From 500607d01a41ca032f421527ff1470111316ce01 Mon Sep 17 00:00:00 2001 From: itiligent Date: Wed, 6 Sep 2023 21:37:21 +1000 Subject: [PATCH] change installer defaults --- 1-setup.sh | 37 +++++++++++++++++------------ 2-install-guacamole.sh | 13 ++++++---- 3-install-nginx.sh | 16 ------------- 4a-install-tls-self-signed-nginx.sh | 8 ------- add-fail2ban.sh | 10 ++++---- upgrade-guac.sh | 2 +- 6 files changed, 37 insertions(+), 49 deletions(-) diff --git a/1-setup.sh b/1-setup.sh index 9a76a03..e9f5393 100644 --- a/1-setup.sh +++ b/1-setup.sh @@ -76,12 +76,12 @@ GITHUB="https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/" # Version of Guacamole to install GUAC_VERSION="1.5.3" +# MySQL Connector/J version to install +MYSQLJCON="8.1.0" + # Set preferred Apache CDN download link) GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/${GUAC_VERSION}" -# MySQL Connector/J version -MYSQLJCON="8.1.0" - # Force a specific MySQL version e.g. 11.1.2 See https://mariadb.org/mariadb/all-releases/ # If MYSQL_VERSION is left blank, script will default to the Linux distro default MYSQL packages. MYSQL_VERSION="" 
@@ -491,23 +491,23 @@ echo # Prompt the user to install the Quick Connect feature (some higher security use cases may not want this) echo -e "${LGREEN}Guacamole console optional extras:${GREY}" if [[ -z "${INSTALL_QCONNECT}" ]]; then - echo -e -n "${GREY}EXTRAS: Install Quick Connect feature? [Y/n] [default y]: " + echo -e -n "${GREY}EXTRAS: Install Quick Connect feature? [y/N] [default n]: " read PROMPT - if [[ ${PROMPT} =~ ^[Nn]$ ]]; then - INSTALL_QCONNECT=false - else + if [[ ${PROMPT} =~ ^[Yy]$ ]]; then INSTALL_QCONNECT=true + else + INSTALL_QCONNECT=false fi fi # Prompt the user to install the History Recorded Storage feature if [[ -z "${INSTALL_HISTREC}" ]]; then - echo -e -n "${GREY}EXTRAS: Install History Recorded Storage (session replay console integration) [Y/n] [default y]: " + echo -e -n "${GREY}EXTRAS: Install History Recorded Storage (session replay console integration) [y/N] [default n]: " read PROMPT - if [[ ${PROMPT} =~ ^[Nn]$ ]]; then - INSTALL_HISTREC=false - else + if [[ ${PROMPT} =~ ^[Yy]$ ]]; then INSTALL_HISTREC=true + else + INSTALL_HISTREC=false fi fi HISTREC_PATH_DEFAULT=/var/lib/guacamole/recordings # Apache default @@ -527,13 +527,13 @@ echo # Prompt for Guacamole front end reverse proxy option echo -e "${LGREEN}Reverse Proxy & front end options:${GREY}" if [[ -z ${INSTALL_NGINX} ]]; then - echo -e -n "FRONT END: Protect Guacamole behind Nginx reverse proxy [Y/n]? [default y]: " + echo -e -n "FRONT END: Protect Guacamole behind Nginx reverse proxy [y/N]? [default n]: " read PROMPT - if [[ ${PROMPT} =~ ^[Nn]$ ]]; then - INSTALL_NGINX=false - else + if [[ ${PROMPT} =~ ^[Yy]$ ]]; then INSTALL_NGINX=true CHANGE_ROOT=false + else + INSTALL_NGINX=false fi fi 
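Review bot: With the new `^[Yy]$` test, any answer other than a single `y`/`Y` — including `yes` — now falls through to `INSTALL_QCONNECT=false`, and the same applies to `INSTALL_HISTREC` in this hunk and to `INSTALL_NGINX` in the @@ -527 hunk; `if [[ ${PROMPT} =~ ^[Yy]([Ee][Ss])?$ ]]; then` keeps the stricter default while accepting the usual long form. `read PROMPT` should be `read -r PROMPT` so a stray backslash in the answer is not interpreted. The Nginx default of `n` presumably also means the ufw tightening in 3-install-nginx.sh (its comment "Only Nginx and SSH will be available over the network" is visible further down this patch) no longer runs on a default install, so the prompt text could say that choosing `n` leaves the web app reachable directly, if that is the intent.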
@@ -776,6 +776,13 @@ fi mv $USER_HOME_DIR/1-setup.sh $DOWNLOAD_DIR sudo rm -R $TMP_DIR +# Installer and Nginx scripts can't be run standalone without modification, so removing to keep things tidy. +rm -f 1-setup.sh +rm -f 2-install-guacamole.sh +rm -f 3-install-nginx.sh +rm -f 4a-install-tls-self-signed-nginx.sh +rm -f 4b-install-tls-letsencrypt-nginx.sh + # Done echo printf "${LGREEN}Guacamole ${GUAC_VERSION} install complete! \n${NC}" diff --git a/2-install-guacamole.sh b/2-install-guacamole.sh index 5fbdcd3..4915c84 100644 --- a/2-install-guacamole.sh +++ b/2-install-guacamole.sh @@ -95,7 +95,7 @@ if [ $? -ne 0 ]; then echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-${GUAC_VERSION}.war${GREY}" exit 1 fi -echo -e "${LGREEN}Downloaded guacamole-${GUAC_VERSION}.war (Guacamole client web application)${GREY}" +echo -e "${LGREEN}Downloaded guacamole-${GUAC_VERSION}.war (Guacamole client)${GREY}" # Download MySQL connector/j wget -q --show-progress -O mysql-connector-j-${MYSQLJCON}.tar.gz https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQLJCON}.tar.gz @@ -122,6 +122,7 @@ echo -e "${LGREEN}Downloaded guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz${GREY}" # Download TOTP extension if [ "${INSTALL_TOTP}" = true ]; then wget -q --show-progress -O guacamole-auth-totp-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${GUAC_VERSION}.tar.gz + rm -f add-auth-totp.sh if [ $? -ne 0 ]; then echo -e "${LRED}Failed to download guacamole-auth-totp-${GUAC_VERSION}.tar.gz" 1>&2 echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${GUAC_VERSION}.tar.gz" 
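Review bot: The five new `rm -f` calls use bare relative filenames, so they act on whatever the current working directory is when this block runs, while the line just above has moved `1-setup.sh` into `$DOWNLOAD_DIR`; unless the script has already changed into that directory (not visible in this hunk), `rm -f 1-setup.sh` is a no-op and the other four may remove a different copy than intended. Anchoring them to the download directory makes the intent explicit: `rm -f -- "${DOWNLOAD_DIR:?}"/{1-setup,2-install-guacamole,3-install-nginx,4a-install-tls-self-signed-nginx,4b-install-tls-letsencrypt-nginx}.sh`. The `:?` guard also stops the removal from touching `/…` paths if `DOWNLOAD_DIR` were ever empty.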
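Review bot: Inserting `rm -f add-auth-totp.sh` between the `wget` and `if [ $? -ne 0 ]; then` makes `$?` reflect the `rm -f` (which succeeds even when the file is absent), so a failed TOTP download is no longer detected and the script carries on with a missing or truncated tarball; the DUO, LDAP, quick-connect and history-recording hunks at @@ -135, @@ -148, @@ -161 and @@ -174 have the same problem. Either move the removal below the `fi` that closes the download check (that `fi` is outside this hunk), or capture the status first: `wget -q --show-progress -O guacamole-auth-totp-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${GUAC_VERSION}.tar.gz; rc=$?` then `rm -f add-auth-totp.sh` and `if [ "$rc" -ne 0 ]; then`. These are authentication extensions fetched over the network, so this is the one check in the file that should not be allowed to pass vacuously.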
@@ -135,6 +136,7 @@ fi # Download DUO extension if [ "${INSTALL_DUO}" = true ]; then wget -q --show-progress -O guacamole-auth-duo-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${GUAC_VERSION}.tar.gz + rm -f add-auth-duo.sh if [ $? -ne 0 ]; then echo -e "${LRED}Failed to download guacamole-auth-duo-${GUAC_VERSION}.tar.gz" 1>&2 echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${GUAC_VERSION}.tar.gz" @@ -148,6 +150,7 @@ fi # Download LDAP extension if [ "${INSTALL_LDAP}" = true ]; then wget -q --show-progress -O guacamole-auth-ldap-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz + rm -f add-auth-ldap.sh if [ $? -ne 0 ]; then echo -e "${LRED}Failed to download guacamole-auth-ldap-${GUAC_VERSION}.tar.gz" 1>&2 echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz" @@ -161,6 +164,7 @@ fi # Download Guacamole quick-connect extension if [ "${INSTALL_QCONNECT}" = true ]; then wget -q --show-progress -O guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz + rm -f add-xtra-quickconnect.sh if [ $? -ne 0 ]; then echo -e "${LRED}Failed to download guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz" 1>&2 echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz" @@ -174,6 +178,7 @@ fi # Download Guacamole history recording storage extension if [ "${INSTALL_HISTREC}" = true ]; then wget -q --show-progress -O guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz + rm -f add-xtra-histrecstor.sh if [ $? -ne 0 ]; then echo -e "${LRED}Failed to download guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz" 1>&2 echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz" 
@@ -523,11 +528,11 @@ else echo fi -# Create guacd.conf. This is later changed to 127.0.0.1 during Nginx reverse proxy install. -echo -e "${GREY}Binding guacd to 0.0.0.0 port 4822..." +# Create guacd.conf and locahost IP binding. +echo -e "${GREY}Binding guacd to 127.0.0.1 port 4822..." cat >/etc/guacamole/guacd.conf <<-"EOF" [server] -bind_host = 0.0.0.0 +bind_host = 127.0.0.1 bind_port = 4822 EOF if [ $? -ne 0 ]; then diff --git a/3-install-nginx.sh b/3-install-nginx.sh index fa37659..7594b33 100644 --- a/3-install-nginx.sh +++ b/3-install-nginx.sh @@ -84,22 +84,6 @@ else echo fi -# Bind guacd to localhost and force all Guacamole connections via reverse proxy -echo -e "${GREY}Binding guacd to 127.0.0.1 port 4822..." -cp /etc/guacamole/guacd.conf /etc/guacamole/guacd.conf.bak -cat >/etc/guacamole/guacd.conf <<-"EOF" -[server] -bind_host = 127.0.0.1 -bind_port = 4822 -EOF -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2 - exit 1 -else - echo -e "${LGREEN}OK${GREY}" - echo -fi - # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network. echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..." sudo ufw default allow outgoing >/dev/null 2>&1 diff --git a/4a-install-tls-self-signed-nginx.sh b/4a-install-tls-self-signed-nginx.sh index 9ed6c0a..193e65f 100644 --- a/4a-install-tls-self-signed-nginx.sh +++ b/4a-install-tls-self-signed-nginx.sh 
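Review bot: The new comment `# Create guacd.conf and locahost IP binding.` misspells localhost and drops the old comment's explanation of why the address was chosen; suggest `# Create guacd.conf bound to loopback only; guacd is reached by the local web app and is never exposed on a network interface.` The change itself is the right default: the old `0.0.0.0` binding was only narrowed later by 3-install-nginx.sh, and this commit makes skipping Nginx the default, so without this hunk a default install would have left guacd listening on all interfaces.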
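Review bot: Removing the rebind block means 3-install-nginx.sh now assumes `/etc/guacamole/guacd.conf` already carries `bind_host = 127.0.0.1`, which is only true for installs done with the updated 2-install-guacamole.sh; a host set up by an earlier version with `bind_host = 0.0.0.0` that runs only this script keeps guacd on all interfaces, while the remaining comment still promises that only Nginx and SSH are reachable. A cheap guard preserves the old guarantee without rewriting the file: `grep -q '^bind_host = 127.0.0.1' /etc/guacamole/guacd.conf || echo -e "${LRED}guacd is not bound to 127.0.0.1; re-run 2-install-guacamole.sh or edit /etc/guacamole/guacd.conf${GREY}" 1>&2`. The deleted block was also the only place a `guacd.conf.bak` was taken; if that backup is relied on elsewhere, that is worth checking.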
@@ -26,15 +26,7 @@ SSLNAME=$1 SSLDAYS=$2 # Discover IPv4 interface -echo -e "${GREY}Discovering the default route interface and Proxy DNS name to bind with the new TLS certificate..." DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1) -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2 - exit 1 -else - echo -e "${LGREEN}OK${GREY}" - echo -fi echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}" # Display the new TLS cert parameters. diff --git a/add-fail2ban.sh b/add-fail2ban.sh index f04d2ec..fb1db6d 100644 --- a/add-fail2ban.sh +++ b/add-fail2ban.sh @@ -55,12 +55,12 @@ fi # Prompt to install Guacamole fail2ban config defaults, default of no if [[ -z ${FAIL2BAN_GUAC} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then - echo -e -n "${GREY}POLICY: Apply Guacamole fail2ban security policy? (y/n) [default n]:${GREY}" + echo -e -n "${GREY}POLICY: Apply Guacamole fail2ban security policy? (Y/n) [default y]:${GREY}" read PROMPT - if [[ ${PROMPT} =~ ^[Yy]$ ]]; then - FAIL2BAN_GUAC=true - else + if [[ ${PROMPT} =~ ^[Nn]$ ]]; then FAIL2BAN_GUAC=false + else + FAIL2BAN_GUAC=true fi fi 
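Review bot: Deleting the `if [ $? -ne 0 ]` block removes the only failure handling around `DEFAULT_IP`, and nothing replaces it: the `$(...)` pipeline ends in `cut`, so `$?` never reflected a missing default route anyway, and an empty `DEFAULT_IP` now flows silently into the certificate attributes printed below. A direct check on the value is what was needed: `[ -n "$DEFAULT_IP" ] || { echo -e "${LRED}Could not determine the default-route IPv4 address. See ${LOG_LOCATION}${GREY}" 1>&2; exit 1; }`. The inner `$(ip route | awk ...)` is also unquoted, so if `awk` prints more than one interface (two default routes) the words are passed as separate arguments to `ip addr show`.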
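Review bot: The context comment above this prompt, `# Prompt to install Guacamole fail2ban config defaults, default of no`, now contradicts the `[default y]` text and the `FAIL2BAN_GUAC=true` fallback; change it to `# Prompt to apply the Guacamole fail2ban policy, default of yes`. With yes as the default, the `^[Nn]$` test means only a lone `n`/`N` opts out — `no` applies the policy — and the prompt uses `(Y/n)` where the 1-setup.sh prompts in this same patch use `[y/N]`; `if [[ ${PROMPT} =~ ^[Nn]([Oo])?$ ]]; then` and `[Y/n]` would align both. `read PROMPT` should be `read -r PROMPT`.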
@@ -236,7 +236,7 @@ REGEX='failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentica sed -i -e "/Authentication attempt from/a ${REGEX}" /etc/fail2ban/filter.d/guacamole.conf # Done -echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban \n \n This script may take a while to complete..." +echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban \n \n This script may take a while to complete on first run..." # Bounce the service to reload the new config sudo systemctl restart fail2ban diff --git a/upgrade-guac.sh b/upgrade-guac.sh index 55d24aa..ec2fbbb 100644 --- a/upgrade-guac.sh +++ b/upgrade-guac.sh @@ -48,7 +48,7 @@ echo #Setup download and temp directory paths USER_HOME_DIR=$(eval echo ~${SUDO_USER}) -DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup/upgrade +DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup # Setup directory locations mkdir -p $DOWNLOAD_DIR