From 5185487fb83ecd44d1638dadc79a8573430e691d Mon Sep 17 00:00:00 2001
From: gyurix <gyurix@gmail.com>
Date: Sun, 27 Apr 2025 23:02:49 +0200
Subject: [PATCH] Add Drone CI pipeline configuration and Dockerfile for
 Guacamole client

---
 .drone.yml        |   34 ++
 Dockerfile.alpine |  122 +++++
 start.sh          | 1276 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 1432 insertions(+)
 create mode 100644 .drone.yml
 create mode 100644 Dockerfile.alpine
 create mode 100644 start.sh

diff --git a/.drone.yml b/.drone.yml
new file mode 100644
index 000000000..f40c290fd
--- /dev/null
+++ b/.drone.yml
@@ -0,0 +1,34 @@
+kind: pipeline
+type: kubernetes
+name: default
+
+node_selector:
+  physical-node: dev1
+
+trigger:
+  event:
+    - push
+
+workspace:
+  path: /drone/src
+
+steps:
+  - name: pull image to dockerhub
+    image: docker.io/owncloudci/drone-docker-buildx:4
+    privileged: true
+    settings:
+      cache-from: [ "safebox/guacamole-tomcat" ]
+      repo: safebox/guacamole-tomcat
+      dockerfile: Dockerfile.alpine
+      tags: latest
+      username:
+        from_secret: dockerhub-username
+      password: 
+        from_secret: dockerhub-password
+      platforms:
+        - linux/amd64
+        - linux/arm64
+    when:  
+      event:
+        - push
+
diff --git a/Dockerfile.alpine b/Dockerfile.alpine
new file mode 100644
index 000000000..78f352090
--- /dev/null
+++ b/Dockerfile.alpine
@@ -0,0 +1,122 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+#
+# Dockerfile for guacamole-client
+#
+
+# Use args for Tomcat image label to allow image builder to choose alternatives
+# such as `--build-arg TOMCAT_JRE=jre8-alpine`
+#
+ARG TOMCAT_VERSION=9
+ARG TOMCAT_JRE=jdk21
+
+# Use official maven image for the build
+FROM maven:3-eclipse-temurin-21 AS builder
+
+# Use Mozilla's Firefox PPA (newer Ubuntu lacks a "firefox-esr" package and
+# provides only a transitional "firefox" package that actually requires Snap
+# and thus can't be used within Docker)
+RUN    apt-get update                                \
+    && apt-get upgrade -y                            \
+    && apt-get install -y software-properties-common \
+    && add-apt-repository -y ppa:mozillateam/ppa
+
+# Explicitly prefer packages from the Firefox PPA
+COPY guacamole-docker/mozilla-firefox.pref /etc/apt/preferences.d/
+
+# Install firefox browser for sake of JavaScript unit tests
+RUN apt-get update && apt-get install -y firefox
+
+# Arbitrary arguments that can be passed to the maven build. By default, an
+# argument will be provided to explicitly unskip any skipped tests. To, for
+# example, allow the building of the RADIUS auth extension, pass a build profile
+# as well: `--build-arg MAVEN_ARGUMENTS="-P lgpl-extensions -DskipTests=false"`.
+ARG MAVEN_ARGUMENTS="-DskipTests=false"
+
+# Versions of JDBC drivers to bundle within image
+ARG MSSQL_JDBC_VERSION=9.4.1
+ARG MYSQL_JDBC_VERSION=8.3.0
+ARG PGSQL_JDBC_VERSION=42.7.2
+
+# Build environment variables
+ENV \
+    BUILD_DIR=/tmp/guacamole-docker-BUILD
+
+# Add configuration scripts
+COPY guacamole-docker/bin/ /opt/guacamole/bin/
+COPY guacamole-docker/build.d/ /opt/guacamole/build.d/
+COPY guacamole-docker/entrypoint.d/ /opt/guacamole/entrypoint.d/
+COPY guacamole-docker/environment/ /opt/guacamole/environment/
+
+# Copy source to container for sake of build
+COPY . "$BUILD_DIR"
+
+# Run the build itself
+RUN /opt/guacamole/bin/build-guacamole.sh "$BUILD_DIR" /opt/guacamole
+
+RUN rm -rf /opt/guacamole/build.d /opt/guacamole/bin/build-guacamole.sh
+
+# For the runtime image, we start with the official Tomcat distribution
+
+RUN ls -al /opt/guacamole/
+
+FROM alpine
+
+COPY --from=builder /opt/guacamole /opt/guacamole
+
+RUN ls -al /
+
+ENV TOMCAT_MAJOR=9                                                                                    \
+    TOMCAT_VERSION=9.0.78                                                                             \
+    CATALINA_HOME=/opt/guacamole
+
+RUN                                                                                                   \
+    apk add --update --no-cache                                                                      \
+    openjdk8-jre curl mariadb-client bash openssl                                         && \
+    curl -jkSL -o /tmp/apache-tomcat.tar.gz                                                          \
+    http://archive.apache.org/dist/tomcat/tomcat-${TOMCAT_MAJOR}/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz && \
+    gunzip /tmp/apache-tomcat.tar.gz                                                              && \
+    tar -C /opt -xf /tmp/apache-tomcat.tar                                                        && \
+    ln -s /opt/apache-tomcat-$TOMCAT_VERSION /usr/local/tomcat                                    && \
+    chmod -R a+rx /usr/local/tomcat/
+
+# cleanup
+RUN  apk del curl                                                                           && \
+    rm -rf /tmp/* /var/cache/apk/* /usr/local/tomcat/webapps/*
+
+
+# Create a new user guacamole
+COPY /start.sh /opt/guacamole/bin/
+RUN chmod a+x /opt/guacamole/bin/start.sh
+ARG UID=1001
+ARG GID=1001
+RUN addgroup -g $GID guacamole
+RUN adduser -S -D -s /usr/sbin/nologin -u $UID guacamole --ingroup guacamole
+
+# Run with user guacamole
+USER guacamole
+
+EXPOSE 8080
+
+WORKDIR $CATALINA_HOME
+
+# Start Guacamole under Tomcat, listening on 0.0.0.0:8080
+EXPOSE 8080
+CMD ["/opt/guacamole/bin/start.sh" ]
\ No newline at end of file
diff --git a/start.sh b/start.sh
new file mode 100644
index 000000000..c9b8f7294
--- /dev/null
+++ b/start.sh
@@ -0,0 +1,1276 @@
+#!/bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+##
+## @fn start.sh
+##
+## Automatically configures and starts Guacamole under Tomcat. Guacamole's
+## guacamole.properties file will be automatically generated based on the
+## linked database container (either MySQL, PostgreSQL or SQLServer) and the linked guacd
+## container. The Tomcat process will ultimately replace the process of this
+## script, running in the foreground until terminated.
+##
+
+GUACAMOLE_HOME_TEMPLATE="$GUACAMOLE_HOME"
+
+GUACAMOLE_HOME="$HOME/.guacamole"
+GUACAMOLE_EXT="$GUACAMOLE_HOME/extensions"
+GUACAMOLE_LIB="$GUACAMOLE_HOME/lib"
+GUACAMOLE_PROPERTIES="$GUACAMOLE_HOME/guacamole.properties"
+
+##
+## Sets the given property to the given value within guacamole.properties,
+## creating guacamole.properties first if necessary.
+##
+## @param NAME
+##     The name of the property to set.
+##
+## @param VALUE
+##     The value to set the property to.
+##
+set_property() {
+
+    NAME="$1"
+    VALUE="$2"
+
+    # Ensure guacamole.properties exists
+    if [ ! -e "$GUACAMOLE_PROPERTIES" ]; then
+        mkdir -p "$GUACAMOLE_HOME"
+        echo "# guacamole.properties - generated $(date)" >"$GUACAMOLE_PROPERTIES"
+    fi
+
+    # Set property
+    echo "$NAME: $VALUE" >>"$GUACAMOLE_PROPERTIES"
+
+}
+
+##
+## Sets the given property to the given value within guacamole.properties only
+## if a value is provided, creating guacamole.properties first if necessary.
+##
+## @param NAME
+##     The name of the property to set.
+##
+## @param VALUE
+##     The value to set the property to, if any. If omitted or empty, the
+##     property will not be set.
+##
+set_optional_property() {
+
+    NAME="$1"
+    VALUE="$2"
+
+    # Set the property only if a value is provided
+    if [ -n "$VALUE" ]; then
+        set_property "$NAME" "$VALUE"
+    fi
+
+}
+
+# Print error message regarding missing required variables for MySQL authentication
+mysql_missing_vars() {
+    cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using a MySQL database, you must provide each of the following
+environment variables or their corresponding Docker secrets by appending _FILE
+to the environment variable, and setting the value to the path of the
+corresponding secret:
+
+    MYSQL_USER         The user to authenticate as when connecting to
+                       MySQL.
+
+    MYSQL_PASSWORD     The password to use when authenticating with MySQL as
+                       MYSQL_USER.
+
+    MYSQL_DATABASE     The name of the MySQL database to use for Guacamole
+                       authentication.
+END
+    exit 1
+}
+
+##
+## Adds properties to guacamole.properties which select the MySQL
+## authentication provider, and configure it to connect to the linked MySQL
+## container. If a MySQL database is explicitly specified using the
+## MYSQL_HOSTNAME and MYSQL_PORT environment variables, that will be used
+## instead of a linked container.
+##
+associate_mysql() {
+
+    # Use linked container if specified
+    if [ -n "$MYSQL_NAME" ]; then
+        MYSQL_HOSTNAME="$MYSQL_PORT_3306_TCP_ADDR"
+        MYSQL_PORT="$MYSQL_PORT_3306_TCP_PORT"
+    fi
+
+    # Use default port if none specified
+    MYSQL_PORT="${MYSQL_PORT-3306}"
+
+    # Verify required connection information is present
+    if [ -z "$MYSQL_HOSTNAME" -o -z "$MYSQL_PORT" ]; then
+        cat <<END
+FATAL: Missing MYSQL_HOSTNAME or "mysql" link.
+-------------------------------------------------------------------------------
+If using a MySQL database, you must either:
+
+(a) Explicitly link that container with the link named "mysql".
+
+(b) If not using a Docker container for MySQL, explicitly specify the TCP
+    connection to your database using the following environment variables:
+
+    MYSQL_HOSTNAME     The hostname or IP address of the MySQL server. If not
+                       using a MySQL Docker container and corresponding link,
+                       this environment variable is *REQUIRED*.
+
+    MYSQL_PORT         The port on which the MySQL server is listening for TCP
+                       connections. This environment variable is option. If
+                       omitted, the standard MySQL port of 3306 will be used.
+END
+        exit 1
+    fi
+
+    # Verify that the required Docker secrets are present, else, default to their normal environment variables
+    if [ -n "$MYSQL_USER_FILE" ]; then
+        set_property "mysql-username" "$(cat "$MYSQL_USER_FILE")"
+    elif [ -n "$MYSQL_USER" ]; then
+        set_property "mysql-username" "$MYSQL_USER"
+    else
+        mysql_missing_vars
+        exit 1
+    fi
+
+    if [ -n "$MYSQL_PASSWORD_FILE" ]; then
+        set_property "mysql-password" "$(cat "$MYSQL_PASSWORD_FILE")"
+    elif [ -n "$MYSQL_PASSWORD" ]; then
+        set_property "mysql-password" "$MYSQL_PASSWORD"
+    else
+        mysql_missing_vars
+        exit 1
+    fi
+
+    if [ -n "$MYSQL_DATABASE_FILE" ]; then
+        set_property "mysql-database" "$(cat "$MYSQL_DATABASE_FILE")"
+    elif [ -n "$MYSQL_DATABASE" ]; then
+        set_property "mysql-database" "$MYSQL_DATABASE"
+    else
+        mysql_missing_vars
+        exit 1
+    fi
+
+    # Update config file
+    set_property "mysql-hostname" "$MYSQL_HOSTNAME"
+    set_property "mysql-port" "$MYSQL_PORT"
+
+    set_optional_property \
+        "mysql-absolute-max-connections" \
+        "$MYSQL_ABSOLUTE_MAX_CONNECTIONS"
+
+    set_optional_property \
+        "mysql-default-max-connections" \
+        "$MYSQL_DEFAULT_MAX_CONNECTIONS"
+
+    set_optional_property \
+        "mysql-default-max-group-connections" \
+        "$MYSQL_DEFAULT_MAX_GROUP_CONNECTIONS"
+
+    set_optional_property \
+        "mysql-default-max-connections-per-user" \
+        "$MYSQL_DEFAULT_MAX_CONNECTIONS_PER_USER"
+
+    set_optional_property \
+        "mysql-default-max-group-connections-per-user" \
+        "$MYSQL_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER"
+
+    set_optional_property \
+        "mysql-user-required" \
+        "$MYSQL_USER_REQUIRED"
+
+    set_optional_property \
+        "mysql-ssl-mode" \
+        "$MYSQL_SSL_MODE"
+
+    set_optional_property \
+        "mysql-ssl-trust-store" \
+        "$MYSQL_SSL_TRUST_STORE"
+
+    # For SSL trust store password, check secrets, first, then standard env variable
+    if [ -n "$MYSQL_SSL_TRUST_PASSWORD_FILE" ]; then
+        set_property "mysql-ssl-trust-password" "$(cat "$MYSQL_SSL_TRUST_PASSWORD_FILE")"
+    elif [ -n "$MYSQL_SSL_TRUST_PASSWORD" ]; then
+        set_property "mysql-ssl-trust-password" "$MYSQL_SSL_TRUST_PASSWORD"
+    fi
+
+    set_optional_property \
+        "mysql-ssl-client-store" \
+        "$MYSQL_SSL_CLIENT_STORE"
+
+    # For SSL trust store password, check secrets, first, then standard env variable
+    if [ -n "$MYSQL_SSL_CLIENT_PASSWORD_FILE" ]; then
+        set_property "mysql-ssl-client-password" "$(cat "$MYSQL_SSL_CLIENT_PASSWORD_FILE")"
+    elif [ -n "$MYSQL_SSL_CLIENT_PASSWORD" ]; then
+        set_property "mysql-ssl-client-password" "$MYSQL_SSL_CLIENT_PASSWORD"
+    fi
+
+    set_optional_property \
+        "mysql-auto-create-accounts" \
+        "$MYSQL_AUTO_CREATE_ACCOUNTS"
+
+    # Add required .jar files to GUACAMOLE_LIB and GUACAMOLE_EXT
+    ln -s /opt/guacamole/mysql/mysql-connector-*.jar "$GUACAMOLE_LIB"
+    ln -s /opt/guacamole/mysql/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+
+}
+
+# Print error message regarding missing required variables for PostgreSQL authentication
+postgresql_missing_vars() {
+    cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using a PostgreSQL database, you must provide each of the following
+environment variables or their corresponding Docker secrets by appending _FILE
+to the environment variable, and setting the value to the path of the
+corresponding secret:
+
+    POSTGRESQL_USER      The user to authenticate as when connecting to
+                         PostgreSQL.
+
+    POSTGRESQL_PASSWORD  The password to use when authenticating with PostgreSQL
+                         as POSTGRESQL_USER.
+
+    POSTGRESQL_DATABASE  The name of the PostgreSQL database to use for Guacamole
+                         authentication.
+END
+    exit 1
+}
+
+## Provide backward compatibility on POSTGRES_* environment variables
+## In case of new deployment, please use POSTGRESQL_* equivalent variables.
+for VAR_BASE in \
+    HOSTNAME PORT \
+    DATABASE USER PASSWORD \
+    DATABASE_FILE USER_FILE PASSWORD_FILE \
+    ABSOLUTE_MAX_CONNECTIONS DEFAULT_MAX_CONNECTIONS \
+    DEFAULT_MAX_GROUP_CONNECTIONS DEFAULT_MAX_CONNECTIONS_PER_USER \
+    DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER \
+    DEFAULT_STATEMENT_TIMEOUT SOCKET_TIMEOUT \
+    USER_REQUIRED \
+    SSL_KEY_PASSWORD_FILE SSL_KEY_PASSWORD; do
+
+    OLD_VAR="POSTGRES_$VAR_BASE"
+    NEW_VAR="POSTGRESQL_$VAR_BASE"
+
+    if [ -n "${!OLD_VAR}" ]; then
+        printf -v "$NEW_VAR" "%s" "${!OLD_VAR}"
+        echo "WARNING: ${OLD_VAR} detected, please use ${NEW_VAR} for further deployments."
+    fi
+
+done
+
+##
+## Adds properties to guacamole.properties which select the PostgreSQL
+## authentication provider, and configure it to connect to the linked
+## PostgreSQL container. If a PostgreSQL database is explicitly specified using
+## the POSTGRESQL_HOSTNAME and POSTGRESQL_PORT environment variables, that will be
+## used instead of a linked container.
+##
+associate_postgresql() {
+
+    # Use linked container if specified
+    if [ -n "$POSTGRES_NAME" ]; then
+        POSTGRESQL_HOSTNAME="$POSTGRES_PORT_5432_TCP_ADDR"
+        POSTGRESQL_PORT="$POSTGRES_PORT_5432_TCP_PORT"
+    fi
+
+    # Use default port if none specified
+    POSTGRESQL_PORT="${POSTGRESQL_PORT-5432}"
+
+    # Verify required connection information is present
+    if [ -z "$POSTGRESQL_HOSTNAME" -o -z "$POSTGRESQL_PORT" ]; then
+        cat <<END
+FATAL: Missing POSTGRESQL_HOSTNAME or "postgres" link.
+-------------------------------------------------------------------------------
+If using a PostgreSQL database, you must either:
+
+(a) Explicitly link that container with the link named "postgres".
+
+(b) If not using a Docker container for PostgreSQL, explicitly specify the TCP
+    connection to your database using the following environment variables:
+
+    POSTGRESQL_HOSTNAME  The hostname or IP address of the PostgreSQL server. If
+                         not using a PostgreSQL Docker container and
+                         corresponding link, this environment variable is
+                         *REQUIRED*.
+
+    POSTGRESQL_PORT      The port on which the PostgreSQL server is listening for
+                         TCP connections. This environment variable is option. If
+                         omitted, the standard PostgreSQL port of 5432 will be
+                         used.
+END
+        exit 1
+    fi
+
+    # Verify that the required Docker secrets are present, else, default to their normal environment variables
+    if [ -n "$POSTGRESQL_USER_FILE" ]; then
+        set_property "postgresql-username" "$(cat "$POSTGRESQL_USER_FILE")"
+    elif [ -n "$POSTGRESQL_USER" ]; then
+        set_property "postgresql-username" "$POSTGRESQL_USER"
+    else
+        postgresql_missing_vars
+        exit 1
+    fi
+
+    if [ -n "$POSTGRESQL_PASSWORD_FILE" ]; then
+        set_property "postgresql-password" "$(cat "$POSTGRESQL_PASSWORD_FILE")"
+    elif [ -n "$POSTGRESQL_PASSWORD" ]; then
+        set_property "postgresql-password" "$POSTGRESQL_PASSWORD"
+    else
+        postgresql_missing_vars
+        exit 1
+    fi
+
+    if [ -n "$POSTGRESQL_DATABASE_FILE" ]; then
+        set_property "postgresql-database" "$(cat "$POSTGRESQL_DATABASE_FILE")"
+    elif [ -n "$POSTGRESQL_DATABASE" ]; then
+        set_property "postgresql-database" "$POSTGRESQL_DATABASE"
+    else
+        postgresql_missing_vars
+        exit 1
+    fi
+
+    # Update config file
+    set_property "postgresql-hostname" "$POSTGRESQL_HOSTNAME"
+    set_property "postgresql-port" "$POSTGRESQL_PORT"
+
+    set_optional_property \
+        "postgresql-absolute-max-connections" \
+        "$POSTGRESQL_ABSOLUTE_MAX_CONNECTIONS"
+
+    set_optional_property \
+        "postgresql-default-max-connections" \
+        "$POSTGRESQL_DEFAULT_MAX_CONNECTIONS"
+
+    set_optional_property \
+        "postgresql-default-max-group-connections" \
+        "$POSTGRESQL_DEFAULT_MAX_GROUP_CONNECTIONS"
+
+    set_optional_property \
+        "postgresql-default-max-connections-per-user" \
+        "$POSTGRESQL_DEFAULT_MAX_CONNECTIONS_PER_USER"
+
+    set_optional_property \
+        "postgresql-default-max-group-connections-per-user" \
+        "$POSTGRESQL_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER"
+
+    set_optional_property \
+        "postgresql-default-statement-timeout" \
+        "$POSTGRESQL_DEFAULT_STATEMENT_TIMEOUT"
+
+    set_optional_property \
+        "postgresql-user-required" \
+        "$POSTGRESQL_USER_REQUIRED"
+
+    set_optional_property \
+        "postgresql-socket-timeout" \
+        "$POSTGRESQL_SOCKET_TIMEOUT"
+
+    set_optional_property \
+        "postgresql-ssl-mode" \
+        "$POSTGRESQL_SSL_MODE"
+
+    set_optional_property \
+        "postgresql-ssl-cert-file" \
+        "$POSTGRESQL_SSL_CERT_FILE"
+
+    set_optional_property \
+        "postgresql-ssl-key-file" \
+        "$POSTGRESQL_SSL_KEY_FILE"
+
+    set_optional_property \
+        "postgresql-ssl-root-cert-file" \
+        "$POSTGRESQL_SSL_ROOT_CERT_FILE"
+
+    # For SSL key password, check secrets, first, then standard env variable
+    if [ -n "$POSTGRESQL_SSL_KEY_PASSWORD_FILE" ]; then
+        set_property "postgresql-ssl-key-password" "$(cat "$POSTGRESQL_SSL_KEY_PASSWORD_FILE")"
+    elif [ -n "$POSTGRESQL_SSL_KEY_PASSWORD" ]; then
+        set_property "postgresql-ssl-key-password" "$POSTGRESQL_SSL_KEY_PASSWORD"
+    fi
+
+    set_optional_property \
+        "postgresql-auto-create-accounts" \
+        "$POSTGRESQL_AUTO_CREATE_ACCOUNTS"
+
+    # Add required .jar files to GUACAMOLE_LIB and GUACAMOLE_EXT
+    ln -s /opt/guacamole/postgresql/postgresql-*.jar "$GUACAMOLE_LIB"
+    ln -s /opt/guacamole/postgresql/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+
+}
+
+# Print error message regarding missing required variables for SQLServer authentication
+sqlserver_missing_vars() {
+    cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using a SQLServer database, you must provide each of the following
+environment variables:
+
+    SQLSERVER_USER     The user to authenticate as when connecting to
+                       SQLServer.
+
+    SQLSERVER_PASSWORD The password to use when authenticating with SQLServer
+                       as SQLSERVER_USER.
+
+    SQLSERVER_DATABASE The name of the SQLServer database to use for Guacamole
+                       authentication.
+
+Alternatively, if you want to store database credentials using Docker secrets,
+set the path of the corresponding secrets in the following three variables:
+
+    SQLSERVER_DATABASE_FILE   The path of the docker secret containing the name
+                              of database to use for Guacamole authentication.
+
+    SQLSERVER_USER_FILE       The path of the docker secret containing the name of
+                              the user that Guacamole will use to connect to SQLServer.
+
+    SQLSERVER_PASSWORD_FILE   The path of the docker secret containing the
+                              password that Guacamole will provide when connecting to
+                              SQLServer as SQLSERVER_USER.
+
+END
+    exit 1
+}
+
+##
+## Adds properties to guacamole.properties which select the SQLServer
+## authentication provider, and configure it to connect to the linked
+## SQLServer container. If a SQLServer database is explicitly specified using
+## the SQLSERVER_HOSTNAME and SQLSERVER_PORT environment variables, that will
+## be used instead of a linked container.
+##
+associate_sqlserver() {
+
+    # Use linked container if specified
+    if [ -n "$SQLSERVER_NAME" ]; then
+        SQLSERVER_HOSTNAME="$SQLSERVER_PORT_1433_TCP_ADDR"
+        SQLSERVER_PORT="$SQLSERVER_PORT_1433_TCP_PORT"
+    fi
+
+    # Use default port if none specified
+    SQLSERVER_PORT="${SQLSERVER_PORT-1433}"
+
+    # Verify required connection information is present
+    if [ -z "$SQLSERVER_HOSTNAME" -o -z "$SQLSERVER_PORT" ]; then
+        cat <<END
+FATAL: Missing SQLSERVER_HOSTNAME or "sqlserver" link.
+-------------------------------------------------------------------------------
+If using a SQLServer database, you must either:
+
+(a) Explicitly link that container with the link named "sqlserver".
+
+(b) If not using a Docker container for SQLServer, explicitly specify the TCP
+    connection to your database using the following environment variables:
+
+    SQLSERVER_HOSTNAME The hostname or IP address of the SQLServer server. If
+                       not using a SQLServer Docker container and
+                       corresponding link, this environment variable is
+                       *REQUIRED*.
+
+    SQLSERVER_PORT     The port on which the SQLServer server is listening for
+                       TCP connections. This environment variable is option. If
+                       omitted, the standard SQLServer port of 1433 will be
+                       used.
+END
+        exit 1
+    fi
+
+    # Verify that the required Docker secrets are present, else, default to their normal environment variables
+    if [ -n "$SQLSERVER_USER_FILE" ]; then
+        set_property "sqlserver-username" "$(cat "$SQLSERVER_USER_FILE")"
+    elif [ -n "$SQLSERVER_USER" ]; then
+        set_property "sqlserver-username" "$SQLSERVER_USER"
+    else
+        sqlserver_missing_vars
+        exit 1
+    fi
+
+    if [ -n "$SQLSERVER_PASSWORD_FILE" ]; then
+        set_property "sqlserver-password" "$(cat "$SQLSERVER_PASSWORD_FILE")"
+    elif [ -n "$SQLSERVER_PASSWORD" ]; then
+        set_property "sqlserver-password" "$SQLSERVER_PASSWORD"
+    else
+        sqlserver_missing_vars
+        exit 1
+    fi
+
+    if [ -n "$SQLSERVER_DATABASE_FILE" ]; then
+        set_property "sqlserver-database" "$(cat "$SQLSERVER_DATABASE_FILE")"
+    elif [ -n "$SQLSERVER_DATABASE" ]; then
+        set_property "sqlserver-database" "$SQLSERVER_DATABASE"
+    else
+        sqlserver_missing_vars
+        exit 1
+    fi
+
+    # Update config file
+    set_property "sqlserver-hostname" "$SQLSERVER_HOSTNAME"
+    set_property "sqlserver-port" "$SQLSERVER_PORT"
+    set_property "sqlserver-driver" "microsoft2005"
+
+    set_optional_property \
+        "sqlserver-absolute-max-connections" \
+        "$SQLSERVER_ABSOLUTE_MAX_CONNECTIONS"
+
+    set_optional_property \
+        "sqlserver-default-max-connections" \
+        "$SQLSERVER_DEFAULT_MAX_CONNECTIONS"
+
+    set_optional_property \
+        "sqlserver-default-max-group-connections" \
+        "$SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS"
+
+    set_optional_property \
+        "sqlserver-default-max-connections-per-user" \
+        "$SQLSERVER_DEFAULT_MAX_CONNECTIONS_PER_USER"
+
+    set_optional_property \
+        "sqlserver-default-max-group-connections-per-user" \
+        "$SQLSERVER_DEFAULT_MAX_GROUP_CONNECTIONS_PER_USER"
+
+    set_optional_property \
+        "sqlserver-user-required" \
+        "$SQLSERVER_USER_REQUIRED"
+
+    set_optional_property \
+        "sqlserver-auto-create-accounts" \
+        "$SQLSERVERQL_AUTO_CREATE_ACCOUNTS"
+
+    set_optional_property \
+        "sqlserver-instance" \
+        "$SQLSERVERQL_INSTANCE"
+
+    # Add required .jar files to GUACAMOLE_LIB and GUACAMOLE_EXT
+    ln -s /opt/guacamole/sqlserver/mssql-jdbc-*.jar "$GUACAMOLE_LIB"
+    ln -s /opt/guacamole/sqlserver/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+
+}
+
+##
+## Adds properties to guacamole.properties which select the LDAP
+## authentication provider, and configure it to connect to the specified LDAP
+## directory.
+##
+associate_ldap() {
+
+    # Verify required parameters are present
+    if [ -z "$LDAP_HOSTNAME" -o -z "$LDAP_USER_BASE_DN" ]; then
+        cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using an LDAP directory, you must provide each of the following environment
+variables:
+
+    LDAP_HOSTNAME      The hostname or IP address of your LDAP server.
+
+    LDAP_USER_BASE_DN  The base DN under which all Guacamole users will be
+                       located. Absolutely all Guacamole users that will
+                       authenticate via LDAP must exist within the subtree of
+                       this DN.
+END
+        exit 1
+    fi
+
+    # Update config file
+    set_property "ldap-hostname" "$LDAP_HOSTNAME"
+    set_property "ldap-user-base-dn" "$LDAP_USER_BASE_DN"
+
+    set_optional_property "ldap-port" "$LDAP_PORT"
+    set_optional_property "ldap-encryption-method" "$LDAP_ENCRYPTION_METHOD"
+    set_optional_property "ldap-max-search-results" "$LDAP_MAX_SEARCH_RESULTS"
+    set_optional_property "ldap-search-bind-dn" "$LDAP_SEARCH_BIND_DN"
+    set_optional_property "ldap-user-attributes" "$LDAP_USER_ATTRIBUTES"
+    set_optional_property "ldap-search-bind-password" "$LDAP_SEARCH_BIND_PASSWORD"
+    set_optional_property "ldap-username-attribute" "$LDAP_USERNAME_ATTRIBUTE"
+    set_optional_property "ldap-member-attribute" "$LDAP_MEMBER_ATTRIBUTE"
+    set_optional_property "ldap-user-search-filter" "$LDAP_USER_SEARCH_FILTER"
+    set_optional_property "ldap-config-base-dn" "$LDAP_CONFIG_BASE_DN"
+    set_optional_property "ldap-group-base-dn" "$LDAP_GROUP_BASE_DN"
+    set_optional_property "ldap-group-search-filter" "$LDAP_GROUP_SEARCH_FILTER"
+    set_optional_property "ldap-member-attribute-type" "$LDAP_MEMBER_ATTRIBUTE_TYPE"
+    set_optional_property "ldap-group-name-attribute" "$LDAP_GROUP_NAME_ATTRIBUTE"
+    set_optional_property "ldap-dereference-aliases" "$LDAP_DEREFERENCE_ALIASES"
+    set_optional_property "ldap-follow-referrals" "$LDAP_FOLLOW_REFERRALS"
+    set_optional_property "ldap-max-referral-hops" "$LDAP_MAX_REFERRAL_HOPS"
+    set_optional_property "ldap-operation-timeout" "$LDAP_OPERATION_TIMEOUT"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    ln -s /opt/guacamole/ldap/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+
+}
+
+##
+## Adds properties to guacamole.properties which select the LDAP
+## authentication provider, and configure it to connect to the specified LDAP
+## directory.
+##
+associate_radius() {
+
+    # Verify required parameters are present
+    if [ -z "$RADIUS_SHARED_SECRET" -o -z "$RADIUS_AUTH_PROTOCOL" ]; then
+        cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using RADIUS server, you must provide each of the following environment
+variables:
+
+    RADIUS_SHARED_SECRET   The shared secret to use when talking to the
+                           RADIUS server.
+
+    RADIUS_AUTH_PROTOCOL   The authentication protocol to use when talking
+                           to the RADIUS server.
+                           Supported values are:
+                             pap, chap, mschapv1, mschapv2, eap-md5,
+                             eap-tls and eap-ttls.
+END
+        exit 1
+    fi
+
+    # Verify provided files do exist and are readable
+    if [ -n "$RADIUS_KEY_FILE" -a ! -r "$RADIUS_KEY_FILE" ]; then
+        cat <<END
+FATAL: Provided file RADIUS_KEY_FILE=$RADIUS_KEY_FILE does not exist
+       or is not readable!
+-------------------------------------------------------------------------------
+If you provide key or CA files you need to mount those into the container and
+make sure they are readable for the user in the container.
+END
+        exit 1
+    fi
+    if [ -n "$RADIUS_CA_FILE" -a ! -r "$RADIUS_CA_FILE" ]; then
+        cat <<END
+FATAL: Provided file RADIUS_CA_FILE=$RADIUS_CA_FILE does not exist
+       or is not readable!
+-------------------------------------------------------------------------------
+If you provide key or CA files you need to mount those into the container and
+make sure they are readable for the user in the container.
+END
+        exit 1
+    fi
+    if [ "$RADIUS_AUTH_PROTOCOL" = "eap-ttls" -a -z "$RADIUS_EAP_TTLS_INNER_PROTOCOL" ]; then
+        cat <<END
+FATAL: Authentication protocol "eap-ttls" specified but
+       RADIUS_EAP_TTLS_INNER_PROTOCOL is not set!
+-------------------------------------------------------------------------------
+When EAP-TTLS is used, this parameter specifies the inner (tunneled)
+protocol to use talking to the RADIUS server.
+END
+        exit 1
+    fi
+
+    # Update config file
+    set_optional_property "radius-hostname" "$RADIUS_HOSTNAME"
+    set_optional_property "radius-auth-port" "$RADIUS_AUTH_PORT"
+    set_property "radius-shared-secret" "$RADIUS_SHARED_SECRET"
+    set_property "radius-auth-protocol" "$RADIUS_AUTH_PROTOCOL"
+    set_optional_property "radius-key-file" "$RADIUS_KEY_FILE"
+    set_optional_property "radius-key-type" "$RADIUS_KEY_TYPE"
+    set_optional_property "radius-key-password" "$RADIUS_KEY_PASSWORD"
+    set_optional_property "radius-ca-file" "$RADIUS_CA_FILE"
+    set_optional_property "radius-ca-type" "$RADIUS_CA_TYPE"
+    set_optional_property "radius-ca-password" "$RADIUS_CA_PASSWORD"
+    set_optional_property "radius-trust-all" "$RADIUS_TRUST_ALL"
+    set_optional_property "radius-retries" "$RADIUS_RETRIES"
+    set_optional_property "radius-timeout" "$RADIUS_TIMEOUT"
+    set_optional_property "radius-eap-ttls-inner-protocol" "$RADIUS_EAP_TTLS_INNER_PROTOCOL"
+    set_optional_property "radius-nas-ip" "$RADIUS_NAS_IP"
+
+    set_optional_property \
+        "radius-eap-ttls-inner-protocol" \
+        "$RADIUS_EAP_TTLS_INNER_PROTOCOL"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    ln -s /opt/guacamole/radius/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+}
+
+## Adds properties to guacamole.properties which select the OPENID
+## authentication provider, and configure it to connect to the specified OPENID
+## provider.
+##
+associate_openid() {
+
+    # Verify required parameters are present
+    if [ -z "$OPENID_AUTHORIZATION_ENDPOINT" ] ||
+        [ -z "$OPENID_JWKS_ENDPOINT" ] ||
+        [ -z "$OPENID_ISSUER" ] ||
+        [ -z "$OPENID_CLIENT_ID" ] ||
+        [ -z "$OPENID_REDIRECT_URI" ]; then
+        cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using an openid authentication, you must provide each of the following
+environment variables:
+
+    OPENID_AUTHORIZATION_ENDPOINT   The authorization endpoint (URI) of the OpenID service.
+
+    OPENID_JWKS_ENDPOINT            The endpoint (URI) of the JWKS service which defines
+                                    how received ID tokens (JSON Web Tokens or JWTs)
+                                    shall be validated.
+
+    OPENID_ISSUER                   The issuer to expect for all received ID tokens.
+
+    OPENID_CLIENT_ID                The OpenID client ID which should be submitted
+                                    to the OpenID service when necessary.
+                                    This value is typically provided to you by the OpenID
+                                    service when OpenID credentials are generated for your application.
+
+    OPENID_REDIRECT_URI             The URI that should be submitted to the OpenID service such that
+                                    they can redirect the authenticated user back to Guacamole after
+                                    the authentication process is complete. This must be the full URL
+                                    that a user would enter into their browser to access Guacamole.
+END
+        exit 1
+    fi
+
+    # Update config file
+    set_property "openid-authorization-endpoint" "$OPENID_AUTHORIZATION_ENDPOINT"
+    set_property "openid-jwks-endpoint" "$OPENID_JWKS_ENDPOINT"
+    set_property "openid-issuer" "$OPENID_ISSUER"
+    set_property "openid-client-id" "$OPENID_CLIENT_ID"
+    set_property "openid-redirect-uri" "$OPENID_REDIRECT_URI"
+    set_optional_property "openid-username-claim-type" "$OPENID_USERNAME_CLAIM_TYPE"
+    set_optional_property "openid-groups-claim-type" "$OPENID_GROUPS_CLAIM_TYPE"
+    set_optional_property "openid-scope" "$OPENID_SCOPE"
+    set_optional_property "openid-allowed-clock-skew" "$OPENID_ALLOWED_CLOCK_SKEW"
+    set_optional_property "openid-max-token-validity" "$OPENID_MAX_TOKEN_VALIDITY"
+    set_optional_property "openid-max-nonce-validity" "$OPENID_MAX_NONCE_VALIDITY"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    # "1-{}" make it sorted as a first provider (only authentication)
+    # so it can work together with the database providers (authorization)
+    find /opt/guacamole/openid/ -name "*.jar" | awk -F/ '{print $NF}' |
+        xargs -I '{}' ln -s "/opt/guacamole/openid/{}" "${GUACAMOLE_EXT}/1-{}"
+
+}
+
+##
+## Adds properties to guacamole.properties which select the SAML
+## authentication provider, and configure it to connect to the specified SAML
+## provider.
+##
+
+associate_saml() {
+
+    # Verify required parameters are present
+    if [ -z "$SAML_IDP_METADATA_URL" ] &&
+        [ -z "$SAML_ENTITY_ID" -o -z "$SAML_CALLBACK_URL" -o -z "$SAML_IDP_URL" ]; then
+        cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using a SAML authentication, you must provide either SAML_IDP_METADATA_URL
+or SAML_IDP_URL,  SAML_ENTITY_ID and SAML_CALLBACK_URL environment variables:
+
+    SAML_IDP_METADATA_URL   The URI of the XML metadata file that from the SAML Identity
+                            Provider that contains all of the information the SAML
+                            extension needs in order to know how to authenticate with
+                            the IdP. This URI can either be a remote server (e.g. https://)
+                            or a local file on the filesystem (e.g. file://).
+
+    SAML_IDP_URL            The URL of the Identity Provider (IdP), which the user
+                            will be redirected to in order to authenticate.
+
+    SAML_ENTITY_ID          The entity ID of the Guacamole SAML client, which is
+                            generally the URL of the Guacamole server.
+
+    SAML_CALLBACK_URL       The URL that the IdP will use once authentication has
+                            succeeded to return to the Guacamole web application and
+                            provide the authentication details to the SAML extension.
+END
+        exit 1
+    fi
+
+    # Update config file
+    set_optional_property "saml-idp-metadata-url" "$SAML_IDP_METADATA_URL"
+    set_optional_property "saml-idp-url" "$SAML_IDP_URL"
+    set_optional_property "saml-entity-id" "$SAML_ENTITY_ID"
+    set_optional_property "saml-callback-url" "$SAML_CALLBACK_URL"
+    set_optional_property "saml-strict" "$SAML_STRICT"
+    set_optional_property "saml-debug" "$SAML_DEBUG"
+    set_optional_property "saml-compress-request" "$SAML_COMPRESS_REQUEST"
+    set_optional_property "saml-compress-response" "$SAML_COMPRESS_RESPONSE"
+    set_optional_property "saml-group-attribute" "$SAML_GROUP_ATTRIBUTE"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    # "1-{}" make it sorted as a first provider (only authentication)
+    # so it can work together with the database providers (authorization)
+    find /opt/guacamole/saml/ -name "*.jar" | awk -F/ '{print $NF}' |
+        xargs -I '{}' ln -s "/opt/guacamole/saml/{}" "${GUACAMOLE_EXT}/1-{}"
+
+}
+
+##
+## Adds properties to guacamole.properties which configure the TOTP two-factor
+## authentication mechanism.
+##
+associate_totp() {
+    # Update config file
+    set_optional_property "totp-issuer" "$TOTP_ISSUER"
+    set_optional_property "totp-digits" "$TOTP_DIGITS"
+    set_optional_property "totp-period" "$TOTP_PERIOD"
+    set_optional_property "totp-mode" "$TOTP_MODE"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    ln -s /opt/guacamole/totp/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+}
+
+##
+## Adds properties to guacamole.properties which configure the Duo two-factor
+## authentication service. Checks to see if all variables are defined and makes sure
+## DUO_APPLICATION_KEY is >= 40 characters.
+##
+associate_duo() {
+    # Verify required parameters are present
+    if [ -z "$DUO_INTEGRATION_KEY" ] ||
+        [ -z "$DUO_SECRET_KEY" ] ||
+        [ ${#DUO_APPLICATION_KEY} -lt 40 ]; then
+        cat <<END
+FATAL: Missing required environment variables
+-------------------------------------------------------------------------------
+If using the Duo authentication extension, you must provide each of the
+following environment variables:
+
+    DUO_API_HOSTNAME        The hostname of the Duo API endpoint.
+
+    DUO_INTEGRATION_KEY     The integration key provided for Guacamole by Duo.
+
+    DUO_SECRET_KEY          The secret key provided for Guacamole by Duo.
+
+    DUO_APPLICATION_KEY     An arbitrary, random key.
+                            This value must be at least 40 characters.
+END
+        exit 1
+    fi
+
+    # Update config file
+    set_property "duo-api-hostname" "$DUO_API_HOSTNAME"
+    set_property "duo-integration-key" "$DUO_INTEGRATION_KEY"
+    set_property "duo-secret-key" "$DUO_SECRET_KEY"
+    set_property "duo-application-key" "$DUO_APPLICATION_KEY"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    ln -s /opt/guacamole/duo/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+}
+
+##
+## Adds properties to guacamole.properties which configure the header
+## authentication provider.
+##
+associate_header() {
+    # Update config file
+    set_optional_property "http-auth-header" "$HTTP_AUTH_HEADER"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    ln -s /opt/guacamole/header/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+}
+
+##
+## Adds properties to guacamole.properties witch configure the CAS
+## authentication service.
+##
+associate_cas() {
+    # Verify required parameters are present
+    if [ -z "$CAS_AUTHORIZATION_ENDPOINT" ] ||
+        [ -z "$CAS_REDIRECT_URI" ]; then
+        cat <<END
+FATAL: Missing required environment variables
+-----------------------------------------------------------------------------------
+If using the CAS authentication extension, you must provide each of the
+following environment variables:
+
+    CAS_AUTHORIZATION_ENDPOINT      The URL of the CAS authentication server.
+
+    CAS_REDIRECT_URI                The URI to redirect back to upon successful authentication.
+
+END
+        exit 1
+    fi
+
+    # Update config file
+    set_property "cas-authorization-endpoint" "$CAS_AUTHORIZATION_ENDPOINT"
+    set_property "cas-redirect-uri" "$CAS_REDIRECT_URI"
+    set_optional_property "cas-clearpass-key" "$CAS_CLEARPASS_KEY"
+    set_optional_property "cas-group-attribute" "$CAS_GROUP_ATTRIBUTE"
+    set_optional_property "cas-group-format" "$CAS_GROUP_FORMAT"
+    set_optional_property "cas-group-ldap-base-dn" "$CAS_GROUP_LDAP_BASE_DN"
+    set_optional_property "cas-group-ldap-attribute" "$CAS_GROUP_LDAP_ATTRIBUTE"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    ln -s /opt/guacamole/cas/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+}
+
+##
+## Adds properties to guacamole.properties which configure the json
+## authentication provider.
+##
+associate_json() {
+    # Update config file
+    set_property "json-secret-key" "$JSON_SECRET_KEY"
+    set_optional_property "json-trusted-networks" "$JSON_TRUSTED_NETWORKS"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    ln -s /opt/guacamole/json/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+}
+
+##
+## Adds properties to guacamole.properties which configure the recording
+## storage extension.
+##
+associate_recordings() {
+    # Update config file
+    set_property "recording-search-path" "$RECORDING_SEARCH_PATH"
+
+    # Add required .jar files to GUACAMOLE_EXT
+    ln -s /opt/guacamole/recordings/guacamole-history-recording-storage-*.jar "$GUACAMOLE_EXT"
+}
+
+##
+## Sets up Tomcat's remote IP valve that allows gathering the remote IP
+## from headers set by a remote proxy
+## Upstream documentation: https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/RemoteIpValve.html
+##
+enable_remote_ip_valve() {
+    # Add <Valve> element
+    xmlstarlet edit --inplace \
+        --insert '/Server/Service/Engine/Host/*' --type elem -n Valve \
+        --insert '/Server/Service/Engine/Host/Valve[not(@className)]' --type attr -n className -v org.apache.catalina.valves.RemoteIpValve \
+        $CATALINA_BASE/conf/server.xml
+
+    # Allowed IPs
+    if [ -z "$PROXY_ALLOWED_IPS_REGEX" ]; then
+        echo "Using default Tomcat allowed IPs regex"
+    else
+        xmlstarlet edit --inplace \
+            --insert '/Server/Service/Engine/Host/Valve[@className="org.apache.catalina.valves.RemoteIpValve"]' \
+            --type attr -n internalProxies -v "$PROXY_ALLOWED_IPS_REGEX" \
+            $CATALINA_BASE/conf/server.xml
+    fi
+
+    # X-Forwarded-For
+    if [ -z "$PROXY_IP_HEADER" ]; then
+        echo "Using default Tomcat proxy IP header"
+    else
+        xmlstarlet edit --inplace \
+            --insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
+            --type attr -n remoteIpHeader -v "$PROXY_IP_HEADER" \
+            $CATALINA_BASE/conf/server.xml
+    fi
+
+    # X-Forwarded-Proto
+    if [ -z "$PROXY_PROTOCOL_HEADER" ]; then
+        echo "Using default Tomcat proxy protocol header"
+    else
+        xmlstarlet edit --inplace \
+            --insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
+            --type attr -n protocolHeader -v "$PROXY_PROTOCOL_HEADER" \
+            $CATALINA_BASE/conf/server.xml
+    fi
+
+    # X-Forwarded-By
+    if [ -z "$PROXY_BY_HEADER" ]; then
+        echo "Using default Tomcat proxy forwarded by header"
+    else
+        xmlstarlet edit --inplace \
+            --insert "/Server/Service/Engine/Host/Valve[@className='org.apache.catalina.valves.RemoteIpValve']" \
+            --type attr -n remoteIpProxiesHeader -v "$PROXY_BY_HEADER" \
+            $CATALINA_BASE/conf/server.xml
+    fi
+}
+
+##
+## Adds api-session-timeout to guacamole.properties
+##
+associate_apisessiontimeout() {
+    set_optional_property "api-session-timeout" "$API_SESSION_TIMEOUT"
+}
+
+##
+## Starts Guacamole under Tomcat, replacing the current process with the
+## Tomcat process. As the current process will be replaced, this MUST be the
+## last function run within the script.
+##
+start_guacamole() {
+
+    # User-only writable CATALINA_BASE
+    CATALINA_BASE=$HOME/tomcat
+    CATALINA_HOME=/usr/local/tomcat
+    export CATALINA_BASE=$HOME/tomcat
+    export CATALINA_HOME=/usr/local/tomcat
+    for dir in logs temp webapps work; do
+        mkdir -p $CATALINA_BASE/$dir
+    done
+    cp -R /usr/local/tomcat/conf $CATALINA_BASE
+
+    # Set up Tomcat RemoteIPValve
+    if [ "$REMOTE_IP_VALVE_ENABLED" = "true" ]; then
+        enable_remote_ip_valve
+    fi
+
+    # Install webapp
+    ln -sf /opt/guacamole/guacamole.war $CATALINA_BASE/webapps/${WEBAPP_CONTEXT:-guacamole}.war
+
+    # Start tomcat
+    cd /usr/local/tomcat
+    exec bin/catalina.sh run
+
+}
+
+#
+# Start with a fresh GUACAMOLE_HOME
+#
+
+rm -Rf "$GUACAMOLE_HOME"
+
+#
+# Copy contents of provided GUACAMOLE_HOME template, if any
+#
+
+if [ -n "$GUACAMOLE_HOME_TEMPLATE" ]; then
+    cp -a "$GUACAMOLE_HOME_TEMPLATE/." "$GUACAMOLE_HOME/"
+fi
+
+#
+# Create and define Guacamole lib and extensions directories
+#
+
+mkdir -p "$GUACAMOLE_EXT"
+mkdir -p "$GUACAMOLE_LIB"
+
+#
+# Point to associated guacd
+#
+
+# Use linked container for guacd if specified
+if [ -n "$GUACD_NAME" ]; then
+    GUACD_HOSTNAME="$GUACD_PORT_4822_TCP_ADDR"
+    GUACD_PORT="$GUACD_PORT_4822_TCP_PORT"
+fi
+
+# Use default guacd port if none specified
+GUACD_PORT="${GUACD_PORT-4822}"
+
+# Verify required guacd connection information is present
+if [ -z "$GUACD_HOSTNAME" -o -z "$GUACD_PORT" ]; then
+    cat <<END
+FATAL: Missing GUACD_HOSTNAME or "guacd" link.
+-------------------------------------------------------------------------------
+Every Guacamole instance needs a corresponding copy of guacd running. To
+provide this, you must either:
+
+(a) Explicitly link that container with the link named "guacd".
+
+(b) If not using a Docker container for guacd, explicitly specify the TCP
+    connection information using the following environment variables:
+
+GUACD_HOSTNAME     The hostname or IP address of guacd. If not using a guacd
+                   Docker container and corresponding link, this environment
+                   variable is *REQUIRED*.
+
+GUACD_PORT         The port on which guacd is listening for TCP connections.
+                   This environment variable is optional. If omitted, the
+                   standard guacd port of 4822 will be used.
+END
+    exit 1
+fi
+
+# Update config file
+set_property "guacd-hostname" "$GUACD_HOSTNAME"
+set_property "guacd-port" "$GUACD_PORT"
+
+# A comma-separated list of the identifiers of authentication providers that
+# should be allowed to fail internally without aborting the authentication process
+set_optional_property "skip-if-unavailable" "$SKIP_IF_UNAVAILABLE"
+
+#
+# Track which authentication backends are installed
+#
+
+INSTALLED_AUTH=""
+
+# Use MySQL if database specified
+if [ -n "$MYSQL_DATABASE" -o -n "$MYSQL_DATABASE_FILE" ]; then
+    associate_mysql
+    INSTALLED_AUTH="$INSTALLED_AUTH mysql"
+fi
+
+# Use PostgreSQL if database specified
+if [ -n "$POSTGRESQL_DATABASE" -o -n "$POSTGRESQL_DATABASE_FILE" ]; then
+    associate_postgresql
+    INSTALLED_AUTH="$INSTALLED_AUTH postgresql"
+fi
+
+# Use SQLServer if database specified
+if [ -n "$SQLSERVER_DATABASE" -o -n "$SQLSERVER_DATABASE_FILE" ]; then
+    associate_sqlserver
+    INSTALLED_AUTH="$INSTALLED_AUTH sqlserver"
+fi
+
+# Use LDAP directory if specified
+if [ -n "$LDAP_HOSTNAME" ]; then
+    associate_ldap
+    INSTALLED_AUTH="$INSTALLED_AUTH ldap"
+fi
+
+# Use RADIUS server if specified
+if [ -n "$RADIUS_SHARED_SECRET" ]; then
+    associate_radius
+    INSTALLED_AUTH="$INSTALLED_AUTH radius"
+fi
+
+# Use OPENID if specified
+if [ -n "$OPENID_AUTHORIZATION_ENDPOINT" ]; then
+    associate_openid
+    INSTALLED_AUTH="$INSTALLED_AUTH openid"
+fi
+
+# Use SAML if specified
+if [ -n "$SAML_IDP_METADATA_URL" ] || [ -n "$SAML_ENTITY_ID" -a -n "$SAML_CALLBACK_URL" ]; then
+    associate_saml
+    INSTALLED_AUTH="$INSTALLED_AUTH saml"
+fi
+
+# Use TOTP if specified.
+if [ "$TOTP_ENABLED" = "true" ]; then
+    associate_totp
+fi
+
+# Use Duo if specified.
+if [ -n "$DUO_API_HOSTNAME" ]; then
+    associate_duo
+fi
+
+# Use header if specified.
+if [ "$HEADER_ENABLED" = "true" ]; then
+    associate_header
+fi
+
+# Use CAS if specified.
+if [ -n "$CAS_AUTHORIZATION_ENDPOINT" ]; then
+    associate_cas
+fi
+
+# Use json-auth if specified.
+if [ -n "$JSON_SECRET_KEY" ]; then
+    associate_json
+    INSTALLED_AUTH="$INSTALLED_AUTH json"
+fi
+
+# Add in the history recording storage extension if configured
+if [ -n "$RECORDING_SEARCH_PATH" ]; then
+    associate_recordings
+fi
+
+#
+# Validate that at least one authentication backend is installed
+#
+
+if [ -z "$INSTALLED_AUTH" -a -z "$GUACAMOLE_HOME_TEMPLATE" ]; then
+    cat <<END
+FATAL: No authentication configured
+-------------------------------------------------------------------------------
+The Guacamole Docker container needs at least one authentication mechanism in
+order to function, such as a MySQL database, PostgreSQL database, SQLServer
+database, LDAP directory or RADIUS server. Please specify at least the
+MYSQL_DATABASE or POSTGRESQL_DATABASE or SQLSERVER_DATABASE environment variables,
+or check Guacamole's Docker documentation regarding configuring LDAP and/or
+custom extensions.
+END
+    exit 1
+fi
+
+# Set extension priority if specified
+set_optional_property "extension-priority" "$EXTENSION_PRIORITY"
+
+# Use api-session-timeout if specified.
+if [ -n "$API_SESSION_TIMEOUT" ]; then
+    associate_apisessiontimeout
+fi
+
+# Maximum number of bytes to accept within the entity body of any particular HTTP request
+set_optional_property "api-max-request-size" "$API_MAX_REQUEST_SIZE"
+
+# A comma-separated list of language keys to allow as display language
+# choices within the Guacamole interface
+set_optional_property "allowed-languages" "$ALLOWED_LANGUAGES"
+
+# If set to “true”, Guacamole will first evaluate its environment to obtain the value
+# for any given configuration property, before using a value specified in
+# guacamole.properties or falling back to a default value
+set_optional_property "enable-environment-properties" "$ENABLE_ENVIRONMENT_PROPERTIES"
+
+# Apply any overrides for default address ban behavior
+set_optional_property "ban-address-duration" "$BAN_ADDRESS_DURATION"
+set_optional_property "ban-max-addresses" "$BAN_MAX_ADDRESSES"
+set_optional_property "ban-max-invalid-attempts" "$BAN_MAX_INVALID_ATTEMPTS"
+
+# Always load guacamole-auth-ban extension (automatic banning can be disabled
+# through seting BAN_ADDRESS_DURATION to 0). As guacamole-auth-ban performs
+# its banning by handling a pre-authentication event, it is guaranteed to
+# perform its checks before all other auth processing and load order does not
+# matter.
+ln -s /opt/guacamole/ban/guacamole-auth-*.jar "$GUACAMOLE_EXT"
+
+# Set logback level if specified
+if [ -n "$LOGBACK_LEVEL" ]; then
+    unzip -o -j /opt/guacamole/guacamole.war WEB-INF/classes/logback.xml -d $GUACAMOLE_HOME
+    sed -i "s/level=\"info\"/level=\"$LOGBACK_LEVEL\"/" $GUACAMOLE_HOME/logback.xml
+fi
+
+# Automaticaly setup mysql if not exists
+
+if [[ "$MYSQL_USER" != "" && "$MYSQL_PASSWORD" != "" && "$MYSQL_DATABASE" != "" && "$MYSQL_HOSTNAME" != "" ]]; then
+    if [ "$MYSQL_PORT" == "" ]; then
+        MYSQL_PORT=3306
+    fi
+
+    UUID=$(openssl rand -hex 16)
+    SALT=$(echo ${UUID:0:8}-${UUID:8:4}-${UUID:12:4}-${UUID:16:4}-${UUID:20:12} | openssl sha256 -hex | awk '{print toupper($2)}')
+    #HASH=$(echo -n "$ADMIN_PASSWORD$SALT" | sha256sum | awk '{print toupper($1)}');
+    HASH=$(echo -n "$ADMIN_PASSWORD$SALT" | openssl sha256 -hex | awk '{print toupper($2)}')
+    cp /opt/guacamole/mysql/schema/*.sql /tmp/
+    sed -i "s/guacadmin/$ADMIN_NAME/g" /tmp/002-create-admin-user.sql
+    sed -i "s/FE24ADC5E11E2B25288D1704ABE67A79E342ECC26064CE69C5B3177795A82264/$SALT/" /tmp/002-create-admin-user.sql
+    sed -i "s/CA458A7D494E3BE824F5E1E175A1556C0F8EEF2C2D7DF3633BEC4A29C4411960/$HASH/" /tmp/002-create-admin-user.sql
+
+    for i in $(ls /tmp/*.sql); do
+        CREATE_MYSQL_DATABASE=$(/usr/bin/mariadb -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE -h $MYSQL_HOSTNAME --port $MYSQL_PORT <$i 2>/dev/null)
+        if [[ "$(echo $?)" == "1" ]]; then
+            echo "Database already exists"
+            /usr/bin/mariadb -u $MYSQL_USER -p$MYSQL_PASSWORD $MYSQL_DATABASE -h $MYSQL_HOSTNAME --port $MYSQL_PORT <$i
+            break
+        else
+            echo "MYSQL database automaticaly initialized."
+        fi
+    done
+fi
+
+#
+# Finally start Guacamole (under Tomcat)
+#
+
+start_guacamole