Ubuntu 23 and Debian 12 ok

This commit is contained in:
itiligent 2023-09-11 14:01:56 +10:00
parent d150332e63
commit 9967087257
21 changed files with 402 additions and 317 deletions


@ -17,7 +17,7 @@
# Scripts with "add" in their name can be run post install to add optional features not included in the main install # Scripts with "add" in their name can be run post install to add optional features not included in the main install
# If something isn't working: # If something isn't working:
# tail -f /var/log/syslog /var/log/tomcat*/*.out guac-setup/guacamole_${GUAC_VERSION}_setup.log # tail -f /var/log/syslog /var/log/tomcat*/*.out guac-setup/guacamole_setup.log
# Or for Guacamole debug mode & verbose logs in the console: # Or for Guacamole debug mode & verbose logs in the console:
# sudo systemctl stop guacd && sudo /usr/local/sbin/guacd -L debug -f # sudo systemctl stop guacd && sudo /usr/local/sbin/guacd -L debug -f
@ -70,7 +70,8 @@ fi
USER_HOME_DIR=$(eval echo ~${SUDO_USER}) USER_HOME_DIR=$(eval echo ~${SUDO_USER})
DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
DB_BACKUP_DIR=$USER_HOME_DIR/mysqlbackups DB_BACKUP_DIR=$USER_HOME_DIR/mysqlbackups
TMP_DIR=$DOWNLOAD_DIR/tmp mkdir -p $DOWNLOAD_DIR
mkdir -p $DB_BACKUP_DIR
# GitHub download branch # GitHub download branch
GITHUB="https://raw.githubusercontent.com/itiligent/Guacamole-Install/main" GITHUB="https://raw.githubusercontent.com/itiligent/Guacamole-Install/main"
@ -87,75 +88,15 @@ GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guac
# See https://mariadb.org/mariadb/all-releases/ for available versions. # See https://mariadb.org/mariadb/all-releases/ for available versions.
# Provide a specific MySQL version e.g. 11.1.2 or leave blank to use distro default MySQL packages. # Provide a specific MySQL version e.g. 11.1.2 or leave blank to use distro default MySQL packages.
MYSQL_VERSION="" MYSQL_VERSION=""
if [[ -z "${MYSQL_VERSION}" ]]; then
# Use Linux distro default version.
MYSQLSRV="default-mysql-server default-mysql-client mysql-common" # Server
MYSQLCLIENT="default-mysql-client" # Client
DB_CMD="mysql" # mysql command is depricated
else
# Use official mariadb.org repo
MYSQLSRV="mariadb-server mariadb-client mariadb-common" # Server
MYSQLCLIENT="mariadb-client" # Client
DB_CMD="mariadb" # mysql command is depricated on newer versions
fi
# Install log Location
INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_${GUAC_VERSION}_setup.log"
# Guacamole default install URL # Guacamole default install URL
GUAC_URL=http://localhost:8080/guacamole/ GUAC_URL=http://localhost:8080/guacamole/
# Standardised language used for distro versions and dependencies allows a more maintainable approach should distros diverge. # Get the default route interface IP. Manually update for multi homed systems.
# Here the variables for OS variant and library dependency names are initialised.
source /etc/os-release
OS_FLAVOUR=$ID
OS_VERSION=$VERSION_ID
OS_CODENAME=$VERSION_CODENAME
JPEGTURBO=""
LIBPNG=""
# A default route IP and dns search suffix is needed for initial prompts & default starting values.
# Get the default route interface IP
DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1) DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)
get_domain_suffix() {
echo "$1" | awk '{print $2}'
}
# Search for "search" and "domain" entries in /etc/resolv.conf
search_line=$(grep -E '^search[[:space:]]+' /etc/resolv.conf)
domain_line=$(grep -E '^domain[[:space:]]+' /etc/resolv.conf)
# Check if both "search" and "domain" lines exist
if [[ -n "$search_line" ]] && [[ -n "$domain_line" ]]; then
# Both "search" and "domain" lines exist, extract the domain suffix from both
search_suffix=$(get_domain_suffix "$search_line")
domain_suffix=$(get_domain_suffix "$domain_line")
# Print the domain suffix that appears first
if [[ ${#search_suffix} -lt ${#domain_suffix} ]]; then
DOMAIN_SUFFIX=$search_suffix
else
DOMAIN_SUFFIX=$domain_suffix
fi
elif [[ -n "$search_line" ]]; then
# If only "search" line exists
DOMAIN_SUFFIX=$(get_domain_suffix "$search_line")
elif [[ -n "$domain_line" ]]; then
# If only "domain" line exists
DOMAIN_SUFFIX=$(get_domain_suffix "$domain_line")
else
# If no "search" or "domain" lines found
DOMAIN_SUFFIX="local"
fi
# Setup directory locations # Install log Location
mkdir -p $DOWNLOAD_DIR INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_setup.log"
mkdir -p $DB_BACKUP_DIR
mkdir -p $TMP_DIR
# Script branding header
echo
echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Itiligent"
echo
echo
####################################################################################################################### #######################################################################################################################
# Silent setup options - true/false or specific values below prevents prompt at install. EDIT TO SUIT ################# # Silent setup options - true/false or specific values below prevents prompt at install. EDIT TO SUIT #################
@ -200,9 +141,16 @@ RDP_PRINTER_LABEL="RDP Printer" # Custom Windows RDP printer label
# Download GitHub setup scripts. To prevent overwrite, COMMENT OUT LINES OF ANY SCRIPTS YOU HAVE EDITED. ############## # Download GitHub setup scripts. To prevent overwrite, COMMENT OUT LINES OF ANY SCRIPTS YOU HAVE EDITED. ##############
####################################################################################################################### #######################################################################################################################
# Script branding header
echo
echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Itiligent"
echo
echo
# Download the set of config scripts from GitHub # Download the set of config scripts from GitHub
cd $DOWNLOAD_DIR cd $DOWNLOAD_DIR
echo -e "${GREY}Downloading setup files...${DGREY}" echo -e "${GREY}Downloading the Guacamole build suite...${DGREY}"
wget -q --show-progress ${GITHUB}/2-install-guacamole.sh -O 2-install-guacamole.sh wget -q --show-progress ${GITHUB}/2-install-guacamole.sh -O 2-install-guacamole.sh
wget -q --show-progress ${GITHUB}/3-install-nginx.sh -O 3-install-nginx.sh wget -q --show-progress ${GITHUB}/3-install-nginx.sh -O 3-install-nginx.sh
wget -q --show-progress ${GITHUB}/4a-install-tls-self-signed-nginx.sh -O 4a-install-tls-self-signed-nginx.sh wget -q --show-progress ${GITHUB}/4a-install-tls-self-signed-nginx.sh -O 4a-install-tls-self-signed-nginx.sh
@ -222,30 +170,24 @@ wget -q --show-progress ${GITHUB}/guac-management/refresh-tls-self-signed.sh -O
# Download the (customisable) dark theme & branding template # Download the (customisable) dark theme & branding template
wget -q --show-progress ${GITHUB}/branding.jar -O branding.jar wget -q --show-progress ${GITHUB}/branding.jar -O branding.jar
chmod +x *.sh chmod +x *.sh
sleep 3
clear
# Script branding header
echo
echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Itiligent"
echo
echo
# Pause here to optionally customise downloaded scripts before any actual install actions have began # Pause here to optionally customise downloaded scripts before any actual install actions have began
echo -e "${LYELLOW}Ctrl+Z now to exit now if you wish to customise 1-setup.sh options or to setup an unattended install." echo -e "${LYELLOW}Ctrl+Z now to exit now if you wish to customise 1-setup.sh options or to setup an unattended install."
echo echo
echo
# Lets trigger a sudo prompt here for root credentials needed for the install - this keeps the install menu flow neat
# Set permissions for sudo and non sudo access to tmp setup files
sudo chmod -R 770 $TMP_DIR
sudo chown -R $SUDO_USER:root $TMP_DIR
####################################################################################################################### #######################################################################################################################
# Determine the correct version of Tomcat use ######################################################################### # Logic for determining desired packages between distros & database options. Modify as Linux distros diverge ##########
####################################################################################################################### #######################################################################################################################
# First lets trigger a sudo prompt to cache the admin credentials needed for the next installer steps
sudo apt-get update -qq &>>${INSTALL_LOG}
# Standardise the language used for distro versions
source /etc/os-release
OS_NAME=$ID
OS_VERSION=$VERSION_ID
OS_CODENAME=$VERSION_CODENAME
# Check for the latest version of Tomcat currently supported by the distro # Check for the latest version of Tomcat currently supported by the distro
if [[ $(apt-cache show tomcat10 2>/dev/null | egrep "Version: 10" | wc -l) -gt 0 ]]; then if [[ $(apt-cache show tomcat10 2>/dev/null | egrep "Version: 10" | wc -l) -gt 0 ]]; then
TOMCAT_VERSION="tomcat10" TOMCAT_VERSION="tomcat10"
@ -259,24 +201,79 @@ else
fi fi
# Workaround for current Debian 12 & Tomcat 10 incompatibilities # Workaround for current Debian 12 & Tomcat 10 incompatibilities
if [[ ${OS_FLAVOUR,,} = "debian" ]] && [[ ${OS_CODENAME,,} = *"bookworm"* ]]; then #(checks for upper and lower case) if [[ ${OS_NAME,,} = "debian" ]] && [[ ${OS_CODENAME,,} = *"bookworm"* ]]; then #(checks for upper and lower case)
# Add the oldstable repo and downgrade tomcat version install # Add the oldstable repo and downgrade tomcat version install
echo "deb http://deb.debian.org/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/bullseye.list >/dev/null echo "deb http://deb.debian.org/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/bullseye.list >/dev/null
TOMCAT_VERSION="tomcat9" TOMCAT_VERSION="tomcat9"
fi fi
# Workaround for Ubuntu 23.x & Tomcat 10 incompatibilities # Workaround for Ubuntu 23.x & Tomcat 10 incompatibilities
if [[ ${OS_FLAVOUR,,} = "ubuntu" ]] && [[ ${OS_CODENAME,,} = *"lunar"* ]]; then #(checks for upper and lower case) if [[ ${OS_NAME,,} = "ubuntu" ]] && [[ ${OS_CODENAME,,} = *"lunar"* ]]; then #(checks for upper and lower case)
TOMCAT_VERSION="tomcat9" TOMCAT_VERSION="tomcat9"
fi fi
# Uncomment to force a specific Tomcat version here. # Uncomment here to force a specific Tomcat version.
# TOMCAT_VERSION="tomcat9" # TOMCAT_VERSION="tomcat9"
# Standardise language for the the install of MySQL packages
if [[ -z "${MYSQL_VERSION}" ]]; then
# Use Linux distro default version.
MYSQLSRV="default-mysql-server default-mysql-client mysql-common" # Server
MYSQLCLIENT="default-mysql-client" # Client
DB_CMD="mysql" # mysql command is depricated
else
# Use official mariadb.org repo
MYSQLSRV="mariadb-server mariadb-client mariadb-common" # Server
MYSQLCLIENT="mariadb-client" # Client
DB_CMD="mariadb" # mysql command is depricated on newer versions
fi
# Standardise differing dependency package names and add any extra distro repositories for these if needed
# Current package names for various distros are referenced at https://guacamole.apache.org/doc/gug/installing-guacamole.html
JPEGTURBO=""
LIBPNG=""
if [[ $OS_NAME == "ubuntu" ]] || [[ $OS_NAME == *"ubuntu"* ]]; then # potentially expand out distro choices here
JPEGTURBO="libjpeg-turbo8-dev"
LIBPNG="libpng-dev"
# Just in case this repo is not added by default in the distro
sudo add-apt-repository -y universe &>>${INSTALL_LOG}
elif [[ $OS_NAME == "debian" ]] || [[ $OS_NAME == "raspbian" ]]; then # expand distro choices here if required
JPEGTURBO="libjpeg62-turbo-dev"
LIBPNG="libpng-dev"
fi
####################################################################################################################### #######################################################################################################################
# DO NOT EDIT PAST THIS POINT ######################################################################################### # DO NOT EDIT PAST THIS POINT! ########################################################################################
####################################################################################################################### #######################################################################################################################
# A default dns suffix is needed for initial prompts & default starting values.
get_domain_suffix() {
echo "$1" | awk '{print $2}'
}
# Search for "search" and "domain" entries in /etc/resolv.conf
search_line=$(grep -E '^search[[:space:]]+' /etc/resolv.conf)
domain_line=$(grep -E '^domain[[:space:]]+' /etc/resolv.conf)
# Check if both "search" and "domain" lines exist
if [[ -n "$search_line" ]] && [[ -n "$domain_line" ]]; then
# Both "search" and "domain" lines exist, extract the domain suffix from both
search_suffix=$(get_domain_suffix "$search_line")
domain_suffix=$(get_domain_suffix "$domain_line")
# Print the domain suffix that appears first
if [[ ${#search_suffix} -lt ${#domain_suffix} ]]; then
DOMAIN_SUFFIX=$search_suffix
else
DOMAIN_SUFFIX=$domain_suffix
fi
elif [[ -n "$search_line" ]]; then
# If only "search" line exists
DOMAIN_SUFFIX=$(get_domain_suffix "$search_line")
elif [[ -n "$domain_line" ]]; then
# If only "domain" line exists
DOMAIN_SUFFIX=$(get_domain_suffix "$domain_line")
else
# If no "search" or "domain" lines found
DOMAIN_SUFFIX="local"
fi
####################################################################################################################### #######################################################################################################################
# Begin install menu prompts ########################################################################################## # Begin install menu prompts ##########################################################################################
####################################################################################################################### #######################################################################################################################
@ -353,19 +350,10 @@ if [[ -z ${RDP_SHARE_HOST} ]]; then
RDP_SHARE_HOST=$SERVER_NAME RDP_SHARE_HOST=$SERVER_NAME
fi fi
clear
# Script branding header
echo
echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Itiligent"
echo
echo
# Prompt the user to install MySQL # Prompt the user to install MySQL
echo -e "${LGREEN}MySQL setup options:${GREY}" echo -e "${LGREEN}MySQL setup options:${GREY}"
if [[ -z ${INSTALL_MYSQL} ]]; then if [[ -z ${INSTALL_MYSQL} ]]; then
echo -e -n "SQL: Install MySQL locally? (to use a remote MySQL Server select 'n') [Y/n] [default y]: ${GREY}" echo -e -n "SQL: Install MySQL locally? (For a REMOTE MySQL server select 'n') [Y/n] [default y]: ${GREY}"
read PROMPT read PROMPT
if [[ ${PROMPT} =~ ^[Nn]$ ]]; then if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
INSTALL_MYSQL=false INSTALL_MYSQL=false
@ -385,18 +373,6 @@ if [[ -z ${SECURE_MYSQL} ]] && [[ "${INSTALL_MYSQL}" = true ]]; then
fi fi
fi fi
# Prompt the user to apply the Mysql secure installation to remote db
# This may be problematic on remote databases (for one-script upgrades) as this addition removes remote root login access - a good thing.
#if [[ -z ${SECURE_MYSQL} ]] && [[ "${INSTALL_MYSQL}" = false ]]; then
# echo -e -n "${GREY}SQL: Apply MySQL secure installation settings to REMOTE db? [y/N] [default n]: ${GREY}"
# read PROMPT
# if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
# SECURE_MYSQL=true
# else
# SECURE_MYSQL=false
# fi
#fi
# Get additional MYSQL values # Get additional MYSQL values
if [[ "${INSTALL_MYSQL}" = false ]]; then if [[ "${INSTALL_MYSQL}" = false ]]; then
[[ -z "${MYSQL_HOST}" ]] && [[ -z "${MYSQL_HOST}" ]] &&
@ -425,7 +401,6 @@ if [[ -z "${GUAC_USER}" ]]; then
GUAC_USER="guacamole_user" GUAC_USER="guacamole_user"
fi fi
echo -e ${LMAGENTA}
# Get MySQL root password, confirm correct password entry and prevent blank passwords. No root pw needed for remote instances. # Get MySQL root password, confirm correct password entry and prevent blank passwords. No root pw needed for remote instances.
if [[ -z "${MYSQL_ROOT_PWD}" ]] && [[ "${INSTALL_MYSQL}" = true ]]; then if [[ -z "${MYSQL_ROOT_PWD}" ]] && [[ "${INSTALL_MYSQL}" = true ]]; then
while true; do while true; do
@ -438,7 +413,6 @@ if [[ -z "${MYSQL_ROOT_PWD}" ]] && [[ "${INSTALL_MYSQL}" = true ]]; then
done done
fi fi
echo -e ${LCYAN}
# Get Guacamole User password, confirm correct password entry and prevent blank passwords # Get Guacamole User password, confirm correct password entry and prevent blank passwords
if [[ -z "${GUAC_PWD}" ]]; then if [[ -z "${GUAC_PWD}" ]]; then
while true; do while true; do
@ -451,7 +425,6 @@ if [[ -z "${GUAC_PWD}" ]]; then
done done
fi fi
echo -e ${GREY}
# Prompt for preferred backup notification email address # Prompt for preferred backup notification email address
if [[ -z ${BACKUP_EMAIL} ]]; then if [[ -z ${BACKUP_EMAIL} ]]; then
while true; do while true; do
@ -533,6 +506,7 @@ if [[ -z "${INSTALL_HISTREC}" ]]; then
INSTALL_HISTREC=false INSTALL_HISTREC=false
fi fi
fi fi
HISTREC_PATH_DEFAULT=/var/lib/guacamole/recordings # Apache default HISTREC_PATH_DEFAULT=/var/lib/guacamole/recordings # Apache default
if [[ -z ${HISTREC_PATH} ]] && [[ "${INSTALL_HISTREC}" = true ]]; then if [[ -z ${HISTREC_PATH} ]] && [[ "${INSTALL_HISTREC}" = true ]]; then
while true; do while true; do
@ -540,6 +514,7 @@ if [[ -z ${HISTREC_PATH} ]] && [[ "${INSTALL_HISTREC}" = true ]]; then
[[ "${HISTREC_PATH}" = "" ]] || [[ "${HISTREC_PATH}" != "" ]] && break [[ "${HISTREC_PATH}" = "" ]] || [[ "${HISTREC_PATH}" != "" ]] && break
done done
fi fi
# If no custom path is given, lets assume the default path on hitting enter # If no custom path is given, lets assume the default path on hitting enter
if [[ -z "${HISTREC_PATH}" ]]; then if [[ -z "${HISTREC_PATH}" ]]; then
HISTREC_PATH="${HISTREC_PATH_DEFAULT}" HISTREC_PATH="${HISTREC_PATH_DEFAULT}"
@ -561,7 +536,7 @@ fi
# Prompt to remove the trailing /guacamole dir from the default front end url # Prompt to remove the trailing /guacamole dir from the default front end url
if [[ "${INSTALL_NGINX}" = false ]]; then if [[ "${INSTALL_NGINX}" = false ]]; then
echo -e -n "FRONT END: Shorten Guacamole root url to *:8080 (& redirect to /guacamole ) [Y/n]? [default y]: " echo -e -n "FRONT END: Redirect the Tomcat http root url to /guacamole [Y/n]? [default y]: "
read PROMPT read PROMPT
if [[ ${PROMPT} =~ ^[Nn]$ ]]; then if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
GUAC_URL_REDIR=false GUAC_URL_REDIR=false
@ -573,7 +548,7 @@ fi
# We must assign a DNS name for the new proxy site # We must assign a DNS name for the new proxy site
if [[ -z ${PROXY_SITE} ]] && [[ "${INSTALL_NGINX}" = true ]]; then if [[ -z ${PROXY_SITE} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
while true; do while true; do
read -p "FRONT END: Enter proxy local DNS name? [Enter to use ${DEFAULT_FQDN}]: " PROXY_SITE read -p "FRONT END: Enter proxy LOCAL DNS name? [Enter to use ${DEFAULT_FQDN}]: " PROXY_SITE
[[ "${PROXY_SITE}" = "" ]] || [[ "${PROXY_SITE}" != "" ]] && break [[ "${PROXY_SITE}" = "" ]] || [[ "${PROXY_SITE}" != "" ]] && break
# Rather than allow the default value below, un-comment to alternately force user to enter an explicit name instead # Rather than allow the default value below, un-comment to alternately force user to enter an explicit name instead
# [[ "${PROXY_SITE}" != "" ]] && break # [[ "${PROXY_SITE}" != "" ]] && break
@ -598,7 +573,7 @@ if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
fi fi
fi fi
# Optional prompt to assign the self sign TLS certificate a custom expiry date, un-comment to force a manual entry # Optional prompt to manually enter a self sign TLS certificate expiry date, un-comment to force manual entry
#if [[ "${SELF_SIGN}" = true ]]; then #if [[ "${SELF_SIGN}" = true ]]; then
# read - p "PROXY: Enter number of days till TLS certificate expires [default 3650]: " CERT_DAYS # read - p "PROXY: Enter number of days till TLS certificate expires [default 3650]: " CERT_DAYS
#fi #fi
@ -622,7 +597,7 @@ fi
# Prompt for Let's Encrypt public dns name # Prompt for Let's Encrypt public dns name
if [[ -z ${LE_DNS_NAME} ]] && [[ "${LETS_ENCRYPT}" = true ]]; then if [[ -z ${LE_DNS_NAME} ]] && [[ "${LETS_ENCRYPT}" = true ]]; then
while true; do while true; do
read -p "FRONT END: Enter the FQDN for your public proxy site : " LE_DNS_NAME read -p "FRONT END: Enter the PUBLIC FQDN for your proxy site : " LE_DNS_NAME
[[ "${LE_DNS_NAME}" != "" ]] && break [[ "${LE_DNS_NAME}" != "" ]] && break
echo -e "${LRED}You must enter a public DNS name. Please try again.${GREY}" 1>&2 echo -e "${LRED}You must enter a public DNS name. Please try again.${GREY}" 1>&2
done done
@ -641,9 +616,6 @@ fi
# Start global setup actions ######################################################################################### # Start global setup actions #########################################################################################
####################################################################################################################### #######################################################################################################################
# Ubuntu and Debian each require different dependency packages.
# To adapt this script to other distros, research the correct library package names and reference these with their variable
# names shown here: https://guacamole.apache.org/doc/gug/installing-guacamole.html
clear clear
echo echo
echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup." echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup."
@ -653,25 +625,10 @@ echo
echo -e "${LGREEN}Beginning Guacamole setup...${GREY}" echo -e "${LGREEN}Beginning Guacamole setup...${GREY}"
echo echo
echo -e "${GREY}Checking Linux distro specific dependencies..."
if [[ $OS_FLAVOUR == "ubuntu" ]] || [[ $OS_FLAVOUR == *"ubuntu"* ]]; then # potentially expand out distro choices here
JPEGTURBO="libjpeg-turbo8-dev"
LIBPNG="libpng-dev"
# Just in case this repo is not added by default in the distro
sudo add-apt-repository -y universe &>>${INSTALL_LOG}
elif [[ $OS_FLAVOUR == "debian" ]] || [[ $OS_FLAVOUR == "raspbian" ]]; then # expand distro choices here if required
JPEGTURBO="libjpeg62-turbo-dev"
LIBPNG="libpng-dev"
fi
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1
else
echo -e "${LGREEN}OK${GREY}"
echo
fi
echo -e "${GREY}Synchronising the install script suite with selected settings for later standalone use..."
# Sync the various manual config scripts with the relevant variables selected at install # Sync the various manual config scripts with the relevant variables selected at install
# This way scripts can be run at a later time without modification to match the original install
sed -i "s|MYSQL_HOST=|MYSQL_HOST='${MYSQL_HOST}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|MYSQL_HOST=|MYSQL_HOST='${MYSQL_HOST}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|MYSQL_PORT=|MYSQL_PORT='${MYSQL_PORT}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|MYSQL_PORT=|MYSQL_PORT='${MYSQL_PORT}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/backup-guac.sh
@ -696,6 +653,22 @@ sed -i "s|MYSQL_ROOT_PWD=|MYSQL_ROOT_PWD='${MYSQL_ROOT_PWD}'|g" $DOWNLOAD_DIR/up
sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/upgrade-guac.sh sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
sed -i "s|GUAC_PWD=|GUAC_PWD='${GUAC_PWD}'|g" $DOWNLOAD_DIR/upgrade-guac.sh sed -i "s|GUAC_PWD=|GUAC_PWD='${GUAC_PWD}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/3-install-nginx.sh
sed -i "s|INSTALL_LOG=|INSTALL_LOG='${INSTALL_LOG}'|g" $DOWNLOAD_DIR/3-install-nginx.sh
sed -i "s|GUAC_URL=|GUAC_URL='${GUAC_URL}'|g" $DOWNLOAD_DIR/3-install-nginx.sh
sed -i "s|DOWNLOAD_DIR=|DOWNLOAD_DIR='${DOWNLOAD_DIR}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|GUAC_URL=|GUAC_URL='${GUAC_URL}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|INSTALL_LOG=|INSTALL_LOG='${INSTALL_LOG}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|DEFAULT_IP=|DEFAULT_IP='${DEFAULT_IP}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh
sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh
sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh
@ -705,9 +678,24 @@ sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/refresh-tls-se
sed -i "s|DEFAULT_IP=|DEFAULT_IP='${DEFAULT_IP}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh sed -i "s|DEFAULT_IP=|DEFAULT_IP='${DEFAULT_IP}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh
sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh
# Export the relevant variable selections to child install scripts sed -i "s|DOWNLOAD_DIR=|DOWNLOAD_DIR='${DOWNLOAD_DIR}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|GUAC_URL=|GUAC_URL='${GUAC_URL}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|LE_DNS_NAME=|LE_DNS_NAME='${LE_DNS_NAME}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|LE_EMAIL=|LE_EMAIL='${LE_EMAIL}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|INSTALL_LOG=|INSTALL_LOG='${INSTALL_LOG}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|LOCAL_DOMAIN=|LOCAL_DOMAIN='${LOCAL_DOMAIN}'|g" $DOWNLOAD_DIR/add-smtp-relay-o365.sh
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1
else
echo -e "${LGREEN}OK${GREY}"
echo
fi
# For flexibility, export the relevant variable selections to child install scripts
export DOWNLOAD_DIR="${DOWNLOAD_DIR}" export DOWNLOAD_DIR="${DOWNLOAD_DIR}"
export TMP_DIR=$TMP_DIR
export GUAC_VERSION=$GUAC_VERSION export GUAC_VERSION=$GUAC_VERSION
export GUAC_SOURCE_LINK=$GUAC_SOURCE_LINK export GUAC_SOURCE_LINK=$GUAC_SOURCE_LINK
export MYSQLJCON=$MYSQLJCON export MYSQLJCON=$MYSQLJCON
@ -716,8 +704,8 @@ export MYSQLSRV=$MYSQLSRV
export MYSQLCLIENT=$MYSQLCLIENT export MYSQLCLIENT=$MYSQLCLIENT
export DB_CMD=$DB_CMD export DB_CMD=$DB_CMD
export TOMCAT_VERSION=$TOMCAT_VERSION export TOMCAT_VERSION=$TOMCAT_VERSION
export INSTALL_LOG=$INSTALL_LOG
export GUAC_URL=$GUAC_URL export GUAC_URL=$GUAC_URL
export INSTALL_LOG=$INSTALL_LOG
export JPEGTURBO=$JPEGTURBO export JPEGTURBO=$JPEGTURBO
export LIBPNG=$LIBPNG export LIBPNG=$LIBPNG
export INSTALL_MYSQL=$INSTALL_MYSQL export INSTALL_MYSQL=$INSTALL_MYSQL
@ -738,17 +726,20 @@ export HISTREC_PATH="${HISTREC_PATH}"
export GUAC_URL_REDIR=$GUAC_URL_REDIR export GUAC_URL_REDIR=$GUAC_URL_REDIR
export INSTALL_NGINX=$INSTALL_NGINX export INSTALL_NGINX=$INSTALL_NGINX
export PROXY_SITE=$PROXY_SITE export PROXY_SITE=$PROXY_SITE
export DEFAULT_IP=$DEFAULT_IP
export CERT_COUNTRY=$CERT_COUNTRY export CERT_COUNTRY=$CERT_COUNTRY
export CERT_STATE="${CERT_STATE}" export CERT_STATE="${CERT_STATE}"
export CERT_LOCATION="${CERT_LOCATION}" export CERT_LOCATION="${CERT_LOCATION}"
export CERT_ORG="${CERT_ORG}" export CERT_ORG="${CERT_ORG}"
export CERT_OU="${CERT_OU}" export CERT_OU="${CERT_OU}"
export CERT_DAYS=$CERT_DAYS
export LE_DNS_NAME=$LE_DNS_NAME export LE_DNS_NAME=$LE_DNS_NAME
export LE_EMAIL=$LE_EMAIL export LE_EMAIL=$LE_EMAIL
export BACKUP_EMAIL=$BACKUP_EMAIL export BACKUP_EMAIL=$BACKUP_EMAIL
export RDP_SHARE_HOST="${RDP_SHARE_HOST}" export RDP_SHARE_HOST="${RDP_SHARE_HOST}"
export RDP_SHARE_LABEL="${RDP_SHARE_LABEL}" export RDP_SHARE_LABEL="${RDP_SHARE_LABEL}"
export RDP_PRINTER_LABEL="${RDP_PRINTER_LABEL}" export RDP_PRINTER_LABEL="${RDP_PRINTER_LABEL}"
export LOCAL_DOMAIN=$LOCAL_DOMAIN
# Run the Guacamole install script # Run the Guacamole install script
sudo -E ./2-install-guacamole.sh sudo -E ./2-install-guacamole.sh
@ -761,14 +752,14 @@ else
echo -e "${LGREEN}Guacamole install complete\nhttp://${PROXY_SITE}:8080/guacamole - login user/pass: guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" echo -e "${LGREEN}Guacamole install complete\nhttp://${PROXY_SITE}:8080/guacamole - login user/pass: guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi fi
# Add a Guacamole database backup (mon-fri 12:00am) into cron # Add a Guacamole database backup (mon-fri 12:00am) into the current user's cron
mv $DOWNLOAD_DIR/backup-guac.sh $DB_BACKUP_DIR mv $DOWNLOAD_DIR/backup-guac.sh $DB_BACKUP_DIR
crontab -l >cron_1 crontab -l >cron_1
# Remove any existing entry # Remove any existing entry just in case
sed -i '/# backup guacamole/d' cron_1 sed -i '/# backup guacamole/d' cron_1
# Create the job # Create the backup job
echo "0 0 * * 1-5 ${DB_BACKUP_DIR}/backup-guac.sh # backup guacamole" >>cron_1 echo "0 0 * * 1-5 ${DB_BACKUP_DIR}/backup-guac.sh # backup guacamole" >>cron_1
# Overwrite the cron settings and cleanup # Overwrite the old cron settings and cleanup
crontab cron_1 crontab cron_1
rm cron_1 rm cron_1
@ -784,7 +775,7 @@ fi
# Apply self signed TLS certificates to Nginx reverse proxy if option is selected # Apply self signed TLS certificates to Nginx reverse proxy if option is selected
if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]]; then if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]]; then
sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} | tee -a ${INSTALL_LOG} sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} ${DEFAULT_IP} | tee -a ${INSTALL_LOG}
echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi fi
@ -809,12 +800,7 @@ if [[ $INSTALL_LDAP == "true" ]]; then
fi fi
# Tidy up. (Installer and Nginx scripts can't be run again or standalone without modification, so removing.) # Tidy up. (Installer and Nginx scripts can't be run again or standalone without modification, so removing.)
rm -rf $USER_HOME_DIR/1-setup.sh mv $USER_HOME_DIR/1-setup.sh $DOWNLOAD_DIR
rm -f 2-install-guacamole.sh
rm -f 3-install-nginx.sh
rm -f 4a-install-tls-self-signed-nginx.sh
rm -f 4b-install-tls-letsencrypt-nginx.sh
sudo rm -rf $TMP_DIR
apt-get -y autoremove &>>${INSTALL_LOG} apt-get -y autoremove &>>${INSTALL_LOG}
# Done # Done


@ -33,7 +33,6 @@ fi
# Update everything but don't do the annoying prompts during apt installs # Update everything but don't do the annoying prompts during apt installs
echo -e "${GREY}Updating base Linux OS..." echo -e "${GREY}Updating base Linux OS..."
export DEBIAN_FRONTEND=noninteractive export DEBIAN_FRONTEND=noninteractive
apt-get update -qq &>>${INSTALL_LOG}
apt-get upgrade -qq -y &>>${INSTALL_LOG} apt-get upgrade -qq -y &>>${INSTALL_LOG}
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
@ -43,7 +42,7 @@ else
echo echo
fi fi
# Install Guacamole build dependencies. # Install official MariaDB repo and MariaDB version if a specific version number was provided.
if [[ -n "${MYSQL_VERSION}" ]]; then if [[ -n "${MYSQL_VERSION}" ]]; then
echo -e "${GREY}Adding the official MariaDB repository and installing version ${MYSQL_VERSION}..." echo -e "${GREY}Adding the official MariaDB repository and installing version ${MYSQL_VERSION}..."
# Add the Official MariaDB repo. # Add the Official MariaDB repo.
@ -59,6 +58,7 @@ if [[ -n "${MYSQL_VERSION}" ]]; then
fi fi
fi fi
# Install Guacamole build dependencies.
echo -e "${GREY}Installing dependencies required for building Guacamole, this might take a few minutes..." echo -e "${GREY}Installing dependencies required for building Guacamole, this might take a few minutes..."
apt-get -qq -y install ${MYSQLPKG} ${TOMCAT_VERSION} ${JPEGTURBO} ${LIBPNG} ufw pwgen wget expect \ apt-get -qq -y install ${MYSQLPKG} ${TOMCAT_VERSION} ${JPEGTURBO} ${LIBPNG} ufw pwgen wget expect \
build-essential libcairo2-dev libtool-bin uuid-dev libavcodec-dev libavformat-dev libavutil-dev \ build-essential libcairo2-dev libtool-bin uuid-dev libavcodec-dev libavformat-dev libavutil-dev \
@ -137,7 +137,6 @@ if [[ "${INSTALL_TOTP}" = true ]]; then
exit 1 exit 1
else else
tar -xzf guacamole-auth-totp-${GUAC_VERSION}.tar.gz tar -xzf guacamole-auth-totp-${GUAC_VERSION}.tar.gz
rm -f add-auth-totp.sh
echo -e "${LGREEN}Downloaded guacamole-auth-totp-${GUAC_VERSION}.tar.gz${GREY}" echo -e "${LGREEN}Downloaded guacamole-auth-totp-${GUAC_VERSION}.tar.gz${GREY}"
fi fi
fi fi
@ -151,7 +150,6 @@ if [[ "${INSTALL_DUO}" = true ]]; then
exit 1 exit 1
else else
tar -xzf guacamole-auth-duo-${GUAC_VERSION}.tar.gz tar -xzf guacamole-auth-duo-${GUAC_VERSION}.tar.gz
rm -f add-auth-duo.sh
echo -e "${LGREEN}Downloaded guacamole-auth-duo-${GUAC_VERSION}.tar.gz${GREY}" echo -e "${LGREEN}Downloaded guacamole-auth-duo-${GUAC_VERSION}.tar.gz${GREY}"
fi fi
fi fi
@ -165,7 +163,6 @@ if [[ "${INSTALL_LDAP}" = true ]]; then
exit 1 exit 1
else else
tar -xzf guacamole-auth-ldap-${GUAC_VERSION}.tar.gz tar -xzf guacamole-auth-ldap-${GUAC_VERSION}.tar.gz
rm -f add-auth-ldap.sh
echo -e "${LGREEN}Downloaded guacamole-auth-ldap-${GUAC_VERSION}.tar.gz${GREY}" echo -e "${LGREEN}Downloaded guacamole-auth-ldap-${GUAC_VERSION}.tar.gz${GREY}"
fi fi
fi fi
@ -179,7 +176,6 @@ if [[ "${INSTALL_QCONNECT}" = true ]]; then
exit 1 exit 1
else else
tar -xzf guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz tar -xzf guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz
rm -f add-xtra-quickconnect.sh
echo -e "${LGREEN}Downloaded guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz${GREY}" echo -e "${LGREEN}Downloaded guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz${GREY}"
fi fi
fi fi
@ -194,7 +190,6 @@ if [[ "${INSTALL_HISTREC}" = true ]]; then
exit 1 exit 1
else else
tar -xzf guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz tar -xzf guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz
rm -f add-xtra-histrecstor.sh
echo -e "${LGREEN}Downloaded guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz${GREY}" echo -e "${LGREEN}Downloaded guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz${GREY}"
fi fi
fi fi
@ -433,6 +428,7 @@ fi
# Set Tomcat to start at boot # Set Tomcat to start at boot
systemctl enable ${TOMCAT_VERSION} systemctl enable ${TOMCAT_VERSION}
# Begin the MySQL database config if this is a local MYSQL install only.
if [[ "${INSTALL_MYSQL}" = true ]]; then if [[ "${INSTALL_MYSQL}" = true ]]; then
# Set MySQL password # Set MySQL password
export MYSQL_PWD=${MYSQL_ROOT_PWD} export MYSQL_PWD=${MYSQL_ROOT_PWD}
@ -493,10 +489,9 @@ ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PWD';"
echo echo
fi fi
# This should stay as localhost in most local MySQL install situations. This setting determine from WHERE the new ${GUAC_USER} # This should stay as localhost in most local MySQL install situations. This setting determines from WHERE the new ${GUAC_USER}
# will be able to login to the database (either specific remote IPs or localhost only.) # will be able to login to the database (either from specific remote IPs or from localhost only.)
# However this setting can be quick and hacky way to build a backend guacamole database server for use behind another guac application server # However this setting can be a quick and hacky way to build a backend guacamole database server for use behind another guac application server, albeit with the full application suite installed). To do this, set GUAC_USERHost="%" for login access from all IPs, (or e.g. 192.168.1.% for an IP range.)
# (albeit with the full application suite installed). To do this, set GUAC_USERHost="%" for login access from all IPs, or e.g. 192.168.1.% for an IP range.
# You will also need to set the MySQL binding away from the default 127.0.0.1 to 0.0.0.0 or a specific external facing network interface to allow remote login. # You will also need to set the MySQL binding away from the default 127.0.0.1 to 0.0.0.0 or a specific external facing network interface to allow remote login.
if [[ "${MYSQL_HOST}" != "localhost" ]]; then if [[ "${MYSQL_HOST}" != "localhost" ]]; then
GUAC_USERHost="%" GUAC_USERHost="%"
@ -581,7 +576,7 @@ if [[ "${INSTALL_MYSQL}" = true ]]; then
fi fi
fi fi
# Create guacd.conf and locahost IP binding. # Create guacd.conf and localhost IP binding.
echo -e "${GREY}Binding guacd to 127.0.0.1 port 4822..." echo -e "${GREY}Binding guacd to 127.0.0.1 port 4822..."
cat >/etc/guacamole/guacd.conf <<-"EOF" cat >/etc/guacamole/guacd.conf <<-"EOF"
[server] [server]
@ -609,8 +604,9 @@ else
echo echo
fi fi
if [[ "${GUAC_URL_REDIR}" = true ]]; then # Redirect the Tomcat URL to its root to avoid typing the extra /guacamole path (if not using a reverse proxy)
echo -e "${GREY}Shortening the Guacamole root url and setting up redirect...${DGREY}" if [[ "${GUAC_URL_REDIR}" = true ]] && [[ "${INSTALL_NGINX}" = false ]]; then
echo -e "${GREY}Redirecting the Tomcat http root url to /guacamole...${DGREY}"
systemctl stop ${TOMCAT_VERSION} systemctl stop ${TOMCAT_VERSION}
mv /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html.old mv /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html.old
touch /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.jsp touch /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.jsp
@ -625,14 +621,14 @@ if [[ "${GUAC_URL_REDIR}" = true ]]; then
fi fi
fi fi
# Update Linux firewall
echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 8080..." echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 8080..."
sudo ufw default allow outgoing >/dev/null 2>&1 ufw default allow outgoing >/dev/null 2>&1
sudo ufw default deny incoming >/dev/null 2>&1 ufw default deny incoming >/dev/null 2>&1
sudo ufw allow OpenSSH >/dev/null 2>&1 ufw allow OpenSSH >/dev/null 2>&1
sudo ufw allow 8080/tcp >/dev/null 2>&1 ufw allow 8080/tcp >/dev/null 2>&1
echo "y" | sudo ufw enable >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1
# Reduce firewall logging noise ufw logging off >/dev/null 2>&1 # Reduce firewall logging noise
sudo ufw logging off >/dev/null 2>&1
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1 exit 1
@ -642,16 +638,10 @@ else
fi fi
# Cleanup # Cleanup
echo -e "${GREY}Cleanup install files...${GREY}" echo -e "${GREY}Cleaning up Guacamole source files...${GREY}"
rm -rf guacamole-* rm -rf guacamole-*
rm -rf mysql-connector-j-* rm -rf mysql-connector-j-*
rm -rf mariadb_repo_setup rm -rf mariadb_repo_setup
if [[ "${INSTALL_NGINX}" = false ]]; then
rm -f 3-install-nginx.sh
rm -f 4a-install-tls-self-signed-nginx.sh
rm -f 4b-install-tls-letsencrypt-nginx.sh
rm -f refresh-tls-self-signed.sh
fi
unset MYSQL_PWD unset MYSQL_PWD
apt-get -y remove expect &>>${INSTALL_LOG} apt-get -y remove expect &>>${INSTALL_LOG}
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
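Review bot: The firewall block's single status check, the `if [[ $? -ne 0 ]]` after `ufw logging off`, only reflects that last command, because every preceding `ufw` call sends both streams to /dev/null and its exit status is discarded; a failed `ufw enable` would leave the host with no inbound filtering while the script prints OK. Prefer logging failures instead of hiding them, e.g. `ufw --force enable >>"${INSTALL_LOG}" 2>&1 || { echo -e "${LRED}ufw enable failed. See ${INSTALL_LOG}${GREY}" 1>&2; exit 1; }`, which also drops the `sudo` that this one line still carries after the commit removed it from its siblings. Turning ufw logging fully off also discards the blocked-connection records an operator would want during incident response; `ufw logging low` keeps those while still suppressing per-packet noise. Separately, the `apt-get update` removed ahead of `apt-get upgrade` means the upgrade runs against whatever package index the host already has, unless 1-setup.sh now performs the update before handing over (not visible here); the if/else around the firewall check continues in the following hunk.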


@ -7,6 +7,9 @@
# August 2023 # August 2023
####################################################################################################################### #######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# To run standalone: sudo -E ./3-install-nginx.sh
# Prepare text output colours # Prepare text output colours
GREY='\033[0;37m' GREY='\033[0;37m'
DGREY='\033[0;90m' DGREY='\033[0;90m'
@ -16,13 +19,26 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m' LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour NC='\033[0m' #No Colour
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi
echo echo
echo echo
echo -e "${LGREEN}Installing Nginx...${DGREY}" echo -e "${LGREEN}Installing Nginx...${DGREY}"
echo echo
TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
PROXY_SITE=
INSTALL_LOG=
GUAC_URL=
# Install Nginx # Install Nginx
sudo apt-get install nginx -qq -y &>>${INSTALL_LOG} apt-get update -qq &>>${INSTALL_LOG}
apt-get install nginx -qq -y &>>${INSTALL_LOG}
echo -e "${GREY}Configuring Nginx as a reverse proxy for Guacamole's Apache Tomcat front end...${DGREY}" echo -e "${GREY}Configuring Nginx as a reverse proxy for Guacamole's Apache Tomcat front end...${DGREY}"
# Configure /etc/nginx/sites-available/(local dns site name) # Configure /etc/nginx/sites-available/(local dns site name)
@ -52,8 +68,8 @@ else
fi fi
# Force nginx to require tls1.2 and above # Force nginx to require tls1.2 and above
sudo sed -i -e '/ssl_protocols/s/^/#/' /etc/nginx/nginx.conf sed -i -e '/ssl_protocols/s/^/#/' /etc/nginx/nginx.conf
sudo sed -i "/SSL Settings/a \ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE" /etc/nginx/nginx.conf sed -i "/SSL Settings/a \ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE" /etc/nginx/nginx.conf
# Symlink from sites-available to sites-enabled # Symlink from sites-available to sites-enabled
ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/ ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/
@ -63,7 +79,7 @@ unlink /etc/nginx/sites-enabled/default
# Do mandatory Nginx tweaks for logging actual client IPs through a proxy IP of 127.0.0.1 - DO NOT CHANGE COMMAND FORMATING! # Do mandatory Nginx tweaks for logging actual client IPs through a proxy IP of 127.0.0.1 - DO NOT CHANGE COMMAND FORMATING!
echo -e "${GREY}Configuring Apache Tomcat valve for pass through of client IPs to Guacamole logs...${GREY}" echo -e "${GREY}Configuring Apache Tomcat valve for pass through of client IPs to Guacamole logs...${GREY}"
sudo sed -i '/pattern="%h %l %u %t &quot;%r&quot; %s %b"/a \ <!-- Allow host IP to pass through to guacamole.-->\n <Valve className="org.apache.catalina.valves.RemoteIpValve"\n internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1"\n remoteIpHeader="x-forwarded-for"\n remoteIpProxiesHeader="x-forwarded-by"\n protocolHeader="x-forwarded-proto" />' /etc/$TOMCAT_VERSION/server.xml sed -i '/pattern="%h %l %u %t &quot;%r&quot; %s %b"/a \ <!-- Allow host IP to pass through to guacamole.-->\n <Valve className="org.apache.catalina.valves.RemoteIpValve"\n internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1"\n remoteIpHeader="x-forwarded-for"\n remoteIpProxiesHeader="x-forwarded-by"\n protocolHeader="x-forwarded-proto" />' /etc/$TOMCAT_VERSION/server.xml
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1 exit 1
@ -73,8 +89,8 @@ else
fi fi
# Allow large file transfers through Nginx # Allow large file transfers through Nginx
sudo sed -i '/client_max_body_size/d' /etc/nginx/nginx.conf # remove this line if it already exists to prevent duplicates sed -i '/client_max_body_size/d' /etc/nginx/nginx.conf # remove this line if it already exists to prevent duplicates
sudo sed -i "/Basic Settings/a \ client_max_body_size 100000000M;" /etc/nginx/nginx.conf # Add the larger file transfer size sed -i "/Basic Settings/a \ client_max_body_size 100000000M;" /etc/nginx/nginx.conf # Add the larger file transfer size
echo -e "${GREY}Boosting Nginx's 'maximum body size' parameter to allow large file transfers...${GREY}" echo -e "${GREY}Boosting Nginx's 'maximum body size' parameter to allow large file transfers...${GREY}"
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
@ -86,11 +102,11 @@ fi
# Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network. # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network.
echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..." echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..."
sudo ufw default allow outgoing >/dev/null 2>&1 ufw default allow outgoing >/dev/null 2>&1
sudo ufw default deny incoming >/dev/null 2>&1 ufw default deny incoming >/dev/null 2>&1
sudo ufw allow OpenSSH >/dev/null 2>&1 ufw allow OpenSSH >/dev/null 2>&1
sudo ufw allow 80/tcp >/dev/null 2>&1 ufw allow 80/tcp >/dev/null 2>&1
sudo ufw delete allow 8080/tcp >/dev/null 2>&1 ufw delete allow 8080/tcp >/dev/null 2>&1
echo "y" | sudo ufw enable >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
@ -102,9 +118,9 @@ fi
# Reload everything # Reload everything
echo -e "${GREY}Restaring Guacamole & Ngnix..." echo -e "${GREY}Restaring Guacamole & Ngnix..."
sudo systemctl restart $TOMCAT_VERSION systemctl restart $TOMCAT_VERSION
sudo systemctl restart guacd systemctl restart guacd
sudo systemctl restart nginx systemctl restart nginx
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1 exit 1
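Review bot: The new placeholder block `PROXY_SITE=`, `INSTALL_LOG=`, `GUAC_URL=` is deliberately blank for the standalone case, but nothing verifies it was filled in: with an empty PROXY_SITE the later `ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/` links the whole sites-available directory, and an empty INSTALL_LOG turns every `&>>${INSTALL_LOG}` into an ambiguous redirect. A guard straight after the block, `: "${PROXY_SITE:?PROXY_SITE must be set}"`, `: "${INSTALL_LOG:?INSTALL_LOG must be set}"`, `: "${GUAC_URL:?GUAC_URL must be set}"`, fails fast with a clear message and does not affect the installer path, which substitutes the values. `TOMCAT_VERSION=$(ls /etc/ | grep tomcat)` is also fragile: if more than one tomcat directory exists under /etc the value becomes multi-line, and its unquoted use in the `sed -i ... /etc/$TOMCAT_VERSION/server.xml` line then splits into several paths; quoting the expansion and rejecting anything other than a single match (or iterating `/etc/tomcat*`) would be safer.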


@ -7,6 +7,14 @@
# April 2023 # April 2023
####################################################################################################################### #######################################################################################################################
# This script can be run multiple times to either install or update TLS settings and certificates.
# Change the name of the site or add/renew TLS certs by specifying command line arguments [dns.name] [cert-lifetime] [IP]
# e.g. sudo -E ./4a-install-tls-self-signed-nginx.sh proxy.domain.local 365 192.168.1.50
# Alternatively, run the script without any command arguments and the default variables below will apply
# e.g. sudo - E ./4a-install-tls-self-signed-nginx.sh
# Prepare text output colours # Prepare text output colours
GREY='\033[0;37m' GREY='\033[0;37m'
DGREY='\033[0;90m' DGREY='\033[0;90m'
@ -16,34 +24,62 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m' LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour NC='\033[0m' #No Colour
echo # Check if user is root or sudo
echo if ! [[ $(id -u) = 0 ]]; then
echo -e "${LGREEN}Setting up self signed TLS certificates for Nginx...${GREY}" echo
echo echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1
# Setup script cmd line arguments for proxy site and certificate days fi
TLSNAME=$1
TLSDAYS=$2
# Set default certificate file destinations. # Set default certificate file destinations.
DIR_SSL_CERT="/etc/nginx/ssl/cert" DIR_SSL_CERT="/etc/nginx/ssl/cert"
DIR_SSL_KEY="/etc/nginx/ssl/private" DIR_SSL_KEY="/etc/nginx/ssl/private"
TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
DOWNLOAD_DIR=
CERT_COUNTRY=
CERT_STATE=
CERT_LOCATION=
CERT_ORG=
CERT_OU=
GUAC_URL=
INSTALL_LOG=
PROXY_SITE=
CERT_DAYS=
DEFAULT_IP=
# Setup script cmd line arguments for proxy site and certificate days
TLSNAME=$1
TLSDAYS=$2
TLSIP=$3
# Assume the values set the guacamole installer if the script is run without any command line options
# Assume the values set the guacamole installer if the script is run without any command line options
if [[ -z "$1" ]] | [[ -z "$2" ]] | [[ -z "$3" ]]; then
TLSNAME=$PROXY_SITE
TLSDAYS=$CERT_DAYS
TLSIP=$DEFAULT_IP
fi
echo
echo
echo -e "${LGREEN}Setting up self signed TLS certificates for Nginx...${GREY}"
echo
# Make directories to place TLS Certificate if they don't exist # Make directories to place TLS Certificate if they don't exist
if [[ ! -d $DIR_SSL_KEY ]]; then if [[ ! -d $DIR_SSL_KEY ]]; then
sudo mkdir -p $DIR_SSL_KEY mkdir -p $DIR_SSL_KEY
fi fi
if [[ ! -d $DIR_SSL_CERT ]]; then if [[ ! -d $DIR_SSL_CERT ]]; then
sudo mkdir -p $DIR_SSL_CERT mkdir -p $DIR_SSL_CERT
fi fi
# Discover IPv4 interface
DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)
echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}" echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}"
# Display the new TLS cert parameters. # Display the new TLS cert parameters.
cat <<EOF | tee $TMP_DIR/cert_attributes.txt cat <<EOF | tee cert_attributes.txt
[req] [req]
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
x509_extensions = v3_req x509_extensions = v3_req
@ -65,12 +101,12 @@ subjectAltName = @alt_names
[alt_names] [alt_names]
DNS.1 = $TLSNAME DNS.1 = $TLSNAME
IP.1 = $DEFAULT_IP IP.1 = $TLSIP
EOF EOF
echo echo
echo "{$GREY}Creating a new Nginx TLS Certificate..." echo "{$GREY}Creating a new Nginx TLS Certificate..."
openssl req -x509 -nodes -newkey rsa:2048 -keyout $TLSNAME.key -out $TLSNAME.crt -days $TLSDAYS -config $TMP_DIR/cert_attributes.txt openssl req -x509 -nodes -newkey rsa:2048 -keyout $TLSNAME.key -out $TLSNAME.crt -days $TLSDAYS -config cert_attributes.txt
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1 exit 1
@ -80,12 +116,12 @@ else
fi fi
# Place TLS Certificate into the defined application path # Place TLS Certificate into the defined application path
sudo cp $TLSNAME.key $DIR_SSL_KEY/$TLSNAME.key cp $TLSNAME.key $DIR_SSL_KEY/$TLSNAME.key
sudo cp $TLSNAME.crt $DIR_SSL_CERT/$TLSNAME.crt cp $TLSNAME.crt $DIR_SSL_CERT/$TLSNAME.crt
# Create a PFX formatted key for easier import to Windows hosts and change permissions to enable copying elsewhere # Create a PFX formatted key for easier import to Windows hosts
echo -e "${GREY}Converting client certificates for Windows & Linux...${GREY}" echo -e "${GREY}Converting client certificates for Windows & Linux...${GREY}"
sudo openssl pkcs12 -export -out $TLSNAME.pfx -inkey $TLSNAME.key -in $TLSNAME.crt -password pass:1234 openssl pkcs12 -export -out $TLSNAME.pfx -inkey $TLSNAME.key -in $TLSNAME.crt -password pass:1234
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1 exit 1
@ -95,20 +131,21 @@ else
fi fi
# Change of permissions so certs can be copied via WinSCP. # Change of permissions so certs can be copied via WinSCP.
sudo chown $SUDO_USER:root $TLSNAME.pfx chown $SUDO_USER:root $TLSNAME.pfx
sudo chown $SUDO_USER:root $TLSNAME.crt chown $SUDO_USER:root $TLSNAME.crt
sudo chown $SUDO_USER:root $TLSNAME.key chown $SUDO_USER:root $TLSNAME.key
# Backup the current Nginx config before update # Backup the previous configuration
echo -e "${GREY}Backing up previous Nginx proxy to $DOWNLOAD_DIR/$TLSNAME-nginx.bak" if [ -f "/etc/nginx/sites-enabled/${TLSNAME}" ]; then
cp /etc/nginx/sites-enabled/${TLSNAME} $DOWNLOAD_DIR/${TLSNAME}-nginx.bak echo -e "${GREY}Backing up previous Nginx proxy config to $DOWNLOAD_DIR/${PROXY_SITE}-nginx.bak"
cp -f /etc/nginx/sites-enabled/${TLSNAME} $DOWNLOAD_DIR/${TLSNAME}-nginx.bak
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Warning: Failed to copy the Nginx site config.${GREY}" 1>&2
exit 1
else else
echo -e "${LGREEN}OK${GREY}" echo -e "${LGREEN}OK${GREY}"
echo echo
fi fi
fi
# Update Nginx config to accept the new certificates # Update Nginx config to accept the new certificates
echo -e "${GREY}Configuring Nginx proxy to use the self signed TLS certificate and setting up HTTP redirect...${DGREY}" echo -e "${GREY}Configuring Nginx proxy to use the self signed TLS certificate and setting up HTTP redirect...${DGREY}"
@ -158,13 +195,33 @@ else
echo echo
fi fi
# Find all enabled sites containing the $GUAC_URL and remove them to avoid conflicts
for x in /etc/nginx/sites-enabled/*; do
# Check inside each site candidate to see if the $GUAC_URL exists.
if [[ -f "${x}" ]]; then
if grep -qE "${GUAC_URL}" "${x}"; then
found_sites+=("${x}")
fi
fi
done
# Unlink all previous sites pointed to $GUAC_URL
if [ "${#found_sites[@]}" -gt 0 ]; then
for guacUrl in "${found_sites[@]}"; do
unlink "${guacUrl}"
done
fi
# Link to enable the new site configuration
ln -s /etc/nginx/sites-available/$TLSNAME /etc/nginx/sites-enabled/ >/dev/null 2>&1
# Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network. # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network.
echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..." echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..."
sudo ufw default allow outgoing >/dev/null 2>&1 ufw default allow outgoing >/dev/null 2>&1
sudo ufw default deny incoming >/dev/null 2>&1 ufw default deny incoming >/dev/null 2>&1
sudo ufw allow OpenSSH >/dev/null 2>&1 ufw allow OpenSSH >/dev/null 2>&1
sudo ufw allow 80/tcp >/dev/null 2>&1 ufw allow 80/tcp >/dev/null 2>&1
sudo ufw allow 443/tcp >/dev/null 2>&1 ufw allow 443/tcp >/dev/null 2>&1
echo "y" | sudo ufw enable >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
@ -174,11 +231,12 @@ else
echo echo
fi fi
# Reload everything # Reload everything and tidy up
echo -e "${GREY}Restaring Guacamole & Ngnix..." echo -e "${GREY}Restaring Guacamole & Ngnix..."
sudo systemctl restart $TOMCAT_VERSION systemctl restart $TOMCAT_VERSION
sudo systemctl restart guacd systemctl restart guacd
sudo systemctl restart nginx systemctl restart nginx
rm -f cert_attributes.txt
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1 exit 1
@ -195,7 +253,7 @@ printf "${GREY}+----------------------------------------------------------------
${LGREEN}+ WINDOWS CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY} ${LGREEN}+ WINDOWS CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+ +
+ 1. In ${DOWNLOAD_DIR} is a Windows version of the new certificate ${LYELLOW}$TLSNAME.pfx${GREY} + 1. In ${DOWNLOAD_DIR} is a Windows version of the new certificate ${LYELLOW}$TLSNAME.pfx${GREY}
+ 2. Import this PFX file into your Windows client with the below Powershell commands (as Administrator): + 2. Import this PFX file into your Windows client with the below PowerShell commands (as Administrator):
\n" \n"
echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText" echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText"
echo -e "Import-pfxCertificate -FilePath $TLSNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}"" echo -e "Import-pfxCertificate -FilePath $TLSNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}""
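Review bot: The `rm -f cert_attributes.txt` inserted at the end of the restart block sits between `systemctl restart nginx` and the `if [[ $? -ne 0 ]]` check, so `$?` now reflects the always-successful rm and a failed Nginx restart (for example a bad certificate path in the rewritten site config) is reported as OK; move the rm below the if/else, or capture the status first: `systemctl restart nginx; rc=$?; rm -f cert_attributes.txt; if [[ $rc -ne 0 ]]; then`. The argument fallback near the top of the file joins its three `[[ -z ... ]]` tests with single `|`, which builds a pipeline rather than a logical OR, so only `-z "$3"` decides the branch: `./4a-... proxy.local 365` silently takes the defaults for name and days, while `./4a-... "" "" 192.168.1.50` proceeds with an empty TLSNAME and writes `.key`/`.crt` files; that line should read `if [[ -z "$1" ]] || [[ -z "$2" ]] || [[ -z "$3" ]]; then`, followed by a `: "${TLSNAME:?}"` style guard so blank placeholders are caught before openssl runs. The site-unlinking loop also uses `grep -qE "${GUAC_URL}"`, which with a blank GUAC_URL placeholder matches every file and unlinks every enabled site; `grep -qF -- "${GUAC_URL}"` behind a non-empty check, with `found_sites=()` initialised before the loop, would limit the removal to sites that actually reference the Guacamole URL.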


@ -7,6 +7,9 @@
# April 2023 # April 2023
####################################################################################################################### #######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# To run standalone: sudo ./4b-install-tls-letsencrypt-nginx.sh
# Prepare text output colours # Prepare text output colours
GREY='\033[0;37m' GREY='\033[0;37m'
DGREY='\033[0;90m' DGREY='\033[0;90m'
@ -16,6 +19,15 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m' LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour NC='\033[0m' #No Colour
TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
DOWNLOAD_DIR=
PROXY_SITE=
GUAC_URL=
LE_DNS_NAME=
LE_EMAIL=
INSTALL_LOG=
echo echo
echo echo
echo -e "${LGREEN}Installing Let's Encrypt TLS configuration for Nginx...${GREY}" echo -e "${LGREEN}Installing Let's Encrypt TLS configuration for Nginx...${GREY}"
@ -67,11 +79,11 @@ fi
# Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network. # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network.
echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..." echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..."
sudo ufw default allow outgoing >/dev/null 2>&1 ufw default allow outgoing >/dev/null 2>&1
sudo ufw default deny incoming >/dev/null 2>&1 ufw default deny incoming >/dev/null 2>&1
sudo ufw allow OpenSSH >/dev/null 2>&1 ufw allow OpenSSH >/dev/null 2>&1
sudo ufw allow 80/tcp >/dev/null 2>&1 ufw allow 80/tcp >/dev/null 2>&1
sudo ufw allow 443/tcp >/dev/null 2>&1 ufw allow 443/tcp >/dev/null 2>&1
echo "y" | sudo ufw enable >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
@ -81,10 +93,10 @@ else
echo echo
fi fi
# Bounce Nginx to reload the new Nginx config so certbot config can continue # Reload the new Nginx config so as certbot can further ajust
systemctl restart nginx systemctl restart nginx
# Run certbot to create and associate certificates with currenly public IP (must have tcp 80 and 443 open to work) # Run certbot to create and associate certificates with current public IP (must have tcp 80 and 443 open to work!)
certbot --nginx -n -d $LE_DNS_NAME --email $LE_EMAIL --agree-tos --redirect --hsts certbot --nginx -n -d $LE_DNS_NAME --email $LE_EMAIL --agree-tos --redirect --hsts
echo -e echo -e
echo -e "${GREY}Let's Encrypt successfully installed, but check for any errors above (DNS & firewall are the usual culprits).${GREY}" echo -e "${GREY}Let's Encrypt successfully installed, but check for any errors above (DNS & firewall are the usual culprits).${GREY}"
@ -120,9 +132,9 @@ fi
# Reload everything once again # Reload everything once again
echo -e "${GREY}Restaring Guacamole & Ngnix..." echo -e "${GREY}Restaring Guacamole & Ngnix..."
sudo systemctl restart $TOMCAT_VERSION systemctl restart $TOMCAT_VERSION
sudo systemctl restart guacd systemctl restart guacd
sudo systemctl restart nginx systemctl restart nginx
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1 exit 1
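Review bot: There is no root check in this script even though the commit drops `sudo` from its `ufw`, `certbot` and `systemctl` calls and documents `sudo ./4b-install-tls-letsencrypt-nginx.sh` as the standalone invocation, whereas 3-install-nginx.sh and 4a-install-tls-self-signed-nginx.sh in the same commit both gain one; a non-root run here fails its firewall and restart steps silently (their output goes to /dev/null) and still prints the success messages. Add the same `if ! [[ $(id -u) = 0 ]]` guard the sibling scripts use, immediately after the colour definitions. The new placeholder block (`LE_DNS_NAME=`, `LE_EMAIL=`, ...) likewise has no check that it was filled in, so a blank standalone run reaches `certbot --nginx -n -d  --email  ...` with empty arguments; `: "${LE_DNS_NAME:?LE_DNS_NAME must be set}"` and `: "${LE_EMAIL:?LE_EMAIL must be set}"` would catch that up front. The certbot exit status is also never examined before the "successfully installed" message is printed; `certbot ... || { echo -e "${LRED}certbot failed. See output above.${GREY}" 1>&2; exit 1; }` would make the outcome of the TLS step explicit instead of relying on the operator to read the scrollback.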


@ -1,5 +1,5 @@
# Integrating Guacamole with Active Directory # Integrating Guacamole With Active Directory
## :arrows_clockwise: **Step 1: Ensure two-way LDAP traffic is available to the Guacamole application server** ## :arrows_clockwise: **Step 1: Ensure two-way LDAP traffic is available to the Guacamole application server**


@ -1,10 +1,10 @@
# Guacamole 1.5.3 VDI/Jump Server Appliance Build Script # Guacamole 1.5.3 VDI/Jump Server Appliance Build Script
<img src="https://github.githubassets.com/images/icons/emoji/sparkles.png" width="35"> This repo makes setting up a Guacamole a breeze. Its got installer support for TLS reverse proxy, Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, dark mode and custom UI templates, auto database backup, O365 email alerts and even fail2ban and internal daemon security hardening options. There's also code in here to get you up and running with an enterprise high availability deployment too! <img src="https://github.githubassets.com/images/icons/emoji/sparkles.png" width="35"> This repo makes setting up a Guacamole a breeze. Its got installer support for TLS reverse proxy, Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, dark mode and custom UI templates, auto database backup, O365 email alerts and even fail2ban and internal daemon security hardening options. There's also code in here to get you up and running with an enterprise high availability deployment if that's your thing!
## Automatic Installation ## Automatic Installation
<img src="https://github.githubassets.com/images/icons/emoji/rocket.png" width="35"> To start building your Guacamole appliance, paste the below link into a terminal and follow the prompts **(no need for sudo, but the user must be a member of the sudo group)**: <img src="https://github.githubassets.com/images/icons/emoji/rocket.png" width="35"> To start building your Guacamole appliance, paste the below link into a terminal and just follow the prompts **(no need for sudo, but the user must be a member of the sudo group)**:
```shell ```shell
wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh
@ -23,8 +23,6 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.
- DNS entries matching your default appliance network interface IP (essential for TLS). - DNS entries matching your default appliance network interface IP (essential for TLS).
- Open TCP ports: 22, 80, and 443. - Open TCP ports: 22, 80, and 443.
23.04, 22.04, 20.04 & 18.04
## Installation Menu ## Installation Menu
<img src="https://github.githubassets.com/images/icons/emoji/wrench.png" width="35"> **The main script guides you through the installation process in the following steps:** <img src="https://github.githubassets.com/images/icons/emoji/wrench.png" width="35"> **The main script guides you through the installation process in the following steps:**
@ -35,12 +33,17 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.
4. Select optional console features: Quick Connect & History Recorded Storage UI integrations. 4. Select optional console features: Quick Connect & History Recorded Storage UI integrations.
5. Decide on the Guacamole front end: Nginx reverse proxy (http or https) or keep the native Guacamole interface 5. Decide on the Guacamole front end: Nginx reverse proxy (http or https) or keep the native Guacamole interface
**For the more security minded, there's several post-install hardening script options available:**
- `add-fail2ban.sh`: Adds a lockdown policy for Guacamole to guard against brute force attacks. ## Managing self signed TLS certs with Nginx (the easy way!)
- `add-tls-guac-daemon.sh`: Wraps internal server daemon <--> guac application traffic in TLS.
- `add-auth-ldap.sh`: A template script for Active Directory integration. - **To change the reverse proxy dns name or IP:**
- `add-smtp-relay-o365.sh`: A template script for email alerts integrated with MSO65 (BYO app password). - Just re-run ` 4a-install-tls-self-signed-nginx.sh`as many times as you like (accompanying server and browser client certs will also be updated)
- **To renew certificates only, or change IP only:**
- Simply run `refresh-tls-self-signed-nginx.sh` as needed.
- **Above scripts will also:**
- Create and save new client browser certificates to `$HOME/guac-setup`
- Provide on-screen instructions for client certificate import (no more pesky browser warnings and that pro look).
## Active Directory Integration ## Active Directory Integration
@ -50,32 +53,42 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.
<img src="https://github.githubassets.com/images/icons/emoji/art.png" width="35"> **Want to give Guacamole your personal touch? Follow the theme and branding instructions** [here](https://github.com/itiligent/Guacamole-Install/tree/main/custom-theme-builder). <img src="https://github.githubassets.com/images/icons/emoji/art.png" width="35"> **Want to give Guacamole your personal touch? Follow the theme and branding instructions** [here](https://github.com/itiligent/Guacamole-Install/tree/main/custom-theme-builder).
## Custom Installation Notes ## Installation Instructions
<img src="https://github.githubassets.com/images/icons/emoji/unicode/2699.png" width="35"> <img src="https://github.githubassets.com/images/icons/emoji/unicode/2699.png" width="35">
1. Paste and run the wget autorun link in your home directory. ### **Paste and the wget autorun link, thats it! *But if* you want to make Guacamole your own and customise...**
2. Exit `1-setup.sh` at the first prompt. (At this point the scripts are downloaded only.) **Exit `1-setup.sh` at the first prompt**. All the configurable options can be found at the start of `1-setup.sh`. Certain combinations of edits will even produce an unattended install!
3. Customise the huge number of installation variables available in `1-setup.sh` as required. All options for customisation are found in the top sections of this script only. (Certain combinations of edits will even produce a fully unattended install!)
4. **Caution: If editing `1-setup.sh`, be aware that running the autorun link again re-downloads and overwrites all changes. You must run setup locally after editing.** (Also be sure to comment out the download links in the setup script for any other edited scripts. There should be little need to edit outside of the setup script's options.) **Other useful install notes:**
5. The **upgrade-guac.sh, add-tls-guac-daemon.sh, refresh-tls-self-signed.sh & backup-guac.sh** scripts are automatically adjusted at installation to match your chosen installation settings. These can be run after install without any modification. - **Caution: Be aware that running the auto-run link again re-downloads the suite of scripts and will overwrite your changes. You must run setup locally after editing the setup script.** (Also be sure to comment out the download links in the setup script for any other scripts you want to edit, but there should be little need to touch these.)
6. If the self-signed TLS proxy option is selected, browser client TLS certificates will be automatically created and saved to `$HOME/guac-setup`. - Many of the scripts in the suite are **automatically adjusted with your chosen installation settings** to form a matched & transportable set. This allows you to add extra features after installation whilst avoiding mismatches with the original install.
7. Note that Nginx is automatically configured to use TLS 1.2 or above (so really old browser versions may not work.) - Nginx is automatically configured to use TLS 1.2 or above (so really old browser versions may not work.)
8. A daily MySQL backup job will be automatically configured under the script owner's crontab. - A daily MySQL backup job will be automatically configured under the script owner's crontab.
9. **Security info:** The Quick Connect and History Recorded Storage options bring a few security implications; so be aware of potential risks in your particular environment. - **Security info:** The Quick Connect and History Recorded Storage options bring a few security implications; so be aware of potential risks in your particular environment.
**For the more security minded, there's several post-install hardening script options available:**
- `add-fail2ban.sh`: Adds a lockdown policy for Guacamole to guard against brute force attacks.
- `add-tls-guac-daemon.sh`: Wraps internal server daemon <--> guac application traffic in TLS.
- `add-auth-ldap.sh`: A template script for Active Directory integration.
- `add-smtp-relay-o365.sh`: A template script for email alerts integrated with MSO65 (BYO app password).
## Upgrading Guacamole ## Upgrading Guacamole
<img src="https://github.githubassets.com/images/icons/emoji/globe_with_meridians.png" width="35"> To upgrade Guacamole, edit `upgrade-guac.sh` to relfect the latest versions of Guacamole and MySQL connector/J before running it. This script will also automatically update the DUO, LDAP, TOTP, Quick Connect & History Recorded Storage extension if they are found to be present. <img src="https://github.githubassets.com/images/icons/emoji/globe_with_meridians.png" width="35"> To upgrade Guacamole, edit `upgrade-guac.sh` to relfect the latest versions of Guacamole and MySQL connector/J before running it. This script will also automatically update the installed extensions.
## Enterprise Scale Out & High Availability ## Enterprise Scale Out & High Availability
<img src="https://github.githubassets.com/images/icons/emoji/unicode/1f454.png" width="35"> For Enterprise deployments, did you know that Guacamole can be run in a load balanced farm? To achieve this, the database, application and front end components are usually **split into 2 or 3 layers.** (VLANs & firewalls between the layers helps with security too.) See [here](https://github.com/itiligent/Guacamole-Install/tree/main/guac-enterprise-build) for how to get started. <img src="https://github.githubassets.com/images/icons/emoji/unicode/1f454.png" width="35"> For Enterprise deployments, did you know that Guacamole can be run in a load balanced farm? To achieve this, the database, application and front end components are usually **split into 2 or 3 layers.** (VLANs & firewalls between the layers helps with security too.) See [here](https://github.com/itiligent/Guacamole-Install/tree/main/guac-enterprise-build) for how to get started.
- **For the DATABASE layer:** Find the included `install-mysql-backend-only.sh` to install a standalone instance of the Guacamole MySQL database for your backend. - **For the DATABASE layer:** Find the included `install-mysql-backend-only.sh` to install a standalone instance of the Guacamole MySQL database for your backend.
- **For the APPLICATION layer:** Simply use the main setup script to build as many application servers as you like. For a true 3 layer load balanced system, make sure to **say no to both the "Install MySQL locally" option and all Nginx front end options** so as only the Guacamole server and Apache Tomcat services are installed. - **For the APPLICATION layer:** Simply use the main setup script to build as many application servers as you like, just use the installer to point these to the backend database, making sure to **say no to both the "Install MySQL locally" option and any Nginx install options**.
- **For the Front end**: There are may choices here. You can slightly modify the Nginx scripts for a separate front end TLS layer, however **HA Proxy** provides far superior session affinity under load balanced conditions when compared to Open Source Nginx, but an Nginx Plus subscription gets you all the good stuff! There's so many possible ways to achieve this in hardware and software. There's plenty of config details in here to help you begin to roll your own HA solution. - **For the Front end**: There are so many choices available that are already very well documented. You could even take the (portable) Nginx scripts to build a separate TLS front end layer. Be aware that [HA Proxy](https://www.haproxy.org/) generally provides far superior session affinity and persistence under load balanced conditions [when compared to Open Source Nginx](https://www.nginx.com/products/nginx/compare-models/) as only Nginx Plus subscribers get all the proper load balancing stuff!)
### Installer script download manifest
## Auto Download Manifest
<img src="https://github.githubassets.com/images/icons/emoji/package.png" width="35"> The autorun link downloads these repo files into `$HOME/guac-setup`: <img src="https://github.githubassets.com/images/icons/emoji/package.png" width="35"> The autorun link downloads these repo files into `$HOME/guac-setup`:


@ -2,7 +2,7 @@
## Custom branding & theme instructions ## ## Custom branding & theme instructions ##
1. Install the Java JDK: `sudo apt update && sudo apt -y install default-jdk` 1. Install the Java JDK: `sudo apt update && sudo apt -y install default-jdk`
3. Modify `custom-theme.css` ,`guac-manifest.json`, `en.json` & `META-INF` as desired & add your logo .png files to the images directory. 3. Modify `custom-theme.css` ,`guac-manifest.json`, `en.json` & `META-INF` as desired & add your logos to the images directory. (Logos must be .png files.)
4. To commit your changes, run the below commands from within the custom-theme-builder directory, then refresh your browser to re-login to Guacamole: 4. To commit your changes, run the below commands from within the custom-theme-builder directory, then refresh your browser to re-login to Guacamole:
``` ```
# Run within the custom-theme-builder directory # Run within the custom-theme-builder directory


@ -51,7 +51,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
# Setup directory locations # Setup directory locations
mkdir -p $DOWNLOAD_DIR mkdir -p $DOWNLOAD_DIR
sudo chown -R $SUDO_USER:root $DOWNLOAD_DIR chown -R $SUDO_USER:root $DOWNLOAD_DIR
# Version of Guacamole auth jdbc database schema to use # Version of Guacamole auth jdbc database schema to use
GUAC_VERSION="1.5.3" GUAC_VERSION="1.5.3"


@ -49,7 +49,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
# Setup directory locations # Setup directory locations
mkdir -p $DOWNLOAD_DIR mkdir -p $DOWNLOAD_DIR
sudo chown -R $SUDO_USER:root $DOWNLOAD_DIR chown -R $SUDO_USER:root $DOWNLOAD_DIR
# Version of Guacamole to upgrade to. See https://guacamole.apache.org/releases/ for latest version info. # Version of Guacamole to upgrade to. See https://guacamole.apache.org/releases/ for latest version info.
NEW_GUAC_VERSION="1.5.3" NEW_GUAC_VERSION="1.5.3"


@ -19,7 +19,7 @@ clear
export PATH=/bin:/usr/bin:/usr/local/bin export PATH=/bin:/usr/bin:/usr/local/bin
TODAY=$(date +%Y-%m-%d) TODAY=$(date +%Y-%m-%d)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install # Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
MYSQL_HOST= MYSQL_HOST=
MYSQL_PORT= MYSQL_PORT=
GUAC_USER= GUAC_USER=


@ -6,10 +6,10 @@
# September 2023 # September 2023
####################################################################################################################### #######################################################################################################################
# If run with with no command arguments, the ${PROXY_SITE} ${CERT_DAYS} & ${Default_IP) values from original install are applied. # If run with with no command arguments, the ${PROXY_SITE}, ${CERT_DAYS} & ${Default_IP) values used during the
# e.g. sudo ./refresh-tls-self-signed-nginx.sh # the original install are applied. To keep these run: sudo ./refresh-tls-self-signed-nginx.sh
# #
# SCript can also be run with custom command line arguments for use with any TLS application: # This script can also be run with custom command line arguments for use with any TLS application:
# Command arguments are formatted as: [command] [FQDN] [cert-lifetime] [IP] # Command arguments are formatted as: [command] [FQDN] [cert-lifetime] [IP]
# e.g. sudo ./refresh-tls-self-signed-nginx.sh webserver.domain.local 365 192.168.1.1 # e.g. sudo ./refresh-tls-self-signed-nginx.sh webserver.domain.local 365 192.168.1.1
@ -50,7 +50,7 @@ TLSNAME=$1
TLSDAYS=$2 TLSDAYS=$2
TLSIP=$3 TLSIP=$3
# Auto updated values from main installer (manually update if blank) # Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
CERT_COUNTRY= CERT_COUNTRY=
CERT_STATE= CERT_STATE=
CERT_LOCATION= CERT_LOCATION=
@ -60,7 +60,7 @@ PROXY_SITE=
CERT_DAYS= CERT_DAYS=
DEFAULT_IP= DEFAULT_IP=
# Assume the values used by the guacamole installer if the script is run without any command line options # Assume the values set the guacamole installer if the script is run without any command line options
if [[ -z "$1" ]] | [[ -z "$2" ]] | [[ -z "$3" ]]; then if [[ -z "$1" ]] | [[ -z "$2" ]] | [[ -z "$3" ]]; then
TLSNAME=$PROXY_SITE TLSNAME=$PROXY_SITE
TLSDAYS=$CERT_DAYS TLSDAYS=$CERT_DAYS
@ -69,11 +69,11 @@ fi
# Make directories to place TLS Certificate if they don't exist # Make directories to place TLS Certificate if they don't exist
if [[ ! -d $DIR_SSL_KEY ]]; then if [[ ! -d $DIR_SSL_KEY ]]; then
sudo mkdir -p $DIR_SSL_KEY mkdir -p $DIR_SSL_KEY
fi fi
if [[ ! -d $DIR_SSL_CERT ]]; then if [[ ! -d $DIR_SSL_CERT ]]; then
sudo mkdir -p $DIR_SSL_CERT mkdir -p $DIR_SSL_CERT
fi fi
echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}" echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}"
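Review bot: The argument check at `if [[ -z "$1" ]] | [[ -z "$2" ]] | [[ -z "$3" ]]; then` uses the pipe operator `|` rather than `||`, so the status of the whole thing is that of its last stage (absent `pipefail`): the installer defaults are applied whenever `$3` is empty, and a call that supplies only an FQDN and lifetime silently issues a certificate for `$PROXY_SITE` instead of the name the operator typed. The comment this hunk rewords sits directly above that line and the commit leaves the operator as-is; the fix is `if [[ -z "$1" || -z "$2" || -z "$3" ]]; then`. The `mkdir -p $DIR_SSL_KEY` a few lines down creates the directory with the default umask and an unquoted expansion; if `$DIR_SSL_KEY` is where the private key lands, `mkdir -p -m 0700 "$DIR_SSL_KEY"` keeps it from being listable by other local users. The openssl invocation that consumes these values lies outside the hunk.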


@ -46,7 +46,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
# Setup directory locations # Setup directory locations
mkdir -p $DOWNLOAD_DIR mkdir -p $DOWNLOAD_DIR
sudo chown -R $SUDO_USER:root $DOWNLOAD_DIR chown -R $SUDO_USER:root $DOWNLOAD_DIR
# Version of Guacamole to upgrade to. See https://guacamole.apache.org/releases/ for latest version info. # Version of Guacamole to upgrade to. See https://guacamole.apache.org/releases/ for latest version info.
NEW_GUAC_VERSION="1.5.3" NEW_GUAC_VERSION="1.5.3"
@ -66,7 +66,7 @@ GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guac
# Install log Location # Install log Location
INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_${NEW_GUAC_VERSION}_upgrade.log" INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_${NEW_GUAC_VERSION}_upgrade.log"
# Auto updated values from main installer (manually update if blank) # Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
INSTALL_MYSQL= INSTALL_MYSQL=
MYSQL_HOST= MYSQL_HOST=
MYSQL_PORT= MYSQL_PORT=
@ -85,7 +85,7 @@ echo
# Start upgrade actions ############################################################################################## # Start upgrade actions ##############################################################################################
####################################################################################################################### #######################################################################################################################
sudo apt-get upgrade -qq -y apt-get upgrade -qq -y
# Stop tomcat and guacd # Stop tomcat and guacd
systemctl stop ${TOMCAT_VERSION} systemctl stop ${TOMCAT_VERSION}
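Review bot: `apt-get upgrade -qq -y` upgrades every package on the host as a side effect of a Guacamole upgrade, and its exit status is ignored before `systemctl stop ${TOMCAT_VERSION}` takes the service down; unless an `apt-get update` runs earlier outside the hunk it is also acting on a stale package index. At minimum gate it, `apt-get upgrade -qq -y || { echo "apt-get upgrade failed" >&2; exit 1; }`, or leave distro upgrades to the operator and keep this script to the Guacamole, connector and extension artifacts the README says it handles. Separately, `chown -R $SUDO_USER:root $DOWNLOAD_DIR` expands to `:root` when `SUDO_USER` is unset (a plain root shell, which dropping `sudo` now permits) and then silently changes only the group; if nothing outside the hunk checks that variable, a `: "${SUDO_USER:?run this script via sudo}"` guard and quoted expansions would make the intent explicit.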


@ -6,6 +6,8 @@
# April 2023 # April 2023
####################################################################################################################### #######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prepare text output colours # Prepare text output colours
GREY='\033[0;37m' GREY='\033[0;37m'
DGREY='\033[0;90m' DGREY='\033[0;90m'
@ -38,7 +40,7 @@ echo "duo-api-hostname: " >>/etc/guacamole/guacamole.properties
echo "duo-application-key: " >>/etc/guacamole/guacamole.properties echo "duo-application-key: " >>/etc/guacamole/guacamole.properties
echo echo
systemctl restart ${TOMCAT_VERSION} systemctl restart ${TOMCAT_VERSION}
sudo systemctl restart guacd systemctl restart guacd
echo -e "${LYELLOW}You must now set up your online Duo account with a new 'Web SDK' application." echo -e "${LYELLOW}You must now set up your online Duo account with a new 'Web SDK' application."
echo echo


@ -6,6 +6,8 @@
# April 2023 # April 2023
####################################################################################################################### #######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prepare text output colours # Prepare text output colours
GREY='\033[0;37m' GREY='\033[0;37m'
DGREY='\033[0;90m' DGREY='\033[0;90m'
@ -17,10 +19,9 @@ NC='\033[0m' #No Colour
clear clear
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then if ! [[ $(id -u) = 0 ]]; then
echo echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1 exit 1
fi fi
@ -49,7 +50,7 @@ echo
wget -q --show-progress -O guacamole-auth-ldap-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz wget -q --show-progress -O guacamole-auth-ldap-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz
tar -xzf guacamole-auth-ldap-${GUAC_VERSION}.tar.gz tar -xzf guacamole-auth-ldap-${GUAC_VERSION}.tar.gz
mv -f guacamole-auth-ldap-${GUAC_VERSION}/guacamole-auth-ldap-${GUAC_VERSION}.jar /etc/guacamole/extensions/ mv -f guacamole-auth-ldap-${GUAC_VERSION}/guacamole-auth-ldap-${GUAC_VERSION}.jar /etc/guacamole/extensions/
sudo chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${GUAC_VERSION}.jar chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${GUAC_VERSION}.jar
echo -e "${LGREEN}Installed guacamole-auth-ldap-${GUAC_VERSION}${GREY}" echo -e "${LGREEN}Installed guacamole-auth-ldap-${GUAC_VERSION}${GREY}"
echo echo
echo Adding the below config to /etc/guacamole/guacamole.properties echo Adding the below config to /etc/guacamole/guacamole.properties
@ -66,8 +67,8 @@ ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
ldap-max-search-results:200 ldap-max-search-results:200
EOF EOF
sudo systemctl restart ${TOMCAT_VERSION} systemctl restart ${TOMCAT_VERSION}
sudo systemctl restart guacd systemctl restart guacd
rm -rf guacamole-* rm -rf guacamole-*
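Review bot: The extension fetched at `wget -q --show-progress -O guacamole-auth-ldap-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/...` is unpacked and moved straight into `/etc/guacamole/extensions/` with no integrity check, so whatever the mirror redirector hands back is installed as root and loaded by the web application. Apache publishes a `.sha256` checksum and a PGP `.asc` signature alongside each release artifact; fetch the checksum from apache.org itself rather than the mirror and gate the `mv -f` on `sha256sum -c guacamole-auth-ldap-${GUAC_VERSION}.tar.gz.sha256 || exit 1`. `${GUAC_SOURCE_LINK}` is set outside this hunk, so whether the transfer itself is over TLS cannot be confirmed from here. The trailing `rm -rf guacamole-*` also globs whatever the current directory holds, and the hunk shows no `cd` pinning that directory; `rm -rf -- "guacamole-auth-ldap-${GUAC_VERSION}"*` limits it to what was just extracted.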


@ -6,6 +6,8 @@
# April 2023 # April 2023
####################################################################################################################### #######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prepare text output colours # Prepare text output colours
GREY='\033[0;37m' GREY='\033[0;37m'
DGREY='\033[0;90m' DGREY='\033[0;90m'
@ -17,10 +19,9 @@ NC='\033[0m' #No Colour
clear clear
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then if ! [[ $(id -u) = 0 ]]; then
echo echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1 exit 1
fi fi


@ -44,7 +44,7 @@ rm -f /tmp/fail2ban.update
# Prompt to install fail2ban base package with no policy as yet, default of yes # Prompt to install fail2ban base package with no policy as yet, default of yes
if [[ -z ${FAIL2BAN_BASE} ]]; then if [[ -z ${FAIL2BAN_BASE} ]]; then
echo echo
echo -e -n "${LGREEN}Install Fail2ban? (base package with no policy as yet) [default y]: ${GREY}" echo -e -n "${LGREEN}Install Fail2ban base package? [default y]: ${GREY}"
read PROMPT read PROMPT
if [[ ${PROMPT} =~ ^[Nn]$ ]]; then if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
FAIL2BAN_BASE=false FAIL2BAN_BASE=false
@ -94,8 +94,8 @@ fi
if [[ "${FAIL2BAN_BASE}" = true ]]; then if [[ "${FAIL2BAN_BASE}" = true ]]; then
#Update and install fail2ban (and john for management of config file updates, and not overwrite any existing settings) #Update and install fail2ban (and john for management of config file updates, and not overwrite any existing settings)
sudo apt-get update -qq >/dev/null 2>&1 apt-get update -qq >/dev/null 2>&1
sudo apt-get install fail2ban john -qq -y >/dev/null 2>&1 apt-get install fail2ban john -qq -y >/dev/null 2>&1
# Create the basic jail.local template and local subnet whitelist # Create the basic jail.local template and local subnet whitelist
cat >/tmp/fail2ban.conf <<EOF cat >/tmp/fail2ban.conf <<EOF
@ -192,7 +192,7 @@ if [[ "${FAIL2BAN_BASE}" = true ]]; then
rm -f /tmp/fail2ban.update rm -f /tmp/fail2ban.update
# bounce the service to reload the new config # bounce the service to reload the new config
sudo systemctl restart fail2ban systemctl restart fail2ban
# Done # Done
echo echo
@ -239,7 +239,7 @@ EOF
echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban \n \n This script may take a while to complete on first run..." echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban \n \n This script may take a while to complete on first run..."
# Bounce the service to reload the new config # Bounce the service to reload the new config
sudo systemctl restart fail2ban systemctl restart fail2ban
echo echo
fi fi
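Review bot: The install at `apt-get install fail2ban john -qq -y >/dev/null 2>&1` discards both output and exit status, so if the package install fails the script still writes the jail config, attempts `systemctl restart fail2ban` against a service that may not exist, and the later hunk still reports `Guacamole security policy applied`; a brute-force guard that silently failed to install is worse than an error. Gate it: `apt-get install fail2ban -qq -y >/dev/null 2>&1 || { echo -e "${LRED}fail2ban install failed${NC}" >&2; exit 1; }`, and give each `systemctl restart fail2ban` the same `|| exit 1` treatment. On Debian and Ubuntu the `john` package is the John the Ripper password cracker, which does not obviously match the comment's "management of config file updates"; unless something beyond this hunk invokes it, it should not be pulled onto a jump host at all.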


@ -6,6 +6,8 @@
# April 2023 # April 2023
####################################################################################################################### #######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prerequisites: # Prerequisites:
# An office 365 account with a mailbox (NON ADMIN!!) # An office 365 account with a mailbox (NON ADMIN!!)
# An app password created for the above office 365 user at https://mysignins.microsoft.com/security-info # An app password created for the above office 365 user at https://mysignins.microsoft.com/security-info
@ -20,18 +22,19 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m' LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour NC='\033[0m' #No Colour
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi
clear clear
SENDER=$SUDO_USER SENDER=$SUDO_USER
SERVER=$(uname -n) SERVER=$(uname -n)
DOMAIN_SEARCH_SUFFIX=$(grep search /etc/resolv.conf | grep -v "#" | sed 's/'search[[:space:]]'//') # Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
LOCAL_DOMAIN=
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi
echo echo
echo -e "${LYELLOW}SMTP relay for Office365 setup...${LGREEN}" echo -e "${LYELLOW}SMTP relay for Office365 setup...${LGREEN}"
@ -39,7 +42,7 @@ echo -e "${LYELLOW}SMTP relay for Office365 setup...${LGREEN}"
# Install Posfix # Install Posfix
echo echo
echo -e "${GREY}Installing Postfix with non-interactive defaults..." echo -e "${GREY}Installing Postfix with non-interactive defaults..."
sudo apt update -qq >/dev/null 2>&1 apt-get update -qq >/dev/null 2>&1
DEBIAN_FRONTEND="noninteractive" apt-get install postfix mailutils -qq -y >/dev/null 2>&1 DEBIAN_FRONTEND="noninteractive" apt-get install postfix mailutils -qq -y >/dev/null 2>&1
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Postfix install failed. ${GREY}" 1>&2 echo -e "${LRED}Postfix install failed. ${GREY}" 1>&2
@ -58,8 +61,8 @@ echo
echo echo
# Remove some default Postifx config items that conflict with new entries # Remove some default Postifx config items that conflict with new entries
sudo sed -i '/relayhost/d' /etc/postfix/main.cf sed -i '/relayhost/d' /etc/postfix/main.cf
sudo sed -i '/smtp_tls_security_level=may/d' /etc/postfix/main.cf sed -i '/smtp_tls_security_level=may/d' /etc/postfix/main.cf
# For simple relay outbound only, limit Postfix to just loopback and IPv4 # For simple relay outbound only, limit Postfix to just loopback and IPv4
sed -i 's/inet_interfaces = all/inet_interfaces = loopback-only/g' /etc/postfix/main.cf sed -i 's/inet_interfaces = all/inet_interfaces = loopback-only/g' /etc/postfix/main.cf
@ -88,28 +91,28 @@ else
fi fi
# Setup the password file and postmap # Setup the password file and postmap
sudo touch /etc/postfix/sasl_passwd touch /etc/postfix/sasl_passwd
cat <<EOF | sudo tee -a /etc/postfix/sasl_passwd >/dev/null 2>&1 cat <<EOF | sudo tee -a /etc/postfix/sasl_passwd >/dev/null 2>&1
[smtp.office365.com]:587 ${SMTP_EMAIL}:${APP_PWD} [smtp.office365.com]:587 ${SMTP_EMAIL}:${APP_PWD}
EOF EOF
sudo chown root:root /etc/postfix/sasl_passwd chown root:root /etc/postfix/sasl_passwd
sudo chmod 0600 /etc/postfix/sasl_passwd chmod 0600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd postmap /etc/postfix/sasl_passwd
# Setup the generic map file # Setup the generic map file
sudo touch /etc/postfix/generic touch /etc/postfix/generic
cat <<EOF | sudo tee -a /etc/postfix/generic >/dev/null 2>&1 cat <<EOF | sudo tee -a /etc/postfix/generic >/dev/null 2>&1
root@${SERVER} ${SMTP_EMAIL} root@${SERVER} ${SMTP_EMAIL}
${SENDER}@${SERVER} ${SMTP_EMAIL} ${SENDER}@${SERVER} ${SMTP_EMAIL}
@${DOMAIN_SEARCH_SUFFIX} ${SMTP_EMAIL} @${LOCAL_DOMAIN} ${SMTP_EMAIL}
EOF EOF
sudo chown root:root /etc/postfix/generic chown root:root /etc/postfix/generic
sudo chmod 0600 /etc/postfix/generic chmod 0600 /etc/postfix/generic
sudo postmap /etc/postfix/generic postmap /etc/postfix/generic
# Restart and test # Restart and test
echo -e "${GREY}Restarting Postfix..." echo -e "${GREY}Restarting Postfix..."
sudo systemctl restart postfix systemctl restart postfix
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
echo -e "${LRED}Postfix restart failed. ${GREY}" 1>&2 echo -e "${LRED}Postfix restart failed. ${GREY}" 1>&2
exit 1 exit 1
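Review bot: The credential write at `touch /etc/postfix/sasl_passwd` followed by the `tee -a` heredoc puts `${APP_PWD}` into a freshly created file that still carries the default-umask mode; the `chown root:root` and `chmod 0600` only run afterwards, so there is a window in which the mailbox app password is readable by any local user. Move the permission fix ahead of the write — `touch /etc/postfix/sasl_passwd && chmod 0600 /etc/postfix/sasl_passwd` before the `cat <<EOF` — and confirm the `postmap` output `sasl_passwd.db` ends up 0600 as well. `tee -a` appends on every run, so a re-run leaves superseded passwords in the file next to the new one; this script writes a single relay entry, so `>` rather than `-a` is what it actually needs. The two `sudo tee` invocations also survived the commit's `sudo` removal, and `@${LOCAL_DOMAIN}` yields a malformed generic-map line when the variable is left blank, which a `: "${LOCAL_DOMAIN:?set LOCAL_DOMAIN}"` guard would catch before Postfix is reconfigured.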


@ -21,14 +21,13 @@ NC='\033[0m' #No Colour
# Check if user is root or sudo # Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then if ! [[ $(id -u) = 0 ]]; then
echo echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1 exit 1
fi fi
TOMCAT_VERSION=$(ls /etc/ | grep tomcat) TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
RSA_KEY_LENGTH=2048 RSA_KEY_LENGTH=2048
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
# Auto updated values from main installer (manually update if blank)
CERT_COUNTRY= CERT_COUNTRY=
CERT_STATE= CERT_STATE=
CERT_LOCATION= CERT_LOCATION=


@ -6,6 +6,8 @@
# September 2023 # September 2023
####################################################################################################################### #######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prepare text output colours # Prepare text output colours
GREY='\033[0;37m' GREY='\033[0;37m'
DGREY='\033[0;90m' DGREY='\033[0;90m'
@ -20,7 +22,7 @@ clear
# Check if user is root or sudo # Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then if ! [[ $(id -u) = 0 ]]; then
echo echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1 exit 1
fi fi


@ -6,6 +6,8 @@
# September 2023 # September 2023
####################################################################################################################### #######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prepare text output colours # Prepare text output colours
GREY='\033[0;37m' GREY='\033[0;37m'
DGREY='\033[0;90m' DGREY='\033[0;90m'
@ -20,7 +22,7 @@ clear
# Check if user is root or sudo # Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then if ! [[ $(id -u) = 0 ]]; then
echo echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1 exit 1
fi fi