Home / server / Questions / 1165956
Accepted
Corentin
Asked: 2024-10-01 01:51:27 +0800 CST

Security for guacd proxy (Apache Guacamole)

  • 772

Since the Apache Guacamole documentation, it is said in the Docker installation of guacd that leveraging its port to the host (with "docker run --name some-guacd -d -p 4822:4822 guacamole/guacd") would be a potential security issue. My question is: isn't it the same if the daemon is installed without Docker, natively, on the same server?

My aim is to get an Apache Guacamole service that could deal with the RDP of machines that are not on docker (just on the same network as the host [either via docker or natively])

rdp

1 Answers

  1. Best Answer

    Well not really the same, let's say you are behind a router(DHCP) and your IP is 192.168.0.100, I will give you both implementations:

    1. Docker - You have two containers(guacd and the tomcat for guacamole UI), in this case only the tomcat container is exposed with a port(e.g. 8080), the frontend make requests to backend(guacd) and they communicate with each other via docker proxy daemon. In the same docker network.
    2. Host - Almost the same method, but here guacd listens on 127.0.0.1(localhost) which can only be accessed inside the host and only tomcat listens to 192.168.0.100 so it can be accessed from other hosts in the same network.

    The main difference between the two implementations is that in the first docker proxy daemon is placed between the services and the host.

    Here is a quick example:

    prepare.sh

    #!/bin/sh
# check if docker is running
if ! (sudo docker ps >/dev/null 2>&1)
then
        echo "docker daemon not running, will exit"
        exit
fi
echo "Preparing folder init and creating ./init/initdb.sql"
mkdir ./init >/dev/null 2>&1
mkdir ./guac_home >/dev/null 2>&1
chmod -R +x ./init
sudo docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --postgresql > ./init/initdb.sql
echo "done"

    docker-compose.yml

    networks:
  guacnetwork:
    driver: bridge

services:
  guacd:
    container_name: guacd
    image: guacamole/guacd
    networks:
      guacnetwork:
    restart: unless-stopped
    volumes:
    - ./drive:/drive:rw
    - ./record:/record:rw

  postgres:
    container_name: postgres_guacamole
    environment:
      PGDATA: /var/lib/postgresql/data/guacamole
      POSTGRES_DB: guacamole_db
      POSTGRES_PASSWORD: 'PASSWORD'
      POSTGRES_USER: guacamole_user
    image: postgres
    networks:
      guacnetwork:
    restart: unless-stopped
    volumes:
    - ./init:/docker-entrypoint-initdb.d:z
    - ./data:/var/lib/postgresql/data:Z

  guacamole:
    container_name: guacamole
    depends_on:
    - guacd
    - postgres
    environment:
      GUACD_HOSTNAME: guacd
      POSTGRES_DATABASE: guacamole_db
      POSTGRES_HOSTNAME: postgres
      POSTGRES_PASSWORD: 'PASSWORD'
      POSTGRES_USER: guacamole_user
      REMOTE_IP_VALVE_ENABLED: true
      GUACAMOLE_HOME: /guacamole_home
    image: guacamole/guacamole
    links:
    - guacd
    networks:
      guacnetwork:
    ports:
    - 8080:8080/tcp
    restart: unless-stopped
    volumes:
    - ./guac_home:/guacamole_home:rw
    • 1