Apache Guacamole

Date: Sep 14, 2022 (updated Mar 23, 2023 03:32 PM)
Tags: Docs, Open Source, Admin, Cloud, Cloudflare, AWS

In today's digital age, remote work has become increasingly common, with more and more companies relying on virtual environments to conduct their business. As a result, system administrators are faced with the challenge of managing multiple servers and computers that are located in different physical locations. This can often be a time-consuming and frustrating process, requiring the use of multiple applications and protocols to access different machines.
Enter Apache Guacamole, a remote desktop application that aims to simplify the process of accessing multiple machines from a single interface. With support for multiple protocols, including RDP, SSH, Kubernetes, VNC, and Telnet, Apache Guacamole offers sysadmins a centralized and streamlined approach to managing their remote desktops. As an open-source project developed by the Apache Software Foundation, it is available to everyone at no cost, making it an attractive option for organizations of all sizes.
By providing a web-facing interface that can be accessed from anywhere with the right configurations, Apache Guacamole offers sysadmins the flexibility to work from anywhere without compromising on security. However, as with any remote connection, it's important to ensure that the necessary security measures are in place to protect against potential threats. By taking the necessary precautions, sysadmins can leverage the power of Apache Guacamole to manage their remote desktops efficiently and securely, ultimately improving their productivity and contributing to the success of their organization.

Setting up the Cloud

One of the first things I needed to do was set up a cloud instance, so I could host my Guacamole instance. Due to my limited budget (of $0), I chose to go with an Amazon EC2 Free Tier instance so that I could host my server. Since the Guacamole server itself doesn't require much in terms of spec requirements or storage, EC2 worked perfectly for my needs.
Once I set up my cloud instance, I set up my Guacamole server and linked it as a subdomain of an already created domain I owned. Then I had to make sure the SSL certificate for my new website was working and verified, so I used Let's Encrypt to do that.
Once that was done, I logged into my Guacamole server through the website that was newly created and encrypted, using the default password and username. From there, I changed the admin account password and username, along with setting up some security features like enabling TOTP two-factor authentication for accessing my website in case some sort of leak happens with my passwords. Additionally, I also enabled Database Authentication, so my accounts on the website are connected to a secure database.
Now, while I used those authentication methods, Guacamole does support numerous different methods such as:
  • Database authentication
    • via MySQL, PostgreSQL, or SQL Server databases through extensions available from the project website.
  • LDAP authentication
  • TOTP two-factor authentication
  • HTTP header authentication
  • Encrypted JSON authentication
  • Single Sign-On (SSO) authentication
    • CAS Authentication
    • OpenID Connect Authentication
    • SAML Authentication
  • RADIUS Authentication
Besides authentication, I also set up some time-based restrictions, as my assumption is I won't need to be accessing my systems too late at night.
After that, all I did was connect my different systems to the server, and I would then be able to have access to my system from anywhere.
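An added example, not part of the original post: a small audit of the hardening steps described above (default admin renamed, TOTP enrolled, time-based restriction set) against the database that Database Authentication uses. It runs on an in-memory SQLite copy of a constructed subset of the schema; the table, column and attribute names (`guacamole_user`, `access_window_start`, `guac-totp-key-confirmed`) and the default `guacadmin` username are assumptions to check against your Guacamole version.

```python
import sqlite3

# Constructed subset of Guacamole's JDBC auth schema. Table, column and attribute
# names are assumptions to verify against the schema of your installed version.
SCHEMA = """
CREATE TABLE guacamole_entity (entity_id INTEGER PRIMARY KEY, name TEXT, type TEXT);
CREATE TABLE guacamole_user (user_id INTEGER PRIMARY KEY, entity_id INTEGER,
    disabled INTEGER, access_window_start TEXT, access_window_end TEXT);
CREATE TABLE guacamole_user_attribute (user_id INTEGER, attribute_name TEXT,
    attribute_value TEXT);
"""
AUDIT = """
SELECT e.name,
       e.name = 'guacadmin' AS default_name,
       COALESCE(MAX(a.attribute_name = 'guac-totp-key-confirmed'
                    AND a.attribute_value = 'true'), 0) = 0 AS no_totp,
       (u.access_window_start IS NULL OR u.access_window_end IS NULL) AS no_window
FROM guacamole_user u
JOIN guacamole_entity e ON e.entity_id = u.entity_id AND e.type = 'USER'
LEFT JOIN guacamole_user_attribute a ON a.user_id = u.user_id
WHERE u.disabled = 0
GROUP BY u.user_id, e.name, u.access_window_start, u.access_window_end
"""
LABELS = ("default admin username in use", "TOTP not enrolled", "no login time window")

def audit(conn):
    """Return {username: [findings]} for enabled accounts with a gap."""
    report = {}
    for name, *flags in conn.execute(AUDIT):
        issues = [label for label, hit in zip(LABELS, flags) if hit]
        if issues:
            report[name] = issues
    return report

def sample_db():
    """In-memory database holding constructed accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    names = ("guacadmin", "ops-admin", "helpdesk", "old-user")  # old-user is disabled
    conn.executemany("INSERT INTO guacamole_entity VALUES (?,?,'USER')", enumerate(names, 1))
    conn.executemany("INSERT INTO guacamole_user VALUES (?,?,?,?,?)", [
        (1, 1, 0, None, None), (2, 2, 0, "07:00:00", "22:00:00"),
        (3, 3, 0, "07:00:00", "22:00:00"), (4, 4, 1, None, None)])
    conn.executemany("INSERT INTO guacamole_user_attribute VALUES (?,?,?)", [
        (2, "guac-totp-key-confirmed", "true"), (3, "guac-totp-key-confirmed", "false")])
    return conn

if __name__ == "__main__":
    print(audit(sample_db()))
```

An account that started TOTP enrollment but never confirmed a code (`helpdesk` in the sample) is reported as not enrolled, and disabled accounts are skipped.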

Security

Naturally, I took great care to ensure that my website was protected against unauthorized access. To achieve this, I utilized Cloudflare Zero Trust and configured it to allow access only to users who successfully passed through a series of robust security checks. To access my website, a user would first need to establish a VPN connection and successfully navigate a multi-factor authentication (MFA) screen. Once past these initial hurdles, the user would then need to successfully authenticate themselves through the Guacamole security system, which requires a username, password, and MFA verification. With these multiple layers of security in place, I can rest assured that my website and its associated resources are well-protected from any potential threats.