Installing Guacamole with Docker
Guacamole can be deployed using Docker, removing the need to build guacamole-server from source or configure the web application manually. The Guacamole project provides officially-supported Docker images for both Guacamole and guacd which are kept up-to-date with each release.
A typical Docker deployment of Guacamole will involve three separate containers, linked together at creation time:
guacamole/guacd
Provides the guacd daemon, built from the released guacamole-server source with support for VNC, RDP, SSH, telnet, and Kubernetes.
guacamole/guacamole
Provides the Guacamole web application running within Tomcat 8 with support for WebSocket. The configuration necessary to connect to guacd, MySQL, PostgreSQL, LDAP, etc. will be generated automatically when the image starts based on Docker links or environment variables.
mysql
orpostgresql
Provides the database that Guacamole will use for authentication and storage of connection configuration data.
This separation is important, as it facilitates upgrades and maintains proper separation of concerns. With the database separate from Guacamole and guacd, those containers can be freely destroyed and recreated at will. The only container which must persist data through upgrades is the database.
Running the guacd Docker image
The guacd Docker image is built from the released guacamole-server source with support for VNC, RDP, SSH, telnet, and Kubernetes. Common pitfalls like installing the required dependencies, installing fonts for SSH, telnet, or Kubernetes, and ensuring the FreeRDP plugins are installed to the correct location are all taken care of. It will simply just work.
Running guacd for use by the Guacamole Docker image
When running the guacd image with the intent of linking to a Guacamole container, no ports need be exposed on the network. Access to these ports will be handled automatically by Docker during linking, and the Guacamole image will properly detect and configure the connection to guacd.
$ docker run --name some-guacd -d guacamole/guacd
When run in this manner, guacd will be listening on its default port 4822, but
this port will only be available to Docker containers that have been explicitly
linked to some-guacd
.
The log level of guacd can be controlled with the GUACD_LOG_LEVEL
environment
variable. The default value is info
, and can be set to any of the valid
settings for the guacd log flag (-L).
$ docker run -e GUACD_LOG_LEVEL=debug -d guacamole/guacd
Running guacd for use by services outside Docker
If you are not going to use the Guacamole image, you can still leverage the guacd image for ease of installation and maintenance. By exposing the guacd port, 4822, services external to Docker will be able to access guacd.
Important
Take great care when doing this - guacd is a passive proxy and does not perform any kind of authentication.
If you do not properly isolate guacd from untrusted parts of your network, malicious users may be able to use guacd as a jumping point to other systems.
$ docker run --name some-guacd -d -p 4822:4822 guacamole/guacd
guacd will now be listening on port 4822, and Docker will expose this port on the same server hosting Docker. Other services, such as an instance of Tomcat running outside of Docker, will be able to connect to guacd directly.
The Guacamole Docker image
The Guacamole Docker image is built on top of a standard Tomcat 8 image and takes care of all configuration automatically. The configuration information required for guacd and the various authentication mechanisms are specified with environment variables or Docker links given when the container is created.
Important
If using PostgreSQL or MySQL for authentication, you will need to initialize the database manually. Guacamole will not automatically create its own tables, but SQL scripts are provided to do this.
Once the Guacamole image is running, Guacamole will be accessible at
http://HOSTNAME:8080/guacamole/
, where HOSTNAME
is the hostname or
address of the machine hosting Docker.
Configuring Guacamole when using Docker
When running Guacamole using Docker, the traditional approach to configuring
Guacamole by editing guacamole.properties
is less convenient. When using
Docker, you may wish to make use of the enable-environment-properties
configuration property, which allows you to specify values for arbitrary
Guacamole configuration properties using environment variables. This is covered
in Configuring Guacamole.
Connecting Guacamole to guacd
The Guacamole Docker image needs to be able to connect to guacd to establish remote desktop connections, just like any other Guacamole deployment. The connection information needed by Guacamole will be provided either via a Docker link or through environment variables.
If you will be using Docker to provide guacd, and you wish to use a Docker link to connect the Guacamole image to guacd, the connection details are implied by the Docker link:
$ docker run --name some-guacamole \
--link some-guacd:guacd \
...
-d -p 8080:8080 guacamole/guacamole
If you are not using Docker to provide guacd, you will need to provide the network connection information yourself using additional environment variables:
GUACD_HOSTNAME
The hostname of the guacd instance to use to establish remote desktop connections. This is required if you are not using Docker to provide guacd.
GUACD_PORT
The port that Guacamole should use when connecting to guacd. This environment variable is optional. If not provided, the standard guacd port of 4822 will be used.
The GUACD_HOSTNAME
and, if necessary, GUACD_PORT
environment variables can
thus be used in place of a Docker link if using a Docker link is impossible or
undesirable:
$ docker run --name some-guacamole \
-e GUACD_HOSTNAME=172.17.42.1 \
-e GUACD_PORT=4822 \
...
-d -p 8080:8080 guacamole/guacamole
A connection to guacd is not the only thing required for Guacamole to work; some authentication mechanism needs to be configured, as well. MySQL, PostgreSQL, and LDAP are supported for this, and are described in more detail in the sections below. If the required configuration options for at least one authentication mechanism are not provided, the Guacamole image will not be able to start up, and you will see an error.
MySQL authentication
To use Guacamole with the MySQL authentication backend, you will need either a
Docker container running the mysql
image, or network access to a working
installation of MySQL. The connection to MySQL can be specified using either
environment variables or a Docker link.
Initializing the MySQL database
If your database is not already initialized with the Guacamole schema, you will need to do so prior to using Guacamole. A convenience script for generating the necessary SQL to do this is included in the Guacamole image.
To generate a SQL script which can be used to initialize a fresh MySQL database as documented in Database authentication:
$ docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql > initdb.sql
Alternatively, you can use the SQL scripts included with the database authentication.
Once this script is generated, you must:
Create a database for Guacamole within MySQL, such as
guacamole_db
.Create a user for Guacamole within MySQL with access to this database, such as
guacamole_user
.Run the script on the newly-created database.
The process for doing this via the mysql utility included with MySQL is documented Database authentication.
Connecting Guacamole to MySQL
If your MySQL database is provided by another Docker container, and you wish to use a Docker link to connect the Guacamole image to your database, the connection details are implied by the Docker link itself:
$ docker run --name some-guacamole \
--link some-guacd:guacd \
--link some-mysql:mysql \
...
-d -p 8080:8080 guacamole/guacamole
If you are not using Docker to provide your MySQL database, you will need to provide the network connection information yourself using additional environment variables:
MYSQL_HOSTNAME
The hostname of the database to use for Guacamole authentication. This is required if you are not using Docker to provide your MySQL database.
MYSQL_PORT
The port that Guacamole should use when connecting to MySQL. This environment variable is optional. If not provided, the standard MySQL port of 3306 will be used.
The MYSQL_HOSTNAME
and, if necessary, MYSQL_PORT
environment variables can
thus be used in place of a Docker link if using a Docker link is impossible or
undesirable:
$ docker run --name some-guacamole \
--link some-guacd:guacd \
-e MYSQL_HOSTNAME=172.17.42.1 \
...
-d -p 8080:8080 guacamole/guacamole
Note that a Docker link to guacd (the --link some-guacd:guacd
option above)
is not required any more than a Docker link is required for MySQL. The
connection information for guacd can be specified using environment variables,
as described in Connecting Guacamole to guacd.
Required environment variables
Using MySQL for authentication requires additional configuration parameters specified via environment variables. These variables collectively describe how Guacamole will connect to MySQL:
MYSQL_DATABASE
The name of the database to use for Guacamole authentication.
MYSQL_USER
The user that Guacamole will use to connect to MySQL.
MYSQL_PASSWORD
The password that Guacamole will provide when connecting to MySQL as
MYSQL_USER
.
If any required environment variables are omitted, you will receive an error message in the logs, and the image will stop. You will then need to recreate the container with the proper variables specified.
Optional environment variables
Additional optional environment variables may be used to override Guacamole’s default behavior with respect to concurrent connection use by one or more users. Concurrent use of connections and connection groups can be limited to an overall maximum and/or a per-user maximum:
MYSQL_ABSOLUTE_MAX_CONNECTIONS
The absolute maximum number of concurrent connections to allow at any time, regardless of the Guacamole connection or user involved. If set to “0”, this will be unlimited. Because this limit applies across all Guacamole connections, it cannot be overridden if set.
By default, the absolute total number of concurrent connections is unlimited (“0”).
MYSQL_DEFAULT_MAX_CONNECTIONS
The maximum number of concurrent connections to allow to any one Guacamole connection. If set to “0”, this will be unlimited. This can be overridden on a per-connection basis when editing a connection.
By default, overall concurrent use of connections is unlimited (“0”).
MYSQL_DEFAULT_MAX_GROUP_CONNECTIONS
The maximum number of concurrent connections to allow to any one Guacamole connection group. If set to “0”, this will be unlimited. This can be overridden on a per-group basis when editing a connection group.
By default, overall concurrent use of connection groups is unlimited (“0”).
MYSQL_DEFAULT_MAX_CONNECTIONS_PER_USER
The maximum number of concurrent connections to allow a single user to maintain to any one Guacamole connection. If set to “0”, this will be unlimited. This can be overridden on a per-connection basis when editing a connection.
By default, per-user concurrent use of connections is unlimited (“0”).
MYSQL_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER
The maximum number of concurrent connections to allow a single user to maintain to any one Guacamole connection group. If set to “0”, this will be unlimited. This can be overridden on a per-group basis when editing a connection group.
By default, per-user concurrent use of connection groups is limited to one (“1”), to prevent a balancing connection group from being completely exhausted by one user alone.
MYSQL_AUTO_CREATE_ACCOUNTS
Whether or not accounts that do not exist in the MySQL database will be automatically created when successfully authenticated through other modules. If set to “true” accounts will be automatically created. Otherwise, and by default, accounts will not be automatically created and will need to be manually created in order for permissions within the MySQL database extension to be assigned to users authenticated with other modules.
PostgreSQL authentication
To use Guacamole with the PostgreSQL authentication backend, you will
need either a Docker container running the postgres
image, or
network access to a working installation of PostgreSQL. The connection
to PostgreSQL can be specified using either environment variables or a
Docker link.
Initializing the PostgreSQL database
If your database is not already initialized with the Guacamole schema, you will need to do so prior to using Guacamole. A convenience script for generating the necessary SQL to do this is included in the Guacamole image.
To generate a SQL script which can be used to initialize a fresh PostgreSQL database as documented in Database authentication:
$ docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgresql > initdb.sql
Alternatively, you can use the SQL scripts included with the database authentication.
Once this script is generated, you must:
Create a database for Guacamole within PostgreSQL, such as
guacamole_db
.Run the script on the newly-created database.
Create a user for Guacamole within PostgreSQL with access to the tables and sequences of this database, such as
guacamole_user
.
The process for doing this via the psql and createdb utilities included with PostgreSQL is documented in Database authentication.
Connecting Guacamole to PostgreSQL
If your PostgreSQL database is provided by another Docker container, and you wish to use a Docker link to connect the Guacamole image to your database, the connection details are implied by the Docker link itself:
$ docker run --name some-guacamole \
--link some-guacd:guacd \
--link some-postgres:postgres \
...
-d -p 8080:8080 guacamole/guacamole
If you are not using Docker to provide your PostgreSQL database, you will need to provide the network connection information yourself using additional environment variables:
POSTGRESQL_HOSTNAME
The hostname of the database to use for Guacamole authentication. This is required if you are not using Docker to provide your PostgreSQL database.
POSTGRESQL_PORT
The port that Guacamole should use when connecting to PostgreSQL. This environment variable is optional. If not provided, the standard PostgreSQL port of 5432 will be used.
The POSTGRESQL_HOSTNAME
and, if necessary, POSTGRESQL_PORT
environment
variables can thus be used in place of a Docker link if using a Docker link is
impossible or undesirable:
$ docker run --name some-guacamole \
--link some-guacd:guacd \
-e POSTGRESQL_HOSTNAME=172.17.42.1 \
...
-d -p 8080:8080 guacamole/guacamole
Note that a Docker link to guacd (the --link some-guacd:guacd
option above)
is not required any more than a Docker link is required for PostgreSQL. The
connection information for guacd can be specified using environment variables,
as described in Connecting Guacamole to guacd.
Required environment variables
Using PostgreSQL for authentication requires additional configuration parameters specified via environment variables. These variables collectively describe how Guacamole will connect to PostgreSQL:
POSTGRESQL_DATABASE
The name of the database to use for Guacamole authentication.
POSTGRESQL_USER
The user that Guacamole will use to connect to PostgreSQL.
POSTGRESQL_PASSWORD
The password that Guacamole will provide when connecting to PostgreSQL as
POSTGRESQL_USER
.
If any required environment variables are omitted, you will receive an error message in the logs, and the image will stop. You will then need to recreate the container with the proper variables specified.
Optional environment variables
Additional optional environment variables may be used to override Guacamole’s default behavior with respect to concurrent connection use by one or more users. Concurrent use of connections and connection groups can be limited to an overall maximum and/or a per-user maximum:
POSTGRESQL_ABSOLUTE_MAX_CONNECTIONS
The absolute maximum number of concurrent connections to allow at any time, regardless of the Guacamole connection or user involved. If set to “0”, this will be unlimited. Because this limit applies across all Guacamole connections, it cannot be overridden if set.
By default, the absolute total number of concurrent connections is unlimited (“0”).
POSTGRESQL_DEFAULT_MAX_CONNECTIONS
The maximum number of concurrent connections to allow to any one Guacamole connection. If set to “0”, this will be unlimited. This can be overridden on a per-connection basis when editing a connection.
By default, overall concurrent use of connections is unlimited (“0”).
POSTGRESQL_DEFAULT_MAX_GROUP_CONNECTIONS
The maximum number of concurrent connections to allow to any one Guacamole connection group. If set to “0”, this will be unlimited. This can be overridden on a per-group basis when editing a connection group.
By default, overall concurrent use of connection groups is unlimited (“0”).
POSTGRESQL_DEFAULT_MAX_CONNECTIONS_PER_USER
The maximum number of concurrent connections to allow a single user to maintain to any one Guacamole connection. If set to “0”, this will be unlimited. This can be overridden on a per-connection basis when editing a connection.
By default, per-user concurrent use of connections is unlimited (“0”).
POSTGRESQL_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER
The maximum number of concurrent connections to allow a single user to maintain to any one Guacamole connection group. If set to “0”, this will be unlimited. This can be overridden on a per-group basis when editing a connection group.
By default, per-user concurrent use of connection groups is limited to one (“1”), to prevent a balancing connection group from being completely exhausted by one user alone.
POSTGRESQL_AUTO_CREATE_ACCOUNTS
Whether or not accounts that do not exist in the PostgreSQL database will be automatically created when successfully authenticated through other modules. If set to “true”, accounts will be automatically created. Otherwise, and by default, accounts will not be automatically created and will need to be manually created in order for permissions within the PostgreSQL database extension to be assigned to users authenticated with other modules.
Optional environment variables may also be used to override Guacamole’s default behavior with respect to timeouts at the database and network level:
POSTGRESQL_DEFAULT_STATEMENT_TIMEOUT
The number of seconds the driver will wait for a response from the database, before aborting the query. A value of 0 (the default) means the timeout is disabled.
POSTGRESQL_SOCKET_TIMEOUT
The number of seconds to wait for socket read operations. If reading from the server takes longer than this value, the connection will be closed. This can be used to handle network problems such as a dropped connection to the database. Similar to
POSTGRESQL_DEFAULT_STATEMENT_TIMEOUT
, it will also abort queries that take too long. A value of 0 (the default) means the timeout is disabled.
LDAP authentication
To use Guacamole with the LDAP authentication backend, you will need network access to an LDAP directory. Unlike MySQL and PostgreSQL, the Guacamole Docker image does not support Docker links for LDAP; the connection information must be specified using environment variables:
LDAP_HOSTNAME
The hostname or IP address of your LDAP server.
LDAP_PORT
The port your LDAP server listens on. By default, this will be 389 for unencrypted LDAP or LDAP using STARTTLS, and 636 for LDAP over SSL (LDAPS).
LDAP_ENCRYPTION_METHOD
The encryption mechanism that Guacamole should use when communicating with your LDAP server. Legal values are “none” for unencrypted LDAP, “ssl” for LDAP over SSL/TLS (commonly known as LDAPS), or “starttls” for STARTTLS. If omitted, encryption will not be used.
Only the LDAP_HOSTNAME
variable is required, but you may also need to specify
LDAP_PORT
or LDAP_ENCRYPTION_METHOD
if your LDAP directory uses encryption
or listens on a non-standard port:
$ docker run --name some-guacamole \
--link some-guacd:guacd \
-e LDAP_HOSTNAME=172.17.42.1 \
...
-d -p 8080:8080 guacamole/guacamole
Note that a Docker link to guacd (the --link some-guacd:guacd
option above)
is not required. Similar to LDAP, the connection information for guacd can be
specified using environment variables, as described in Connecting Guacamole to guacd.
Required environment variables
Using LDAP for authentication requires additional configuration parameters specified via environment variables. These variables collectively describe how Guacamole will query your LDAP directory:
LDAP_USER_BASE_DN
The base of the DN for all Guacamole users. All Guacamole users that will be authenticating against LDAP must be descendents of this base DN.
As with the other authentication mechanisms, if any required environment variables are omitted (including those required for connecting to the LDAP directory over the network), you will receive an error message in the logs, and the image will stop. You will then need to recreate the container with the proper variables specified.
Optional environment variables
Additional optional environment variables may be used to configure the details of your LDAP directory hierarchy, or to enable more flexible searching for user accounts:
LDAP_GROUP_BASE_DN
The base of the DN for all groups that may be referenced within Guacamole configurations using the standard seeAlso attribute. All groups which will be used to control access to Guacamole configurations must be descendents of this base DN. If this variable is omitted, the seeAlso attribute will have no effect on Guacamole configurations.
LDAP_GROUP_SEARCH_FILTER
The search filter used to query the LDAP tree for groups that may be used by other extensions to define permissions. If this property is omitted the default of
(objectClass=*)
will be used.LDAP_GROUP_NAME_ATTRIBUTE
The attribute or attributes which define the unique name of user groups in the LDAP directory. Usually, and by default, this will simplify be “cn”. If your LDAP directory contains groups whose names are dictated by different attributes, multiple attributes can be specified here, separated by commas.
LDAP_MEMBER_ATTRIBUTE
The attribute which contains the members within all group objects in the LDAP directory. Usually, and by default, this will simply be “member”. If your LDAP directory contains groups whose members are dictated by a different attribute it can be specified, here.
LDAP_MEMBER_ATTRIBUTE_TYPE
Specify whether the attribute defined in
LDAP_MEMBER_ATTRIBUTE
identifies a group member by DN or usercode (user id). Valid values are “dn” (the default, if not specified) or “uid”.LDAP_SEARCH_BIND_DN
The DN (Distinguished Name) of the user to bind as when authenticating users that are attempting to log in. If specified, Guacamole will query the LDAP directory to determine the DN of each user that logs in. If omitted, each user’s DN will be derived directly using the base DN specified with
LDAP_USER_BASE_DN
.LDAP_SEARCH_BIND_PASSWORD
The password to provide to the LDAP server when binding as
LDAP_SEARCH_BIND_DN
to authenticate other users. This variable is only used ifLDAP_SEARCH_BIND_DN
is specified. If omitted, butLDAP_SEARCH_BIND_DN
is specified, Guacamole will attempt to bind with the LDAP server without a password.LDAP_USERNAME_ATTRIBUTE
The attribute or attributes which contain the username within all Guacamole user objects in the LDAP directory. Usually, and by default, this will simply be “uid”. If your LDAP directory contains users whose usernames are dictated by different attributes, multiple attributes can be specified here, separated by commas, but beware: doing so requires that a search DN be provided with
LDAP_SEARCH_BIND_DN
.LDAP_USER_ATTRIBUTES
The attribute or attributes to retrieve from the LDAP directory for users when they log in, with multiple attributes separated by commas. If specified, the attributes listed are retrieved from each authenticated users and dynamically applied to the parameters of that user’s connections as parameter tokens with the prefix
LDAP_
.LDAP_CONFIG_BASE_DN
The base of the DN for all Guacamole configurations. If omitted, the configurations of Guacamole connections will simply not be queried from the LDAP directory, and you will need to store them elsewhere, such as within a MySQL or PostgreSQL database.
LDAP_DEREFERENCE_ALIASES
Controls whether or not the LDAP connection follows (dereferences) aliases as it searches the tree. Possible values for this property are “never” (the default), so that aliases will never be followed, “searching”, to dereference during the search operations after the base object is located, “finding”, to dereference in order to locate the search base but not during the actual search, and “always”, to always dereference aliases.
LDAP_FOLLOW_REFERRALS
This option controls whether or not the LDAP module follows referrals when processing search results. Referrals can be pointers to another part of the current LDAP tree, or to a completely different tree altogether, hosted on a different server and/or port. Valid options are “false” (the default), which means that referrals will be ignored, or “true”, where the client will attempt to follow the referrals in order to continue the search. The referral will be followed with the same credentials used to search the initial tree.
LDAP_MAX_REFERRAL_HOPS
When LDAP referrals are enabled, this option controls how many hops the LDAP client will follow before refusing to continue. The default is 5.
LDAP_MAX_SEARCH_RESULTS
The maximum number of search results that can be returned by a single LDAP query. LDAP queries which exceed this number of results may fail. By default the maximum number of results for a single LDAP query is 1000.
LDAP_OPERATION_TIMEOUT
The timeout, in seconds, of any single LDAP operation, after which the operation will be aborted. The default is 30 seconds.
As documented in LDAP authentication, Guacamole does support combining LDAP with a MySQL or PostgreSQL database, and this can be configured with the Guacamole Docker image, as well. Each of these authentication mechanisms is independently configurable using their respective environment variables, and by providing the required environment variables for multiple systems, Guacamole will automatically be configured to use each when the Docker image starts.
Header Authentication
The header authentication extension can be used to authenticate Guacamole through a trusted third-party server, where the authenticated user’s username is passed back to Guacamole via a specific HTTP header. The following are valid Docker variables for enabling and configuring header authentication:
HEADER_ENABLED
Enables authentication via the header extension, which causes the extension to be loaded when Guacamole starts. By default this is false and the header extension will not be loaded.
HTTP_AUTH_HEADER
Optional environment variable that, if set, configures the name of the HTTP header that will be used used to authenticate the user to Guacamole. If this is not specified the default value of REMOTE_USER will be used.
SAML Authentication
SAML authentication can be configured to allow the Guacamole Client instance running in a Docker container to authentication with a SAML Identity Provider (IdP). The IdP verifies the user authentication and then provides a response back to Guacamole with the name of the user and any other configured attributes contained in the SAML assertion. More details on SAML authentication with Guacamole can be found on the SAML Authentication page.
Required environment variables
Configuration of SAML authentication requires that either a metadata file or a few other basic configuration parameters be provided to the container:
SAML_IDP_METADATA_URL
The URI of a file that provides information about the SAML IdP that will be used to authenticate users. This can either be a local file on the filesystem, or it can be the URL of a file on a remote server. Note that if the file is located on a local filesystem it will have to be made available to the Docker container by either copying the file in or using a file located on a volume that is shared with the container. Metadata files for SAML authentication are generally obtained from the IdP.
SAML_IDP_URL
If a metadata file is not provided, or does not contain the URL of the Identity Provider, then this variable must be present in order to tell Guacamole the location of the IdP, which is where users will be redirected for authentication.
SAML_ENTITY_ID
The SAML Entity Identifier of the Guacamole Client instance that will be provided to the SAML IdP. This is generally the URL of the Guacamole server. If the metadata URL is not provided, or the metadata file does not contain an entity ID, this variable must be provided.
SAML_CALLBACK_URL
The URL of the Guacamole instance that will be given to the SAML IdP, which will be used by the IdP to redirect the user back to the Guacamole instance after the user has been validated. If the metadata file is not provided, or does not contain a callback URL for the Guacamole instance, this variable must be provided.
Optional environment variables
Other environment variables can be provided to adjust the behavior of the SAML authentication extension.
SAML_STRICT
A boolean value that configures whether or not the Guacamole SAML client will perform strict security checks on servers and certificates. This is normally enabled and should never be disabled in a production environment.
SAML_COMPRESS_REQUEST
A boolean value that configures whether or not the Guacamole SAML client will enable compression on requests sent to the IdP. This defaults to enabled (true).
SAML_COMPRESS_RESPONSE
A boolean value that configures whether or not the Guacamole SAML client will request that responses from the IdP be compressed. This defaults to enabled (true).
SAML_GROUP_ATTRIBUTE
The name of the attribute within the SAML assertion that contains the group membership of the user who is being authenticated, if any. This property is optional and defaults to “groups”.
SAML_DEBUG
Whether or not the Guacamole SAML client should provide verbose logging that may be helpful in debugging problems with SAML authentication. This is optional and defaults to false - debugging will not be enabled.
TOTP Authentication
TOTP authentication can be configured to allow the Guacamole Client instance running in a Docker container to use a second layer of authentication using a two factor authenticator application and short one-time codes. More details on TOTP authentication with Guacamole can be found on the TOTP two-factor authentication page.
Required environment variables
Configuration of TOTP authentication requires that the following enviroment variable be provided to the container:
TOTP_ENABLED
If the environment variable is provided with the value of “true” then the extension is enabled inside the docker container.
Optional environment variables
Other environment variables can be provided to adjust the behavior of the TOTP authentication extension.
Important
The duration and/or hash algorithm are not settable in some widely used autenticator apps. Setting these values to something other than the defaults might make the codes unusable if your authenticator app does not support setting these parameters.
TOTP_ISSUER
The human-readable name of the entity issuing user accounts. If not specified, “Apache Guacamole” will be used by default.
TOTP_DIGITS
The number of digits which should be included in each generated TOTP code. Legal values are 6, 7, or 8. By default, 6-digit codes are generated.
TOTP_PERIOD
The duration that each generated code should remain valid, in seconds. By default, each code remains valid for 30 seconds.
TOTP_MODE
The hash algorithm that should be used to generate TOTP codes. Legal values are “sha1”, “sha256”, and “sha512”. By default, “sha1” is used.
History Recording Storage Extension
The extension that enables viewing historical recordings from within the Guacamole Client interface can be enabled by settings the search path variable, as noted below, to a location where the extension will look to find available recordings.
When setting this up in a container environment, you’ll likely need to use volumes to make the same directory available to both the guacd container and the guacamole (client) container. In addition to setting up the volume to share data between the two, you’ll also need to configure permissions on the volume such that the users running each of the containers have access. The guacamole/guacd container, which will need write access to this shared location, runs with an effective UID and GID of 1000. The guacamole/guacamole (client) container, which will require read access to this location, runs with an effective UID and GID of 1001.
For more information on this extension, please see the Viewing session recordings in-browser page in the manual.
Required environment variables
In order to enable this extension you must set the following environment variable in your guacamole container configuration:
RECORDING_SEARCH_PATH
Set to the absolute path of the folder within the guacamole container where the extension should look for past recordings.
Running Guacamole behind a proxy
To run Guacamole behind a reverse proxy, Tomcat’s
RemoteIpValve
must be configured as described in Setting up the Remote IP Valve to ensure that the
user’s IP address can be correctly determined and logged. The Guacamole Docker
image provides environment variables for configuring this.
Required environment variables
The following environment variable must be set in order to configure Tomcat’s
RemoteIpValve
:
REMOTE_IP_VALVE_ENABLED
Set to
true
to enable Tomcat’sRemoteIpValve
. If this is not set, all other variables related toRemoteIpValve
will be ignored.
Optional environment variables
Additional environment variables are available to fine tune the configuration
of RemoteIpValve
. It is not typically necessary to set these variables.
The default values are correct for most deployments.
PROXY_ALLOWED_IPS_REGEX
A regular expression matching only the IP addresses that should be trusted to send proxy headers, corresponding to the
internalProxies
attribute ofRemoteIpValve
. Proxy headers from other addresses will be ignored. The regular expression must conform to the format accepted by Java’sPattern
class, which is largely compatible with Perl.If omitted, Tomcat’s default which matches private IPv4 and IPv6 addresses will be used.
PROXY_BY_HEADER
The HTTP header sent by the proxy that contains the list of proxies that have processed the request. This corresponds to the
proxiesHeader
attribute ofRemoteIpValve
. By default, this will beX-Forwarded-By
.PROXY_IP_HEADER
The HTTP header sent by the proxy that contains the user’s browser’s IP address. This corresponds to the
remoteIpHeader
attribute ofRemoteIpValve
. By default, this will beX-Forwarded-For
.PROXY_PROTOCOL_HEADER
The HTTP header sent by the proxy that contains the protocol used by the user’s browser to connect to the proxy. This corresponds to the
protocolHeader
attribute ofRemoteIpValve
. By default, this will beX-Forwarded-Proto
.
Custom extensions and GUACAMOLE_HOME
If you have your own or third-party extensions for Guacamole which are not
supported by the Guacamole Docker image, but are compatible with the version of
Guacamole within the image, you can still use them by providing a custom base
configuration using the GUACAMOLE_HOME
environment variable:
GUACAMOLE_HOME
The absolute path to the directory within the Docker container to use as a template for the image’s automatically-generated
GUACAMOLE_HOME
. Any configuration generated by the Guacamole Docker image based on other environment variables will be applied to an independent copy of the contents of this directory.
You will still need to follow the steps required to create the contents of
GUACAMOLE_HOME
specific to your extension (placing the
extension itself within GUACAMOLE_HOME/extensions/
, adding any properties to
guacamole.properties
, etc.), but the rest of Guacamole’s configuration will
be handled automatically, overlaid on top of a copy of the GUACAMOLE_HOME
you
provide.
Because the Docker image’s GUACAMOLE_HOME
environment variable must point to
a directory within the container, you will need to expose your custom
GUACAMOLE_HOME
to the container using the -v
option of docker run
. The
container directory chosen can then be referenced in the GUACAMOLE_HOME
environment variable, and the image will handle the rest automatically:
$ docker run --name some-guacamole \
...
-v /local/path:/some-directory \
-e GUACAMOLE_HOME=/some-directory \
-d -p 8080:8080 guacamole/guacamole
Extension priority and load order
Guacamole extensions are loaded and evaluated in a specific, deterministic
order. This order can be important when multiple authentication extensions are
installed, as it dictates which extensions will be given the first chance to
accept or reject a user’s credentials. By default, this order is dictated by
the sort order of their corresponding filenames. If necessary, extension
priority can be overridden with the EXTENSION_PRIORITY
environment variable.
EXTENSION_PRIORITY
A comma-separated list of the namespaces of all extensions that should be loaded in a specific order. The special value
*
can be used in lieu of a namespace to represent all extensions that are not listed. All extensions explicitly listed will be sorted in the order given, while all extensions not explicitly listed will be sorted by their filenames.For example, to ensure support for SAML is loaded first:
-e EXTENSION_PRIORITY="saml"
Or to ensure support for SAML is loaded last:
-e EXTENSION_PRIORITY="*, saml"
If unsure which namespaces apply or the order that your extensions are loaded, check the Guacamole logs. The namespaces and load order of all installed extensions are logged by Guacamole during startup:
... 23:32:06.467 [main] INFO o.a.g.extension.ExtensionModule - Multiple extensions are installed and will be loaded in order of decreasing priority: 23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - - [postgresql] "PostgreSQL Authentication" (/etc/guacamole/extensions/guacamole-auth-jdbc-postgresql-1.5.5.jar) 23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - - [ldap] "LDAP Authentication" (/etc/guacamole/extensions/guacamole-auth-ldap-1.5.5.jar) 23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - - [openid] "OpenID Authentication Extension" (/etc/guacamole/extensions/guacamole-auth-sso-openid-1.5.5.jar) 23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - - [saml] "SAML Authentication Extension" (/etc/guacamole/extensions/guacamole-auth-sso-saml-1.5.5.jar) 23:32:06.468 [main] INFO o.a.g.extension.ExtensionModule - To change this order, set the "extension-priority" property or rename the extension files. The default priority of extensions is dictated by the sort order of their filenames. ...
Verifying the Guacamole install
Once the Guacamole image is running, Guacamole should be accessible at
http://HOSTNAME:8080/guacamole/
, where HOSTNAME
is the hostname or
address of the machine hosting Docker, and you should see a login screen. If
using MySQL or PostgreSQL, the database initialization scripts will have
created a default administrative user called “guacadmin
” with the password
“guacadmin
”. You should log in and change your password immediately. If
using LDAP, you should be able to log in as any valid user within your LDAP
directory.
If you cannot access Guacamole, or you do not see a login screen, check
Docker’s logs using the docker logs
command to determine if something is
wrong. Configuration parameters may have been given incorrectly, or the
database may be improperly initialized:
$ docker logs some-guacamole