guacd.conf

Advanced configuration for the Guacd service
/etc/guacamole/guacd.conf is the configuration file for Apache Guacamole's proxy daemon, guacd. Editing this file is not normally required unless the circumstances of your deployment require internal communications to be encrypted (not just public-facing communication), the guacd service needs to listen on an external interface or non-standard port, or you need to increase logging verbosity to assist with debugging unexpected behavior.
The guacd.conf file is read only during service startup, and changes to guacd.conf will take effect only after restarting the guacd service.

Organization and general syntax

The guacd.conf file is organized within three distinct sections, each section having special meaning to guacd and containing only parameters specific to that section:
  • "server" - Parameters for configuring the hostname/address and port used by guacd.
  • "daemon" - Parameters for configuring the behavior of the guacd daemon, in particular logging level.
  • "ssl" - Parameters for configuring SSL/TLS encryption of the internal communication between the web application and guacd.
The beginning of each section is denoted with a section name in brackets, and each section ends implicitly with the beginning of a new section, or at the end of the file.
Parameters names and values
Parameters within sections are written as a parameter name, followed by an equals sign, followed by the parameter value, all on one line.
name = value
If special characters need to be placed within a parameter value, such as whitespace, #, ", or \, the entire value must be enclosed in double quotes, and each occurrence of " or \ within the value must be escaped with backslashes:
name = "quoted # value \\ with \" special characters"
Comments
Comments may be placed anywhere, including at the end of a parameter, and consist of arbitrary text following a # symbol until end-of-line:
# Arbitrary comment
name = value # Another arbitrary comment

Server parameters

The parameters within the "server" section define the hostname/address and port that the guacd service should listen on. By default, the guacd service will listen at port 4822 on localhost, and thus will accept connections from a local instance of Guacamole only. If these values are changed, the Guacamole web application will need to be reconfigured to match by editing /etc/guacamole/guacamole.properties.
Parameter name
Default value
Description
bind_host
localhost
The hostname or IP address that the guacd service should listen on.
bind_port
4822
The TCP port that the guacd service should listen on.

Daemon parameters

The parameters within the "daemon" section control how guacd operates as a daemon, in particular the level at which messages should be logged. Greater logging verbosity may be desired if unexpected behavior is encountered.
Parameter name
Default value
Description
log_level
info
The log level that guacd should use when logging messages. In order of increasing verbosity, possible values are:
  • error
  • warning
  • info
  • debug

SSL/TLS parameters

guacd can be configured to communicate with the web application using SSL/TLS. If a certificate and key are specified, guacd will require SSL/TLS for all connections from the web application, and the web application will need to be reconfigured to match by editing /etc/guacamole/guacamole.properties. If the certificate cannot be verified by Java against well-known CA certificates, the certificate will also need to be added to Java's truststore.
By default, internal communication between guacd and the web application is not encrypted.
This DOES NOT affect whether communication between a user's browser and the web application is encrypted. This affects only the internal network communication between the web application and guacd. You DO NOT need to set these values to enable SSL/TLS on the public-facing side of Apache Guacamole.
To encrypt all communication between your users and your Apache Guacamole deployment, look instead at configuring SSL termination.
Parameter name
Default value
Description
server_certificate
N/A
The full, absolute path to the PEM certificate that guacd should use to communicate with the web application.
server_key
N/A
The full, absolute path to the PEM private key that guacd should use to communicate with the web application.