└── Readme.md /Readme.md:
--------------------------------------------------------------------------------
# Setting up Apache Guacamole with Proxmox LXC Container

## Download - [Debian 10 Buster](https://www.debian.org/News/2019/20190706)

**Click** `local` under your pve host once logged in.

**Click** `Templates` and **Download** `Debian 10`

Once `Task OK` displays, exit the Download window and **Click** `New CT` on the top right of the Proxmox page.

- **Hostname:** guac
- **Cores:** 1
- **RAM:** 1024MB

### Log in to the container: `root@guac:#`.

**_Note:_** Debian LXC containers don't include sudo by default.

```Bash
apt update && apt upgrade
apt install software-properties-common gnupg
add-apt-repository ppa:remmina-ppa-team/freerdp-daily
apt update && apt install freerdp2-dev freerdp2-x11 sudo
adduser remotegod
usermod -aG sudo remotegod
systemctl reboot
```

**_Security note:_** `ppa:remmina-ppa-team/freerdp-daily` is an Ubuntu Launchpad PPA of nightly builds, not a Debian repository. Adding it means trusting that third party's signing key for every package it publishes, and daily builds receive no security maintenance. Debian 10 ships `freerdp2-dev` and `freerdp2-x11` itself, so try plain `apt install` first and only add the PPA if you genuinely need a newer FreeRDP; if you do add it, remove it again once the build is done.

### Now log in as `remotegod@guac:$`
```Bash
wget https://raw.githubusercontent.com/MysticRyuujin/guac-install/master/guac-install.sh
chmod +x guac-install.sh
sudo ./guac-install.sh
```

**_Security note:_** this fetches an unpinned script from a third-party `master` branch and runs it as root. Read `guac-install.sh` before executing it, and prefer downloading it at a specific commit hash rather than `master`, so the script you reviewed is the one you run.

**NOTE:** Answer N to TOTP and DUO. Y to mysql install. **YOU MUST PROVIDE PASSWORDS**

Declining TOTP and Duo leaves Guacamole protected by passwords only (the nginx basic-auth password and the Guacamole login). If this container will be reachable from the internet — which the port-forwarding step below implies — answering Y to TOTP is the cheapest way to add a second factor. Use distinct, generated passwords for the MySQL root user, the Guacamole database user and the Guacamole admin account, and change any default account password the installer leaves behind on first login.

```nginx
server {
    # Initial configuration
    server_name $CODENAME.$DOMAIN.com;
    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    #add_header X-Frame-Options DENY always;
    #add_header X-Content-Type-Options nosniff always;
    #add_header X-Xss-Protection "1; mode=block" always;
    location / {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        auth_basic "Authorized Users Only!"; # Prompts for a username and password before anyone is allowed to reach this location.
        auth_basic_user_file /etc/nginx/.htpasswd; # passwd file for authentication
    }
    listen 80; # We'll set up our redirect after we have certs
}
```

**_Security note:_** this interim config serves everything over plain HTTP on port 80, so the basic-auth credentials and any Guacamole login made through it travel in cleartext. It only needs to exist long enough for Certbot's HTTP-01 challenge to succeed; don't log in to Guacamole through it from an untrusted network. Also, the proxy only protects anything if Tomcat's port 8080 is not itself reachable: after the installer finishes, check with `ss -ltnp` that 8080 is bound to `127.0.0.1` (or is blocked by the container/host firewall), otherwise basic auth and TLS can be bypassed by connecting to `:8080` directly.

### Cool, assuming your port forwarding is set up correctly on your router, now we're good to get certs.

Forward only TCP 80 and 443 to the container — never Tomcat's 8080.

```Bash
sudo nginx -t
sudo ln -s /etc/nginx/sites-available/guac /etc/nginx/sites-enabled/
sudo systemctl reload nginx
sudo certbot --nginx
```

Follow the prompts, and ask it to auto redirect...DONE!

## Couple more edits/hardening.

Change your nginx config to look something like this now..

```Bash
sudo nano /etc/nginx/sites-available/guac
```

```nginx
server {
    # SSL configuration
    server_name $CODENAME.$DOMAIN.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;
    location / {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        auth_basic "Authorized Users Only!";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/$CODENAME.$DOMAIN.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/$CODENAME.$DOMAIN.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}


server {
    if ($host = $CODENAME.$DOMAIN.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name $CODENAME.$DOMAIN.com;
    return 404; # managed by Certbot
}
```

Two things to know about this block before you enable it:

- `Strict-Transport-Security` with a one-year `max-age` tells browsers to refuse plain HTTP to this host for a year, so make sure certificate renewal actually works (`sudo certbot renew --dry-run`) before turning it on; `includeSubDomains` extends that to any subdomain of `$CODENAME.$DOMAIN.com`.
- nginx does not merge `add_header` directives across levels: the headers set here in the `server` block apply to `location /` only because that location sets no `add_header` of its own. If you ever add an `add_header` inside the location, repeat all four there, or they silently disappear. (`X-Xss-Protection` is a legacy header that current browsers ignore; it is harmless but adds no protection.)

### There are some nginx defaults to change as well.

-- Honestly, anything that's commented.. I'd just delete.

```Bash
sudo nano /etc/nginx/nginx.conf
```

```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off; # change this from the default (on): stops nginx advertising its version in the Server header and on error pages

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail { # <-- delete this whole commented-out block (it continues below)
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}
```

Notes on the settings above: the `ssl_protocols`/`ssl_prefer_server_ciphers` values in the `http` block are overridden, for this site, by whatever `options-ssl-nginx.conf` (included at `server` level, see below) sets — nginx takes the innermost setting — so keep the two files in agreement. Debian 10's nginx and OpenSSL support TLS 1.3, so `ssl_protocols TLSv1.2 TLSv1.3;` is a reasonable choice in both places; don't list anything older. If you want to avoid nginx's arrow-style in-line edit markers ending up in a real config, remember that the only change needed in this file versus the Debian default is `server_tokens off;`.

### Next we need to remove weak SSL ciphers. You can just delete everything from that file and add the content below.

```Bash
sudo nano /etc/letsencrypt/options-ssl-nginx.conf
```

-- This file contains important security parameters. If you modify this file manually, Certbot will be unable to automatically provide future security updates. Instead, Certbot will print and log an error message with a path to the up-to-date file that you will need to refer to when manually updating this file.

```nginx
ssl_stapling on;
ssl_stapling_verify on;

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 10m;

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!DSS";
```

Every suite in that list is an AEAD cipher with (EC)DHE forward secrecy, which is the point of the exercise. Two caveats: OCSP stapling needs nginx to resolve and fetch from the CA's OCSP responder, so without a `resolver` directive (and outbound access from the container) it may silently stay off — verify with `openssl s_client -connect $CODENAME.$DOMAIN.com:443 -status` and look for an `OCSP Response` section. And because you have now hand-edited this file, Certbot will stop refreshing it; re-check it against the path Certbot logs whenever you upgrade Certbot.

### Okay, that pretty much covers it. Make sure we didn't make any mistakes..

```Bash
sudo nginx -t
sudo systemctl reload nginx
```

Finally, confirm from outside the network that only 443 (and the 80 redirect) answer, that `https://$CODENAME.$DOMAIN.com/` prompts for basic auth before showing Guacamole, and that nothing answers on port 8080.

DONE!!
--------------------------------------------------------------------------------