cat /etc/httpd/conf.d/guac.dmi3lab.online.conf
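<VirtualHost *:80>
    ServerName guac.dmi3lab.online
    # The plain-HTTP listener exists only to send clients to TLS. One permanent
    # redirect built from SERVER_NAME is enough: the earlier catch-all
    # "RewriteCond %{HTTPS} off -> https://%{HTTP_HOST}..." pair answered every
    # request first (with a 302 built from the client-supplied Host header), so
    # the permanent redirect below was never reached.
    RewriteEngine On
    RewriteCond %{SERVER_NAME} =guac.dmi3lab.online
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName guac.dmi3lab.online
    # Reverse proxy based on https://httpd.apache.org/docs/current/mod/mod_proxy_wstunnel.html
    RewriteEngine On
    ProxyPreserveHost On
    # Encoded slashes are forwarded as-is (together with "nocanon" below) so the
    # backend receives identifiers exactly as the client sent them.
    AllowEncodedSlashes NoDecode
    ProxyPass / http://192.168.1.55:8080/ nocanon
    ProxyPassReverse / http://192.168.1.55:8080/
    # WebSocket upgrade requests are tunnelled separately from plain HTTP.
    # NOTE(review): this rule targets localhost:8080 while ProxyPass above goes
    # to 192.168.1.55:8080 — both must reach the same guacamole instance, or the
    # websocket upgrade fails whenever this host is not 192.168.1.55; confirm.
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteCond %{THE_REQUEST} "^[a-zA-Z]+ /(.*) HTTP/\d+(\.\d+)?$"
    RewriteRule .? "ws://localhost:8080/%1" [P,L]
    # Enable h2, h2c and http1.1
    Protocols h2 h2c http/1.1
    # Solves slow upload speeds caused by http2
    H2WindowSize 5242880
    # TLS: TLS 1.2/1.3 only, AEAD suites only; client order and tickets off.
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    SSLSessionTickets off
    SSLCertificateFile /etc/letsencrypt/live/guac.dmi3lab.online/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/guac.dmi3lab.online/privkey.pem
    <IfModule mod_headers.c>
        # Once TLS is known to work, tell browsers never to retry plain HTTP
        # for this host (the :80 redirect then only matters for first visits).
        Header always set Strict-Transport-Security "max-age=63072000"
    </IfModule>
    # Disable HTTP TRACE method.
    TraceEnable off
    <Files ".ht*">
        Require all denied
    </Files>
    # Support big file uploads. 0 = no request-body cap at all; any size limit
    # is then enforced only by the backend, so keep it in mind for DoS exposure.
    LimitRequestBody 0
</VirtualHost>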
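---
# configure guacamole server with ansible
# it uses scicore.guacamole collection https://galaxy.ansible.com/scicore/guacamole
# Install it with: # ansible-galaxy collection install scicore.guacamole
#
# The password values below are placeholders. Keep the real ones out of this
# file (ansible-vault or a vaulted vars file); the tasks that pass them to the
# modules run with no_log so they do not end up in console or log output.
- name: Add a guacamole connection and user
  hosts: localhost
  gather_facts: false
  vars:
    base_url: https://guacamoleserver.domain.tld
    adminusername: guacadmin
    adminpassword: <insert guacadmin pass here>
    group_name: GROUP1
    # keep true: the admin credentials travel over this connection
    validate_certs: true
    state: present
    # one entry per guacamole login; allowed_connections are created first
    # and then granted to the user by name
    users:
      - username: guac-user1
        password: <insert guac-user1 pass here>
        hostname: 10.78.5.161
        allowed_connections:
          - connection_name: guac-user1-rdp
            protocol: rdp
            port: 3389
            rdp_height: 927
            rdp_width: 1920
            username: rpduser
            password: <insert rpduser pass here>
          - connection_name: guac-user1-ssh
            protocol: ssh
            port: 22
            username: sshuser
            password: <insert sshuser pass here>
          - connection_name: guac-user1-vnc
            protocol: vnc
            port: 5900
            username: vncuser
            password: <insert vncuser pass here>
      - username: guac-user2
        password: <insert guac-user2 pass here>
        hostname: 10.78.5.161
        allowed_connections:
          - connection_name: guac-user2-rdp
            protocol: rdp
            port: 3389
            rdp_height: 927
            rdp_width: 1920
            username: rpduser
            password: <insert rpduser pass here>
          - connection_name: guac-user2-ssh
            protocol: ssh
            port: 22
            username: sshuser
            password: <insert sshuser pass here>
          - connection_name: guac-user2-vnc
            protocol: vnc
            port: 5900
            username: vncuser
            password: <insert vncuser pass here>

  tasks:
    - name: Create a new connections group
      scicore.guacamole.guacamole_connections_group:
        validate_certs: "{{ validate_certs }}"
        base_url: "{{ base_url }}"
        auth_username: "{{ adminusername }}"
        auth_password: "{{ adminpassword }}"
        group_name: "{{ group_name }}"
      # module args (including auth_password) show up in verbose output unless
      # the module itself marks them no_log — censor the whole task
      no_log: true

    - name: Manage connections (rdp, ssh, vnc) for all users
      scicore.guacamole.guacamole_connection:
        validate_certs: "{{ validate_certs }}"
        base_url: "{{ base_url }}"
        auth_username: "{{ adminusername }}"
        auth_password: "{{ adminpassword }}"
        connection_name: "{{ connection.connection_name }}"
        protocol: "{{ connection.protocol }}"
        hostname: "{{ user.hostname }}"
        port: "{{ connection.port }}"
        username: "{{ connection.username }}"
        password: "{{ connection.password }}"
        group_name: "{{ group_name }}"
        state: "{{ state }}"
        # skips RDP server certificate validation: the client then cannot tell
        # a substituted RDP server from the real one — acceptable only on a
        # network you control
        rdp_ignore_server_certs: true
        # only rdp entries carry these; omit() leaves them unset for ssh/vnc
        rdp_height: "{{ connection.rdp_height | default(omit) }}"
        rdp_width: "{{ connection.rdp_width | default(omit) }}"
      loop: "{{ users | subelements('allowed_connections') }}"
      loop_control:
        label: "{{ item.0.username }} - {{ item.1.connection_name }}"
      vars:
        user: "{{ item.0 }}"
        connection: "{{ item.1 }}"
      no_log: true

    - name: Create guacamole users
      scicore.guacamole.guacamole_user:
        validate_certs: "{{ validate_certs }}"
        base_url: "{{ base_url }}"
        auth_username: "{{ adminusername }}"
        auth_password: "{{ adminpassword }}"
        username: "{{ item.username }}"
        password: "{{ item.password }}"
        allowed_connections: "{{ item.allowed_connections | map(attribute='connection_name') | list }}"
        state: "{{ state }}"
      loop: "{{ users }}"
      loop_control:
        label: "{{ item.username }}"
      no_log: true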

Create a pod to hold containers

# One pod so the database, guacd and the web app can reach each other on
# 127.0.0.1. Only the web app port is published; it binds on all interfaces,
# so narrow it (e.g. 127.0.0.1:8080:8080) if the reverse proxy runs on this host.
podman pod create --name YOUR_POD_NAME --publish 8080:8080

Create database initialization scripts

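# the directory the database container will scan for initialization scripts
init_dir="guacamole-db/docker-entrypoint-initdb.d"
mkdir -p "$init_dir"

# files are scanned in order
# create the user and database first and initialize it next
# localhost doesn't work for the user with podman; must be 127.0.0.1
cat > "$init_dir/01_initdb.sql" <<'EOF'
CREATE USER 'YOUR_GUACAMOLE_USERNAME'@'127.0.0.1' IDENTIFIED BY 'YOUR_GUACAMOLE_PASSWORD';
CREATE DATABASE YOUR_GUACAMOLE_DATABASE_NAME;
GRANT ALL PRIVILEGES ON YOUR_GUACAMOLE_DATABASE_NAME.* TO 'YOUR_GUACAMOLE_USERNAME'@'127.0.0.1';
EOF
echo "USE YOUR_GUACAMOLE_DATABASE_NAME;" > "$init_dir/02_initdb.sql"
podman run --rm docker.io/guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql >> "$init_dir/02_initdb.sql"

# Label and chown AFTER the files exist so the scripts themselves (not just the
# directory) are covered. 01_initdb.sql holds the database password, so drop
# world access; the container keeps access as the owner.
# NOTE(review): 27 is assumed to be the uid the database image runs as — confirm.
# $(pwd) is quoted so a working directory with spaces does not split the path.
chcon -t container_file_t -R "$(pwd)/guacamole-db"
chown 27:27 -R "$(pwd)/guacamole-db"
chmod -R o-rwx "$(pwd)/guacamole-db"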

Create the database

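# the directory the database stores its data in (-p: re-runnable)
mkdir -p guacamole-db/data

# NOTE(review): the root password is given on the command line, so it lands in
# shell history and is visible in the process list while podman starts; an
# --env-file with mode 0600 (or a podman secret) keeps it off the command line.
# ":latest" also makes the schema the init scripts run against non-reproducible —
# pin a tag once the setup works.
# $(pwd) is quoted so a working directory with spaces does not split the mounts.
podman run -d \
  --name=YOUR_DATABASE_CONTAINER_NAME \
  --pod=YOUR_POD_NAME \
  -e MARIADB_ROOT_PASSWORD=YOUR_DATABASE_ROOT_PASSWORD \
  -v "$(pwd)/guacamole-db/docker-entrypoint-initdb.d:/docker-entrypoint-initdb.d" \
  -v "$(pwd)/guacamole-db/data:/var/lib/mysql" \
  --restart unless-stopped \
  docker.io/mariadb:latest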

Start guacd

# guacd publishes no port of its own: the web app reaches it inside the pod
# on 127.0.0.1:4822. Debug logging is verbose; lower it once things work.
podman run --detach \
  --name=YOUR_GUACD_CONTAINER_NAME \
  --pod=YOUR_POD_NAME \
  --restart unless-stopped \
  --env GUACD_LOG_LEVEL=debug \
  docker.io/guacamole/guacd

Start guacamole

# must specify database and guacd params to connect within a pod
# must use 127.0.0.1, not localhost
# WEBAPP_CONTEXT=ROOT serves the app at / (matches the "ProxyPass /" above).
# The database password is passed as a plain -e value and so shows up in shell
# history and the process list; an --env-file (mode 0600) avoids that.
podman run --detach \
  --name=YOUR_GUACAMOLE_WEBAPP_CONTAINER_NAME \
  --pod=YOUR_POD_NAME \
  --env MYSQL_HOSTNAME=127.0.0.1 \
  --env MYSQL_PORT=3306 \
  --env MYSQL_DATABASE=YOUR_GUACAMOLE_DATABASE_NAME \
  --env MYSQL_USER=YOUR_GUACAMOLE_USERNAME \
  --env MYSQL_PASSWORD=YOUR_GUACAMOLE_PASSWORD \
  --env GUACD_HOSTNAME=127.0.0.1 \
  --env GUACD_PORT=4822 \
  --env WEBAPP_CONTEXT=ROOT \
  --restart unless-stopped \
  docker.io/guacamole/guacamole