someorg/Easy-Guacamole-Installer
1
0
Fork 0
mirror of https://github.com/itiligent/Easy-Guacamole-Installer.git synced 2025-12-14 02:12:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
Easy-Guacamole-Installer/guac-optional-features/add-tls-guac-daemon.sh

105 lines
3 KiB
Bash
Raw Normal View History

rebase 1.5.3
2023-08-14 14:12:08 +10:00
#!/bin/bash
#######################################################################################################################
ssl labels now tls and other tidy ups
2023-08-21 01:27:46 +10:00
# Harden Guacd <-> Guac client traffic in TLS wrapper
rebase 1.5.3
2023-08-14 14:12:08 +10:00
# For Ubuntu / Debian / Raspbian
# David Harrop
# April 2023
#######################################################################################################################
Improve tls hardening flow & options
2023-09-06 19:59:44 +10:00
# To delete and reissue a new cert
# sudo keytool -delete -alias guacd -noprompt -cacerts -storepass changeit -file guacd.crt
rebase 1.5.3
2023-08-14 14:12:08 +10:00
# Prepare text output colours
GREY='\033[0;37m'
DGREY='\033[0;90m'
GREYB='\033[1;37m'
LRED='\033[0;91m'
LGREEN='\033[0;92m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour
Improve tls hardening flow & options
2023-09-06 19:59:44 +10:00
# Check if user is root or sudo
Fixed for Debian 12 and Ubuntu 23.04 Debian 12 ready, Ubuntu 23.04 ready code final review normalized to uniform [[ ]] use, and shfmt to 4 space indents Changes redirect variable name fixed db installing server and client for client installs small tidy ups
2023-09-10 22:39:54 +10:00
if ! [[ $(id -u) = 0 ]]; then
echo
Ubuntu 23 and Debian 12 ok
2023-09-11 14:01:56 +10:00
echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
Fixed for Debian 12 and Ubuntu 23.04 Debian 12 ready, Ubuntu 23.04 ready code final review normalized to uniform [[ ]] use, and shfmt to 4 space indents Changes redirect variable name fixed db installing server and client for client installs small tidy ups
2023-09-10 22:39:54 +10:00
exit 1
Improve tls hardening flow & options
2023-09-06 19:59:44 +10:00
fi
TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
RSA_KEY_LENGTH=2048
Ubuntu 23 and Debian 12 ok
2023-09-11 14:01:56 +10:00
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
rebase 1.5.3
2023-08-14 14:12:08 +10:00
CERT_COUNTRY=
CERT_STATE=
CERT_LOCATION=
CERT_ORG=
CERT_OU=
Improve tls hardening flow & options
2023-09-06 19:59:44 +10:00
CERT_DAYS=
rebase 1.5.3
2023-08-14 14:12:08 +10:00
clear
ssl labels now tls and other tidy ups
2023-08-21 01:27:46 +10:00
# Create the special directory for guacd tls certificate and key.
Improve tls hardening flow & options
2023-09-06 19:59:44 +10:00
mkdir -p /etc/guacamole/ssl
rebase 1.5.3
2023-08-14 14:12:08 +10:00
echo
Improve tls hardening flow & options
2023-09-06 19:59:44 +10:00
cat <<EOF | tee cert_attributes.txt
rebase 1.5.3
2023-08-14 14:12:08 +10:00
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
string_mask = utf8only
[req_distinguished_name]
C = $CERT_COUNTRY
ST = $CERT_STATE
L = $CERT_LOCATION
O = $CERT_ORG
OU = $CERT_OU
CN = localhost
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF
ssl labels now tls and other tidy ups
2023-08-21 01:27:46 +10:00
# Create the self signing request, certificate & key
Improve tls hardening flow & options
2023-09-06 19:59:44 +10:00
openssl req -x509 -nodes -days $CERT_DAYS -newkey rsa:$RSA_KEY_LENGTH -keyout /etc/guacamole/ssl/guacd.key -out /etc/guacamole/ssl/guacd.crt -config cert_attributes.txt
rebase 1.5.3
2023-08-14 14:12:08 +10:00
rm -f cert_attributes.txt
ssl labels now tls and other tidy ups
2023-08-21 01:27:46 +10:00
# Point Guacamole config file to certificate and key
Improve tls hardening flow & options
2023-09-06 19:59:44 +10:00
cp /etc/guacamole/guacd.conf /etc/guacamole/guacd.conf.bak
cat <<EOF | sudo tee /etc/guacamole/guacd.conf
rebase 1.5.3
2023-08-14 14:12:08 +10:00
[server]
bind_host = 127.0.0.1
bind_port = 4822
[ssl]
server_certificate = /etc/guacamole/ssl/guacd.crt
server_key = /etc/guacamole/ssl/guacd.key
EOF
ssl labels now tls and other tidy ups
2023-08-21 01:27:46 +10:00
# Enable TLS backend
Improve tls hardening flow & options
2023-09-06 19:59:44 +10:00
cat <<EOF | sudo tee -a /etc/guacamole/guacamole.properties
rebase 1.5.3
2023-08-14 14:12:08 +10:00
guacd-ssl: true
EOF
# Fix required permissions as guacd only runs as daemon
Improve tls hardening flow & options
2023-09-06 19:59:44 +10:00
chown daemon:daemon /etc/guacamole/ssl
chown daemon:daemon /etc/guacamole/ssl/guacd.key
chown daemon:daemon /etc/guacamole/ssl/guacd.crt
chmod 644 /etc/guacamole/ssl/guacd.crt
chmod 644 /etc/guacamole/ssl/guacd.key
rebase 1.5.3
2023-08-14 14:12:08 +10:00
# Add the new certificate into the Java Runtime certificate store and set JRE to trust it.
cd /etc/guacamole/ssl
Improve tls hardening flow & options
2023-09-06 19:59:44 +10:00
keytool -importcert -alias guacd -noprompt -cacerts -storepass changeit -file guacd.crt
systemctl restart guacd
systemctl restart ${TOMCAT_VERSION}
rebase 1.5.3
2023-08-14 14:12:08 +10:00
echo
echo "Done!"
echo -e ${NC}
Reference in a new issue Copy permalink