This commit is contained in:
itiligent 2024-08-13 11:23:15 +10:00 committed by Itiligent
parent 14495c3dc5
commit 86570a38b9
3 changed files with 25 additions and 25 deletions


@ -43,7 +43,7 @@ if [[ $EUID -eq 0 ]]; then
exit 1
fi
# Check if sudo is installed. (Debian does not always include sudo by default.)
# Check if sudo is installed. (Debian does not always include sudo by default)
if ! command -v sudo &> /dev/null; then
echo "${LRED}Sudo is not installed. Please install sudo."
echo -e ${NC}
@ -57,7 +57,7 @@ if ! id -nG "$USER" | grep -qw "sudo"; then
exit 1
fi
# Check to see if any previous version of build/install files exist, if so stop and check to be safe.
# Check to see if any previous version of build files exist, if so stop and check to be safe.
if [[ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*' \))" != "" ]]; then
echo
echo -e "${LRED}Possible previous install files detected in current build path. Please review and remove old guacamole install files before proceeding.${GREY}, exiting..." 1>&2
@ -110,16 +110,16 @@ INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_install.log"
#######################################################################################################################
# Silent setup options - true/false or specific values below will skip prompt at install. EDIT TO SUIT ################
#######################################################################################################################
SERVER_NAME="" # Server hostname. (Blank = use the current hostname.)
LOCAL_DOMAIN="" # Local DNS namespace/domain suffix. (Blank = keep the current suffix.)
SERVER_NAME="" # Server hostname (blank = use the current hostname)
LOCAL_DOMAIN="" # Local DNS namespace/domain suffix (blank = keep the current suffix)
INSTALL_MYSQL="" # Install MySQL locally (true/false)
SECURE_MYSQL="" # Apply mysql secure configuration tool (true/false)
MYSQL_HOST="" # Blank "" = localhost MySQL install, adding a specific IP address will assume a remote MySQL instance.
MYSQL_HOST="" # Blank "" = localhost MySQL install, adding a specific IP address will assume a remote MySQL instance
MYSQL_PORT="" # If blank "" default is 3306
GUAC_DB="" # If blank "" default is guacamole_db
GUAC_USER="" # If blank "" default is guacamole_user
MYSQL_ROOT_PWD="" # Manadatory entry here or at script prompt.
GUAC_PWD="" # Manadatory entry here or at script prompt.
MYSQL_ROOT_PWD="" # Manadatory entry here or at script prompt
GUAC_PWD="" # Manadatory entry here or at script prompt
DB_TZ=$(cat /etc/timezone) # Blank "" defaults to UTC, for local timezone: $(cat /etc/timezone)
INSTALL_TOTP="" # Add TOTP MFA extension (true/false), can't be installed simultaneously with DUO)
INSTALL_DUO="" # Add DUO MFA extension (true/false, can't be installed simultaneously with TOTP)
@ -129,10 +129,10 @@ INSTALL_HISTREC="" # Add Guacamole history recording storage featur
HISTREC_PATH="" # If blank "" sets the Apache's default path of /var/lib/guacamole/recordings
GUAC_URL_REDIR="" # Auto redirect of host root URL http://xxx:8080 to http://xxx:8080/guacamole (true/false)
INSTALL_NGINX="" # Install & configure Nginx reverse proxy http:80 frontend (true/false)
PROXY_SITE="" # Local DNS name for reverse proxy site and/or self signed TLS certificates (Blank "" defaults to $DEFAULT_FQDN)
PROXY_SITE="" # Local DNS name for reverse proxy site and/or self signed TLS certificates (blank "" defaults to $DEFAULT_FQDN)
SELF_SIGN="" # Add self signed TLS/https support to Nginx (true/false, Let's Encrypt not available with this option)
RSA_KEYLENGTH="2048" # Self signed RSA TLS key length. At least 2048, must not be blank.
CERT_COUNTRY="AU" # Self signed cert setup, 2 character country code only, must not be blank.
RSA_KEYLENGTH="2048" # Self signed RSA TLS key length. At least 2048, must not be blank
CERT_COUNTRY="AU" # Self signed cert setup, 2 character country code only, must not be blank
CERT_STATE="Victoria" # Self signed cert setup, must not be blank
CERT_LOCATION="Melbourne" # Self signed cert setup, must not be blank
CERT_ORG="Itiligent" # Self signed cert setup, must not be blank
@ -158,7 +158,7 @@ echo -e " ${LGREEN}Powered by Itiligent"
echo
echo
# Download the set of config scripts from GitHub
# Download the suite of install scripts from GitHub
cd $DOWNLOAD_DIR
echo -e "${GREY}Downloading the Guacamole build suite...${DGREY}"
wget -q --show-progress ${GITHUB}/2-install-guacamole.sh -O 2-install-guacamole.sh
@ -166,7 +166,7 @@ wget -q --show-progress ${GITHUB}/3-install-nginx.sh -O 3-install-nginx.sh
wget -q --show-progress ${GITHUB}/4a-install-tls-self-signed-nginx.sh -O 4a-install-tls-self-signed-nginx.sh
wget -q --show-progress ${GITHUB}/4b-install-tls-letsencrypt-nginx.sh -O 4b-install-tls-letsencrypt-nginx.sh
# Download the Guacamole optional feature scripts
# Download the suite of optional feature adding scripts
wget -q --show-progress ${GITHUB}/guac-optional-features/add-auth-duo.sh -O add-auth-duo.sh
wget -q --show-progress ${GITHUB}/guac-optional-features/add-auth-ldap.sh -O add-auth-ldap.sh
wget -q --show-progress ${GITHUB}/guac-optional-features/add-auth-totp.sh -O add-auth-totp.sh
@ -178,7 +178,7 @@ wget -q --show-progress ${GITHUB}/guac-optional-features/add-fail2ban.sh -O add-
wget -q --show-progress ${GITHUB}/guac-management/backup-guacamole.sh -O backup-guacamole.sh
wget -q --show-progress ${GITHUB}/upgrade-guacamole.sh -O upgrade-guacamole.sh
# Download the (customisable) dark theme & branding template
# Download the dark theme & branding template
wget -q --show-progress ${GITHUB}/branding.jar -O branding.jar
chmod +x *.sh
@ -234,19 +234,19 @@ fi
# Ongoing fixes and workarounds as distros diverge/change #############################################################
#######################################################################################################################
# Workaround for Debian incompatibilities with latest Tomcat versions. (Adds the oldstable repo and downgrades the Tomcat version to be installed)
# Workaround for Debian incompatibilities with later Tomcat versions. (Adds the oldstable repo and downgrades the Tomcat version)
if [[ ${ID,,} = "debian" && ${VERSION_CODENAME,,} = *"bookworm"* ]] || [[ ${ID,,} = "debian" && ${VERSION_CODENAME,,} = *"trixie"* ]]; then #(checks for upper and lower case)
echo "deb http://deb.debian.org/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/bullseye.list &> /dev/null
sudo apt-get update -qq &> /dev/null
TOMCAT_VERSION="tomcat9"
fi
# Workaround for Ubuntu 23.x Tomcat 10 incompatibilities. Force older version 9 also found in the Lunar repo.
# Workaround for Ubuntu 23.x Tomcat 10 incompatibilities. Downgrades Tomcat to version 9 which is available from the Lunar repo.
if [[ ${ID,,} = "ubuntu" ]] && [[ ${VERSION_CODENAME,,} = *"lunar"* ]]; then
TOMCAT_VERSION="tomcat9"
fi
# Workaround for Ubuntu 24.x Tomcat 10 incompatibilities. (Adds old Jammy repo and downgrades the Tomcat version to be installed)
# Workaround for Ubuntu 24.x Tomcat 10 incompatibilities. (Adds old Jammy repo and downgrades the Tomcat version)
if [[ ${ID,,} = "ubuntu" && ${VERSION_CODENAME,,} = *"noble"* ]]; then
echo "deb http://archive.ubuntu.com/ubuntu/ jammy universe" | sudo tee /etc/apt/sources.list.d/jammy.list &> /dev/null
sudo apt-get update -qq &> /dev/null
@ -273,7 +273,7 @@ fi
# DO NOT EDIT PAST THIS POINT! ########################################################################################
#######################################################################################################################
# An intitial dns suffix is needed as a starting value for the script prompts.
# An intitial dns suffix is needed as a starting value for the script prompts
get_domain_suffix() {
echo "$1" | awk '{print $2}'
}
@ -783,7 +783,7 @@ export RDP_PRINTER_LABEL="${RDP_PRINTER_LABEL}"
export LOCAL_DOMAIN=$LOCAL_DOMAIN
export DOMAIN_SUFFIX=$DOMAIN_SUFFIX
# Run the Guacamole install script keeping all exported variables from the current shell
# Run the Guacamole install script (with all exported variables from this current shell)
sudo -E ./2-install-guacamole.sh
if [[ $? -ne 0 ]]; then
echo -e "${LRED}2-install-guacamole.sh FAILED. See ${INSTALL_LOG}${GREY}" 1>&2
@ -809,19 +809,19 @@ rm cron_1
# Start optional setup actions ######################################################################################
#######################################################################################################################
# Install Nginx reverse proxy front end to Guacamole if option is selected keeping all exported variables from the current shell
# Install Nginx reverse proxy front end to Guacamole if option is selected (with all exported variables from this current shell)
if [[ "${INSTALL_NGINX}" = true ]]; then
sudo -E ./3-install-nginx.sh
echo -e "${LGREEN}Nginx install complete\nhttp://${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi
# Apply self signed TLS certificates to Nginx reverse proxy if option is selected keeping all exported variables from the current shell
# Apply self signed TLS certificates to Nginx reverse proxy if option is selected (with all exported variables from this current shell)
if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]] && [[ "${LETS_ENCRYPT}" != true ]]; then
sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} ${DEFAULT_IP} | tee -a ${INSTALL_LOG} # Logged to capture client cert import instructions
echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - login user/pass: guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi
# Apply Let's Encrypt TLS certificates to Nginx reverse proxy if option is selected keeping all exported variables from the current shell
# Apply Let's Encrypt TLS certificates to Nginx reverse proxy if option is selected (with all exported variables from this current shell)
if [[ "${INSTALL_NGINX}" = true ]] && [[ "${LETS_ENCRYPT}" = true ]] && [[ "${SELF_SIGN}" != true ]]; then
sudo -E ./4b-install-tls-letsencrypt-nginx.sh
echo -e "${LGREEN}Let's Encrypt TLS configured for Nginx \n${LYELLOW}https:${LGREEN}//${LE_DNS_NAME} - login user/pass: guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
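Review bot: The download hunk (`wget -q --show-progress ${GITHUB}/... -O ...`) still depends on wget, yet the README in this same commit replaces the wget prerequisite with curl and switches the one-liner to `curl -sSL ... | bash`, so a host provisioned per the new prerequisites can hit `wget: command not found` here with no guard, after which `chmod +x *.sh` and the later `sudo -E ./2-install-guacamole.sh` operate on missing or empty files; either add `if ! command -v wget &> /dev/null; then echo "${LRED}wget is not installed. Please install wget."; exit 1; fi` beside the existing sudo check, or move these fetches to curl. The fetched scripts are then executed with `sudo -E` without any integrity check (no checksum or signature; `${GITHUB}` is defined outside the hunk but from the README it presumably points at an unpinned branch), which the reworded download comments should at least state, e.g. `# NOTE: scripts are fetched from ${GITHUB} unverified and later run via sudo -E; pin a release/commit or verify checksums for production builds`. In the optional-setup hunk, `sudo -E ./3-install-nginx.sh` has no exit-status check and the self-signed TLS line's `$?` is that of `tee`, so the "install complete" message with the default guacadmin credentials is printed even when the step failed; `set -o pipefail` near the top, or checking `${PIPESTATUS[0]}` after the tee, would close that. The script body continues outside these hunks, so the earlier sudo check and the `${GITHUB}` definition are not visible here.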


@ -95,7 +95,7 @@ sudo $USER_HOME_DIR/guac-setup/add-ldap-auth-guacamole.sh
- If not using the **mysql-auto-create-accounts** directive, manually re-create the exact user account names in Guacamole as those in the directory that you wish to give specific local adminstrative permissions and/or provision Guacamole's MFA access. **DO NOT configure a Guacamole password for any users that will be exclusively authenticating via Active directory**. Guacamole database local user accounts without a password are first given an MFA challenge by the local Guacamole application (Only where the local passwordless Guacamole account is configured for MFA) and then will be brokered to Active Directory for their Kerberos authentication challenge. Guacamole database local user accounts that are given passwords in Guacamole will always refer to the local database account for authentication, never Active Directory. This design allows for a matrix of local, domain, MFA & non-MFA access use cases to be deployed.
### :key: **Logging using Gucamole local vs. domain guacbind-ad account**
### :key: **Logging in using Gucamole local vs. domain guacbind-ad account**
- As described above, logging on with the Guacamole admin user password will authenticate with the local Guacamole admin account, conversely if the Guacamole admin domain account password is given, the domain account is authenticated via Active Directory and then passed through as authorized to administer Guacamole. It may sometimes be necessary to log on with the local Guacamole admin account to manage some application functions, but be aware that when doing so you will not be able to view and search the user list from Active Directory. Only when logged on with the domain version of the Guacamole admin account can domain user permissions to various Guacamole sessions and objects be delegated and managed.


@ -6,14 +6,14 @@
</a>
</p>
This suite of build and management scripts makes setting up a secure Guacamole jump server a breeze. It supports TLS reverse proxy (self-signed or Let's Encrypt), Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, a custom UI theme creation tool & template (dark themed), auto database backup, email alerts, internal security hardening options, and a fail2ban policy for defence against brute force attacks. The suite also includes code for an enterprise deployment similar to [Amazon's Guacamole Bastion Cluster](http://netcubed-ami.s3-website-us-east-1.amazonaws.com/guaws/v2.3.1/cluster/).
This modular suite of build and management scripts makes provisioning a secure Guacamole jump server a breeze. It supports TLS reverse proxy (self-signed or Let's Encrypt), Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, a custom UI theme creation tool & template (dark themed), auto database backup, email alerts, internal security hardening options, and a fail2ban policy for defence against brute force attacks. The suite also includes code for an enterprise deployment similar to [Amazon's Guacamole Bastion Cluster](http://netcubed-ami.s3-website-us-east-1.amazonaws.com/guaws/v2.3.1/cluster/).
## Automatic Installation
🚀 To start building your Guacamole appliance, paste the below link into a terminal & follow the prompts (**A secure build requires that you do NOT run this script as sudo or root, however the script will prompt for sudo as needed**):
```shell
wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh
curl -sSL https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh | bash
```
## Prerequisites
@ -28,7 +28,7 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.
- **1 CPU core + 2GB RAM for every 25 users (plus minimum RAM & disk space for your selected OS).**
- **Open TCP ports: 22, 80, and 443 (no other services using 80, 8080 & 443)**
- **If selecting either of the TLS reverse proxy options, you must create a PRIVATE DNS record for the internal proxy site, and an additional PUBLIC DNS record if selecting the Let's Encrypt option.**
- **Sudo & wget packages installed**
- **Sudo & curl packages installed**
- **The user running the 1-setup.sh script must have sudo permissions**
## Setup Script Menu