workstation. Guacamole is one of the open source solutions on the market. Unfortunately there is not a single docker container to install and it’s not easy to find a complete guide for installation from start to finish.
Below I’ve created a small guide to install Guacamole with a mysql database for user management and integration with Traefik to have an https connection.
Requirements
- Working installation of Traefik and related certificates for https (see basic example)
- Access with SSH to the machine where
dockeris installed
Installation procedure
Mysql database
- Generate initialization file for mysql database (may need sudo)
docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql > initdb.sql
The generated file must be passed (linked as a volume) to the database to import the structure needed for Guacamole
Launch and create the database container (you may need sudo)
docker-compose up -d guacamole-db
Guacamole
- Create the two Guacamole containers by running the following command (you may need sudo). Given the dependencies of the various containers, both will be created.
docker-compose up -d guacamole
Guacamole is up and running and you can connect to the interface at: https://guacamole.example.com First login details are:
- user: guacadmin
- password: guacadmin
I suggest you duplicate the default account and create a new administrator account. Then login with the new account and delete the default one.
2FA for Guacamole
Since version 1.3.0 TOTP is integrated into the docker container (PR 471), unfortunately the documentation has not been updated yet.
When the Guacamole installation is working, it is recommended to enable 2-factor authentication (2FA).
Add the parameter
TOTP_ENABLED: 'true'to theguacamolecontainer. At the first login you will be presented with the QR to activate 2FA and asked to enter a code to confirm.
Docker compose
guacd:
image: guacamole/guacd
container_name: guacd
hostname: guacd
restart: unless-stopped
volumes:
- /volume1/docker/guacamole/guacd/drive:/drive:rw
- /volume1/docker/guacamole/guacd/record:/record:rw
guacamole:
image: guacamole/guacamole
container_name: guacamole
hostname: guacamole
restart: unless-stopped
depends_on:
- guacd
- guacamole-db
environment:
GUACD_HOSTNAME: guacd
MYSQL_HOSTNAME: guacamole-db
MYSQL_DATABASE: guacamole_db
MYSQL_USER: guacamole_user
MYSQL_PASSWORD: ${GUACAMOLE_PASSWORD}
#TOTP_ENABLED: 'true'
links:
- guacd
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.guacamole.rule=Host(`guacamole.${DOMAIN}`)'
- 'traefik.http.routers.guacamole.entrypoints=web-secure'
- 'traefik.http.routers.guacamole.tls=true'
- "traefik.http.routers.guacamole.tls.certresolver=certificato"
- "traefik.http.routers.guacamole.tls.domains[0].main=*.${DOMAIN}"
#- "traefik.http.routers.guacamole.tls.options=myTLSOptions@file"
- "traefik.http.routers.guacamole.service=guacamoleService"
- "traefik.http.routers.guacamole.middlewares=guacamoleMdl"
- "traefik.http.middlewares.guacamoleMdl.addprefix.prefix=/guacamole"
- "traefik.http.services.guacamoleService.loadBalancer.server.port=8080"
guacamole-db:
image: mysql/mysql-server
container_name: guacamole-db
hostname: guacamole-db
environment:
MYSQL_USER: guacamole_user
MYSQL_PASSWORD: ${GUACAMOLE_PASSWORD}
MYSQL_DATABASE: guacamole_db
restart: unless-stopped
volumes:
- ./initdb.sql:/initdb.sql #DB configuration file
- /volume1/docker/guacamole/database:/var/lib/mysql/:rw
Credits Image Steve Buissinne from Pixabay