My boring Blog

Mauro Frigerio blog

Install Guacamole on Docker with Traefik and 2FA

13-07-2021

Remotely accessing an SSH terminal or a graphical session over VNC/RDP can be very useful, particularly if you have a lot of devices or regularly change workstation. Guacamole is one of the open source solutions on the market. Unfortunately there is no single Docker container to install, and it is not easy to find a complete guide that covers the installation from start to finish.

Below I've put together a small guide to install Guacamole with a MySQL database for user management, integrated with Traefik so that the connection is served over HTTPS.

Requirements

  • Working installation of Traefik with the related certificates for HTTPS (see basic example)
  • SSH access to the machine where Docker is installed

Installation procedure

Mysql database

  1. Generate the initialization file for the MySQL database (may need sudo):

     docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql > initdb.sql

  2. The generated file must be passed (mounted as a volume) to the database container so that the schema Guacamole needs is imported when the database starts for the first time.

  3. Create and start the database container (you may need sudo):

     docker-compose up -d guacamole-db

Guacamole

  1. Create the two Guacamole containers by running the following command (you may need sudo). Because of the dependencies declared between the containers, both guacd and guacamole will be created:

     docker-compose up -d guacamole

  2. Guacamole is now up and running and you can connect to the interface at https://guacamole.example.com. The initial login details are:

     • user: guacadmin
     • password: guacadmin

  3. I suggest you duplicate the default account to create a new administrator account, then log in with the new account and delete the default one.

2FA for Guacamole

Since version 1.3.0, TOTP support has been built into the Docker image (PR 471); unfortunately the documentation has not been updated yet.

  1. Once the Guacamole installation is working, it is recommended to enable two-factor authentication (2FA).

  2. Add the parameter TOTP_ENABLED: 'true' to the environment of the guacamole container (it is present but commented out in the compose file below) and recreate the container. At the first login you will be presented with a QR code to enrol your authenticator app and asked to enter a code to confirm.
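To show what the QR enrolment above actually establishes, here is an added example (not code from the original post or from the Guacamole project) that implements the RFC 6238 TOTP check behind a 6-digit code, assuming Guacamole's defaults of SHA-1, 6 digits and a 30-second period, plus a per-user verifier that refuses a code whose time step was already accepted; the secret is the RFC 6238 reference secret, not a real enrolment.

```python
"""RFC 6238 TOTP generation and verification, standard library only."""
import base64
import hmac
import struct

# Constructed example: the RFC 6238 reference secret ("12345678901234567890"),
# base32-encoded as it would appear in an otpauth:// enrolment URI.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated (RFC 4226)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """The code shown by an authenticator app at Unix time `at`."""
    return hotp(secret_b32, at // period, digits)


def verify(secret_b32: str, code: str, at: int, window: int = 1, period: int = 30) -> bool:
    """Accept the code for the current step and `window` steps either side (clock skew).
    Compare in constant time so a wrong guess does not leak how many digits matched."""
    step = at // period
    return any(hmac.compare_digest(hotp(secret_b32, step + d), code)
               for d in range(-window, window + 1) if step + d >= 0)


class TotpVerifier:
    """Per-user verifier that also rejects reuse of an already-accepted time step."""

    def __init__(self, secret_b32: str, window: int = 1, period: int = 30):
        self.secret, self.window, self.period = secret_b32, window, period
        self.last_step = -1  # highest step for which a code has been accepted

    def check(self, code: str, at: int) -> bool:
        step = at // self.period
        for d in range(-self.window, self.window + 1):
            candidate = step + d
            if candidate <= self.last_step:  # already used or before the last success
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False
```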

Docker compose

The post shows only the services section; the version and services keys are added here so the file is complete. GUACAMOLE_PASSWORD and DOMAIN are read from a .env file next to the compose file.

version: '3'

services:
  guacd:
    image: guacamole/guacd
    container_name: guacd
    hostname: guacd
    restart: unless-stopped
    volumes:
      - /volume1/docker/guacamole/guacd/drive:/drive:rw
      - /volume1/docker/guacamole/guacd/record:/record:rw

  guacamole:
    image: guacamole/guacamole
    container_name: guacamole
    hostname: guacamole
    restart: unless-stopped
    depends_on:
      - guacd
      - guacamole-db
    environment:
      GUACD_HOSTNAME: guacd
      MYSQL_HOSTNAME: guacamole-db
      MYSQL_DATABASE: guacamole_db
      MYSQL_USER: guacamole_user
      MYSQL_PASSWORD: ${GUACAMOLE_PASSWORD}
      #TOTP_ENABLED: 'true'          # uncomment to enable 2FA (see above)
    links:
      - guacd
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.guacamole.rule=Host(`guacamole.${DOMAIN}`)'
      - 'traefik.http.routers.guacamole.entrypoints=web-secure'
      - 'traefik.http.routers.guacamole.tls=true'
      - "traefik.http.routers.guacamole.tls.certresolver=certificato"
      - "traefik.http.routers.guacamole.tls.domains[0].main=*.${DOMAIN}"
      #- "traefik.http.routers.guacamole.tls.options=myTLSOptions@file"
      - "traefik.http.routers.guacamole.service=guacamoleService"
      - "traefik.http.routers.guacamole.middlewares=guacamoleMdl"
      # the web app is served under /guacamole inside the container
      - "traefik.http.middlewares.guacamoleMdl.addprefix.prefix=/guacamole"
      - "traefik.http.services.guacamoleService.loadBalancer.server.port=8080"

  guacamole-db:
    image: mysql/mysql-server
    container_name: guacamole-db
    hostname: guacamole-db
    environment:
      MYSQL_USER: guacamole_user
      MYSQL_PASSWORD: ${GUACAMOLE_PASSWORD}
      MYSQL_DATABASE: guacamole_db
    restart: unless-stopped
    volumes:
      # schema generated in step 1; the MySQL image runs scripts placed in
      # /docker-entrypoint-initdb.d on the first start of an empty data directory
      - ./initdb.sql:/docker-entrypoint-initdb.d/initdb.sql
      - /volume1/docker/guacamole/database:/var/lib/mysql/:rw


Credits: image by Steve Buissinne from Pixabay