Posted to user@guacamole.apache.org by sciUser <sh...@securitycentric.net> on 2019/01/15 22:54:17 UTC

SSL

I looked at the other topics about SSL and they were not to the point.

If I want to run SSL https://guachere/guacamole do I install it on the nginx
or tomcat?

Thank You



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: SSL

Posted by sciUser <sh...@securitycentric.net>.
The instruction set does mention using your provider's SSL, whether it be Comodo
or some other certificate provider.  In our case we are using ssl2buy, which
is really Comodo.

Thank You




Re: SSL

Posted by Zer0Cool <me...@gmail.com>.
The directions given for setting up SSL are a good start but use a
self-signed cert instead of a valid cert from, say, LetsEncrypt.

The suggested guacamole_ssl.conf configuration is also far from secure for
many reasons. 

1. First, you're using TLS 1.0 and TLS 1.1. Unless needed for very legacy
clients and connections you should stick with TLS 1.2 and up.
2. Your cipher list has some insecure ciphers in it from what I can tell.
3. There are many other steps you can use to tighten down security in Nginx
like OCSP stapling, forward secrecy, etc.

I would highly recommend checking out:
- Mozilla's SSL Configuration Generator at:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
- This config generator at: https://nginxconfig.io/
- This example of a secure config at: https://cipherli.st/

I found that using parts from each gave me the best results. For the
parameters I didn't understand or could not deduce what they did, I checked
the Nginx documentation, which pretty clearly details what each parameter
does.

You can use a site like https://www.ssllabs.com/ssltest/ and
https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide to test
your configuration and ensure it meets your security requirements.

You did not mention what OS you are using; if it's RHEL/CentOS I have written
an install script that is capable of setting everything up from scratch for
Guacamole, including SSL using either a self-signed cert or one from
LetsEncrypt (with automatic renewal), and many other features. If you're
interested I have posted it on GitHub at:
https://github.com/Zer0CoolX/guacamole-install-rhel. If you decide to use
the script, be aware that it's intended to run from a clean install and should
be tested before trying to use it in production.

I use my script at work; actually I just set up a new Guac server today. It scores
an A+ with 100% on all 4 categories on the SSL Labs test using a cert from
LetsEncrypt. I scheduled 4 hours to go from nothing to a fully set up and
configured Guacamole server. Using my script I was done, including creating
the connections and assigning permissions manually, in about 1 hour :)




Re: SSL

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Jan 16, 2019 at 4:19 AM sciUser <sh...@securitycentric.net>
wrote:

> I am going to give a complete step-by-step instruction on how to get SSL on
> guacamole running on CentOS7 build.  I really wish the Guacamole project
> would have more instructions like this, it would help so many.
>
>
Thank you for the detailed instructions.  We do have instructions for
configuring Guacamole behind a proxy, in the Guacamole Manual:

http://guacamole.apache.org/doc/gug/proxying-guacamole.html

Since configuring SSL in either httpd or Nginx is more of an issue for
httpd or Nginx, and there are plenty of sites that describe how to do that,
we tried to keep the manual focused on configuration items specific to
Guacamole.


> Hope this helps some out there.
>
>
Very likely it will.

-Nick

Re: SSL

Posted by sciUser <sh...@securitycentric.net>.
I am going to give a complete step-by-step instruction on how to get SSL on
guacamole running on CentOS7 build.  I really wish the Guacamole project
would have more instructions like this, it would help so many.

Steps as follows:

1. Log in to your CentOS7 using SSH; you will need root access
    - if you have sudo enabled, issue the command *sudo -i* and the user's
password
    - if you do not have sudo enabled for users (you should), issue the
command *su* then the root password
2. Navigate to */etc/nginx* issue the command* cd /etc/nginx*
3. Create a directory called ssl (lowercase) issue the command mkdir ssl
from /etc/nginx directory
4. Navigate in to ssl directory , issue the command *cd ssl*
5. Create another directory called *private*, issue the command *mkdir
private*
6. Use the following command to generate your new key and CSR files, issue the
command: *openssl req -new -newkey rsa:2048 -nodes -keyout
/etc/nginx/ssl/yourdomain_server.key -out /etc/nginx/ssl/yourdomain.csr*

Note1: /Replace yourdomain with YOUR OWN DOMAIN NAME./
Note2: follow the prompts; a description of the prompts is below:

*Country Name:* Use the two-letter code without punctuation for country, for
example: US
 
*State or Province:* Spell out the state completely; do not abbreviate the
state or province name, for example: California, not CA
 
*Locality or City: *The Locality field is the city or town name, for
example: Eugene. Do not abbreviate. For example: Mountain View, not Mt. View
 
*Company:* If the company or department has an &, @, or any other symbol
using the shift key in its name, the symbol must be spelled out or omitted,
in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or
XY and Z Corporation.
 
*Organizational Unit:*  The Organizational Unit (OU) field is the name of
the department or organization unit making the request. To skip the OU
field, press Enter\Return on the keyboard.
 
*Common Name: *The Common Name is the Host + Domain Name. It looks like
"*www.company.com*" or "*company.com*" or Wildcard "*.company.com"

*Support Email:* Enter the email address of who is responsible for the
certificate; normally this is support or hostmaster@company.com

7. Do not enter a password or additional company name when prompted (you
will see it, so don't do it).

8. At this point you will need to copy the contents of the *yourdomain.csr*
file; this is the PEM code.
It will look like this below (don't worry, this is not a valid PEM).  Then go to
your certificate authority's website and paste the /yourdomain.csr/
code into the generator. This will vary based on your provider's interface.

9. You should get four (4) files from your certificate provider:
    - *TrustExternalCARoot.crt* (root file)
    - *USERTrustRSAAddTrust.crt* (intermediate1 file)
    - *RSADomainValidationSecureCA.crt* (intermediate2 file)
    - *YourDomain_com.crt* (Domain file)
10. You will need to create the following three files using the four files
from the provider and one file from the server.
11. Create your first bundle file using the following crt files; you can use
Notepad or vi or nano as your editor to paste these files in, and you must do
them in the order below. Name this file *yourdomain-bundle.crt*; it will be
located in the */etc/nginx/ssl* directory.
   
12. Create your private key with the entire trust chain; like before, use
Notepad, vi or nano as your editor, and make sure to save this file as
*yourdomain_priv.key* in the */etc/nginx/ssl/private/* directory.


13. Because this is nginx I highly recommend generating a *dhparam.pem* file;
use the following command:
*openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2046*
Note: this may take up to 45 minutes to generate depending on your system
performance. Mine generated in 120 seconds or so.

14. Navigate to */etc/nginx/conf.d*
15. vi into *guacamole_ssl.conf* and make the following edits to the file as
seen below.

16. Exit and restart nginx using the following command: *systemctl restart
nginx*
17. The most important part is to secure all the files; make sure you are in
*/etc/nginx*, then issue the command: *chmod -R 600 ssl/**

Hope this helps some out there.

Thank You



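Zer0Cool's reply above says what is wrong with the TLS side of a config like this (TLS 1.0/1.1 enabled, weak ciphers, no OCSP stapling), and the step-by-step post above does the key, CSR, bundle and permissions work by hand. The script below is an added example, not code from the thread or from the Guacamole project. It performs steps 6 to 12 and 17 on a constructed root/intermediate/server chain (with CA-issued files you would skip gen_test_chain), refuses to go on if the bundle does not verify or its first certificate does not belong to the private key, and writes a guacamole_ssl.conf with TLS 1.2+, a modern cipher list, OCSP stapling and the dhparam file. The hostname guac.example.com, the file names, WORK standing in for /etc/nginx/ssl and the cipher list are assumptions; the proxy directives are the ones in the Guacamole manual's nginx section. One point the example makes that the post does not: nginx wants the server certificate plus intermediates in ssl_certificate and the private key on its own in ssl_certificate_key; the chain does not go into the key file.

```sh
#!/bin/sh
# Added example (not from the thread): steps 6-12 and 17 of the post above on a
# constructed test chain, a pre-flight check of the result, and a hardened
# guacamole_ssl.conf. Hostname, file names and the throwaway CA are assumptions;
# in production the intermediate/root come from your CA and WORK is /etc/nginx/ssl.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="guac.example.com"

# Minimal openssl config so nothing here depends on the system openssl.cnf.
# ca_ext and leaf_ext are only used to sign the constructed test chain.
cat > "$WORK/mini.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName   = DNS:$FQDN
EOF

# Constructed stand-in for the CA: root -> intermediate -> server certificate.
gen_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/mini.cnf" \
        -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/mini.cnf" \
        -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 1825 -extfile "$WORK/mini.cnf" -extensions ca_ext -out "$WORK/int.crt" 2>/dev/null
    # Step 6 of the post: key and CSR for the server; step 7: no passphrase (-nodes).
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/mini.cnf" \
        -subj "/CN=$FQDN" -keyout "$WORK/${FQDN}_server.key" -out "$WORK/$FQDN.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$FQDN.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
        -days 365 -extfile "$WORK/mini.cnf" -extensions leaf_ext -out "$WORK/$FQDN.crt" 2>/dev/null
}

# Step 11: nginx's ssl_certificate file is the server certificate first, then the
# intermediates, the one that signed the server certificate first. The root is
# left out: clients must already trust it, so sending it only pads the handshake.
make_bundle() {                 # make_bundle OUT SERVER.crt INTERMEDIATE.crt...
    out="$1"; shift
    cat "$@" > "$out"
    chmod 600 "$out"            # step 17 of the post, applied as each file is written
}

# Pre-flight for step 16: do not restart nginx if the chain does not verify or the
# first certificate does not belong to the private key (nginx's "key values
# mismatch" error). ROOT is only needed here, to anchor the chain check.
verify_bundle() {               # verify_bundle BUNDLE ROOT.crt SERVER.key
    bundle="$1"; root="$2"; key="$3"
    openssl x509 -in "$bundle" -out "$WORK/first.pem" 2>/dev/null || return 1   # first cert only
    openssl verify -CAfile "$root" -untrusted "$bundle" "$WORK/first.pem" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$WORK/first.pem" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]
}

# Steps 14-15: conf.d/guacamole_ssl.conf. Proxy directives are the Guacamole
# manual's; protocols, ciphers and stapling follow the replies in this thread.
write_nginx_conf() {            # write_nginx_conf OUT BUNDLE KEY CHAIN DHPARAM
    cat > "$1" <<EOF
server {
    listen 443 ssl http2;
    server_name $FQDN;

    ssl_certificate         $2;
    ssl_certificate_key     $3;
    ssl_protocols           TLSv1.2 TLSv1.3;   # TLS 1.0/1.1 off; 1.3 needs nginx built on OpenSSL 1.1.1+
    ssl_ciphers             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_dhparam             $5;                # step 13: openssl dhparam -out dhparam.pem 2048
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate $4;                # intermediates + root, used to check the stapled response

    location /guacamole/ {
        proxy_pass         http://127.0.0.1:8080;
        proxy_buffering    off;
        proxy_http_version 1.1;
        proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header   Upgrade \$http_upgrade;
        proxy_set_header   Connection \$http_connection;
        access_log         off;
    }
}
EOF
}

# Demo on the constructed chain; with CA-issued files skip gen_test_chain.
gen_test_chain
make_bundle "$WORK/$FQDN-bundle.crt" "$WORK/$FQDN.crt" "$WORK/int.crt"
cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/ocsp-chain.crt"     # for ssl_trusted_certificate
verify_bundle "$WORK/$FQDN-bundle.crt" "$WORK/root.crt" "$WORK/${FQDN}_server.key" \
    || { echo "bundle rejected, not restarting nginx" >&2; exit 1; }
write_nginx_conf "$WORK/guacamole_ssl.conf" "$WORK/$FQDN-bundle.crt" "$WORK/${FQDN}_server.key" \
    "$WORK/ocsp-chain.crt" "$WORK/dhparam.pem"
```

verify_bundle is the part worth keeping around: pasting the intermediate above the server certificate (or pointing ssl_certificate_key at the wrong key) passes a visual check but fails the public-key comparison, which is exactly the mistake nginx reports at restart. Run the script as root with WORK=/etc/nginx/ssl once the CA-issued files are in place, then `nginx -t` before `systemctl restart nginx`.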

Re: SSL

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Jan 15, 2019 at 17:54 sciUser <sh...@securitycentric.net> wrote:

> I looked at the other topics about SSL and they were not to the point.
>
> If I want to run SSL https://guachere/guacamole do I install it on the
> nginx
> or tomcat?
>

Technically you can install SSL/TLS in either place.  It's generally done
on Nginx (or httpd) because you're likely also trying to get Tomcat proxied
to the standard HTTPS port (443), which, until very recent Linux kernels,
would require running Tomcat (read: Java) under the root account (=bad).
There are a few other ways to accomplish that, but proxying Tomcat behind
either httpd or Nginx with SSL/TLS is very widely practiced.

-Nick