Short Tutorial – NextCloud + Guacamole

I published a video last year showing a fully functional SSH Client riding inside of my OwnCloud Install but sadly did not include any documentation on how to actually set it up. There was a reason for this as the steps were very involved and required a lot of added code that would break between OwnCloud/NextCloud Updates. I have had several requests over the past several months to revive the project but due to time limitations I have not been able to do it. Instead I have put together a basic tutorial to get your own similar setup running that has even more features than my original demo – This tutorial will be a starting point and you will need to locate the steps for your exact server setup. 

Requirements

  • Dedicated Server or VPS – These instructions require you to have root access to the machine that your NextCloud install is on. I strongly recommend the services of Big Brain Global or Dacentec if you are in need of a server. Your server should have at least 1.5-8 GB of RAM depending on the number of users
  • Server Management Skills – This tutorial will not include any copy and paste code so you should be comfortable with some server management tasks at the command line.
  • A working install of NextCloud or OwnCloud
  • A SSL Certificate

Initial Setup of NextCloud/OwnCloud

You will need to install NextCloud or OwnCloud per the instructions for your distribution of choice. This will also normally involve installing a WebServer (Apache, NginX, etc), PHP7 and a few other dependencies. While setting up the server, it is important to install Apache ModProxy if you use Apache2. Other than that, there are no special steps needed at this time. Ensure that you also setup your NextCloud/OwnCloud to work with a SSL Certificate such as one from LetsEncrypt

Install TomCat and Guacamole

Guacamole is an incredible SSH, VNC and RDP client that runs completely in your browser without the need for browser plugins. Guacamole works on tablets and even in Chromebooks without issue. Guacamole does require the use of Apache TomCat to serve up the application. You will need to locate up to date instructions to set this up according to your distribution of choice.

Setting up the Local Proxy

By default, Guacamole listens on https://ip.address:8080/guacamole – This is not really ideal for use so the next thing you will need to do is to setup a local proxy to tunnel https://hostname.something.com/some-long-url-for-guacamole-bla-bla-0007 to https://ip.address:8080/guacamole. This will help to make your guacamole install harder to find and allow you to use it on networks that only allow port 80 and 443. There are several great tutorials such as this and this. Do not share this URL with anyone.

Once your local proxy is setup, you should restrict access to port 8080 to localhost

Embedding Guacamole in NextCloud/OwnCloud

Within your NextCloud/OwnCloud App Repository, add and enable the “External Sites” application and follow the instructions to configure it using your proxy URL. This will create a shortcut to your Guacamole that will launch it in an embedded frame. All communications will be proxied through that proxy URL but your users will only see the NextCloud/OwnCloud URL in the address bar.

Extra Credit

None of the ideas below are required to do but will make your setup much better.

  • Setup a VPN on the NextCloud/OwnCloud server and connect your remote devices to the VPN. When setting up SSH/VNC/RDP – ensure that you are using your internal VPN IP address in place of a public IP address to ensure that traffic is encrypted. VNC for example is not very secure but when setup to listen on a VPN, the security is greatly enhanced.
  • Block SSH/RDP access on servers to restrict connections not coming from your NextCloud or OwnCloud server
  • Setup 2 Factor Authentication on your NextCloud/OwnCloud Server – you are trusting it with a lot of access so you need to ensure that security is pretty tight.
  • Setup Single Sign-on with Guacamole to reduce the need to log in multiple times.
Facebooktwittergoogle_plusredditpinterestlinkedinmail

Leave a Reply

Your email address will not be published. Required fields are marked *