change installer defaults

1-setup.sh

@@ -76,12 +76,12 @@ GITHUB="https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/"
 # Version of Guacamole to install
 GUAC_VERSION="1.5.3"
 
+# MySQL Connector/J version to install
+MYSQLJCON="8.1.0"
+
 # Set preferred Apache CDN download link)
 GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/${GUAC_VERSION}"
 
-# MySQL Connector/J version
-MYSQLJCON="8.1.0"
-
 # Force a specific MySQL version e.g. 11.1.2 See https://mariadb.org/mariadb/all-releases/
 # If MYSQL_VERSION is left blank, script will default to the Linux distro default MYSQL packages.
 MYSQL_VERSION=""
@@ -491,23 +491,23 @@ echo
 # Prompt the user to install the Quick Connect feature (some higher security use cases may not want this)
 echo -e "${LGREEN}Guacamole console optional extras:${GREY}"
 if [[ -z "${INSTALL_QCONNECT}" ]]; then
-    echo -e -n "${GREY}EXTRAS: Install Quick Connect feature? [Y/n] [default y]: "
+    echo -e -n "${GREY}EXTRAS: Install Quick Connect feature? [y/N] [default n]: "
     read PROMPT
-    if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
-        INSTALL_QCONNECT=false
-    else
+    if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
         INSTALL_QCONNECT=true
+    else
+        INSTALL_QCONNECT=false
     fi
 fi
 
 # Prompt the user to install the History Recorded Storage feature
 if [[ -z "${INSTALL_HISTREC}" ]]; then
-    echo -e -n "${GREY}EXTRAS: Install History Recorded Storage (session replay console integration) [Y/n] [default y]: "
+    echo -e -n "${GREY}EXTRAS: Install History Recorded Storage (session replay console integration) [y/N] [default n]: "
     read PROMPT
-    if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
-        INSTALL_HISTREC=false
-    else
+    if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
         INSTALL_HISTREC=true
+    else
+        INSTALL_HISTREC=false
     fi
     fi
     HISTREC_PATH_DEFAULT=/var/lib/guacamole/recordings # Apache default
@@ -527,13 +527,13 @@ echo
 # Prompt for Guacamole front end reverse proxy option
 echo -e "${LGREEN}Reverse Proxy & front end options:${GREY}"
 if [[ -z ${INSTALL_NGINX} ]]; then
-    echo -e -n "FRONT END: Protect Guacamole behind Nginx reverse proxy [Y/n]? [default y]: "
+    echo -e -n "FRONT END: Protect Guacamole behind Nginx reverse proxy [y/N]? [default n]: "
     read PROMPT
-    if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
-        INSTALL_NGINX=false
-    else
+    if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
         INSTALL_NGINX=true
         CHANGE_ROOT=false
+    else
+        INSTALL_NGINX=false
     fi
 fi
 
@@ -776,6 +776,13 @@ fi
 mv $USER_HOME_DIR/1-setup.sh $DOWNLOAD_DIR
 sudo rm -R $TMP_DIR
 
+# Installer and Nginx scripts can't be run standalone without modification, so removing to keep things tidy.
+rm -f 1-setup.sh
+rm -f 2-install-guacamole.sh
+rm -f 3-install-nginx.sh 
+rm -f 4a-install-tls-self-signed-nginx.sh 
+rm -f 4b-install-tls-letsencrypt-nginx.sh
+
 # Done
 echo
 printf "${LGREEN}Guacamole ${GUAC_VERSION} install complete! \n${NC}"

2-install-guacamole.sh

@@ -95,7 +95,7 @@ if [ $? -ne 0 ]; then
     echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-${GUAC_VERSION}.war${GREY}"
     exit 1
 fi
-echo -e "${LGREEN}Downloaded guacamole-${GUAC_VERSION}.war (Guacamole client web application)${GREY}"
+echo -e "${LGREEN}Downloaded guacamole-${GUAC_VERSION}.war (Guacamole client)${GREY}"
 
 # Download MySQL connector/j
 wget -q --show-progress -O mysql-connector-j-${MYSQLJCON}.tar.gz https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQLJCON}.tar.gz
@@ -122,6 +122,7 @@ echo -e "${LGREEN}Downloaded guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz${GREY}"
 # Download TOTP extension
 if [ "${INSTALL_TOTP}" = true ]; then
     wget -q --show-progress -O guacamole-auth-totp-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${GUAC_VERSION}.tar.gz
+    rm -f add-auth-totp.sh 
     if [ $? -ne 0 ]; then
         echo -e "${LRED}Failed to download guacamole-auth-totp-${GUAC_VERSION}.tar.gz" 1>&2
         echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${GUAC_VERSION}.tar.gz"
@@ -135,6 +136,7 @@ fi
 # Download DUO extension
 if [ "${INSTALL_DUO}" = true ]; then
     wget -q --show-progress -O guacamole-auth-duo-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${GUAC_VERSION}.tar.gz
+    rm -f add-auth-duo.sh
     if [ $? -ne 0 ]; then
         echo -e "${LRED}Failed to download guacamole-auth-duo-${GUAC_VERSION}.tar.gz" 1>&2
         echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${GUAC_VERSION}.tar.gz"
@@ -148,6 +150,7 @@ fi
 # Download LDAP extension
 if [ "${INSTALL_LDAP}" = true ]; then
     wget -q --show-progress -O guacamole-auth-ldap-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz
+    rm -f add-auth-ldap.sh  
     if [ $? -ne 0 ]; then
         echo -e "${LRED}Failed to download guacamole-auth-ldap-${GUAC_VERSION}.tar.gz" 1>&2
         echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz"
@@ -161,6 +164,7 @@ fi
 # Download Guacamole quick-connect extension
 if [ "${INSTALL_QCONNECT}" = true ]; then
     wget -q --show-progress -O guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz
+    rm -f add-xtra-quickconnect.sh 
     if [ $? -ne 0 ]; then
         echo -e "${LRED}Failed to download guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz" 1>&2
         echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz"
@@ -174,6 +178,7 @@ fi
 # Download Guacamole history recording storage extension
 if [ "${INSTALL_HISTREC}" = true ]; then
     wget -q --show-progress -O guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz
+    rm -f add-xtra-histrecstor.sh 
     if [ $? -ne 0 ]; then
         echo -e "${LRED}Failed to download guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz" 1>&2
         echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz"
@@ -523,11 +528,11 @@ else
     echo
 fi
 
-# Create guacd.conf. This is later changed to 127.0.0.1 during Nginx reverse proxy install.
-echo -e "${GREY}Binding guacd to 0.0.0.0 port 4822..."
+# Create guacd.conf and locahost IP binding.
+echo -e "${GREY}Binding guacd to 127.0.0.1 port 4822..."
 cat >/etc/guacamole/guacd.conf <<-"EOF"
 [server]
-bind_host = 0.0.0.0
+bind_host = 127.0.0.1
 bind_port = 4822
 EOF
 if [ $? -ne 0 ]; then

3-install-nginx.sh

@@ -84,22 +84,6 @@ else
     echo
 fi
 
-# Bind guacd to localhost and force all Guacamole connections via reverse proxy
-echo -e "${GREY}Binding guacd to 127.0.0.1 port 4822..."
-cp /etc/guacamole/guacd.conf /etc/guacamole/guacd.conf.bak
-cat >/etc/guacamole/guacd.conf <<-"EOF"
-[server]
-bind_host = 127.0.0.1
-bind_port = 4822
-EOF
-if [ $? -ne 0 ]; then
-    echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
-    exit 1
-else
-    echo -e "${LGREEN}OK${GREY}"
-    echo
-fi
-
 # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network.
 echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..."
 sudo ufw default allow outgoing >/dev/null 2>&1

4a-install-tls-self-signed-nginx.sh

@@ -26,15 +26,7 @@ SSLNAME=$1
 SSLDAYS=$2
 
 # Discover IPv4 interface
-echo -e "${GREY}Discovering the default route interface and Proxy DNS name to bind with the new TLS certificate..."
 DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)
-if [ $? -ne 0 ]; then
-    echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
-    exit 1
-else
-    echo -e "${LGREEN}OK${GREY}"
-    echo
-fi
 
 echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}"
 # Display the new TLS cert parameters.

add-fail2ban.sh

@@ -55,12 +55,12 @@ fi
 
 # Prompt to install Guacamole fail2ban config defaults, default of no
 if [[ -z ${FAIL2BAN_GUAC} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
-    echo -e -n "${GREY}POLICY: Apply Guacamole fail2ban security policy? (y/n) [default n]:${GREY}"
+    echo -e -n "${GREY}POLICY: Apply Guacamole fail2ban security policy? (Y/n) [default y]:${GREY}"
     read PROMPT
-    if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
-        FAIL2BAN_GUAC=true
-    else
+    if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
         FAIL2BAN_GUAC=false
+    else
+        FAIL2BAN_GUAC=true
     fi
 fi
 
@@ -236,7 +236,7 @@ REGEX='failregex = ^.*WARN  o\.a\.g\.r\.auth\.AuthenticationService - Authentica
 sed -i -e "/Authentication attempt from/a ${REGEX}" /etc/fail2ban/filter.d/guacamole.conf
 
 # Done
-echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban \n \n This script may take a while to complete..."
+echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban \n \n This script may take a while to complete on first run..."
 
 # Bounce the service to reload the new config
 sudo systemctl restart fail2ban

upgrade-guac.sh

@@ -48,7 +48,7 @@ echo
 
 #Setup download and temp directory paths
 USER_HOME_DIR=$(eval echo ~${SUDO_USER})
-DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup/upgrade
+DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
 
 # Setup directory locations
 mkdir -p $DOWNLOAD_DIR