Hi

What Nick said: the docs do make decent recommendations with regard to setting up and proxying the Tomcat app. You might also look into general security advice with regard to Tomcat and host-based firewalls.

I keep a PDF dump of my Guacamole installation docs here: https://github.com/gerdesj/Various which notes some security measures. I will be updating that doc within the next week or so for 1.6.0 but you may find some handy advice anyway.

Note that Guacamole requires an older version of Tomcat etc. If you run it on Ubuntu, you are stuck with LTS 22.04 for now. That LTS is still supported until 2027 so all good. To get some more patches you will need a Canonical account, which is free for five machines even for commercial use. If you do that, you will pass security audits via the likes of Nessus.

Nessus has a demo which you can use for a one-off scan - give it ssh access and a user name and password and it will do a great job of checking things out. Qualys - https://www.ssllabs.com/ssltest/ will do an SSL test for you.

In the end, Guac is just a webapp and you should use all your skills to secure it appropriately. If you lack those skills then you will need to buy them in.

Cheers
Jon

On Thu, 2025-11-06 at 11:06 -0500, Nick Couchman wrote:
> On Thu, Nov 6, 2025 at 11:03 AM openbidaaz <[email protected]> wrote:
> > Hello,
> > Is there any guide or advisory on how to harden Guacamole to secure the setup?
>
> You'll have to be more specific about what you're looking for. The Guacamole manual has some suggestions for things like encrypting traffic, but most of the hardening is going to be done either at an O/S level or network level. If there are specific items you're wondering about, though, please feel free to ask those more specifically.
>
> https://guacamole.apache.org/doc/gug/
>
> -Nick
