keeper/guacamole
guacamole.properties are stored only in memory by default and all authentication methods supported by the Keeper Connection Manager packages are supported.

guacamole.properties file provided with Keeper Connection Manager can be configured with environment variables. All supported environment variables may alternatively be read from files, including Docker secrets. Arbitrary third-party extensions, such as custom branding or authentication, may be used through volume mounts and setting ADDITIONAL_GUACAMOLE_PROPERTIES and USE_DEFAULT_BRANDING variables as needed.

some-guacamole is the name you wish to assign to your container and some-guacd is the hostname or IP address of your guacd instance or keeper/guacd container.

keeper/guacamole-db-mysql or keeper/guacamole-db-postgres images, which provide MySQL and PostgreSQL databases which are automatically initialized for Guacamole.

LOG_LEVEL environment variable.

ACCEPT_EULA
ACCEPT_EULA environment variable must be set to "Y" to indicate your acceptance of the Keeper Connection Manager EULA. This Docker image may not be used except under the terms of the EULA.

ADDITIONAL_GUACAMOLE_PROPERTIES
/etc/guacamole/guacamole.properties during startup. This content is added via guacamole.properties.docker, thus environment variable substitution will be automatically performed on the content of this variable.

ALLOWED_LANGUAGES
ALLOWED_LANGUAGES="en, de". As English is the fallback language, used whenever a translation key is missing from the chosen language, English should only be omitted from this list if you are absolutely positive that no strings are missing from your custom translations.

API_*
API_ correspond to configuration properties for configuring the Guacamole web application as a whole. These variables control how Guacamole handles user sessions and any HTTP requests that it receives. Note that these variables control only aspects of the Guacamole web application. They do not control the behavior of remote desktop sessions.

API_MAX_REQUEST_SIZE
API_SESSION_TIMEOUT

CONTEXT_PATH
http://your-container:8080/), but this can be overridden by setting CONTEXT_PATH to the name of a different location.

CONTEXT_PATH may not contain slashes. If you need to serve the web application beneath a more complex nested path, you will need to use a reverse proxy like Nginx or Apache HTTPD.

DUO_*
DUO_ correspond to configuration properties for Duo multi-factor authentication which would normally be specified within guacamole.properties.

DUO_API_HOSTNAME
DUO_INTEGRATION_KEY
DUO_SECRET_KEY
DUO_APPLICATION_KEY

EXTENSIONS
guacamole(*) package capability of the corresponding Keeper Connection Manager package (part of the RPM package's metadata):

GUACD_*
GUACD_HOSTNAME
GUACD_PORT
GUACD_SSL

JSON_*
JSON_ correspond to configuration properties for encrypted JSON authentication which would normally be specified within guacamole.properties.

JSON_SECRET_KEY
JSON_TRUSTED_NETWORKS

KSM_*
KSM_* correspond to configuration properties for Keeper Secrets Manager. See the Keeper Vault Integration guide.

KSM_CONFIG
KSM_TOKEN_MAPPING
*_KSM_SECRET

LDAP_*
LDAP_ correspond to configuration properties for LDAP authentication which would normally be specified within guacamole.properties.

LDAP_HOSTNAME
LDAP_USER_BASE_DN
LDAP_SERVERS
    ldap-servers.yml file describing the LDAP servers that Guacamole should use for authentication.
LDAP_PORT
LDAP_ENCRYPTION_METHOD
LDAP_NETWORK_TIMEOUT
    LDAP_OPERATION_TIMEOUT, as failover to alternative LDAP servers may need to occur quickly if multiple LDAP servers are configured.
LDAP_OPERATION_TIMEOUT
LDAP_USERNAME_ATTRIBUTE
LDAP_SEARCH_BIND_DN
LDAP_SEARCH_BIND_PASSWORD
LDAP_CONFIG_BASE_DN
    guacConfigGroup objects, if the LDAP directory is being used to store connection data.
LDAP_GROUP_BASE_DN
    guacConfigGroup access within the LDAP directory via the seeAlso attribute.
LDAP_MAX_SEARCH_RESULTS
LDAP_USER_SEARCH_FILTER
    (objectClass=*) will be used by default.
LDAP_GROUP_SEARCH_FILTER
    (objectClass=*) will be used by default.
LDAP_DEREFERENCE_ALIASES
LDAP_FOLLOW_REFERRALS
LDAP_MAX_REFERRAL_HOPS

LOG_LEVEL

MYSQL_*
MYSQL_ correspond to configuration properties for MySQL authentication which would normally be specified within guacamole.properties.

keeper/guacamole-db-mysql image which provides a MySQL database that is automatically initialized for use by Guacamole.

MYSQL_HOSTNAME
MYSQL_DATABASE
MYSQL_USERNAME
MYSQL_PASSWORD
MYSQL_PORT
MYSQL_USER_PASSWORD_MIN_LENGTH
MYSQL_USER_PASSWORD_REQUIRE_MULTIPLE_CASE
MYSQL_USER_PASSWORD_REQUIRE_SYMBOL
MYSQL_USER_PASSWORD_REQUIRE_DIGIT
MYSQL_USER_PASSWORD_PROHIBIT_USERNAME
MYSQL_USER_PASSWORD_MIN_AGE
MYSQL_USER_PASSWORD_MAX_AGE
MYSQL_USER_PASSWORD_HISTORY_SIZE
MYSQL_DEFAULT_MAX_CONNECTIONS
MYSQL_DEFAULT_MAX_GROUP_CONNECTIONS
MYSQL_DEFAULT_MAX_CONNECTIONS_PER_USER
MYSQL_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER
MYSQL_ABSOLUTE_MAX_CONNECTIONS
MYSQL_USER_REQUIRED

OPENID_*
OPENID_AUTHORIZATION_ENDPOINT
OPENID_CLIENT_ID
OPENID_ISSUER
OPENID_JWKS_ENDPOINT
OPENID_REDIRECT_URI
OPENID_ALLOWED_CLOCK_SKEW
OPENID_GROUPS_CLAIM_TYPE
OPENID_MAX_NONCE_VALIDITY
OPENID_MAX_TOKEN_VALIDITY
OPENID_SCOPE
OPENID_USERNAME_CLAIM_TYPE

POSTGRES_*
POSTGRES_ correspond to configuration properties for PostgreSQL authentication which would normally be specified within guacamole.properties.

keeper/guacamole-db-postgres image which provides a PostgreSQL database that is automatically initialized for use by Guacamole.

POSTGRES_HOSTNAME
POSTGRES_DATABASE
POSTGRES_USERNAME
POSTGRES_PASSWORD
POSTGRES_PORT
POSTGRES_USER_PASSWORD_MIN_LENGTH
POSTGRES_USER_PASSWORD_REQUIRE_MULTIPLE_CASE
POSTGRES_USER_PASSWORD_REQUIRE_SYMBOL
POSTGRES_USER_PASSWORD_REQUIRE_DIGIT
POSTGRES_USER_PASSWORD_PROHIBIT_USERNAME
POSTGRES_USER_PASSWORD_MIN_AGE
POSTGRES_USER_PASSWORD_MAX_AGE
POSTGRES_USER_PASSWORD_HISTORY_SIZE
POSTGRES_DEFAULT_MAX_CONNECTIONS
POSTGRES_DEFAULT_MAX_GROUP_CONNECTIONS
POSTGRES_DEFAULT_MAX_CONNECTIONS_PER_USER
POSTGRES_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER
POSTGRES_ABSOLUTE_MAX_CONNECTIONS
POSTGRES_USER_REQUIRED

SAML_*
SAML_ correspond to configuration properties for SAML Authentication which would normally be specified within guacamole.properties.

SAML_CALLBACK_URL
SAML_COMPRESS_REQUEST
SAML_COMPRESS_RESPONSE
SAML_ENTITY_ID
SAML_GROUP_ATTRIBUTE
SAML_IDP_METADATA_URL
SAML_IDP_URL

SQLSERVER_*
SQLSERVER_ correspond to configuration properties for SQL Server authentication which would normally be specified within guacamole.properties.

SQLSERVER_HOSTNAME
SQLSERVER_DATABASE
SQLSERVER_USERNAME
SQLSERVER_PASSWORD
SQLSERVER_PORT
SQLSERVER_USER_PASSWORD_MIN_LENGTH
SQLSERVER_USER_PASSWORD_REQUIRE_MULTIPLE_CASE
SQLSERVER_USER_PASSWORD_REQUIRE_SYMBOL
SQLSERVER_USER_PASSWORD_REQUIRE_DIGIT
SQLSERVER_USER_PASSWORD_PROHIBIT_USERNAME
SQLSERVER_USER_PASSWORD_MIN_AGE
SQLSERVER_USER_PASSWORD_MAX_AGE
SQLSERVER_USER_PASSWORD_HISTORY_SIZE
SQLSERVER_DEFAULT_MAX_CONNECTIONS
SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS
SQLSERVER_DEFAULT_MAX_CONNECTIONS_PER_USER
SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER
SQLSERVER_ABSOLUTE_MAX_CONNECTIONS
SQLSERVER_USER_REQUIRED

TOTP_*
TOTP_ correspond to configuration properties for TOTP multi-factor authentication which would normally be specified within guacamole.properties.

TOTP_ISSUER
TOTP_DIGITS
TOTP_PERIOD
TOTP_MODE

UDS_*
UDS_ correspond to configuration properties for integrating with UDS Enterprise that would normally be specified within guacamole.properties.

UDS_BASE_URL

USER_MAPPING
/etc/guacamole/user-mapping.xml file that can be used to test a Guacamole deployment without configuring a more complex authentication method like MySQL, PostgreSQL, or LDAP. This is the authentication mechanism described within the Keeper Connection Manager installation instructions.

/dev/shm) unless the USE_SHM environment variable is set to "N" as documented below.

USE_DEFAULT_BRANDING
USE_DEFAULT_BRANDING environment variable should be set to "N" to disable the Keeper branding and avoid conflicts with your branding extension.

USE_SHM
USE_SHM to "N".

keeper/guacamole image stores the contents of files that are known to be sensitive within /dev/shm, thus storing those files only in memory and without potentially persisting sensitive data to disk. As such files are generated by the Docker image from environment variables during startup, this is particularly useful if Docker secrets are being used.

_FILE suffix may be added to any environment variable supported by this image to force that variable to be read from the named file within the container. For example, to read /etc/guacamole/user-mapping.xml from a file:

/run/secrets/ within the container, this can be used to load sensitive data from Docker secrets:
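
A deployment check for the _FILE and USE_SHM guidance above, added here as an example and not taken from the Keeper documentation: it reads a container's KEY=VALUE environment and reports sensitive variables set inline, _FILE paths outside /run/secrets/, and USE_SHM set to "N". The function name, the finding labels, the name patterns treated as sensitive and the sample environment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Keeper documentation). Input: KEY=VALUE lines,
# e.g. from: docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' some-guacamole
# Assumption: names ending in _PASSWORD or _SECRET_KEY, plus KSM_CONFIG and
# DUO_APPLICATION_KEY, are treated as sensitive. Values are never printed.
audit_kcm_env() {
    awk -F= '
    function sensitive(n) {
        return n ~ /_PASSWORD$/ || n ~ /_SECRET_KEY$/ ||
               n == "KSM_CONFIG" || n == "DUO_APPLICATION_KEY"
    }
    /^[A-Za-z_][A-Za-z0-9_]*=/ { env[$1] = substr($0, length($1) + 2) }
    END {
        for (name in env) {
            value = env[name]
            # Secret passed directly: visible to docker inspect and /proc.
            if (sensitive(name) && value != "")
                print "INLINE_SECRET " name
            # NAME_FILE form: flag files that are not Docker secrets.
            if (name ~ /_FILE$/) {
                base = substr(name, 1, length(name) - 5)
                if (sensitive(base) && value !~ /^\/run\/secrets\//)
                    print "FILE_NOT_DOCKER_SECRET " name
            }
        }
        # USE_SHM=N turns off the in-memory (/dev/shm) storage.
        if (env["USE_SHM"] == "N") print "SHM_DISABLED USE_SHM"
    }' | sort
}

# Constructed sample environment (not from a real deployment).
SAMPLE_ENV='ACCEPT_EULA=Y
GUACD_HOSTNAME=some-guacd
MYSQL_HOSTNAME=db
MYSQL_PASSWORD=constructed-example-value
LDAP_SEARCH_BIND_PASSWORD_FILE=/etc/guacamole/bind.txt
JSON_SECRET_KEY_FILE=/run/secrets/json-key
USE_SHM=N'

printf '%s\n' "$SAMPLE_ENV" | audit_kcm_env
```

A FILE_NOT_DOCKER_SECRET finding is a prompt to review where that file comes from (for example a volume mount), not proof of a misconfiguration.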