
Security

This service listens for HTTP on port 80 and for HTTPS on port 443. Any request arriving on port 80 is redirected to HTTPS. Out of the box the HTTPS listener uses a self-signed certificate: the connection is encrypted, but browsers will warn and clients cannot verify that they are talking to the right host, so replace it before exposing the service to users (see the options below).

Best practice is to put an Application Load Balancer (ALB) in front of this instance and terminate TLS there with a properly signed certificate (for example one issued by AWS Certificate Manager). The target group health check must be configured with protocol HTTPS, port 443 and path /. The ALB does not validate the certificate presented by the backend, so the instance's self-signed certificate is fine for the ALB-to-instance hop. Restrict the instance's security group so that port 443 is reachable only from the ALB's security group, otherwise clients can still bypass the ALB and hit the self-signed endpoint directly. Please have a look at the Guacamole Cluster, which provisions all of these components through a CloudFormation template.
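The following reduced CloudFormation fragment is an added illustration and not the Guacamole Cluster template itself. It shows only the parts that matter for the setup described above: an ACM certificate on the ALB, an HTTP-to-HTTPS redirect at the ALB, the HTTPS/443// health check, and a security-group rule that admits port 443 on the instance only from the ALB. The parameter names and the TLS security policy are assumptions; adapt them to your own stack.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example (not the Guacamole Cluster template) - ALB in front of one guaws instance
Parameters:
  VpcId: {Type: 'AWS::EC2::VPC::Id'}
  PublicSubnets: {Type: 'List<AWS::EC2::Subnet::Id>'}
  InstanceId: {Type: 'AWS::EC2::Instance::Id'}
  InstanceSecurityGroupId: {Type: 'AWS::EC2::SecurityGroup::Id'}   # SG already attached to the instance
  CertificateArn: {Type: String}   # ACM certificate for the public host name
Resources:
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet-facing ALB for Guacamole
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 0.0.0.0/0}
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}
  # Only the ALB may reach the instance on 443; nobody can bypass the signed certificate.
  InstanceIngressFromAlb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroupId
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourceSecurityGroupId: !Ref AlbSecurityGroup
  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnets
      SecurityGroups: [!Ref AlbSecurityGroup]
  # Health check exactly as the page requires: HTTPS, port 443, path /.
  # The ALB does not validate the backend's (self-signed) certificate.
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: instance
      Protocol: HTTPS
      Port: 443
      HealthCheckProtocol: HTTPS
      HealthCheckPort: '443'
      HealthCheckPath: /
      Targets:
        - Id: !Ref InstanceId
          Port: 443
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # assumption: pick the policy your clients need
      Certificates: [{CertificateArn: !Ref CertificateArn}]
      DefaultActions: [{Type: forward, TargetGroupArn: !Ref TargetGroup}]
  # Mirror the instance's own behaviour: plain HTTP is redirected to HTTPS at the edge.
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig: {Protocol: HTTPS, Port: '443', StatusCode: HTTP_301}
```

If the target never becomes healthy, check which HTTP status nginx returns for / on the instance; the target group's default matcher only accepts 200, so a redirect at / would need a Matcher entry.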

Custom SSL Certificate

Alternatively, the SSL certificate on the server itself can be replaced. nginx reads the certificate from /home/ec2-user/guaws/nginx/ssl/server.crt and the private key from /home/ec2-user/guaws/nginx/ssl/server.key. Install the full chain (server certificate followed by any intermediate certificates) as server.crt, keep the permissions on server.key as tight as on the file you replace, and run guawsctl restart nginx to load the new files.

Let's Encrypt

The AMI ships with the Let's Encrypt certbot client preinstalled. The steps below use certbot's webroot method, i.e. the HTTP-01 challenge, so requests for http://{DOMAINNAME}/.well-known/acme-challenge/ must reach the instance on port 80 from the internet while the certificate is requested and at every renewal. To obtain certificates from Let's Encrypt, execute the following steps:

  1. Log in as ec2-user.
  2. Run guawsctl run certbot certonly --webroot --webroot-path /var/www/letsencrypt and follow the instructions on the screen (certbot asks for the domain name and a contact address).
  3. Point the nginx certificate files at the Let's Encrypt live directory (replace {DOMAINNAME} with your domain name). Use fullchain.pem rather than cert.pem: it contains the server certificate followed by the Let's Encrypt intermediate, without which clients that do not already have the intermediate fail chain validation.
    sudo rm -f /home/ec2-user/guaws/nginx/ssl/server.*
    sudo ln -s /etc/letsencrypt/live/{DOMAINNAME}/fullchain.pem /home/ec2-user/guaws/nginx/ssl/server.crt
    sudo ln -s /etc/letsencrypt/live/{DOMAINNAME}/privkey.pem /home/ec2-user/guaws/nginx/ssl/server.key
  4. Restart the nginx service with guawsctl restart nginx.
  5. Renewal runs automatically once a day (see /etc/cron.daily/certbot.sh). Check that this script also restarts or reloads nginx after a successful renewal: nginx reads the certificate at start-up, so without a reload it keeps serving the old certificate from memory even though the files under /etc/letsencrypt/live already point at the renewed one. To renew manually, execute guawsctl run certbot renew followed by guawsctl restart nginx.
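The whole switch-over as one script, added here as an example and not part of guaws. The paths, the guawsctl commands and the file names are the ones from the steps above; the function names, the domain-name check and the rule that the old certificate is only removed once certbot has actually issued one for the domain are this example's own additions. Run it with sudo on the instance.

```bash
#!/bin/bash
# Added example (not part of guaws): switch the nginx certificate to Let's Encrypt.
# Usage on the instance: sudo ./le-switch.sh guacamole.example.com
set -eu

SSL_DIR=/home/ec2-user/guaws/nginx/ssl      # from the page
LE_LIVE=/etc/letsencrypt/live               # certbot's live directory
WEBROOT=/var/www/letsencrypt                # from the page

# Accept only a plausible DNS name so that a typo can never produce a dangling
# symlink in the nginx ssl directory.
valid_domain() {
    printf '%s' "$1" | grep -Eiq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Replace server.crt / server.key with symlinks into Let's Encrypt's live
# directory. Both files must already exist: the old, still-working certificate
# is only removed once certbot has actually issued one for this domain.
# The second and third arguments override the directories (used for testing).
install_le_links() {
    local domain=$1 ssl_dir=${2:-$SSL_DIR} le_live=${3:-$LE_LIVE}
    valid_domain "$domain" || { echo "refusing bad domain name: $domain" >&2; return 1; }
    local crt="$le_live/$domain/fullchain.pem" key="$le_live/$domain/privkey.pem"
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "no certificate for $domain under $le_live, leaving nginx untouched" >&2
        return 1
    fi
    rm -f "$ssl_dir/server.crt" "$ssl_dir/server.key"
    ln -s "$crt" "$ssl_dir/server.crt"
    ln -s "$key" "$ssl_dir/server.key"
}

# Print subject, issuer and expiry of the certificate a host actually serves,
# so the result can be verified from the outside (and an ALB in front that still
# presents a different certificate becomes visible).
show_served_cert() {
    local host=$1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -enddate
}

main() {
    local domain=$1
    valid_domain "$domain"
    # Step 2: HTTP-01 challenge; port 80 must be reachable from the internet.
    guawsctl run certbot certonly --webroot --webroot-path "$WEBROOT" -d "$domain"
    # Step 3: point nginx at the issued files.
    install_le_links "$domain"
    # Step 4: nginx only picks up the new certificate on restart.
    guawsctl restart nginx
    show_served_cert "$domain"
}

if [ $# -gt 0 ]; then
    main "$1"
fi
```

show_served_cert is also the quickest way to confirm, after the daily renewal has run, that nginx was actually restarted: if the printed notAfter date has not moved, the files on disk were renewed but the running server still holds the old certificate.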

Screen Recording

Sessions can be recorded graphically. Screen recording needs to be enabled in the connection settings, and the recording path must be set to /opt/guacamole/recordings. Recordings are written as a raw dump of the Guacamole protocol stream, which cannot be played directly; use the guacenc utility to encode a finished recording into an .m4v video file (guacenc writes the video next to the input file). Only encode a recording after its session has ended, otherwise the video stops wherever the session was at that moment.

We recommend that you attach an additional EBS volume to the Guacamole instance if you are using session recording extensively. Raw session recordings can become quite large, and a full root volume impacts the availability of the whole service, not just the recordings. Mount the additional EBS volume under /opt/guacamole and create a folder recordings with ownership set to ec2-user. Recordings contain everything the user saw and typed, so keep the directory readable only by the owner.
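The two recording chores as one script, added here as an example and not part of guaws: a one-time function that prepares the extra EBS volume (mounted by UUID with nofail so a detached volume cannot block boot, and never mounted over a non-empty directory), and an encoder that only touches recordings whose session has been quiet for a while. The mount point, the recordings directory and the ec2-user ownership are from the page; the device name, the filesystem type (xfs), the guacenc resolution and bitrate, and the function names are assumptions.

```bash
#!/bin/bash
# Added example (not part of guaws): recordings volume setup and batch encoding.
# Usage: sudo ./recordings.sh prepare /dev/nvme1n1 ; sudo ./recordings.sh encode
set -eu

RECORDING_ROOT=/opt/guacamole                 # from the page
RECORDING_DIR=$RECORDING_ROOT/recordings       # from the page

# One-time setup: format a blank volume, mount it by UUID (device names can
# change between reboots) with nofail, and create the recordings directory.
prepare_volume() {
    local dev=$1 uuid
    if ! blkid "$dev" >/dev/null 2>&1; then
        mkfs.xfs "$dev"                        # blank device: create a filesystem (xfs assumed)
    fi
    uuid=$(blkid -s UUID -o value "$dev")
    mkdir -p "$RECORDING_ROOT"
    # Never hide existing files by mounting over a non-empty directory.
    if ! mountpoint -q "$RECORDING_ROOT" && [ -n "$(ls -A "$RECORDING_ROOT")" ]; then
        echo "$RECORDING_ROOT is not empty, refusing to mount over it" >&2
        return 1
    fi
    grep -q "UUID=$uuid" /etc/fstab ||
        echo "UUID=$uuid $RECORDING_ROOT xfs defaults,nofail 0 2" >> /etc/fstab
    mountpoint -q "$RECORDING_ROOT" || mount "$RECORDING_ROOT"
    mkdir -p "$RECORDING_DIR"
    chown ec2-user:ec2-user "$RECORDING_DIR"
    chmod 750 "$RECORDING_DIR"                 # recordings are sensitive: no world access
}

# List raw recordings in DIR that have no encoded .m4v beside them yet and
# were last modified more than MIN_AGE minutes ago (0 = no age filter).
# guacenc writes FILE.m4v next to FILE, so that file's presence marks completion.
pending_recordings() {
    local dir=${1:-$RECORDING_DIR} min_age=${2:-0} age_filter="" f
    if [ "$min_age" -gt 0 ]; then
        age_filter="-mmin +$min_age"
    fi
    # $age_filter is intentionally unquoted so it expands to two find arguments.
    find "$dir" -maxdepth 1 -type f ! -name '*.m4v' $age_filter | sort |
        while IFS= read -r f; do
            [ -e "$f.m4v" ] || printf '%s\n' "$f"
        done
}

# Encode every recording untouched for 5 minutes (its session is over) and
# report how full the volume is afterwards.
encode_pending() {
    local dir=${1:-$RECORDING_DIR} f
    pending_recordings "$dir" 5 | while IFS= read -r f; do
        guacenc -s 1280x720 -r 2000000 "$f"    # 1280x720 at 2 Mbit/s (assumed settings)
    done
    echo "$(used_percent "$dir")% of the recordings volume in use"
}

# Percentage of the filesystem holding DIR that is in use (POSIX df output).
used_percent() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

case ${1:-} in
    prepare) prepare_volume "$2" ;;
    encode)  encode_pending ;;
esac
```

Run encode from cron and alert on the printed percentage; a volume that fills up silently is exactly the failure the separate EBS volume is meant to contain.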

Audit Log

If the instance was launched with an instance profile that allows writing to CloudWatch Logs, the application writes an audit log of user sign-ins and opened connections to AWS CloudWatch Logs. Each entry records the session start and end time, the instance ID, the client IP address and the protocol of the session. Because the log lives outside the instance it survives a compromise or loss of the instance; set a retention period on the log group and restrict who can read it, since it reveals which users reached which targets and from where.
