So you just built your CCIE lab but you can't access it from work because VPNs are restricted? No problem! Guacamole solves this issue; below is a quick and dirty method of implementing it properly.
I highly recommend that you always use the most current Guacamole release (not Git). Compile Guacamole from source (binaries generally do not work as well, and I run my portal on a 7-watt ARM dev board) by following the guide on the Guacamole site:
https://guacamole.incubator.apache.org/ You may have unmet dependencies before doing this. For Ubuntu, install the following:
add-apt-repository ppa:webupd8team/java
apt -y update
apt -y upgrade
apt -y dist-upgrade
apt -y install libcairo2-dev libjpeg-turbo8-dev libpng12-dev libossp-uuid-dev \
libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev \
libpulse-dev libssl-dev libvorbis-dev libwebp-dev git build-essential autoconf \
libtool oracle-java8-installer tomcat8 tomcat8-admin tomcat8-common tomcat8-docs \
tomcat8-user maven mysql-server mysql-client mysql-common mysql-utilities \
libpulse-dev libvorbis-dev freerdp ghostscript wget
Once this is complete you should be good. Next, you will need the Let's Encrypt client:
git clone https://github.com/letsencrypt/letsencrypt ~/letsencrypt
cd ~/letsencrypt
./letsencrypt-auto certonly --expand --webroot --webroot-path \
/<CATALINA_HOME>/webapps/ROOT/ -d <YOURDOMAIN> --staging
Keep using --staging until the run succeeds; then drop --staging and rerun. At this point we have our certificate issued by Let's Encrypt. For Tomcat, it's easiest to convert it into a .jks keystore. Once issuance succeeds, cd into the directory where your certs are stored (/etc/letsencrypt/live/<YOURDOMAIN>/).
Then do the following:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 \
-name tomcat -CAfile chain.pem -caname root
fullchain.pem must contain the host certificate and the intermediate certificate in a single file; otherwise the server presents only a single certificate, which is a security risk.
Convert the pkcs12 into a jks now:
keytool -importkeystore -deststorepass <changeit> -destkeypass <changeit> \
-destkeystore myKeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype \
PKCS12 -srcstorepass <PasswordUsedAbove> -alias tomcat
Now edit
<CATALINA_HOME>/conf/server.xml
and give the HTTPS connector (port 8443) the following options:
<Connector port="8443" protocol="HTTP/1.1"
    scheme="https" secure="true" SSLEnabled="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="/etc/letsencrypt/live/<YOURDOMAIN>/myKeyStore.jks"
    keystorePass="<changeit>" keyAlias="tomcat" keyPass="<changeit>" />
Next, let's forward port 443 to 8443, since Tomcat doesn't always run on 443 and it's much quicker to do it this way (adjust -i eth0 to your external interface):
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
Test your connection from an outside source and you're done! I recommend using
https://www.ssllabs.com/ssltest/
to check the handshake and that the full certificate chain is presented.
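One thing the steps above do not cover is renewal: Let's Encrypt certificates expire after 90 days, and Tomcat reads the .jks rather than the .pem files, so the pem -> p12 -> jks conversion has to be redone after every renewal. The deploy hook below, an added example that is not part of the original post, automates that; it assumes certbot's deploy-hook interface (the RENEWED_LINEAGE variable), takes the keystore password and CATALINA_HOME from the environment, and relies on the openssl env: and keytool :env password modifiers.

```shell
#!/bin/bash
# Added example, not from the original post: a certbot deploy hook that redoes the
# pem -> p12 -> jks conversion above each time Let's Encrypt renews the certificate.
# Assumptions: certbot exports RENEWED_LINEAGE (the live/<YOURDOMAIN> directory)
# to deploy hooks; KEYSTORE_PASS and CATALINA_HOME come from the environment;
# openssl/keytool read passwords via their env:/:env modifiers (never from argv).
set -eu
export KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"
CATALINA_HOME="${CATALINA_HOME:-/opt/tomcat}"

# Number of certificates in a PEM bundle (0 for a missing or unreadable file).
count_certs() {
  [ -r "$1" ] || { echo 0; return; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# A usable bundle holds the leaf plus at least one intermediate, otherwise
# Tomcat would present a single certificate (the fullchain.pem point above).
chain_ok() {
  [ "$(count_certs "$1")" -ge 2 ]
}

# Rebuild myKeyStore.jks from the renewed lineage directory and restart Tomcat.
rebuild_keystore() {
  local live="$1" p12 jks
  p12="$live/cert_and_key.p12"
  jks="$live/myKeyStore.jks"
  if ! chain_ok "$live/fullchain.pem"; then
    echo "fullchain.pem lacks the intermediate certificate; keystore not rebuilt" >&2
    return 1
  fi
  umask 077   # the p12 and jks contain the private key: owner-readable only
  openssl pkcs12 -export -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
    -out "$p12" -name tomcat -CAfile "$live/chain.pem" -caname root \
    -passout env:KEYSTORE_PASS
  keytool -importkeystore -noprompt -srckeystore "$p12" -srcstoretype PKCS12 \
    -srcstorepass:env KEYSTORE_PASS -alias tomcat -destkeystore "$jks.new" \
    -deststorepass:env KEYSTORE_PASS -destkeypass:env KEYSTORE_PASS
  rm -f "$p12"
  mv "$jks.new" "$jks"   # atomic rename; Tomcat never sees a half-written keystore
  "$CATALINA_HOME/bin/shutdown.sh" 30 -force   # Tomcat only reads the jks at start
  "$CATALINA_HOME/bin/startup.sh"
}

# certbot sets RENEWED_LINEAGE only when running this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  rebuild_keystore "$RENEWED_LINEAGE"
fi
```

Install it with `certbot renew --deploy-hook /path/to/this-script` (or under /etc/letsencrypt/renewal-hooks/deploy/), and keep the real keystore password out of the script itself.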
If you want to install Tomcat 8 from source, use this guide:
https://www.digitalocean.com/community/tutorials/how-to-install-apache-tomcat-8-on-ubuntu-14-04
And if you need an init.d script, here's mine:
#!/bin/bash
# init.d wrapper around Tomcat's own startup/shutdown scripts
export CATALINA_HOME=/opt/tomcat
export JAVA_HOME=<WHATEVERYOURJAVAHOMEIS>
export PATH="$JAVA_HOME/bin:$PATH"

start() {
    echo "Starting Tomcat 8..."
    sh "$CATALINA_HOME/bin/startup.sh"
}

stop() {
    echo "Stopping Tomcat 8..."
    sh "$CATALINA_HOME/bin/shutdown.sh"
}

case "$1" in
    start|stop) "$1";;
    restart) stop; start;;
    *) echo "Usage: $0 <start|stop|restart>"; exit 1;;
esac
exit 0