Unfortunately, you don’t. Not even the Guacamole Docker container does this.
I would configure Nginx to redirect from / to /guacamole/. You could also try reconfiguring Tomcat. Perhaps renaming the guacamole.war to ROOT.war is enough, but I vaguely remember that Tomcat is more tricky than that.
Looks like the Guacamole web frontend doesn’t know it is being proxied, and generates some links to translation resources using an absolute path.
Also, a security note: absolutely do not run guacd (the guacamole-server component) as unconfined root or on a publicly accessible port. Guacd has no authentication, and could thus be used as an open proxy by attackers (also to look into your network). Guacd is also written in C, and not in an overly security-conscious manner. It is likely that the code contains quite some vulnerabilities.
The easiest way to harden guacd is to run it in a Docker container and to “bind” it to localhost (not 0.0.0.0). So instead of docker run --rm -p4822:4822 my-guacd-image you might specify the port as -p127.0.0.1:4822:4822, which only allows incoming connections from within the server. (But you might not want a separate network namespace at all, especially since this affects the destination IP address for your VNC connections. Then, use --net=host for Docker and set localhost in the guacd config file).
Instead of running in a container, it may be acceptable to use Systemd options for hardening, in particular running as a separate user. Use systemd-analyze security to get suggestions about Systemd features that might be beneficial.
Unfortunately, you don’t. Not even the Guacamole Docker container does this.
I would configure Nginx to redirect from
/
to/guacamole/
. You could also try reconfiguring Tomcat. Perhaps renaming theguacamole.war
toROOT.war
is enough, but I vaguely remember that Tomcat is more tricky than that.Looks like the Guacamole web frontend doesn’t know it is being proxied, and generates some links to translation resources using an absolute path.
Also, a security note: absolutely do not run
guacd
(the guacamole-server component) as unconfined root or on a publicly accessible port. Guacd has no authentication, and could thus be used as an open proxy by attackers (also to look into your network). Guacd is also written in C, and not in an overly security-conscious manner. It is likely that the code contains quite some vulnerabilities.The easiest way to harden guacd is to run it in a Docker container and to “bind” it to localhost (not 0.0.0.0). So instead of
docker run --rm -p 4822:4822 my-guacd-image
you might specify the port as-p 127.0.0.1:4822:4822
, which only allows incoming connections from within the server. (But you might not want a separate network namespace at all, especially since this affects the destination IP address for your VNC connections. Then, use--net=host
for Docker and setlocalhost
in the guacd config file).Instead of running in a container, it may be acceptable to use Systemd options for hardening, in particular running as a separate user. Use
systemd-analyze security
to get suggestions about Systemd features that might be beneficial.