Security
This service listens for HTTP on port 80 and for HTTPS on port 443. Any request arriving on port 80 is redirected to HTTPS; nothing is served in clear text. The HTTPS listener is protected with a self-signed certificate, so browsers will warn until it is replaced (see Custom SSL Certificate and Let's Encrypt below).
Best practice is to put an Application Load Balancer (ALB) in front of this instance, which lets you terminate TLS at the ALB with a properly signed certificate while the ALB-to-instance leg keeps using HTTPS on port 443. The ALB does not validate the certificate presented by its targets, so the self-signed certificate on the instance does not break this setup. The target group health check must be configured with protocol HTTPS, port 443 and path /; a health check against HTTP port 80 would only ever see the redirect and report the target unhealthy. Please have a look at the Guacamole Cluster, which provisions all of these components through a CloudFormation template.
Custom SSL Certificate
Alternatively, the SSL certificate on the server itself can be replaced. The certificate and private key are stored at /home/ec2-user/guaws/nginx/ssl/ as server.crt and server.key. The certificate file should contain the full chain (server certificate followed by any intermediates), and the private key must belong to that certificate: nginx refuses to start with a mismatched pair, which takes the service offline until the files are fixed. After replacing them, run guawsctl restart nginx to restart the web server.
Let's Encrypt
The AMI ships with the Let's Encrypt certbot client preinstalled. Certificates are obtained with the HTTP-01 challenge served from the web root /var/www/letsencrypt, so the domain name must resolve to this instance's public address and port 80 must be reachable from the internet while the challenge runs (the challenge is validated over HTTP). To obtain certificates from Let's Encrypt, execute the following steps:
- Log in as ec2-user.
- Run guawsctl run certbot certonly --webroot --webroot-path /var/www/letsencrypt and follow the instructions on the screen.
- Update the SSL certificates to point at the Let's Encrypt repository (replace {DOMAINNAME} with your domain name):
sudo rm -f /home/ec2-user/guaws/nginx/ssl/server.*
sudo ln -s /etc/letsencrypt/live/{DOMAINNAME}/fullchain.pem /home/ec2-user/guaws/nginx/ssl/server.crt
sudo ln -s /etc/letsencrypt/live/{DOMAINNAME}/privkey.pem /home/ec2-user/guaws/nginx/ssl/server.key
Symlinks rather than copies are used on purpose: certbot renews into the same live/ paths, so nginx picks up the renewed files without the links having to be changed.
- Restart the nginx service with guawsctl restart nginx.
- The renewal command is executed automatically on a daily basis (see /etc/cron.daily/certbot.sh). A renewed certificate on disk is only served once nginx has loaded it, so check that script to see whether it restarts nginx after a renewal and, if it does not, add that step. To renew manually, execute guawsctl run certbot renew and restart nginx afterwards.
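Both the custom-certificate replacement in the previous section and the Let's Encrypt swap above share one failure mode: if server.crt and server.key do not belong together, or the certificate is already expired, the nginx restart takes the service down. The script below is an added example, not part of the guaws AMI or its documentation; it uses openssl to verify the pair before creating the symlinks, keeps the previous pair as a backup, and offers a post-restart check of what nginx actually serves. The paths are the ones named on this page; the function names, the backup/ subdirectory and the 14-day expiry margin are assumptions of this example. Run it with sudo, since /etc/letsencrypt is root-only.

```shell
#!/bin/bash
# Added example, not part of the guaws AMI or its documentation. Verifies a
# certificate/key pair with openssl before installing it for nginx, so that
# "guawsctl restart nginx" is never run against a broken pair. Paths are the
# ones named on the page; function names, the backup/ subdirectory and the
# 14-day expiry margin are assumptions of this example. Run with sudo.
set -u

SSL_DIR="${SSL_DIR:-/home/ec2-user/guaws/nginx/ssl}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# Public key of the first certificate in a PEM file, and the public key derived
# from a private key. Comparing these works for RSA and EC keys alike, unlike
# the older "-modulus" trick, which only works for RSA.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 if certificate $1 and private key $2 belong together, 1 otherwise
# (including when either file is missing or unparsable).
cert_matches_key() {
  local c k
  c=$(cert_pubkey "$1") || return 1
  k=$(key_pubkey "$2") || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if certificate $1 is still valid in $2 days (default 14), 1 if it expires
# before then. Useful as a cron check that renewal is actually happening.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null 2>&1
}

# Number of certificates in a PEM file. A Let's Encrypt fullchain.pem holds at
# least two (leaf plus intermediate); a bare leaf breaks chain building in
# many clients even though nginx starts fine with it.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null || true; }

# Point nginx's server.crt/server.key at a Let's Encrypt live directory.
# Usage: install_letsencrypt_links DOMAIN [SSL_DIR] [LE_LIVE]
install_letsencrypt_links() {
  local domain="$1" ssl_dir="${2:-$SSL_DIR}" live crt key f
  live="${3:-$LE_LIVE}/$domain"; crt="$live/fullchain.pem"; key="$live/privkey.pem"
  if ! cert_matches_key "$crt" "$key"; then
    echo "certificate and key in $live do not match or are unreadable" >&2; return 1
  fi
  if ! cert_valid_for_days "$crt" 1; then
    echo "certificate in $live is expired or expires within a day" >&2; return 1
  fi
  if [ "$(cert_count "$crt")" -lt 2 ]; then
    echo "warning: $crt holds a single certificate; intermediates may be missing" >&2
  fi
  # Keep the previous pair so a bad swap can be reverted by hand.
  mkdir -p "$ssl_dir/backup"
  for f in server.crt server.key; do
    if [ -e "$ssl_dir/$f" ] || [ -L "$ssl_dir/$f" ]; then
      mv -f "$ssl_dir/$f" "$ssl_dir/backup/$f.$(date +%s)"
    fi
  done
  ln -s "$crt" "$ssl_dir/server.crt"
  ln -s "$key" "$ssl_dir/server.key"
  echo "installed $crt and $key into $ssl_dir; now run: guawsctl restart nginx"
}

# After the restart, confirm what nginx actually serves (subject, issuer,
# validity): a process that was not restarted still presents the old one.
# Usage: served_cert_summary DOMAIN [HOST:PORT]
served_cert_summary() {
  openssl s_client -connect "${2:-localhost:443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}
```

A typical run is sudo bash -c '. ./swapcert.sh; install_letsencrypt_links example.com' followed by guawsctl restart nginx and served_cert_summary example.com; the same cert_matches_key and cert_valid_for_days checks apply unchanged to a manually copied custom certificate.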
Screen Recording
Sessions can be recorded graphically. Screen recording is enabled per connection in the connection settings, and the recording path must be set to /opt/guacamole/recordings. Recordings are written in Guacamole's own raw format, which needs to be encoded before it can be played back; use the guacenc utility to encode the raw stream into an m4v video file. Note that a recording captures everything that was displayed in the session, which can include credentials and other sensitive data shown on screen, so the recordings directory should be treated as sensitive and access to it restricted accordingly.
We recommend that you attach an additional EBS volume to the Guacamole instance if you use session recording extensively. Raw session recordings can become quite large, and a full root volume impacts the availability of the service. Mount the additional EBS volume under /opt/guacamole and create a folder recordings with ownership set to ec2-user. Given what the recordings contain, enable EBS encryption on that volume.
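The script below is an added example, not part of the guaws AMI or its documentation, that covers the two procedures described above: preparing the extra recording volume and batch-encoding finished recordings with guacenc. guacenc's -s (output size) and -r (bitrate) options are documented by the Guacamole project; the values used, the device name /dev/nvme1n1, the xfs filesystem, the five-minute "still being written" margin and all function names are assumptions of this example.

```shell
#!/bin/bash
# Added example, not part of the guaws AMI or its documentation. Prepares a
# dedicated recording volume and batch-encodes finished recordings with
# guacenc. Device name, filesystem type, guacenc size/bitrate and the
# five-minute age margin are assumptions; adjust them to your setup.
set -u

REC_DIR="${REC_DIR:-/opt/guacamole/recordings}"

# One-time setup of the extra EBS volume: create a filesystem only if the
# device has none, mount it under /opt/guacamole via /etc/fstab (by UUID, so
# the mount survives device renaming on reboot) and create the recordings
# folder owned by ec2-user. Run as root. Usage: prepare_recording_volume /dev/nvme1n1
prepare_recording_volume() {
  local dev="$1" mnt=/opt/guacamole uuid
  if ! blkid "$dev" >/dev/null 2>&1; then mkfs -t xfs "$dev"; fi
  uuid=$(blkid -s UUID -o value "$dev")
  mkdir -p "$mnt"
  grep -q "UUID=$uuid" /etc/fstab || echo "UUID=$uuid $mnt xfs defaults,nofail 0 2" >> /etc/fstab
  mountpoint -q "$mnt" || mount "$mnt"
  mkdir -p "$mnt/recordings"
  chown ec2-user:ec2-user "$mnt/recordings"
  chmod 750 "$mnt/recordings"   # recordings can contain on-screen credentials
}

# List raw recordings in $1 that have no .m4v next to them yet. guacenc writes
# its output as <recording>.m4v beside the input, so that file's presence is
# the "already encoded" marker. Files modified within the last $2 minutes
# (default 5; 0 disables the check) are skipped because guacenc needs the
# complete stream to produce a playable video.
pending_recordings() {
  local dir="${1:-$REC_DIR}" min_age="${2:-5}" age_filter=
  if [ "$min_age" -gt 0 ]; then age_filter="-mmin +$min_age"; fi
  find "$dir" -maxdepth 1 -type f ! -name '*.m4v' $age_filter -print | sort |
  while IFS= read -r f; do
    [ -e "$f.m4v" ] || printf '%s\n' "$f"
  done
}

# Encode every pending recording; returns non-zero if any encode failed so a
# cron job can report it. guacenc output goes to stderr so that only the names
# of failed recordings are collected.
encode_pending() {
  local dir="${1:-$REC_DIR}" size="${SIZE:-1280x720}" bitrate="${BITRATE:-2000000}" failures
  command -v guacenc >/dev/null 2>&1 || { echo "guacenc not found" >&2; return 127; }
  failures=$(pending_recordings "$dir" | while IFS= read -r f; do
    guacenc -s "$size" -r "$bitrate" "$f" >&2 || printf '%s\n' "$f"
  done)
  [ -z "$failures" ] || { printf 'failed to encode:\n%s\n' "$failures" >&2; return 1; }
}
```

Running encode_pending from a daily cron entry keeps the raw files from piling up unencoded; since the .m4v files are written to the same directory, the free-space argument for a separate volume applies to them as well.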
Audit Log
The application writes an audit log of users who have signed in and of the connections they opened to AWS CloudWatch Logs, provided the instance was launched with an instance profile that allows it to write to CloudWatch Logs. Each entry records the session start date, end date, instance ID, client IP and protocol of the session. Because the log lives in CloudWatch rather than on the instance, it survives instance termination and, as long as the instance profile grants only the permissions needed to write log events and not to delete them, it cannot be tampered with from the instance itself, which is what makes it usable as an audit trail.