Reinier

I've dumped this page from my company wiki to .pdf: 
https://github.com/gerdesj/Various/blob/main/Ubuntu%20Server_Apache%20Guacamole.pdf
The install is on Ubuntu 22.04 LTS.

By following the procedures in there I get a system that I can support.  I've 
deployed at least four systems from that page without any further changes 
needed.  I don't use a container because I can't get SSL CA certs to import in 
the way they should according to the docs.  I need that for LDAPS connections 
for authentication.  I also compile by hand because the RADIUS plugin is GPL.

Hope that helps.  If you document everything then you will pass audits etc.  
The procedure is just for Guacamole; you'll need more for the server setup etc. 
I recommend your Guac box is in your DMZ and has a host-based firewall on it.  
It should have no internet access except via a proxy.  You'll notice I have 
published "private information", i.e. a username and password, on the internet - 
doesn't matter - they are in HIBP already 
( https://haveibeenpwned.com/Passwords ) ... and incorrect.

Cheers
Jon Gerdes

PS Download the .pdf rather than use the Github viewer which turns everything 
into an image.  Do ensure your AV is up to date first - trust no-one 8)


On Tue, 2024-09-17 at 17:16 +0200, Reinier Post wrote:
Wow ... thank you!
I was scratching my head, and you really helped me out.

Indeed, 10 minutes is perfectly doable, and moving ahead with a container-based 
solution also seems viable now.

Reinier


On Tue, Sep 17, 2024 at 5:06 PM Nick Couchman <vn...@apache.org> wrote:
On Tue, Sep 17, 2024 at 10:46 AM Reinier Post <rp4...@gmail.com> wrote:
On 2024/09/08 11:36:56 "Agranov, Andrey" wrote:
> Hello
> guacamole/guacamole:1.5.5 Docker image uses Tomcat 8.5.98, which has several 
> vulnerabilities, particularly CVE-2024-23672 and CVE-2024-24549.
> Both vulnerabilities were fixed in Tomcat 8.5.99.
> What is the recommended way to get a stable and tested image with the latest 
> Tomcat 8.5.X?
>   a. Wait for official guacamole 1.5.X release? When is it planned?
>   b. Build an image based on 1.5.5 locally and upgrade Tomcat?
>   c. Use guacamole/guacamole:latest ? Is it stable and suitable for 
> production?
> Thanks
> Andrey

I just researched this issue (prompted by our security team) and found this 
thread on the mailing list.

It would be great to see this addressed.

Tomcat 8.5.* went EOL on March 31:

  https://tomcat.apache.org/tomcat-85-eol.html

The latest 8.5.* release, 8.5.100, was released before that.
So we should be using Tomcat 9.0.* now.



Yes, agreed.


I am trying to deploy Guacamole in a supported manner.
The documentation offers two options:

  1. compiling everything manually
  2. using the Docker image supplied

Clearly, 1 is a no go in production environments.


Compiling everything manually is perfectly valid in production environments. 
You may not want to go that route, and that's fine, but there's nothing wrong 
with installing Guacamole that way.

We need to be able to remedy security issues swiftly.
We can't afford the time to manually recompile Guacamole for every Guacamole 
server whenever needed.



Compiling from source does not take very long - both client and server can be 
compiled in under 10 minutes on reasonable, modern hardware:

guacd configure: 13s
guacd make: 1m0s
guacamole-client clean + build: 2m25s

(VMware VM running Rocky 8 with 4 cores and 32GB of RAM)


2 seems viable in principle, but it depends on everything being updated to keep 
ahead of vulnerabilities.
Tomcat 8.5 is no longer receiving any.

So we need an image with Tomcat 9.0.
I have looked at the existing image here

  https://hub.docker.com/layers/guacamole/guacamole/latest/images/sha256-edd266c56accc3f432064ac409fb85c9e68c377a670f5cb150817189b0b024bf?context=explore

and it is unclear where it gets its Tomcat from, let alone how to change it.



Please supply an image based on Tomcat 9. Better still, publish your image 
definition in full so we can tweak it as desired.



The "image definitions" (Dockerfile) are available as part of the source code 
in our public git repositories. Here's the Dockerfile for 1.5.5:

https://github.com/apache/guacamole-client/blob/1.5.5/Dockerfile

The next release, 1.6.0, will contain Tomcat 9:

https://github.com/apache/guacamole-client/blob/staging/1.6.0/Dockerfile

We'll supply the image containing Tomcat 9 when we release 1.6.0, hopefully in 
the next week or two.

-Nick