
Apache Guacamole

Purpose: HTML5-based Remote Access Broker for SSH, RDP, and VNC. Useful for remote access into an environment.

Docker Compose Stack

# Apache Guacamole stack with the MySQL and TOTP options switched on.
version: '3'

services:
  app:
    # No tag is given, so this resolves to `latest`. Pin a reviewed tag or
    # digest so a changed upstream image is not pulled in silently.
    image: jasonbean/guacamole
    ports:
      # Publishes the container's plain-HTTP listener on every host interface.
      # NOTE(review): the reverse-proxy examples on this page reach the
      # container at 192.168.5.43:8080 directly, so confirm this host-level
      # publish is needed; anything connecting through it skips the TLS proxy.
      - "8080:8080"
    volumes:
      - /srv/containers/guacamole:/config
    environment:
      # Values are quoted so YAML keeps "Y"/"N" and the numeric IDs as strings.
      OPT_MYSQL: "Y"
      OPT_MYSQL_EXTENSION: "N"
      OPT_SQLSERVER: "N"
      OPT_LDAP: "N"
      OPT_DUO: "N"
      OPT_CAS: "N"
      OPT_TOTP: "Y"  # (1)
      OPT_QUICKCONNECT: "N"
      OPT_HEADER: "N"
      OPT_SAML: "N"
      PUID: "99"
      PGID: "100"
      TZ: "America/Denver"  # (2)
    restart: unless-stopped
    networks:
      # Static address on the pre-existing external network; the reverse
      # proxy examples on this page point at this IP.
      docker_network:
        ipv4_address: 192.168.5.43

networks:
  default:
    external:
      name: docker_network
  docker_network:
    external: true
  1. Set this to Y if you want multi-factor authentication (TOTP). It must be set BEFORE the container is initially deployed; it cannot be added retroactively.
  2. Set to your own timezone.
# Apache Guacamole stack with OpenID Connect (Keycloak) sign-in.
version: '3'

services:
  app:
    # No tag is given, so this resolves to `latest`. Pin a reviewed tag or
    # digest so a changed upstream image is not pulled in silently.
    image: jasonbean/guacamole
    ports:
      # Publishes the container's plain-HTTP listener on every host interface.
      # NOTE(review): the reverse-proxy examples on this page reach the
      # container at 192.168.5.43:8080 directly, so confirm this host-level
      # publish is needed; anything connecting through it skips the TLS proxy.
      - "8080:8080"
    volumes:
      - /srv/containers/apache-guacamole:/config
    environment:
      # Values are quoted so YAML keeps "Y"/"N" and the numeric IDs as strings.
      OPT_MYSQL: "Y"
      OPT_MYSQL_EXTENSION: "N"
      OPT_SQLSERVER: "N"
      OPT_LDAP: "N"
      OPT_DUO: "N"
      OPT_CAS: "N"
      # Must stay N: this page notes that TOTP / multi-factor authentication
      # cannot be enabled while OpenID is configured, so MFA has to be
      # enforced at the identity provider instead.
      OPT_TOTP: "N"
      OPT_QUICKCONNECT: "N"
      OPT_HEADER: "N"
      OPT_SAML: "N"
      # Enable OpenID Connect
      OPT_OIDC: "Y"
      # Keycloak realm URL
      OIDC_ISSUER: "${OPENID_REALM_URL}"
      # Client ID for Guacamole in Keycloak
      OIDC_CLIENT_ID: "${OPENID_CLIENT_ID}"
      # Client secret for Guacamole in Keycloak. It is interpolated from the
      # deployment environment, so it ends up in the container's environment;
      # restrict who can read the env file and inspect the container.
      OIDC_CLIENT_SECRET: "${OPENID_CLIENT_SECRET}"
      # Redirect URI for Guacamole. NOTE(review): presumably this has to match
      # a redirect URI registered on the Keycloak client - confirm.
      OIDC_REDIRECT_URI: "${OPENID_REDIRECT_URI}"
      PUID: "99"
      PGID: "100"
      # Set to your own timezone.
      TZ: "America/Denver"
    restart: unless-stopped
    networks:
      # Static address on the pre-existing external network; the reverse
      # proxy examples on this page point at this IP.
      docker_network:
        ipv4_address: 192.168.5.43

networks:
  default:
    external:
      name: docker_network
  docker_network:
    external: true
  1. You cannot enable TOTP / Multi-factor authentication if you have OpenID configured. This is just a known issue.
  2. Set to your own timezone.

Environment Variables

N/A
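# Values interpolated into the OIDC_* variables of the OpenID Compose stack.

# Keycloak realm (issuer) URL.
# NOTE(review): this points at the `master` realm, which Keycloak intends for
# administering other realms; consider a dedicated realm for application logins.
OPENID_REALM_URL=https://auth.bunny-lab.io/realms/master
OPENID_CLIENT_ID=apache-guacamole
# Secret value: keep this file out of version control and readable only by
# the account that deploys the stack.
OPENID_CLIENT_SECRET=<YOUR-CLIENT-ID-SECRET>
# Use the HTTPS origin that the reverse proxy serves, so the login response is
# never returned over cleartext HTTP. The same URI must be registered as a
# valid redirect URI on the Keycloak client.
OPENID_REDIRECT_URI=https://remote.bunny-lab.io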

Reverse Proxy Configuration

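# Traefik dynamic configuration: terminate TLS for remote.bunny-lab.io and
# forward to the Guacamole container.
http:
  routers:
    apache-guacamole:
      # Only the TLS entry point is bound, so this router serves HTTPS only.
      entryPoints:
        - websecure
      tls:
        certResolver: letsencrypt
      service: apache-guacamole
      rule: 'Host(`remote.bunny-lab.io`)'
      # NOTE(review): no middlewares are attached here. For a remote-access
      # login page, confirm whether rate limiting or a source-IP allow-list
      # is applied elsewhere.

  services:
    apache-guacamole:
      loadBalancer:
        servers:
          # Proxy-to-container traffic is plain HTTP, so it relies on the
          # 192.168.5.0 network segment being trusted.
          - url: http://192.168.5.43:8080
        passHostHeader: true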
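# nginx alternative: terminate TLS for remote.bunny-lab.io and proxy to the
# Guacamole container.
server {
  # The `ssl` parameter on `listen` enables TLS for this server. The separate
  # `ssl on;` directive was removed in nginx 1.25.1 and is not needed.
  listen 443 ssl;
  server_name remote.bunny-lab.io;

  # NOTE(review): no certificate is configured in this block. It must be set
  # here or inherited from the http context, for example:
  #   ssl_certificate     /path/to/fullchain.pem;  # placeholder path
  #   ssl_certificate_key /path/to/privkey.pem;    # placeholder path

  # 0 disables nginx's request-body size limit for this server.
  # NOTE(review): presumably set for file transfers; consider a finite cap.
  client_max_body_size 0;

  location / {
      # Proxy-to-container traffic is plain HTTP on the internal network.
      proxy_pass http://192.168.5.43:8080;
      # Pass responses through immediately instead of buffering them.
      proxy_buffering off;
      # HTTP/1.1 plus the Upgrade/Connection headers lets WebSocket upgrade
      # requests reach the backend.
      proxy_http_version 1.1;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $http_connection;
      # NOTE(review): this disables access logging for the whole site, so the
      # proxy keeps no record of logins or source addresses. Confirm that an
      # equivalent audit trail exists elsewhere before keeping it.
      access_log off;
  }
}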