From LinuxIntro
Revision as of 10:17, 13 April 2020 by ThorstenStaerk (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

A Linux desktop in a browser



Guacamole is a program to control a Linux desktop over the network in a browser.

Sometimes in your Linux life, you need to control your servers in the internet with a graphical user interface. This is tedious when you are behind a corporate firewall blocking ssh requests to the public internet. Typical corporate firewalls only allow proxified client access to port 80, 8080 and 443 in the public internet. One way to go is to use a browser to display a Linux desktop. The solution is guacamole.


This will show you

  • how to install guacamole 0.9.3 on Ubuntu (tested with 14.04)
  • how to make this configuration survive a reboot
  • how to secure transmission with SSL
  • how to make the website accessible from behind a firewall (port 80 or 443)

Here's what you do as root user:

  • install software that we will need later:
 apt-get update
 apt-get install tomcat6 tightvncserver gcc make xterm

configure VNC server

Guacamole does the communication between a VNC server and the web browser. So whatever you see in VNC will be in the browser. In this example let's use xfce as desktop environment:

  • install xfce:
 apt-get install xfce4
  • activate gnome for your VNC:
 mkdir .vnc
 cat >> .vnc/xstartup <<EOF
 xfce4-session || xterm
 chmod 777 .vnc/xstartup

deploy guacamole client

 # mv guacamole-0.9.3.war /var/lib/tomcat6/webapps/
  • surf to http://localhost:8080/guacamole-0.9.3. A folder /var/lib/tomcat6/webapps/guacamole-0.9.3 will be created with some content. We will need that later.
  • although login is not yet possible your browser will show a login screen like that:

install guacamole server

  • install some dependencies that the server will need to build with vnc support:
 apt-get install libvncserver-dev libpng-dev libcairo-dev
 tar xvzf guacamole-server-0.9.3.tar.gz
  • build the server:
 cd guacamole-server-0.9.3
 ./configure && make -j8 && make install
  • the following step is ugly; installation and binary do not completely fit so we must do that:
 ln -s /usr/local/lib/* /lib
 ln -s /usr/local/lib/* /lib/
  • now we start the guacamole daemon:
 # guacd
 guacd[17669]: INFO:  Guacamole proxy daemon (guacd) version 0.9.3
 guacd[17669]: INFO:  Successfully bound socket to host ::1, port 4822
 guacd[17669]: INFO:  Exiting and passing control to PID 17671
 root@tstaerk-desktop:/var/log# guacd[17671]: INFO:  Exiting and passing control to PID 17672

configure guacamole

  • create a folder for guacamole's configuration:
 mkdir /etc/guacamole
  • create a file /etc/guacamole/ with the content
 # Hostname and port of guacamole proxy
 guacd-hostname: localhost
 guacd-port:     4822
 # Location to read extra .jar's from
 lib-directory:  /var/lib/tomcat6/webapps/guacamole-0.9.3/WEB-INF/classes
 # Authentication provider class
 # Properties used by BasicFileAuthenticationProvider
 basic-user-mapping: /etc/guacamole/user-mapping.xml
  • create a file /etc/guacamole/user-mapping.xml with the content
    <authorize username="user" password="password">
          <param name="hostname">localhost</param>
          <param name="port">5901</param>
          <param name="password">password</param>

configure tomcat

  • find out your tomcat's user directory:
 # cat /etc/passwd|grep tomcat
in this case it is /usr/share/tomcat6
  • create a folder .guacamole in your tomcat's user directory:
 mkdir /usr/share/tomcat6/.guacamole
  • link into your tomcat's user directories' guacamole folder
 ln -s /etc/guacamole/ /usr/share/tomcat6/.guacamole


  • start a vnc server, as password set password (the vnc password given in user-mappings.xml)
  • restart your tomcat server
 /etc/init.d/tomcat6 restart

Now when you click on "Default" you will see your VNC desktop in your browser.

secure transmission

Set up apache for https so your passwords are not transmitted unencrypted over the internet

make it work from behind a firewall

Most companies will have an internet proxy that does not allow users to access port 8080 on a server outside the company network. So you need a reverse proxy that tells apache if someone calls http://yourserver.yourdomain/guacamole this is forwarded to http://yourserver.yourdomain:8080 internally. To do this,

  • edit /etc/sysconfig/apache2 and add the following words to APACHE_MODULES: proxy proxy_http. In the end your line may read like this:
 APACHE_MODULES="actions alias auth_basic proxy proxy_http authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5"
  • edit /etc/apache2/default-server.conf, add a block
 <IfModule mod_proxy.c>
 <Location /guacamole>

Persist it

You want your configuration to survive a reboot so add the following line to /etc/crontab:

 @reboot root /usr/local/sbin/guacd &


invalid login

  • now the problem is that tomcat does not know where to find the Authentication class:


is not in /etc/guacamole/

  • so add it
  • cat /etc/passwd gives me a line

 ll /usr/share/tomcat6/.guacamole/
 total 8
 drwxr-xr-x 2 root root 4096 Nov 26 07:58 ./
 drwxr-xr-x 6 root root 4096 Nov 26 07:57 ../
 lrwxrwxrwx 1 root root   35 Nov 26 07:58 -> /etc/guacamole/
  • works now. So the thing is:
    • take care that it is called guacamole and not guacamole-0.8.3 (sure?)
    • make sure the classpath in /etc/guacamole/ is correct, e.g.
 # Location to read extra .jar's from
 lib-directory:  /var/lib/tomcat6/webapps/guacamole/WEB-INF/classes

Server error

  • now I got a server error so I straced guacd:
 strace -p 15332

and saw

 [pid 20344] open("/usr/lib/x86_64-linux-gnu/", O_RDONLY) = -1 ENOENT (No such file or directory)

so the problem is that is missing.

  • downloaded java version 1.7.45 and compiled guacamole-client using mvn. But there was no *.so* file in it
  • so installed libvncserver-dev and rebuild and reinstalled guacamole-server
  • and there it is,
  • now the error message changed from "server error" to "unauthorized"

Failed to load

When logging in I got an error message

 Failed to execute 'send' on 'XMLHttpRequest': Failed to load ''.

Solution was to:

 /etc/init.d/tomcat6 restart

Error initializing VNC client

After logging in I got the error message

 Error initializing VNC client

Solution was to start


Could not connect

If you surf to the page and get an error message like

 Unable to connect

It probably means that tomcat is not running. It must be possible to connect to port 8080, a java process for tomcat must be running.

 /etc/init.d/tomcat6 status

must deliver something like

 * Tomcat servlet engine is running with pid 17546

See also