Found a fix for Apache Guacamole script #221

Closed
opened 2026-02-04 17:12:34 +03:00 by OVERLORD · 5 comments
Owner

Originally created by @sannier3 on GitHub (Dec 27, 2024).

Have you read and understood the above guidelines?

yes

📜 What is the name of the script you are using?

apache-guacamole

📂 What was the exact command used to execute the script?

bash -c "$(wget -qLO - https://github.com/community-scripts/ProxmoxVE/raw/main/ct/apache-guacamole.sh)"

📝 Provide a clear and concise description of the issue.

Hello there,
In my initial issue regarding Apache Guacamole (#968), I conducted an investigation to identify why we encounter an internal error when trying to initiate a connection to a server.

Context:
By default, Apache Guacamole (guacd) listens on port 4822 but only on IPv6 when no valid configuration file is present. When Tomcat attempts to contact the Guacamole instance using an IPv4 address, the connection fails, resulting in an internal error.

Solution:
To resolve this issue, it is crucial to create a valid configuration file for guacd. Follow these steps:

  • Create a file named guacd.conf in the /etc/guacamole/ directory.
  • Add the following content to the file:
[server]
bind_host = 0.0.0.0
bind_port = 4822

Explanation:

  • bind_host = 0.0.0.0 ensures that the Guacamole instance accepts connections over all network interfaces (IPv4).
  • If you prefer to restrict connections to localhost only, you can use bind_host = 127.0.0.1.

Updated Installation Script:
To simplify this process, I have also provided an updated version of the installation script for Apache Guacamole, which includes the creation of the necessary configuration file (guacd.conf) with the corrected settings. This should prevent the issue from occurring during future installations.

Notes:
After applying this fix, SSH, RDP, Telnet, and VNC connections are now functional. However, there are still significant challenges when attempting to establish RDP connections. While some connections work successfully, many fail with errors such as "Server refused connection" or "Disconnected."

The root cause of these RDP connection issues seems to vary depending on the target server configuration (e.g., security settings, certificate handling).

I am actively investigating these RDP issues and will provide updates as I identify potential solutions.

Fixed script:

#!/usr/bin/env bash
#Copyright (c) 2021-2024 community-scripts ORG
# Author: Michel Roegl-Brunner (michelroegl-brunner) | MickLesk (CanbiZ)
# License: MIT
# https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE

source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
color
verb_ip6
catch_errors
setting_up_container
network_check
update_os

msg_info "Installing Dependencies"
$STD apt-get install -y \
   build-essential \
   curl \
   jq \
   libcairo2-dev \
   libturbojpeg0 \
   libpng-dev \
   libtool-bin \
   libossp-uuid-dev \
   libvncserver-dev \
   freerdp2-dev \
   libssh2-1-dev \
   libtelnet-dev \
   libwebsockets-dev \
   libpulse-dev \
   libvorbis-dev \
   libwebp-dev \
   libssl-dev \
   libpango1.0-dev \
   libswscale-dev \
   libavcodec-dev \
   libavutil-dev \
   libavformat-dev \
   mariadb-server \
   default-jdk
msg_ok "Installed Dependencies"

msg_info "Setup Apache Tomcat"
RELEASE=$(wget -qO- https://dlcdn.apache.org/tomcat/tomcat-9/ | grep -oP '(?<=href=")v[^"/]+(?=/")' | sed 's/^v//')
mkdir -p /opt/apache-guacamole/tomcat9
mkdir -p /opt/apache-guacamole/server
wget -qO- "https://dlcdn.apache.org/tomcat/tomcat-9/v${RELEASE}/bin/apache-tomcat-${RELEASE}.tar.gz" | tar -xz -C /opt/apache-guacamole/tomcat9 --strip-components=1
useradd -r -d /opt/apache-guacamole/tomcat9 -s /bin/false tomcat
chown -R tomcat: /opt/apache-guacamole/tomcat9
chmod -R g+r /opt/apache-guacamole/tomcat9/conf
chmod g+x /opt/apache-guacamole/tomcat9/conf
msg_ok "Setup Apache Tomcat"

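msg_info "Creating guacd.conf"
# /etc/guacamole is not created until the next step, so create it before writing the file
mkdir -p /etc/guacamole
cat <<EOF >/etc/guacamole/guacd.conf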
[server]
bind_host = 0.0.0.0
bind_port = 4822
EOF
msg_ok "Created guacd.conf"

msg_info "Setup Apache Guacamole"
mkdir -p /etc/guacamole/{extensions,lib}
RELEASE_SERVER=$(curl -sL https://api.github.com/repos/apache/guacamole-server/tags | jq -r '.[0].name')
wget -qO- https://api.github.com/repos/apache/guacamole-server/tarball/refs/tags/${RELEASE_SERVER} | tar -xz --strip-components=1 -C /opt/apache-guacamole/server
cd /opt/apache-guacamole/server
$STD autoreconf -fi
$STD ./configure --with-init-dir=/etc/init.d --enable-allow-freerdp-snapshots
$STD make
$STD make install
$STD ldconfig
RELEASE_CLIENT=$(curl -sL https://api.github.com/repos/apache/guacamole-client/tags | jq -r '.[0].name')
wget -q -O /opt/apache-guacamole/tomcat9/webapps/guacamole.war https://downloads.apache.org/guacamole/${RELEASE_CLIENT}/binary/guacamole-${RELEASE_CLIENT}.war
cd /root
wget -q --directory-prefix=/root/ https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-8.0.26.tar.gz
$STD tar -xf ~/mysql-connector-java-8.0.26.tar.gz
mv ~/mysql-connector-java-8.0.26/mysql-connector-java-8.0.26.jar /etc/guacamole/lib/
wget -q --directory-prefix=/root/ https://downloads.apache.org/guacamole/1.5.5/binary/guacamole-auth-jdbc-1.5.5.tar.gz
$STD tar -xf ~/guacamole-auth-jdbc-1.5.5.tar.gz
mv ~/guacamole-auth-jdbc-1.5.5/mysql/guacamole-auth-jdbc-mysql-1.5.5.jar /etc/guacamole/extensions/
msg_ok "Setup Apache Guacamole"

msg_info "Setup Database"
DB_NAME=guacamole_db
DB_USER=guacamole_user
DB_PASS=$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | head -c13)
mysql -u root -e "CREATE DATABASE $DB_NAME;"
mysql -u root -e "CREATE USER '$DB_USER'@'localhost' IDENTIFIED WITH mysql_native_password AS PASSWORD('$DB_PASS');"
mysql -u root -e "GRANT ALL ON $DB_NAME.* TO '$DB_USER'@'localhost'; FLUSH PRIVILEGES;"
{
    echo "Guacamole-Credentials"
    echo "Database User: $DB_USER"
    echo "Database Password: $DB_PASS"
    echo "Database Name: $DB_NAME"
} >> ~/guacamole.creds
cd guacamole-auth-jdbc-1.5.5/mysql/schema
cat *.sql | mysql -u root ${DB_NAME}
{
    echo "mysql-hostname: 127.0.0.1"
    echo "mysql-port: 3306"
    echo "mysql-database: $DB_NAME"
    echo "mysql-username: $DB_USER"
    echo "mysql-password: $DB_PASS"

} >> /etc/guacamole/guacamole.properties
msg_ok "Setup Database"

msg_info "Setup Service"
JAVA_HOME=$(update-alternatives --query javadoc | grep Value: | head -n1 | sed 's/Value: //' | sed 's@bin/javadoc$@@')
cat <<EOF >/etc/systemd/system/tomcat.service
[Unit]
Description=Apache Tomcat Web Application Container
After=network.target
[Service]
Type=forking
Environment="JAVA_HOME=${JAVA_HOME}"
Environment="CATALINA_PID=/opt/apache-guacamole/tomcat9/temp/tomcat.pid"
Environment="CATALINA_HOME=/opt/apache-guacamole/tomcat9/"
Environment="CATALINA_BASE=/opt/apache-guacamole/tomcat9/"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
Environment="JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom"
ExecStart=/opt/apache-guacamole/tomcat9/bin/startup.sh
ExecStop=/opt/apache-guacamole/tomcat9/bin/shutdown.sh
User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always
[Install]
WantedBy=multi-user.target
EOF
systemctl -q enable --now tomcat guacd mysql
msg_ok "Setup Service"

motd_ssh
customize

msg_info "Cleaning up"
rm -rf ~/mysql-connector-java-8.0.26{,.tar.gz} 
rm -rf ~/guacamole-auth-jdbc-1.5.5{,.tar.gz}
$STD apt-get -y autoremove
$STD apt-get -y autoclean
msg_ok "Cleaned"

⚙️ What settings are you using?

  • Default Settings
  • Advanced Settings

🖥️ Which Linux distribution are you using?

Debian 12

🔄 Steps to reproduce the issue.

Paste the full error output (if available).

🖼️ Additional context (optional).

No response


@sannier3 commented on GitHub (Dec 27, 2024):

Clarification Regarding the Bind Address Configuration for guacd

It's important to note that the choice of bind address (bind_host) in the guacd.conf file applies specifically to guacd, not to the Tomcat web interface. This setting determines whether Tomcat (or any other web server) can communicate with the guacd instance.

By default, guacd and the Tomcat interface are installed on the same server. In such cases, guacd does not need to listen to external servers unless you have a separate Tomcat Guacamole instance running on a different server.

For this reason, after further reflection, it is recommended to set the bind_host to 127.0.0.1. This ensures that guacd is only accessible locally, enhancing security without affecting functionality when both guacd and Tomcat are on the same server.

If you have specific requirements where guacd needs to be accessed from other servers, you can set bind_host to 0.0.0.0 to allow connections from all interfaces. However, this should be done with careful consideration of your network's security requirements.
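As an added example (not part of the original issue or the project's script), these shell functions check the `bind_host` setting discussed above. They read the `[server]` section of a guacd.conf, classify the address as loopback or all-interfaces, and pull the live listener for a port out of `ss -H -ltn` output. The function names and sample inputs are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the project): audit guacd's configured and live bind address.

# Print KEY's value from the [server] section of a guacd.conf-style file.
guacd_server_key() (   # usage: guacd_server_key FILE KEY
  section=
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d ' \t\r')   # bind_host/bind_port hold no spaces
    case $line in
      ''|'#'*) continue ;;
      '['*']') section=${line#\[}; section=${section%\]} ;;
      "$2="*) if [ "$section" = server ]; then printf '%s\n' "${line#*=}"; exit 0; fi ;;
    esac
  done < "$1"
)

# Map a bind_host value to an exposure class.
classify_bind() {   # usage: classify_bind HOST
  case $1 in
    '')                  echo unset ;;
    localhost|127.*|::1) echo loopback ;;
    0.0.0.0|::)          echo all-interfaces ;;
    *)                   echo specific ;;
  esac
}

# Print a one-line report; return non-zero when guacd would listen on every interface.
audit_guacd_conf() (   # usage: audit_guacd_conf FILE
  host=$(guacd_server_key "$1" bind_host)
  port=$(guacd_server_key "$1" bind_port)
  class=$(classify_bind "$host")
  printf 'bind_host=%s bind_port=%s exposure=%s\n' "${host:-unset}" "${port:-unset}" "$class"
  [ "$class" != all-interfaces ]
)

# Read `ss -H -ltn` output on stdin and print the local addresses listening on PORT.
listeners_on_port() {   # usage: ss -H -ltn | listeners_on_port 4822
  awk -v p=":$1" 'substr($4, length($4) - length(p) + 1) == p {
    print substr($4, 1, length($4) - length(p)) }'
}

# Constructed sample input: the guacd.conf written by the script in the post.
sample=$(mktemp)
printf '[server]\nbind_host = 0.0.0.0\nbind_port = 4822\n' > "$sample"
audit_guacd_conf "$sample" || echo "guacd listens on all interfaces; use 127.0.0.1 if Tomcat is local"
# Constructed `ss -H -ltn` lines: an IPv6-loopback-only listener, as the post describes.
printf 'LISTEN 0 5 [::1]:4822 [::]:*\nLISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n' | listeners_on_port 4822
rm -f "$sample"
```

On a real host, run `audit_guacd_conf /etc/guacamole/guacd.conf` and `ss -H -ltn | listeners_on_port 4822` after restarting guacd, and confirm the live listener matches the configured address.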


@michelroegl-brunner commented on GitHub (Dec 27, 2024):

Can you make a pull request with these changes please?


@sannier3 commented on GitHub (Dec 27, 2024):

Here is the pull request: #1039.
Should I look into adding automatic updates to the script?


@michelroegl-brunner commented on GitHub (Dec 27, 2024):

Merged.


@MickLesk commented on GitHub (Dec 27, 2024):

merged


Reference: starred/ProxmoxVE#221