Configure Guacamole SSL/TLS with Nginx Reverse Proxy


Hello there. Today, we are going to learn how to configure Guacamole SSL/TLS with Nginx Reverse Proxy. If you are going to use Guacamole in a production environment, it is highly recommended that it is placed behind a reverse proxy. The proxy can then be configured to provide SSL/TLS encryption, giving users a secured connection.

Configure Guacamole SSL/TLS with Nginx Reverse Proxy

Before you can proceed, ensure that you have set up Guacamole and that it is up and running. In this guide, we are going to use Guacamole running on Ubuntu 18.04. Check our previous guide on how to set up Guacamole on Ubuntu 18.04 by following the link below;

How to Setup Guacamole Web-based Remote Desktop Access Tool on Ubuntu 18.04

Configure Nginx Reverse Proxy

Once you have Guacamole up and running, follow this guide to configure Guacamole SSL/TLS with Nginx Reverse Proxy.

Install Nginx web server

Nginx can be installed simply by using the command below;

apt install nginx

Enable Nginx to run on system boot. Note that Nginx is set to run automatically after installation.

systemctl enable nginx

Generate SSL/TLS Self-signed Certificate

In this guide, for demonstration purposes, we are going to use a self-signed certificate. You can instead obtain a certificate from a trusted CA; otherwise, a self-signed certificate will suffice.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/guacamole-selfsigned.key -out /etc/ssl/certs/guacamole-selfsigned.crt

This will generate the self-signed key and certificate. When the command runs, you will be prompted for a few pieces of information. Enter the appropriate details.

...
Generating a 2048 bit RSA private key
.....................................................................................................+++
.....................+++
writing new private key to '/etc/ssl/private/guacamole-selfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KE
State or Province Name (full name) [Some-State]:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Ltd
Organizational Unit Name (eg, section) []:IT-SOC
Common Name (e.g. server FQDN or YOUR name) []:guacamolesvr.example.com
Email Address []: 

Configure Nginx to use the Certificates

Once you have the key and certificate in place, proceed to configure Nginx to use them. In this guide, we will use some of the recommendations from Cipherli.st.

vim /etc/nginx/sites-available/nginx-guacamole-ssl
server {
	listen 80;
	server_name guacamole.example.com;
	return 301 https://$host$request_uri;
}
server {
	listen 443 ssl;
	server_name guacamole.example.com;

	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	ssl_certificate /etc/ssl/certs/guacamole-selfsigned.crt;
	ssl_certificate_key /etc/ssl/private/guacamole-selfsigned.key;

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/nginx/dhparam.pem;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
	ssl_ecdh_curve secp384r1;
	ssl_session_timeout 10m;
	ssl_session_cache shared:SSL:10m;
	resolver 192.168.42.129 8.8.8.8 valid=300s;
	resolver_timeout 5s;
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";

	access_log /var/log/nginx/guac_access.log;
	error_log /var/log/nginx/guac_error.log;

	location / {
		proxy_pass http://guacamole.example.com:8080/guacamole/;
		proxy_buffering off;
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $http_connection;
		proxy_cookie_path /guacamole/ /;
	}
}

Next, generate the Diffie-Hellman parameters referenced by ssl_dhparam above, to ensure a secure key exchange for the DHE cipher suites. The -dsaparam option is added to speed up the generation.

openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096

Once that is done, activate the Nginx Guacamole configuration.

ln -s /etc/nginx/sites-available/nginx-guacamole-ssl /etc/nginx/sites-enabled/

Verify the Nginx configuration.

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx if all is good.

systemctl restart nginx
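As an added pre-deployment check (not part of the original guide), the following Python script audits a Guacamole server block like the one above for the settings this guide relies on: no legacy SSL/TLS protocol versions, a dhparam file whenever plain DHE suites are offered, and the HTTP/1.1 plus Upgrade/Connection headers that Guacamole's WebSocket tunnel needs from the proxy. The embedded config is a constructed, reduced copy of the block above, and the flat directive parser is an assumption that is sufficient for this layout, not a full nginx config parser.

```python
import re

# Constructed sample: this guide's HTTPS server block, reduced to the directives the
# audit inspects (values as on the page; the TLS cert/key lines are omitted for brevity).
GUIDE_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
    location / {
        proxy_pass http://guacamole.example.com:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf):
    """Map directive name -> list of argument strings; flat parse, comments and braces skipped."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z_]\w*)\s+(.*);$", line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found

def audit(conf):
    """Return findings for a Guacamole vhost; an empty list means it matches the guide's settings."""
    d = directives(conf)
    findings = []
    bad = set(" ".join(d.get("ssl_protocols", [])).split()) & WEAK_PROTOCOLS
    if bad:
        findings.append("weak protocols enabled: " + ", ".join(sorted(bad)))
    # Plain DHE suites (not ECDHE) need the dhparam file the guide generates.
    if re.search(r"(^|:)DHE-", ":".join(d.get("ssl_ciphers", []))) and "ssl_dhparam" not in d:
        findings.append("DHE ciphers offered but ssl_dhparam not set")
    # Guacamole tunnels the session over a WebSocket; nginx only forwards the upgrade
    # when these are present, as in the guide's location block.
    for name, want in (("proxy_http_version", "1.1"), ("proxy_buffering", "off")):
        if want not in d.get(name, []):
            findings.append(name + " " + want + " missing")
    set_headers = " ".join(d.get("proxy_set_header", []))
    for hdr in ("Upgrade", "Connection"):
        if not re.search(r"\b" + hdr + r"\s", set_headers):
            findings.append("proxy_set_header " + hdr + " missing")
    return findings
```

Run `audit()` on the contents of your own sites-available file before `nginx -t`; a non-empty list points at a directive that differs from the guide.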

Now, log in to the Guacamole dashboard using the URL https://server-hostname. Because the certificate is self-signed, your browser will show a warning. Add an exception and proceed.

Log in to your Guacamole.

Guacamole dashboard.

That is it about how to configure Guacamole SSL/TLS with Nginx Reverse Proxy. Enjoy.

You can read more about Proxying Guacamole here.


10 COMMENTS

  1. Your guide is fantastic!
    I think I ran into a slight issue with it though.
    Shouldn’t this:
    ln -s /etc/nginx/sites-available/guacamole-ssl /etc/nginx/sites-enabled/
    be this:
    ln -s /etc/nginx/sites-available/nginx-guacamole-ssl /etc/nginx/sites-enabled/
    ?

    • I am glad you found this helpful, Mat.
      You are actually right. Thanks for catching that. The update has been made accordingly.

  2. This is a very neat and excellent guide for activating SSL/TLS on Guacamole Server. Very good job. Thanks.

  3. Question: I have MFA enabled. Is there a certain configuration I need to use to enable SSL to pass through?

  4. Great walk-through, thanks for sharing the info.
    I am having the same problem as Alexis Llano: the https guac page loads, but it is just blank. It doesn’t show the login prompt. If I go to the http port 8080 page (no nginx) I can log in as normal. The HTML source displays on the https page, but the page itself is blank. Nothing is showing in either the nginx or guac logs. I also tried using Firefox and Chrome.
