Now that I have apache configured properly, I am trying to get guacamole to 
connect to a vnc server (tightvnc) running on the remote machine. Here is the 
listen topology:

[sudo] password for dnessett:
systemd-r  761 systemd-resolve   13u  IPv4  21740      0t0  TCP 127.0.0.53:53 (LISTEN)
cupsd      841            root    6u  IPv6  21239      0t0  TCP [::1]:631 (LISTEN)
cupsd      841            root    7u  IPv4  21240      0t0  TCP 127.0.0.1:631 (LISTEN)
sslh      1013            sslh    3u  IPv4  22309      0t0  TCP *:443 (LISTEN)
vsftpd    1034            root    3u  IPv6  22988      0t0  TCP *:21 (LISTEN)
sslh      1065            sslh    3u  IPv4  22309      0t0  TCP *:443 (LISTEN)
sshd      1120            root    3u  IPv4  26823      0t0  TCP *:22 (LISTEN)
sshd      1120            root    4u  IPv6  26825      0t0  TCP *:22 (LISTEN)
mysqld    1159           mysql   27u  IPv4  25725      0t0  TCP 127.0.0.1:3306 (LISTEN)
guacd     1312            root    4u  IPv4  23546      0t0  TCP 127.0.0.1:4822 (LISTEN)
java      4413          tomcat   41u  IPv6  50060      0t0  TCP *:8080 (LISTEN)
Xtightvnc 5990        dnessett    0u  IPv4  59523      0t0  TCP *:6001 (LISTEN)
Xtightvnc 5990        dnessett    3u  IPv4  59525      0t0  TCP *:5901 (LISTEN)
apache2   6163            root    4u  IPv6  57230      0t0  TCP *:4443 (LISTEN)
apache2   6164        www-data    4u  IPv6  57230      0t0  TCP *:4443 (LISTEN)
apache2   6165        www-data    4u  IPv6  57230      0t0  TCP *:4443 (LISTEN)
apache2   6166        www-data    4u  IPv6  57230      0t0  TCP *:4443 (LISTEN)
apache2   6167        www-data    4u  IPv6  57230      0t0  TCP *:4443 (LISTEN)
apache2   6168        www-data    4u  IPv6  57230      0t0  TCP *:4443 (LISTEN)
apache2   6173        www-data    4u  IPv6  57230      0t0  TCP *:4443 (LISTEN)
apache2   6175        www-data    4u  IPv6  57230      0t0  TCP *:4443 (LISTEN)
apache2   6176        www-data    4u  IPv6  57230      0t0  TCP *:4443 (LISTEN)
apache2   6193        www-data    4u  IPv6  57230      0t0  TCP *:4443 (LISTEN)
apache2   6320        www-data    4u  IPv6  57230      0t0  TCP *:4443 (LISTEN)

This shows that tightvnc is listening on 5901, guacd is listening on 4822, and 
tomcat on 8080.

In /etc/guacamole, the guacamole properties are:

# MySQL properties
mysql-hostname: 127.0.0.1
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password:  xxxxxxxxxxxxx

hostname: 127.0.0.1
port: 5901
color-depth: 8

And user-mapping.xml is:

<user-mapping>

    <!-- Per-user authentication and config information -->
    <authorize
            username="dnessett"
            password="xxxxxxxxxx">

        <!-- First authorized connection -->
        <connection name="localhost">
            <protocol>vnc</protocol>
            <param name="hostname">localhost</param>
            <param name="port">5901</param>
            <param name="password">VNCPASS</param>
        </connection>

    </authorize>

</user-mapping>

The username and password are copied to the connection settings when I 
create/modify the connection for a user I created using 
https://server.mountolive.com:22553/guacamole. The connection settings are 
shown in the attached screenshot.

Note that the user on the remote machine I am attempting to login to is also 
called dnessett. I am perhaps getting confused between the guacd user and the 
remote machine user.

Anyway, syslog indicates an authentication failure (I have elided syslog 
messages not pertaining to the guacd problem):

Dec 22 13:40:37 Mount guacd[1312]: Creating new client for protocol "vnc"
Dec 22 13:40:37 Mount guacd[1312]: Connection ID is "$bb639d6b-2dde-4dd6-9b98-f2a9d676f896"
Dec 22 13:40:37 Mount guacd[6306]: Cursor rendering: local
Dec 22 13:40:37 Mount guacd[6306]: User "@52065c88-03c8-4e6d-b71b-8178c5b5f5e7" joined connection "$bb639d6b-2dde-4dd6-9b98-f2a9d676f896" (1 users now present)
Dec 22 13:40:37 Mount guacd[6306]: VNC server supports protocol version 3.8 (viewer 3.8)
Dec 22 13:40:37 Mount guacd[6306]: We have 2 security types to read
Dec 22 13:40:37 Mount guacd[6306]: 0) Received security type 2
Dec 22 13:40:37 Mount guacd[6306]: Selecting security type 2 (0/2 in the list)
Dec 22 13:40:37 Mount guacd[6306]: 1) Received security type 16
Dec 22 13:40:37 Mount tomcat9[4413]: 13:40:37.623 [http-nio-8080-exec-8] INFO  o.a.g.tunnel.TunnelRequestService - User "dnessett" connected to connection "2".
Dec 22 13:40:37 Mount tomcat9[4413]: 13:40:37.624 [http-nio-8080-exec-8] INFO  o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.
Dec 22 13:40:37 Mount guacd[6306]: Selected Security Scheme 2

...

Dec 22 13:40:37 Mount guacd[6306]: VNC connection failed: Authentication failed

...

Dec 22 13:40:37 Mount guacd[6306]: Unable to connect to VNC server.

...

Dec 22 13:40:37 Mount guacd[6306]: User "@52065c88-03c8-4e6d-b71b-8178c5b5f5e7" disconnected (0 users remain)
Dec 22 13:40:37 Mount guacd[6306]: Last user of connection "$bb639d6b-2dde-4dd6-9b98-f2a9d676f896" disconnected
Dec 22 13:40:37 Mount guacd[1312]: Connection "$bb639d6b-2dde-4dd6-9b98-f2a9d676f896" removed.
Dec 22 13:40:52 Mount tomcat9[4413]: 13:40:52.700 [http-nio-8080-exec-6] INFO  o.a.g.tunnel.TunnelRequestService - User "dnessett" disconnected from connection "2". Duration: 15076 milliseconds
Dec 22 13:40:52 Mount tomcat9[4413]: 13:40:52.705 [http-nio-8080-exec-6] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.

Also note that guacamole is not using websockets, but is using an http tunnel. 
However, the apache VH block specifies:

<VirtualHost *:4443>
        ServerName server.mountolive.com
        DocumentRoot /mnt/raid5/webserver/sites/MOserver
        Header always unset X-Frame-Options

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        RewriteEngine on
        RewriteRule "^/guacamole$" "/guacamole/" [R=302]

        <Directory "/mnt/raid5/webserver/sites/MOserver">
            Require all granted
        </Directory>

        <Location /guacamole/>
         ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
         ProxyPassReverse http://127.0.0.1:8080/guacamole/
        </Location>

        <Location /websocket-tunnel>
         ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
         ProxyPassReverse  ws://127.0.0.1:8080/guacamole/websocket-tunnel
        </Location>

        SSLEngine on
        SSLCertificateFile /root/.acme.sh/*.mountolive.com/fullchain.cer
        SSLCertificateKeyFile /root/.acme.sh/*.mountolive.com/*.mountolive.com.key
</VirtualHost>

[Note that I put the two <Location> blocks in the right order, as given in the 
mod_proxy instructions]

I am getting really confused about how to configure the correct authentication 
information. Do I supply the username and password of the user on the remote 
machine in  user-mapping.xml and the connection setup or do I supply the 
guacamole username and password?
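
An added example, not part of the original post and not Guacamole project code: a Python triage of the guacd lines quoted above. It maps the RFB security-type numbers in the log to their registered names and reports which credential the failed step checked; type 2 ("VNC Authentication") is a challenge-response on the VNC server's own password and carries no username. The function name and result layout are assumptions of this example.

```python
import re

# RFB security-type numbers and names (RFC 6143 / IANA RFB registry).
RFB_SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 16: "Tight",
                      18: "TLS", 19: "VeNCrypt"}

# guacd[6306] lines copied from the syslog excerpt in the post (wraps rejoined).
SAMPLE_LOG = """\
Dec 22 13:40:37 Mount guacd[6306]: VNC server supports protocol version 3.8 (viewer 3.8)
Dec 22 13:40:37 Mount guacd[6306]: We have 2 security types to read
Dec 22 13:40:37 Mount guacd[6306]: 0) Received security type 2
Dec 22 13:40:37 Mount guacd[6306]: Selecting security type 2 (0/2 in the list)
Dec 22 13:40:37 Mount guacd[6306]: 1) Received security type 16
Dec 22 13:40:37 Mount guacd[6306]: Selected Security Scheme 2
Dec 22 13:40:37 Mount guacd[6306]: VNC connection failed: Authentication failed
Dec 22 13:40:37 Mount guacd[6306]: Unable to connect to VNC server.
"""

def triage_vnc_handshake(log_text):
    """Summarise the RFB security negotiation recorded in guacd log lines."""
    offered, selected, failure = [], None, None
    for line in log_text.splitlines():
        m = re.search(r"guacd\[\d+\]: (.*)$", line)
        if not m:
            continue  # skip tomcat and other daemons
        msg = m.group(1)
        if t := re.search(r"Received security type (\d+)", msg):
            offered.append(int(t.group(1)))
        elif t := re.search(r"Selected Security Scheme (\d+)", msg):
            selected = int(t.group(1))
        elif t := re.search(r"VNC connection failed: (.*)", msg):
            failure = t.group(1)
    credential = None
    if failure and "Authentication" in failure:
        if selected == 2:
            # Type 2 checks only the VNC password; no username is sent.
            credential = "VNC server password (connection parameter 'password')"
        elif selected is not None:
            credential = "credentials for scheme " + RFB_SECURITY_TYPES.get(selected, str(selected))
    return {"offered": offered,
            "offered_names": [RFB_SECURITY_TYPES.get(n, "unknown") for n in offered],
            "selected": selected, "failure": failure, "credential": credential}

if __name__ == "__main__":
    for key, value in triage_vnc_handshake(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```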



