someorg/Easy-Guacamole-Installer
1
0
Fork 0
mirror of https://github.com/itiligent/Easy-Guacamole-Installer.git synced 2025-12-13 18:02:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Ubuntu 23 and Debian 12 ok

Browse source
This commit is contained in:
itiligent 2023-09-11 14:01:56 +10:00
parent d150332e63
commit 9967087257
21 changed files with 402 additions and 317 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

286
1-setup.sh
View file

@ -17,7 +17,7 @@
# Scripts with "add" in their name can be run post install to add optional features not included in the main install
# If something isn't working:
# tail -f /var/log/syslog /var/log/tomcat*/*.out guac-setup/guacamole_${GUAC_VERSION}_setup.log
# tail -f /var/log/syslog /var/log/tomcat*/*.out guac-setup/guacamole_setup.log
# Or for Guacamole debug mode & verbose logs in the console:
# sudo systemctl stop guacd && sudo /usr/local/sbin/guacd -L debug -f
@ -70,7 +70,8 @@ fi
USER_HOME_DIR=$(eval echo ~${SUDO_USER})
DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
DB_BACKUP_DIR=$USER_HOME_DIR/mysqlbackups
TMP_DIR=$DOWNLOAD_DIR/tmp
mkdir -p $DOWNLOAD_DIR
mkdir -p $DB_BACKUP_DIR
# GitHub download branch
GITHUB="https://raw.githubusercontent.com/itiligent/Guacamole-Install/main"
@ -87,75 +88,15 @@ GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guac
# See https://mariadb.org/mariadb/all-releases/ for available versions.
# Provide a specific MySQL version e.g. 11.1.2 or leave blank to use distro default MySQL packages.
MYSQL_VERSION=""
if [[ -z "${MYSQL_VERSION}" ]]; then
# Use Linux distro default version.
MYSQLSRV="default-mysql-server default-mysql-client mysql-common" # Server
MYSQLCLIENT="default-mysql-client" # Client
DB_CMD="mysql" # mysql command is depricated
else
# Use official mariadb.org repo
MYSQLSRV="mariadb-server mariadb-client mariadb-common" # Server
MYSQLCLIENT="mariadb-client" # Client
DB_CMD="mariadb" # mysql command is depricated on newer versions
fi
# Install log Location
INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_${GUAC_VERSION}_setup.log"
# Guacamole default install URL
GUAC_URL=http://localhost:8080/guacamole/
# Standardised language used for distro versions and dependencies allows a more maintainable approach should distros diverge.
# Here the variables for OS variant and library dependency names are initialised.
source /etc/os-release
OS_FLAVOUR=$ID
OS_VERSION=$VERSION_ID
OS_CODENAME=$VERSION_CODENAME
JPEGTURBO=""
LIBPNG=""
# A default route IP and dns search suffix is needed for initial prompts & default starting values.
# Get the default route interface IP
# Get the default route interface IP. Manually update for multi homed systems.
DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)
get_domain_suffix() {
echo "$1" | awk '{print $2}'
}
# Search for "search" and "domain" entries in /etc/resolv.conf
search_line=$(grep -E '^search[[:space:]]+' /etc/resolv.conf)
domain_line=$(grep -E '^domain[[:space:]]+' /etc/resolv.conf)
# Check if both "search" and "domain" lines exist
if [[ -n "$search_line" ]] && [[ -n "$domain_line" ]]; then
# Both "search" and "domain" lines exist, extract the domain suffix from both
search_suffix=$(get_domain_suffix "$search_line")
domain_suffix=$(get_domain_suffix "$domain_line")
# Print the domain suffix that appears first
if [[ ${#search_suffix} -lt ${#domain_suffix} ]]; then
DOMAIN_SUFFIX=$search_suffix
else
DOMAIN_SUFFIX=$domain_suffix
fi
elif [[ -n "$search_line" ]]; then
# If only "search" line exists
DOMAIN_SUFFIX=$(get_domain_suffix "$search_line")
elif [[ -n "$domain_line" ]]; then
# If only "domain" line exists
DOMAIN_SUFFIX=$(get_domain_suffix "$domain_line")
else
# If no "search" or "domain" lines found
DOMAIN_SUFFIX="local"
fi
# Setup directory locations
mkdir -p $DOWNLOAD_DIR
mkdir -p $DB_BACKUP_DIR
mkdir -p $TMP_DIR
# Script branding header
echo
echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Itiligent"
echo
echo
# Install log Location
INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_setup.log"
#######################################################################################################################
# Silent setup options - true/false or specific values below prevents prompt at install. EDIT TO SUIT #################
@ -200,9 +141,16 @@ RDP_PRINTER_LABEL="RDP Printer" # Custom Windows RDP printer label
# Download GitHub setup scripts. To prevent overwrite, COMMENT OUT LINES OF ANY SCRIPTS YOU HAVE EDITED. ##############
#######################################################################################################################
# Script branding header
echo
echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Itiligent"
echo
echo
# Download the set of config scripts from GitHub
cd $DOWNLOAD_DIR
echo -e "${GREY}Downloading setup files...${DGREY}"
echo -e "${GREY}Downloading the Guacamole build suite...${DGREY}"
wget -q --show-progress ${GITHUB}/2-install-guacamole.sh -O 2-install-guacamole.sh
wget -q --show-progress ${GITHUB}/3-install-nginx.sh -O 3-install-nginx.sh
wget -q --show-progress ${GITHUB}/4a-install-tls-self-signed-nginx.sh -O 4a-install-tls-self-signed-nginx.sh
@ -218,34 +166,28 @@ wget -q --show-progress ${GITHUB}/guac-optional-features/add-tls-guac-daemon.sh
wget -q --show-progress ${GITHUB}/guac-optional-features/add-fail2ban.sh -O add-fail2ban.sh
wget -q --show-progress ${GITHUB}/guac-management/backup-guac.sh -O backup-guac.sh
wget -q --show-progress ${GITHUB}/guac-management/upgrade-guac.sh -O upgrade-guac.sh
wget -q --show-progress ${GITHUB}/guac-management/refresh-tls-self-signed.sh -O refresh-tls-self-signed.sh
wget -q --show-progress ${GITHUB}/guac-management/refresh-tls-self-signed.sh -O refresh-tls-self-signed.sh
# Download the (customisable) dark theme & branding template
wget -q --show-progress ${GITHUB}/branding.jar -O branding.jar
chmod +x *.sh
sleep 3
clear
# Script branding header
echo
echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Itiligent"
echo
echo
# Pause here to optionally customise downloaded scripts before any actual install actions have began
echo -e "${LYELLOW}Ctrl+Z now to exit now if you wish to customise 1-setup.sh options or to setup an unattended install."
echo
echo
# Lets trigger a sudo prompt here for root credentials needed for the install - this keeps the install menu flow neat
# Set permissions for sudo and non sudo access to tmp setup files
sudo chmod -R 770 $TMP_DIR
sudo chown -R $SUDO_USER:root $TMP_DIR
#######################################################################################################################
# Determine the correct version of Tomcat use #########################################################################
# Logic for determining desired packages between distros & database options. Modify as Linux distros diverge ##########
#######################################################################################################################
# First lets trigger a sudo prompt to cache the admin credentials needed for the next installer steps
sudo apt-get update -qq &>>${INSTALL_LOG}
# Standardise the language used for distro versions
source /etc/os-release
OS_NAME=$ID
OS_VERSION=$VERSION_ID
OS_CODENAME=$VERSION_CODENAME
# Check for the latest version of Tomcat currently supported by the distro
if [[ $(apt-cache show tomcat10 2>/dev/null | egrep "Version: 10" | wc -l) -gt 0 ]]; then
TOMCAT_VERSION="tomcat10"
@ -259,24 +201,79 @@ else
fi
# Workaround for current Debian 12 & Tomcat 10 incompatibilities
if [[ ${OS_FLAVOUR,,} = "debian" ]] && [[ ${OS_CODENAME,,} = *"bookworm"* ]]; then #(checks for upper and lower case)
if [[ ${OS_NAME,,} = "debian" ]] && [[ ${OS_CODENAME,,} = *"bookworm"* ]]; then #(checks for upper and lower case)
# Add the oldstable repo and downgrade tomcat version install
echo "deb http://deb.debian.org/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/bullseye.list >/dev/null
TOMCAT_VERSION="tomcat9"
fi
# Workaround for Ubuntu 23.x & Tomcat 10 incompatibilities
if [[ ${OS_FLAVOUR,,} = "ubuntu" ]] && [[ ${OS_CODENAME,,} = *"lunar"* ]]; then #(checks for upper and lower case)
if [[ ${OS_NAME,,} = "ubuntu" ]] && [[ ${OS_CODENAME,,} = *"lunar"* ]]; then #(checks for upper and lower case)
TOMCAT_VERSION="tomcat9"
fi
# Uncomment to force a specific Tomcat version here.
# Uncomment here to force a specific Tomcat version.
# TOMCAT_VERSION="tomcat9"
# Standardise language for the the install of MySQL packages
if [[ -z "${MYSQL_VERSION}" ]]; then
# Use Linux distro default version.
MYSQLSRV="default-mysql-server default-mysql-client mysql-common" # Server
MYSQLCLIENT="default-mysql-client" # Client
DB_CMD="mysql" # mysql command is depricated
else
# Use official mariadb.org repo
MYSQLSRV="mariadb-server mariadb-client mariadb-common" # Server
MYSQLCLIENT="mariadb-client" # Client
DB_CMD="mariadb" # mysql command is depricated on newer versions
fi
# Standardise differing dependency package names and add any extra distro repositories for these if needed
# Current package names for various distros are referenced at https://guacamole.apache.org/doc/gug/installing-guacamole.html
JPEGTURBO=""
LIBPNG=""
if [[ $OS_NAME == "ubuntu" ]] || [[ $OS_NAME == *"ubuntu"* ]]; then # potentially expand out distro choices here
JPEGTURBO="libjpeg-turbo8-dev"
LIBPNG="libpng-dev"
# Just in case this repo is not added by default in the distro
sudo add-apt-repository -y universe &>>${INSTALL_LOG}
elif [[ $OS_NAME == "debian" ]] || [[ $OS_NAME == "raspbian" ]]; then # expand distro choices here if required
JPEGTURBO="libjpeg62-turbo-dev"
LIBPNG="libpng-dev"
fi
#######################################################################################################################
# DO NOT EDIT PAST THIS POINT #########################################################################################
# DO NOT EDIT PAST THIS POINT! ########################################################################################
#######################################################################################################################
# A default dns suffix is needed for initial prompts & default starting values.
get_domain_suffix() {
echo "$1" | awk '{print $2}'
}
# Search for "search" and "domain" entries in /etc/resolv.conf
search_line=$(grep -E '^search[[:space:]]+' /etc/resolv.conf)
domain_line=$(grep -E '^domain[[:space:]]+' /etc/resolv.conf)
# Check if both "search" and "domain" lines exist
if [[ -n "$search_line" ]] && [[ -n "$domain_line" ]]; then
# Both "search" and "domain" lines exist, extract the domain suffix from both
search_suffix=$(get_domain_suffix "$search_line")
domain_suffix=$(get_domain_suffix "$domain_line")
# Print the domain suffix that appears first
if [[ ${#search_suffix} -lt ${#domain_suffix} ]]; then
DOMAIN_SUFFIX=$search_suffix
else
DOMAIN_SUFFIX=$domain_suffix
fi
elif [[ -n "$search_line" ]]; then
# If only "search" line exists
DOMAIN_SUFFIX=$(get_domain_suffix "$search_line")
elif [[ -n "$domain_line" ]]; then
# If only "domain" line exists
DOMAIN_SUFFIX=$(get_domain_suffix "$domain_line")
else
# If no "search" or "domain" lines found
DOMAIN_SUFFIX="local"
fi
#######################################################################################################################
# Begin install menu prompts ##########################################################################################
#######################################################################################################################
@ -353,19 +350,10 @@ if [[ -z ${RDP_SHARE_HOST} ]]; then
RDP_SHARE_HOST=$SERVER_NAME
fi
clear
# Script branding header
echo
echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Itiligent"
echo
echo
# Prompt the user to install MySQL
echo -e "${LGREEN}MySQL setup options:${GREY}"
if [[ -z ${INSTALL_MYSQL} ]]; then
echo -e -n "SQL: Install MySQL locally? (to use a remote MySQL Server select 'n') [Y/n] [default y]: ${GREY}"
echo -e -n "SQL: Install MySQL locally? (For a REMOTE MySQL server select 'n') [Y/n] [default y]: ${GREY}"
read PROMPT
if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
INSTALL_MYSQL=false
@ -385,18 +373,6 @@ if [[ -z ${SECURE_MYSQL} ]] && [[ "${INSTALL_MYSQL}" = true ]]; then
fi
fi
# Prompt the user to apply the Mysql secure installation to remote db
# This may be problematic on remote databases (for one-script upgrades) as this addition removes remote root login access - a good thing.
#if [[ -z ${SECURE_MYSQL} ]] && [[ "${INSTALL_MYSQL}" = false ]]; then
# echo -e -n "${GREY}SQL: Apply MySQL secure installation settings to REMOTE db? [y/N] [default n]: ${GREY}"
# read PROMPT
# if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
# SECURE_MYSQL=true
# else
# SECURE_MYSQL=false
# fi
#fi
# Get additional MYSQL values
if [[ "${INSTALL_MYSQL}" = false ]]; then
[[ -z "${MYSQL_HOST}" ]] &&
@ -425,7 +401,6 @@ if [[ -z "${GUAC_USER}" ]]; then
GUAC_USER="guacamole_user"
fi
echo -e ${LMAGENTA}
# Get MySQL root password, confirm correct password entry and prevent blank passwords. No root pw needed for remote instances.
if [[ -z "${MYSQL_ROOT_PWD}" ]] && [[ "${INSTALL_MYSQL}" = true ]]; then
while true; do
@ -438,7 +413,6 @@ if [[ -z "${MYSQL_ROOT_PWD}" ]] && [[ "${INSTALL_MYSQL}" = true ]]; then
done
fi
echo -e ${LCYAN}
# Get Guacamole User password, confirm correct password entry and prevent blank passwords
if [[ -z "${GUAC_PWD}" ]]; then
while true; do
@ -451,7 +425,6 @@ if [[ -z "${GUAC_PWD}" ]]; then
done
fi
echo -e ${GREY}
# Prompt for preferred backup notification email address
if [[ -z ${BACKUP_EMAIL} ]]; then
while true; do
@ -533,6 +506,7 @@ if [[ -z "${INSTALL_HISTREC}" ]]; then
INSTALL_HISTREC=false
fi
fi
HISTREC_PATH_DEFAULT=/var/lib/guacamole/recordings # Apache default
if [[ -z ${HISTREC_PATH} ]] && [[ "${INSTALL_HISTREC}" = true ]]; then
while true; do
@ -540,6 +514,7 @@ if [[ -z ${HISTREC_PATH} ]] && [[ "${INSTALL_HISTREC}" = true ]]; then
[[ "${HISTREC_PATH}" = "" ]] || [[ "${HISTREC_PATH}" != "" ]] && break
done
fi
# If no custom path is given, lets assume the default path on hitting enter
if [[ -z "${HISTREC_PATH}" ]]; then
HISTREC_PATH="${HISTREC_PATH_DEFAULT}"
@ -561,7 +536,7 @@ fi
# Prompt to remove the trailing /guacamole dir from the default front end url
if [[ "${INSTALL_NGINX}" = false ]]; then
echo -e -n "FRONT END: Shorten Guacamole root url to *:8080 (& redirect to /guacamole ) [Y/n]? [default y]: "
echo -e -n "FRONT END: Redirect the Tomcat http root url to /guacamole [Y/n]? [default y]: "
read PROMPT
if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
GUAC_URL_REDIR=false
@ -573,7 +548,7 @@ fi
# We must assign a DNS name for the new proxy site
if [[ -z ${PROXY_SITE} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
while true; do
read -p "FRONT END: Enter proxy local DNS name? [Enter to use ${DEFAULT_FQDN}]: " PROXY_SITE
read -p "FRONT END: Enter proxy LOCAL DNS name? [Enter to use ${DEFAULT_FQDN}]: " PROXY_SITE
[[ "${PROXY_SITE}" = "" ]] || [[ "${PROXY_SITE}" != "" ]] && break
# Rather than allow the default value below, un-comment to alternately force user to enter an explicit name instead
# [[ "${PROXY_SITE}" != "" ]] && break
@ -598,7 +573,7 @@ if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
fi
fi
# Optional prompt to assign the self sign TLS certificate a custom expiry date, un-comment to force a manual entry
# Optional prompt to manually enter a self sign TLS certificate expiry date, un-comment to force manual entry
#if [[ "${SELF_SIGN}" = true ]]; then
# read - p "PROXY: Enter number of days till TLS certificate expires [default 3650]: " CERT_DAYS
#fi
@ -622,7 +597,7 @@ fi
# Prompt for Let's Encrypt public dns name
if [[ -z ${LE_DNS_NAME} ]] && [[ "${LETS_ENCRYPT}" = true ]]; then
while true; do
read -p "FRONT END: Enter the FQDN for your public proxy site : " LE_DNS_NAME
read -p "FRONT END: Enter the PUBLIC FQDN for your proxy site : " LE_DNS_NAME
[[ "${LE_DNS_NAME}" != "" ]] && break
echo -e "${LRED}You must enter a public DNS name. Please try again.${GREY}" 1>&2
done
@ -641,9 +616,6 @@ fi
# Start global setup actions #########################################################################################
#######################################################################################################################
# Ubuntu and Debian each require different dependency packages.
# To adapt this script to other distros, research the correct library package names and reference these with their variable
# names shown here: https://guacamole.apache.org/doc/gug/installing-guacamole.html
clear
echo
echo -e "${GREYB}Guacamole VDI & Jump Server Appliance Setup."
@ -653,25 +625,10 @@ echo
echo -e "${LGREEN}Beginning Guacamole setup...${GREY}"
echo
echo -e "${GREY}Checking Linux distro specific dependencies..."
if [[ $OS_FLAVOUR == "ubuntu" ]] || [[ $OS_FLAVOUR == *"ubuntu"* ]]; then # potentially expand out distro choices here
JPEGTURBO="libjpeg-turbo8-dev"
LIBPNG="libpng-dev"
# Just in case this repo is not added by default in the distro
sudo add-apt-repository -y universe &>>${INSTALL_LOG}
elif [[ $OS_FLAVOUR == "debian" ]] || [[ $OS_FLAVOUR == "raspbian" ]]; then # expand distro choices here if required
JPEGTURBO="libjpeg62-turbo-dev"
LIBPNG="libpng-dev"
fi
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1
else
echo -e "${LGREEN}OK${GREY}"
echo
fi
echo -e "${GREY}Synchronising the install script suite with selected settings for later standalone use..."
# Sync the various manual config scripts with the relevant variables selected at install
# This way scripts can be run at a later time without modification to match the original install
sed -i "s|MYSQL_HOST=|MYSQL_HOST='${MYSQL_HOST}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|MYSQL_PORT=|MYSQL_PORT='${MYSQL_PORT}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/backup-guac.sh
@ -696,6 +653,22 @@ sed -i "s|MYSQL_ROOT_PWD=|MYSQL_ROOT_PWD='${MYSQL_ROOT_PWD}'|g" $DOWNLOAD_DIR/up
sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
sed -i "s|GUAC_PWD=|GUAC_PWD='${GUAC_PWD}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/3-install-nginx.sh
sed -i "s|INSTALL_LOG=|INSTALL_LOG='${INSTALL_LOG}'|g" $DOWNLOAD_DIR/3-install-nginx.sh
sed -i "s|GUAC_URL=|GUAC_URL='${GUAC_URL}'|g" $DOWNLOAD_DIR/3-install-nginx.sh
sed -i "s|DOWNLOAD_DIR=|DOWNLOAD_DIR='${DOWNLOAD_DIR}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|GUAC_URL=|GUAC_URL='${GUAC_URL}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|INSTALL_LOG=|INSTALL_LOG='${INSTALL_LOG}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|DEFAULT_IP=|DEFAULT_IP='${DEFAULT_IP}'|g" $DOWNLOAD_DIR/4a-install-tls-self-signed-nginx.sh
sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh
sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh
sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh
@ -705,9 +678,24 @@ sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/refresh-tls-se
sed -i "s|DEFAULT_IP=|DEFAULT_IP='${DEFAULT_IP}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh
sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/refresh-tls-self-signed.sh
# Export the relevant variable selections to child install scripts
sed -i "s|DOWNLOAD_DIR=|DOWNLOAD_DIR='${DOWNLOAD_DIR}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|PROXY_SITE=|PROXY_SITE='${PROXY_SITE}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|GUAC_URL=|GUAC_URL='${GUAC_URL}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|LE_DNS_NAME=|LE_DNS_NAME='${LE_DNS_NAME}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|LE_EMAIL=|LE_EMAIL='${LE_EMAIL}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|INSTALL_LOG=|INSTALL_LOG='${INSTALL_LOG}'|g" $DOWNLOAD_DIR/4b-install-tls-letsencrypt-nginx.sh
sed -i "s|LOCAL_DOMAIN=|LOCAL_DOMAIN='${LOCAL_DOMAIN}'|g" $DOWNLOAD_DIR/add-smtp-relay-o365.sh
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1
else
echo -e "${LGREEN}OK${GREY}"
echo
fi
# For flexibility, export the relevant variable selections to child install scripts
export DOWNLOAD_DIR="${DOWNLOAD_DIR}"
export TMP_DIR=$TMP_DIR
export GUAC_VERSION=$GUAC_VERSION
export GUAC_SOURCE_LINK=$GUAC_SOURCE_LINK
export MYSQLJCON=$MYSQLJCON
@ -716,8 +704,8 @@ export MYSQLSRV=$MYSQLSRV
export MYSQLCLIENT=$MYSQLCLIENT
export DB_CMD=$DB_CMD
export TOMCAT_VERSION=$TOMCAT_VERSION
export INSTALL_LOG=$INSTALL_LOG
export GUAC_URL=$GUAC_URL
export INSTALL_LOG=$INSTALL_LOG
export JPEGTURBO=$JPEGTURBO
export LIBPNG=$LIBPNG
export INSTALL_MYSQL=$INSTALL_MYSQL
@ -738,17 +726,20 @@ export HISTREC_PATH="${HISTREC_PATH}"
export GUAC_URL_REDIR=$GUAC_URL_REDIR
export INSTALL_NGINX=$INSTALL_NGINX
export PROXY_SITE=$PROXY_SITE
export DEFAULT_IP=$DEFAULT_IP
export CERT_COUNTRY=$CERT_COUNTRY
export CERT_STATE="${CERT_STATE}"
export CERT_LOCATION="${CERT_LOCATION}"
export CERT_ORG="${CERT_ORG}"
export CERT_OU="${CERT_OU}"
export CERT_DAYS=$CERT_DAYS
export LE_DNS_NAME=$LE_DNS_NAME
export LE_EMAIL=$LE_EMAIL
export BACKUP_EMAIL=$BACKUP_EMAIL
export RDP_SHARE_HOST="${RDP_SHARE_HOST}"
export RDP_SHARE_LABEL="${RDP_SHARE_LABEL}"
export RDP_PRINTER_LABEL="${RDP_PRINTER_LABEL}"
export LOCAL_DOMAIN=$LOCAL_DOMAIN
# Run the Guacamole install script
sudo -E ./2-install-guacamole.sh
@ -761,14 +752,14 @@ else
echo -e "${LGREEN}Guacamole install complete\nhttp://${PROXY_SITE}:8080/guacamole - login user/pass: guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi
# Add a Guacamole database backup (mon-fri 12:00am) into cron
# Add a Guacamole database backup (mon-fri 12:00am) into the current user's cron
mv $DOWNLOAD_DIR/backup-guac.sh $DB_BACKUP_DIR
crontab -l >cron_1
# Remove any existing entry
# Remove any existing entry just in case
sed -i '/# backup guacamole/d' cron_1
# Create the job
# Create the backup job
echo "0 0 * * 1-5 ${DB_BACKUP_DIR}/backup-guac.sh # backup guacamole" >>cron_1
# Overwrite the cron settings and cleanup
# Overwrite the old cron settings and cleanup
crontab cron_1
rm cron_1
@ -784,7 +775,7 @@ fi
# Apply self signed TLS certificates to Nginx reverse proxy if option is selected
if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]]; then
sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} | tee -a ${INSTALL_LOG}
sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} ${DEFAULT_IP} | tee -a ${INSTALL_LOG}
echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi
@ -809,12 +800,7 @@ if [[ $INSTALL_LDAP == "true" ]]; then
fi
# Tidy up. (Installer and Nginx scripts can't be run again or standalone without modification, so removing.)
rm -rf $USER_HOME_DIR/1-setup.sh
rm -f 2-install-guacamole.sh
rm -f 3-install-nginx.sh
rm -f 4a-install-tls-self-signed-nginx.sh
rm -f 4b-install-tls-letsencrypt-nginx.sh
sudo rm -rf $TMP_DIR
mv $USER_HOME_DIR/1-setup.sh $DOWNLOAD_DIR
apt-get -y autoremove &>>${INSTALL_LOG}
# Done

44
2-install-guacamole.sh
View file

@ -33,7 +33,6 @@ fi
# Update everything but don't do the annoying prompts during apt installs
echo -e "${GREY}Updating base Linux OS..."
export DEBIAN_FRONTEND=noninteractive
apt-get update -qq &>>${INSTALL_LOG}
apt-get upgrade -qq -y &>>${INSTALL_LOG}
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
@ -43,7 +42,7 @@ else
echo
fi
# Install Guacamole build dependencies.
# Install official MariaDB repo and MariaDB version if a specific version number was provided.
if [[ -n "${MYSQL_VERSION}" ]]; then
echo -e "${GREY}Adding the official MariaDB repository and installing version ${MYSQL_VERSION}..."
# Add the Official MariaDB repo.
@ -59,6 +58,7 @@ if [[ -n "${MYSQL_VERSION}" ]]; then
fi
fi
# Install Guacamole build dependencies.
echo -e "${GREY}Installing dependencies required for building Guacamole, this might take a few minutes..."
apt-get -qq -y install ${MYSQLPKG} ${TOMCAT_VERSION} ${JPEGTURBO} ${LIBPNG} ufw pwgen wget expect \
build-essential libcairo2-dev libtool-bin uuid-dev libavcodec-dev libavformat-dev libavutil-dev \
@ -137,7 +137,6 @@ if [[ "${INSTALL_TOTP}" = true ]]; then
exit 1
else
tar -xzf guacamole-auth-totp-${GUAC_VERSION}.tar.gz
rm -f add-auth-totp.sh
echo -e "${LGREEN}Downloaded guacamole-auth-totp-${GUAC_VERSION}.tar.gz${GREY}"
fi
fi
@ -151,7 +150,6 @@ if [[ "${INSTALL_DUO}" = true ]]; then
exit 1
else
tar -xzf guacamole-auth-duo-${GUAC_VERSION}.tar.gz
rm -f add-auth-duo.sh
echo -e "${LGREEN}Downloaded guacamole-auth-duo-${GUAC_VERSION}.tar.gz${GREY}"
fi
fi
@ -165,7 +163,6 @@ if [[ "${INSTALL_LDAP}" = true ]]; then
exit 1
else
tar -xzf guacamole-auth-ldap-${GUAC_VERSION}.tar.gz
rm -f add-auth-ldap.sh
echo -e "${LGREEN}Downloaded guacamole-auth-ldap-${GUAC_VERSION}.tar.gz${GREY}"
fi
fi
@ -179,7 +176,6 @@ if [[ "${INSTALL_QCONNECT}" = true ]]; then
exit 1
else
tar -xzf guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz
rm -f add-xtra-quickconnect.sh
echo -e "${LGREEN}Downloaded guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz${GREY}"
fi
fi
@ -194,7 +190,6 @@ if [[ "${INSTALL_HISTREC}" = true ]]; then
exit 1
else
tar -xzf guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz
rm -f add-xtra-histrecstor.sh
echo -e "${LGREEN}Downloaded guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz${GREY}"
fi
fi
@ -433,6 +428,7 @@ fi
# Set Tomcat to start at boot
systemctl enable ${TOMCAT_VERSION}
# Begin the MySQL database config if this is a local MYSQL install only.
if [[ "${INSTALL_MYSQL}" = true ]]; then
# Set MySQL password
export MYSQL_PWD=${MYSQL_ROOT_PWD}
@ -493,10 +489,9 @@ ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PWD';"
echo
fi
# This should stay as localhost in most local MySQL install situations. This setting determine from WHERE the new ${GUAC_USER}
# will be able to login to the database (either specific remote IPs or localhost only.)
# However this setting can be quick and hacky way to build a backend guacamole database server for use behind another guac application server
# (albeit with the full application suite installed). To do this, set GUAC_USERHost="%" for login access from all IPs, or e.g. 192.168.1.% for an IP range.
# This should stay as localhost in most local MySQL install situations. This setting determines from WHERE the new ${GUAC_USER}
# will be able to login to the database (either from specific remote IPs or from localhost only.)
# However this setting can be a quick and hacky way to build a backend guacamole database server for use behind another guac application server, albeit with the full application suite installed). To do this, set GUAC_USERHost="%" for login access from all IPs, (or e.g. 192.168.1.% for an IP range.)
# You will also need to set the MySQL binding away from the default 127.0.0.1 to 0.0.0.0 or a specific external facing network interface to allow remote login.
if [[ "${MYSQL_HOST}" != "localhost" ]]; then
GUAC_USERHost="%"
@ -581,7 +576,7 @@ if [[ "${INSTALL_MYSQL}" = true ]]; then
fi
fi
# Create guacd.conf and locahost IP binding.
# Create guacd.conf and localhost IP binding.
echo -e "${GREY}Binding guacd to 127.0.0.1 port 4822..."
cat >/etc/guacamole/guacd.conf <<-"EOF"
[server]
@ -609,8 +604,9 @@ else
echo
fi
if [[ "${GUAC_URL_REDIR}" = true ]]; then
echo -e "${GREY}Shortening the Guacamole root url and setting up redirect...${DGREY}"
# Redirect the Tomcat URL to its root to avoid typing the extra /guacamole path (if not using a reverse proxy)
if [[ "${GUAC_URL_REDIR}" = true ]] && [[ "${INSTALL_NGINX}" = false ]]; then
echo -e "${GREY}Redirecting the Tomcat http root url to /guacamole...${DGREY}"
systemctl stop ${TOMCAT_VERSION}
mv /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html.old
touch /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.jsp
@ -625,14 +621,14 @@ if [[ "${GUAC_URL_REDIR}" = true ]]; then
fi
fi
# Update Linux firewall
echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 8080..."
sudo ufw default allow outgoing >/dev/null 2>&1
sudo ufw default deny incoming >/dev/null 2>&1
sudo ufw allow OpenSSH >/dev/null 2>&1
sudo ufw allow 8080/tcp >/dev/null 2>&1
ufw default allow outgoing >/dev/null 2>&1
ufw default deny incoming >/dev/null 2>&1
ufw allow OpenSSH >/dev/null 2>&1
ufw allow 8080/tcp >/dev/null 2>&1
echo "y" | sudo ufw enable >/dev/null 2>&1
# Reduce firewall logging noise
sudo ufw logging off >/dev/null 2>&1
ufw logging off >/dev/null 2>&1 # Reduce firewall logging noise
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1
@ -642,16 +638,10 @@ else
fi
# Cleanup
echo -e "${GREY}Cleanup install files...${GREY}"
echo -e "${GREY}Cleaning up Guacamole source files...${GREY}"
rm -rf guacamole-*
rm -rf mysql-connector-j-*
rm -rf mariadb_repo_setup
if [[ "${INSTALL_NGINX}" = false ]]; then
rm -f 3-install-nginx.sh
rm -f 4a-install-tls-self-signed-nginx.sh
rm -f 4b-install-tls-letsencrypt-nginx.sh
rm -f refresh-tls-self-signed.sh
fi
unset MYSQL_PWD
apt-get -y remove expect &>>${INSTALL_LOG}
if [[ $? -ne 0 ]]; then

44
3-install-nginx.sh
View file

@ -7,6 +7,9 @@
# August 2023
#######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# To run standalone: sudo -E ./3-install-nginx.sh
# Prepare text output colours
GREY='\033[0;37m'
DGREY='\033[0;90m'
@ -16,13 +19,26 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi
echo
echo
echo -e "${LGREEN}Installing Nginx...${DGREY}"
echo
TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
PROXY_SITE=
INSTALL_LOG=
GUAC_URL=
# Install Nginx
sudo apt-get install nginx -qq -y &>>${INSTALL_LOG}
apt-get update -qq &>>${INSTALL_LOG}
apt-get install nginx -qq -y &>>${INSTALL_LOG}
echo -e "${GREY}Configuring Nginx as a reverse proxy for Guacamole's Apache Tomcat front end...${DGREY}"
# Configure /etc/nginx/sites-available/(local dns site name)
@ -52,8 +68,8 @@ else
fi
# Force nginx to require tls1.2 and above
sudo sed -i -e '/ssl_protocols/s/^/#/' /etc/nginx/nginx.conf
sudo sed -i "/SSL Settings/a \ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE" /etc/nginx/nginx.conf
sed -i -e '/ssl_protocols/s/^/#/' /etc/nginx/nginx.conf
sed -i "/SSL Settings/a \ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE" /etc/nginx/nginx.conf
# Symlink from sites-available to sites-enabled
ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/
@ -63,7 +79,7 @@ unlink /etc/nginx/sites-enabled/default
# Do mandatory Nginx tweaks for logging actual client IPs through a proxy IP of 127.0.0.1 - DO NOT CHANGE COMMAND FORMATING!
echo -e "${GREY}Configuring Apache Tomcat valve for pass through of client IPs to Guacamole logs...${GREY}"
sudo sed -i '/pattern="%h %l %u %t &quot;%r&quot; %s %b"/a \ <!-- Allow host IP to pass through to guacamole.-->\n <Valve className="org.apache.catalina.valves.RemoteIpValve"\n internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1"\n remoteIpHeader="x-forwarded-for"\n remoteIpProxiesHeader="x-forwarded-by"\n protocolHeader="x-forwarded-proto" />' /etc/$TOMCAT_VERSION/server.xml
sed -i '/pattern="%h %l %u %t &quot;%r&quot; %s %b"/a \ <!-- Allow host IP to pass through to guacamole.-->\n <Valve className="org.apache.catalina.valves.RemoteIpValve"\n internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1"\n remoteIpHeader="x-forwarded-for"\n remoteIpProxiesHeader="x-forwarded-by"\n protocolHeader="x-forwarded-proto" />' /etc/$TOMCAT_VERSION/server.xml
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1
@ -73,8 +89,8 @@ else
fi
# Allow large file transfers through Nginx
sudo sed -i '/client_max_body_size/d' /etc/nginx/nginx.conf # remove this line if it already exists to prevent duplicates
sudo sed -i "/Basic Settings/a \ client_max_body_size 100000000M;" /etc/nginx/nginx.conf # Add the larger file transfer size
sed -i '/client_max_body_size/d' /etc/nginx/nginx.conf # remove this line if it already exists to prevent duplicates
sed -i "/Basic Settings/a \ client_max_body_size 100000000M;" /etc/nginx/nginx.conf # Add the larger file transfer size
echo -e "${GREY}Boosting Nginx's 'maximum body size' parameter to allow large file transfers...${GREY}"
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
@ -86,11 +102,11 @@ fi
# Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network.
echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..."
sudo ufw default allow outgoing >/dev/null 2>&1
sudo ufw default deny incoming >/dev/null 2>&1
sudo ufw allow OpenSSH >/dev/null 2>&1
sudo ufw allow 80/tcp >/dev/null 2>&1
sudo ufw delete allow 8080/tcp >/dev/null 2>&1
ufw default allow outgoing >/dev/null 2>&1
ufw default deny incoming >/dev/null 2>&1
ufw allow OpenSSH >/dev/null 2>&1
ufw allow 80/tcp >/dev/null 2>&1
ufw delete allow 8080/tcp >/dev/null 2>&1
echo "y" | sudo ufw enable >/dev/null 2>&1
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
@ -102,9 +118,9 @@ fi
# Reload everything
echo -e "${GREY}Restaring Guacamole & Ngnix..."
sudo systemctl restart $TOMCAT_VERSION
sudo systemctl restart guacd
sudo systemctl restart nginx
systemctl restart $TOMCAT_VERSION
systemctl restart guacd
systemctl restart nginx
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1

134
4a-install-tls-self-signed-nginx.sh
View file

@ -7,6 +7,14 @@
# April 2023
#######################################################################################################################
# This script can be run multiple times to either install or update TLS settings and certificates.
# Change the name of the site or add/renew TLS certs by specifying command line arguments [dns.name] [cert-lifetime] [IP]
# e.g. sudo -E ./4a-install-tls-self-signed-nginx.sh proxy.domain.local 365 192.168.1.50
# Alternatively, run the script without any command arguments and the default variables below will apply
# e.g. sudo - E ./4a-install-tls-self-signed-nginx.sh
# Prepare text output colours
GREY='\033[0;37m'
DGREY='\033[0;90m'
@ -16,34 +24,62 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour
echo
echo
echo -e "${LGREEN}Setting up self signed TLS certificates for Nginx...${GREY}"
echo
# Setup script cmd line arguments for proxy site and certificate days
TLSNAME=$1
TLSDAYS=$2
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi
# Set default certificate file destinations.
DIR_SSL_CERT="/etc/nginx/ssl/cert"
DIR_SSL_KEY="/etc/nginx/ssl/private"
TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
DOWNLOAD_DIR=
CERT_COUNTRY=
CERT_STATE=
CERT_LOCATION=
CERT_ORG=
CERT_OU=
GUAC_URL=
INSTALL_LOG=
PROXY_SITE=
CERT_DAYS=
DEFAULT_IP=
# Setup script cmd line arguments for proxy site and certificate days
TLSNAME=$1
TLSDAYS=$2
TLSIP=$3
# Assume the values set the guacamole installer if the script is run without any command line options
# Assume the values set the guacamole installer if the script is run without any command line options
if [[ -z "$1" ]] | [[ -z "$2" ]] | [[ -z "$3" ]]; then
TLSNAME=$PROXY_SITE
TLSDAYS=$CERT_DAYS
TLSIP=$DEFAULT_IP
fi
echo
echo
echo -e "${LGREEN}Setting up self signed TLS certificates for Nginx...${GREY}"
echo
# Make directories to place TLS Certificate if they don't exist
if [[ ! -d $DIR_SSL_KEY ]]; then
sudo mkdir -p $DIR_SSL_KEY
mkdir -p $DIR_SSL_KEY
fi
if [[ ! -d $DIR_SSL_CERT ]]; then
sudo mkdir -p $DIR_SSL_CERT
mkdir -p $DIR_SSL_CERT
fi
# Discover IPv4 interface
DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)
echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}"
# Display the new TLS cert parameters.
cat <<EOF | tee $TMP_DIR/cert_attributes.txt
cat <<EOF | tee cert_attributes.txt
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
@ -65,12 +101,12 @@ subjectAltName = @alt_names
[alt_names]
DNS.1 = $TLSNAME
IP.1 = $DEFAULT_IP
IP.1 = $TLSIP
EOF
echo
echo "{$GREY}Creating a new Nginx TLS Certificate..."
openssl req -x509 -nodes -newkey rsa:2048 -keyout $TLSNAME.key -out $TLSNAME.crt -days $TLSDAYS -config $TMP_DIR/cert_attributes.txt
openssl req -x509 -nodes -newkey rsa:2048 -keyout $TLSNAME.key -out $TLSNAME.crt -days $TLSDAYS -config cert_attributes.txt
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1
@ -80,12 +116,12 @@ else
fi
# Place TLS Certificate into the defined application path
sudo cp $TLSNAME.key $DIR_SSL_KEY/$TLSNAME.key
sudo cp $TLSNAME.crt $DIR_SSL_CERT/$TLSNAME.crt
cp $TLSNAME.key $DIR_SSL_KEY/$TLSNAME.key
cp $TLSNAME.crt $DIR_SSL_CERT/$TLSNAME.crt
# Create a PFX formatted key for easier import to Windows hosts and change permissions to enable copying elsewhere
# Create a PFX formatted key for easier import to Windows hosts
echo -e "${GREY}Converting client certificates for Windows & Linux...${GREY}"
sudo openssl pkcs12 -export -out $TLSNAME.pfx -inkey $TLSNAME.key -in $TLSNAME.crt -password pass:1234
openssl pkcs12 -export -out $TLSNAME.pfx -inkey $TLSNAME.key -in $TLSNAME.crt -password pass:1234
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1
@ -95,20 +131,21 @@ else
fi
# Change of permissions so certs can be copied via WinSCP.
sudo chown $SUDO_USER:root $TLSNAME.pfx
sudo chown $SUDO_USER:root $TLSNAME.crt
sudo chown $SUDO_USER:root $TLSNAME.key
chown $SUDO_USER:root $TLSNAME.pfx
chown $SUDO_USER:root $TLSNAME.crt
chown $SUDO_USER:root $TLSNAME.key
# Backup the current Nginx config before update
echo -e "${GREY}Backing up previous Nginx proxy to $DOWNLOAD_DIR/$TLSNAME-nginx.bak"
cp /etc/nginx/sites-enabled/${TLSNAME} $DOWNLOAD_DIR/${TLSNAME}-nginx.bak
# Backup the previous configuration
if [ -f "/etc/nginx/sites-enabled/${TLSNAME}" ]; then
echo -e "${GREY}Backing up previous Nginx proxy config to $DOWNLOAD_DIR/${PROXY_SITE}-nginx.bak"
cp -f /etc/nginx/sites-enabled/${TLSNAME} $DOWNLOAD_DIR/${TLSNAME}-nginx.bak
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1
echo -e "${LRED}Warning: Failed to copy the Nginx site config.${GREY}" 1>&2
else
echo -e "${LGREEN}OK${GREY}"
echo
fi
fi
# Update Nginx config to accept the new certificates
echo -e "${GREY}Configuring Nginx proxy to use the self signed TLS certificate and setting up HTTP redirect...${DGREY}"
@ -158,13 +195,33 @@ else
echo
fi
# Find all enabled sites containing the $GUAC_URL and remove them to avoid conflicts
for x in /etc/nginx/sites-enabled/*; do
# Check inside each site candidate to see if the $GUAC_URL exists.
if [[ -f "${x}" ]]; then
if grep -qE "${GUAC_URL}" "${x}"; then
found_sites+=("${x}")
fi
fi
done
# Unlink all previous sites pointed to $GUAC_URL
if [ "${#found_sites[@]}" -gt 0 ]; then
for guacUrl in "${found_sites[@]}"; do
unlink "${guacUrl}"
done
fi
# Link to enable the new site configuration
ln -s /etc/nginx/sites-available/$TLSNAME /etc/nginx/sites-enabled/ >/dev/null 2>&1
# Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network.
echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..."
sudo ufw default allow outgoing >/dev/null 2>&1
sudo ufw default deny incoming >/dev/null 2>&1
sudo ufw allow OpenSSH >/dev/null 2>&1
sudo ufw allow 80/tcp >/dev/null 2>&1
sudo ufw allow 443/tcp >/dev/null 2>&1
ufw default allow outgoing >/dev/null 2>&1
ufw default deny incoming >/dev/null 2>&1
ufw allow OpenSSH >/dev/null 2>&1
ufw allow 80/tcp >/dev/null 2>&1
ufw allow 443/tcp >/dev/null 2>&1
echo "y" | sudo ufw enable >/dev/null 2>&1
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
@ -174,11 +231,12 @@ else
echo
fi
# Reload everything
# Reload everything and tidy up
echo -e "${GREY}Restaring Guacamole & Ngnix..."
sudo systemctl restart $TOMCAT_VERSION
sudo systemctl restart guacd
sudo systemctl restart nginx
systemctl restart $TOMCAT_VERSION
systemctl restart guacd
systemctl restart nginx
rm -f cert_attributes.txt
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1
@ -195,7 +253,7 @@ printf "${GREY}+----------------------------------------------------------------
${LGREEN}+ WINDOWS CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+
+ 1. In ${DOWNLOAD_DIR} is a Windows version of the new certificate ${LYELLOW}$TLSNAME.pfx${GREY}
+ 2. Import this PFX file into your Windows client with the below Powershell commands (as Administrator):
+ 2. Import this PFX file into your Windows client with the below PowerShell commands (as Administrator):
\n"
echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText"
echo -e "Import-pfxCertificate -FilePath $TLSNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}""

32
4b-install-tls-letsencrypt-nginx.sh
View file

@ -7,6 +7,9 @@
# April 2023
#######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# To run standalone: sudo ./4b-install-tls-letsencrypt-nginx.sh
# Prepare text output colours
GREY='\033[0;37m'
DGREY='\033[0;90m'
@ -16,6 +19,15 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour
TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
DOWNLOAD_DIR=
PROXY_SITE=
GUAC_URL=
LE_DNS_NAME=
LE_EMAIL=
INSTALL_LOG=
echo
echo
echo -e "${LGREEN}Installing Let's Encrypt TLS configuration for Nginx...${GREY}"
@ -67,11 +79,11 @@ fi
# Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network.
echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..."
sudo ufw default allow outgoing >/dev/null 2>&1
sudo ufw default deny incoming >/dev/null 2>&1
sudo ufw allow OpenSSH >/dev/null 2>&1
sudo ufw allow 80/tcp >/dev/null 2>&1
sudo ufw allow 443/tcp >/dev/null 2>&1
ufw default allow outgoing >/dev/null 2>&1
ufw default deny incoming >/dev/null 2>&1
ufw allow OpenSSH >/dev/null 2>&1
ufw allow 80/tcp >/dev/null 2>&1
ufw allow 443/tcp >/dev/null 2>&1
echo "y" | sudo ufw enable >/dev/null 2>&1
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
@ -81,10 +93,10 @@ else
echo
fi
# Bounce Nginx to reload the new Nginx config so certbot config can continue
# Reload the new Nginx config so as certbot can further ajust
systemctl restart nginx
# Run certbot to create and associate certificates with currenly public IP (must have tcp 80 and 443 open to work)
# Run certbot to create and associate certificates with current public IP (must have tcp 80 and 443 open to work!)
certbot --nginx -n -d $LE_DNS_NAME --email $LE_EMAIL --agree-tos --redirect --hsts
echo -e
echo -e "${GREY}Let's Encrypt successfully installed, but check for any errors above (DNS & firewall are the usual culprits).${GREY}"
@ -120,9 +132,9 @@ fi
# Reload everything once again
echo -e "${GREY}Restaring Guacamole & Ngnix..."
sudo systemctl restart $TOMCAT_VERSION
sudo systemctl restart guacd
sudo systemctl restart nginx
systemctl restart $TOMCAT_VERSION
systemctl restart guacd
systemctl restart nginx
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
exit 1

2
ACTIVE-DIRECTORY-HOW-TO.md
View file

@ -1,5 +1,5 @@
# Integrating Guacamole with Active Directory
# Integrating Guacamole With Active Directory
## :arrows_clockwise: **Step 1: Ensure two-way LDAP traffic is available to the Guacamole application server**

61
README.md
View file

@ -1,10 +1,10 @@
# Guacamole 1.5.3 VDI/Jump Server Appliance Build Script
<img src="https://github.githubassets.com/images/icons/emoji/sparkles.png" width="35"> This repo makes setting up a Guacamole a breeze. Its got installer support for TLS reverse proxy, Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, dark mode and custom UI templates, auto database backup, O365 email alerts and even fail2ban and internal daemon security hardening options. There's also code in here to get you up and running with an enterprise high availability deployment too!
<img src="https://github.githubassets.com/images/icons/emoji/sparkles.png" width="35"> This repo makes setting up a Guacamole a breeze. Its got installer support for TLS reverse proxy, Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, dark mode and custom UI templates, auto database backup, O365 email alerts and even fail2ban and internal daemon security hardening options. There's also code in here to get you up and running with an enterprise high availability deployment if that's your thing!
## Automatic Installation
<img src="https://github.githubassets.com/images/icons/emoji/rocket.png" width="35"> To start building your Guacamole appliance, paste the below link into a terminal and follow the prompts **(no need for sudo, but the user must be a member of the sudo group)**:
<img src="https://github.githubassets.com/images/icons/emoji/rocket.png" width="35"> To start building your Guacamole appliance, paste the below link into a terminal and just follow the prompts **(no need for sudo, but the user must be a member of the sudo group)**:
```shell
wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh
@ -23,8 +23,6 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.
- DNS entries matching your default appliance network interface IP (essential for TLS).
- Open TCP ports: 22, 80, and 443.
23.04, 22.04, 20.04 & 18.04
## Installation Menu
<img src="https://github.githubassets.com/images/icons/emoji/wrench.png" width="35"> **The main script guides you through the installation process in the following steps:**
@ -35,12 +33,17 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.
4. Select optional console features: Quick Connect & History Recorded Storage UI integrations.
5. Decide on the Guacamole front end: Nginx reverse proxy (http or https) or keep the native Guacamole interface
**For the more security minded, there's several post-install hardening script options available:**
- `add-fail2ban.sh`: Adds a lockdown policy for Guacamole to guard against brute force attacks.
- `add-tls-guac-daemon.sh`: Wraps internal server daemon <--> guac application traffic in TLS.
- `add-auth-ldap.sh`: A template script for Active Directory integration.
- `add-smtp-relay-o365.sh`: A template script for email alerts integrated with MSO65 (BYO app password).
## Managing self signed TLS certs with Nginx (the easy way!)
- **To change the reverse proxy dns name or IP:**
- Just re-run ` 4a-install-tls-self-signed-nginx.sh`as many times as you like (accompanying server and browser client certs will also be updated)
- **To renew certificates only, or change IP only:**
- Simply run `refresh-tls-self-signed-nginx.sh` as needed.
- **Above scripts will also:**
- Create and save new client browser certificates to `$HOME/guac-setup`
- Provide on-screen instructions for client certificate import (no more pesky browser warnings and that pro look).
## Active Directory Integration
@ -50,32 +53,42 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.
<img src="https://github.githubassets.com/images/icons/emoji/art.png" width="35"> **Want to give Guacamole your personal touch? Follow the theme and branding instructions** [here](https://github.com/itiligent/Guacamole-Install/tree/main/custom-theme-builder).
## Custom Installation Notes
## Installation Instructions
<img src="https://github.githubassets.com/images/icons/emoji/unicode/2699.png" width="35">
1. Paste and run the wget autorun link in your home directory.
2. Exit `1-setup.sh` at the first prompt. (At this point the scripts are downloaded only.)
3. Customise the huge number of installation variables available in `1-setup.sh` as required. All options for customisation are found in the top sections of this script only. (Certain combinations of edits will even produce a fully unattended install!)
4. **Caution: If editing `1-setup.sh`, be aware that running the autorun link again re-downloads and overwrites all changes. You must run setup locally after editing.** (Also be sure to comment out the download links in the setup script for any other edited scripts. There should be little need to edit outside of the setup script's options.)
5. The **upgrade-guac.sh, add-tls-guac-daemon.sh, refresh-tls-self-signed.sh & backup-guac.sh** scripts are automatically adjusted at installation to match your chosen installation settings. These can be run after install without any modification.
6. If the self-signed TLS proxy option is selected, browser client TLS certificates will be automatically created and saved to `$HOME/guac-setup`.
7. Note that Nginx is automatically configured to use TLS 1.2 or above (so really old browser versions may not work.)
8. A daily MySQL backup job will be automatically configured under the script owner's crontab.
9. **Security info:** The Quick Connect and History Recorded Storage options bring a few security implications; so be aware of potential risks in your particular environment.
### **Paste and the wget autorun link, thats it! *But if* you want to make Guacamole your own and customise...**
**Exit `1-setup.sh` at the first prompt**. All the configurable options can be found at the start of `1-setup.sh`. Certain combinations of edits will even produce an unattended install!
**Other useful install notes:**
- **Caution: Be aware that running the auto-run link again re-downloads the suite of scripts and will overwrite your changes. You must run setup locally after editing the setup script.** (Also be sure to comment out the download links in the setup script for any other scripts you want to edit, but there should be little need to touch these.)
- Many of the scripts in the suite are **automatically adjusted with your chosen installation settings** to form a matched & transportable set. This allows you to add extra features after installation whilst avoiding mismatches with the original install.
- Nginx is automatically configured to use TLS 1.2 or above (so really old browser versions may not work.)
- A daily MySQL backup job will be automatically configured under the script owner's crontab.
- **Security info:** The Quick Connect and History Recorded Storage options bring a few security implications; so be aware of potential risks in your particular environment.
**For the more security minded, there's several post-install hardening script options available:**
- `add-fail2ban.sh`: Adds a lockdown policy for Guacamole to guard against brute force attacks.
- `add-tls-guac-daemon.sh`: Wraps internal server daemon <--> guac application traffic in TLS.
- `add-auth-ldap.sh`: A template script for Active Directory integration.
- `add-smtp-relay-o365.sh`: A template script for email alerts integrated with MSO65 (BYO app password).
## Upgrading Guacamole
<img src="https://github.githubassets.com/images/icons/emoji/globe_with_meridians.png" width="35"> To upgrade Guacamole, edit `upgrade-guac.sh` to relfect the latest versions of Guacamole and MySQL connector/J before running it. This script will also automatically update the DUO, LDAP, TOTP, Quick Connect & History Recorded Storage extension if they are found to be present.
<img src="https://github.githubassets.com/images/icons/emoji/globe_with_meridians.png" width="35"> To upgrade Guacamole, edit `upgrade-guac.sh` to relfect the latest versions of Guacamole and MySQL connector/J before running it. This script will also automatically update the installed extensions.
## Enterprise Scale Out & High Availability
<img src="https://github.githubassets.com/images/icons/emoji/unicode/1f454.png" width="35"> For Enterprise deployments, did you know that Guacamole can be run in a load balanced farm? To achieve this, the database, application and front end components are usually **split into 2 or 3 layers.** (VLANs & firewalls between the layers helps with security too.) See [here](https://github.com/itiligent/Guacamole-Install/tree/main/guac-enterprise-build) for how to get started.
- **For the DATABASE layer:** Find the included `install-mysql-backend-only.sh` to install a standalone instance of the Guacamole MySQL database for your backend.
- **For the APPLICATION layer:** Simply use the main setup script to build as many application servers as you like. For a true 3 layer load balanced system, make sure to **say no to both the "Install MySQL locally" option and all Nginx front end options** so as only the Guacamole server and Apache Tomcat services are installed.
- **For the Front end**: There are may choices here. You can slightly modify the Nginx scripts for a separate front end TLS layer, however **HA Proxy** provides far superior session affinity under load balanced conditions when compared to Open Source Nginx, but an Nginx Plus subscription gets you all the good stuff! There's so many possible ways to achieve this in hardware and software. There's plenty of config details in here to help you begin to roll your own HA solution.
- **For the APPLICATION layer:** Simply use the main setup script to build as many application servers as you like, just use the installer to point these to the backend database, making sure to **say no to both the "Install MySQL locally" option and any Nginx install options**.
- **For the Front end**: There are so many choices available that are already very well documented. You could even take the (portable) Nginx scripts to build a separate TLS front end layer. Be aware that [HA Proxy](https://www.haproxy.org/) generally provides far superior session affinity and persistence under load balanced conditions [when compared to Open Source Nginx](https://www.nginx.com/products/nginx/compare-models/) as only Nginx Plus subscribers get all the proper load balancing stuff!)
### Installer script download manifest
## Auto Download Manifest
<img src="https://github.githubassets.com/images/icons/emoji/package.png" width="35"> The autorun link downloads these repo files into `$HOME/guac-setup`:

2
guac-custom-theme-builder/README.MD
View file

@ -2,7 +2,7 @@
## Custom branding & theme instructions ##
1. Install the Java JDK: `sudo apt update && sudo apt -y install default-jdk`
3. Modify `custom-theme.css` ,`guac-manifest.json`, `en.json` & `META-INF` as desired & add your logo .png files to the images directory.
3. Modify `custom-theme.css` ,`guac-manifest.json`, `en.json` & `META-INF` as desired & add your logos to the images directory. (Logos must be .png files.)
4. To commit your changes, run the below commands from within the custom-theme-builder directory, then refresh your browser to re-login to Guacamole:
```
# Run within the custom-theme-builder directory

2
guac-enterprise-build/install-mysql-backend-only.sh
View file

@ -51,7 +51,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
# Setup directory locations
mkdir -p $DOWNLOAD_DIR
sudo chown -R $SUDO_USER:root $DOWNLOAD_DIR
chown -R $SUDO_USER:root $DOWNLOAD_DIR
# Version of Guacamole auth jdbc database schema to use
GUAC_VERSION="1.5.3"

2
guac-enterprise-build/upgrade-mysql-backend-only.sh
View file

@ -49,7 +49,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
# Setup directory locations
mkdir -p $DOWNLOAD_DIR
sudo chown -R $SUDO_USER:root $DOWNLOAD_DIR
chown -R $SUDO_USER:root $DOWNLOAD_DIR
# Version of Guacamole to upgrade to. See https://guacamole.apache.org/releases/ for latest version info.
NEW_GUAC_VERSION="1.5.3"

2
guac-management/backup-guac.sh
View file

@ -19,7 +19,7 @@ clear
export PATH=/bin:/usr/bin:/usr/local/bin
TODAY=$(date +%Y-%m-%d)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
MYSQL_HOST=
MYSQL_PORT=
GUAC_USER=

14
guac-management/refresh-tls-self-signed.sh
View file

@ -6,10 +6,10 @@
# September 2023
#######################################################################################################################
# If run with with no command arguments, the ${PROXY_SITE} ${CERT_DAYS} & ${Default_IP) values from original install are applied.
# e.g. sudo ./refresh-tls-self-signed-nginx.sh
# If run with with no command arguments, the ${PROXY_SITE}, ${CERT_DAYS} & ${Default_IP) values used during the
# the original install are applied. To keep these run: sudo ./refresh-tls-self-signed-nginx.sh
#
# SCript can also be run with custom command line arguments for use with any TLS application:
# This script can also be run with custom command line arguments for use with any TLS application:
# Command arguments are formatted as: [command] [FQDN] [cert-lifetime] [IP]
# e.g. sudo ./refresh-tls-self-signed-nginx.sh webserver.domain.local 365 192.168.1.1
@ -50,7 +50,7 @@ TLSNAME=$1
TLSDAYS=$2
TLSIP=$3
# Auto updated values from main installer (manually update if blank)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
CERT_COUNTRY=
CERT_STATE=
CERT_LOCATION=
@ -60,7 +60,7 @@ PROXY_SITE=
CERT_DAYS=
DEFAULT_IP=
# Assume the values used by the guacamole installer if the script is run without any command line options
# Assume the values set the guacamole installer if the script is run without any command line options
if [[ -z "$1" ]] | [[ -z "$2" ]] | [[ -z "$3" ]]; then
TLSNAME=$PROXY_SITE
TLSDAYS=$CERT_DAYS
@ -69,11 +69,11 @@ fi
# Make directories to place TLS Certificate if they don't exist
if [[ ! -d $DIR_SSL_KEY ]]; then
sudo mkdir -p $DIR_SSL_KEY
mkdir -p $DIR_SSL_KEY
fi
if [[ ! -d $DIR_SSL_CERT ]]; then
sudo mkdir -p $DIR_SSL_CERT
mkdir -p $DIR_SSL_CERT
fi
echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}"

6
guac-management/upgrade-guac.sh
View file

@ -46,7 +46,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
# Setup directory locations
mkdir -p $DOWNLOAD_DIR
sudo chown -R $SUDO_USER:root $DOWNLOAD_DIR
chown -R $SUDO_USER:root $DOWNLOAD_DIR
# Version of Guacamole to upgrade to. See https://guacamole.apache.org/releases/ for latest version info.
NEW_GUAC_VERSION="1.5.3"
@ -66,7 +66,7 @@ GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guac
# Install log Location
INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_${NEW_GUAC_VERSION}_upgrade.log"
# Auto updated values from main installer (manually update if blank)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
INSTALL_MYSQL=
MYSQL_HOST=
MYSQL_PORT=
@ -85,7 +85,7 @@ echo
# Start upgrade actions ##############################################################################################
#######################################################################################################################
sudo apt-get upgrade -qq -y
apt-get upgrade -qq -y
# Stop tomcat and guacd
systemctl stop ${TOMCAT_VERSION}

4
guac-optional-features/add-auth-duo.sh
View file

@ -6,6 +6,8 @@
# April 2023
#######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prepare text output colours
GREY='\033[0;37m'
DGREY='\033[0;90m'
@ -38,7 +40,7 @@ echo "duo-api-hostname: " >>/etc/guacamole/guacamole.properties
echo "duo-application-key: " >>/etc/guacamole/guacamole.properties
echo
systemctl restart ${TOMCAT_VERSION}
sudo systemctl restart guacd
systemctl restart guacd
echo -e "${LYELLOW}You must now set up your online Duo account with a new 'Web SDK' application."
echo

11
guac-optional-features/add-auth-ldap.sh
View file

@ -6,6 +6,8 @@
# April 2023
#######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prepare text output colours
GREY='\033[0;37m'
DGREY='\033[0;90m'
@ -17,10 +19,9 @@ NC='\033[0m' #No Colour
clear
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi
@ -49,7 +50,7 @@ echo
wget -q --show-progress -O guacamole-auth-ldap-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz
tar -xzf guacamole-auth-ldap-${GUAC_VERSION}.tar.gz
mv -f guacamole-auth-ldap-${GUAC_VERSION}/guacamole-auth-ldap-${GUAC_VERSION}.jar /etc/guacamole/extensions/
sudo chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${GUAC_VERSION}.jar
chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${GUAC_VERSION}.jar
echo -e "${LGREEN}Installed guacamole-auth-ldap-${GUAC_VERSION}${GREY}"
echo
echo Adding the below config to /etc/guacamole/guacamole.properties
@ -66,8 +67,8 @@ ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))
ldap-max-search-results:200
EOF
sudo systemctl restart ${TOMCAT_VERSION}
sudo systemctl restart guacd
systemctl restart ${TOMCAT_VERSION}
systemctl restart guacd
rm -rf guacamole-*

5
guac-optional-features/add-auth-totp.sh
View file

@ -6,6 +6,8 @@
# April 2023
#######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prepare text output colours
GREY='\033[0;37m'
DGREY='\033[0;90m'
@ -17,10 +19,9 @@ NC='\033[0m' #No Colour
clear
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi

10
guac-optional-features/add-fail2ban.sh
View file

@ -44,7 +44,7 @@ rm -f /tmp/fail2ban.update
# Prompt to install fail2ban base package with no policy as yet, default of yes
if [[ -z ${FAIL2BAN_BASE} ]]; then
echo
echo -e -n "${LGREEN}Install Fail2ban? (base package with no policy as yet) [default y]: ${GREY}"
echo -e -n "${LGREEN}Install Fail2ban base package? [default y]: ${GREY}"
read PROMPT
if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
FAIL2BAN_BASE=false
@ -94,8 +94,8 @@ fi
if [[ "${FAIL2BAN_BASE}" = true ]]; then
#Update and install fail2ban (and john for management of config file updates, and not overwrite any existing settings)
sudo apt-get update -qq >/dev/null 2>&1
sudo apt-get install fail2ban john -qq -y >/dev/null 2>&1
apt-get update -qq >/dev/null 2>&1
apt-get install fail2ban john -qq -y >/dev/null 2>&1
# Create the basic jail.local template and local subnet whitelist
cat >/tmp/fail2ban.conf <<EOF
@ -192,7 +192,7 @@ if [[ "${FAIL2BAN_BASE}" = true ]]; then
rm -f /tmp/fail2ban.update
# bounce the service to reload the new config
sudo systemctl restart fail2ban
systemctl restart fail2ban
# Done
echo
@ -239,7 +239,7 @@ EOF
echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban \n \n This script may take a while to complete on first run..."
# Bounce the service to reload the new config
sudo systemctl restart fail2ban
systemctl restart fail2ban
echo
fi

45
guac-optional-features/add-smtp-relay-o365.sh
View file

@ -6,6 +6,8 @@
# April 2023
#######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prerequisites:
# An office 365 account with a mailbox (NON ADMIN!!)
# An app password created for the above office 365 user at https://mysignins.microsoft.com/security-info
@ -20,18 +22,19 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi
clear
SENDER=$SUDO_USER
SERVER=$(uname -n)
DOMAIN_SEARCH_SUFFIX=$(grep search /etc/resolv.conf | grep -v "#" | sed 's/'search[[:space:]]'//')
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
LOCAL_DOMAIN=
echo
echo -e "${LYELLOW}SMTP relay for Office365 setup...${LGREEN}"
@ -39,7 +42,7 @@ echo -e "${LYELLOW}SMTP relay for Office365 setup...${LGREEN}"
# Install Posfix
echo
echo -e "${GREY}Installing Postfix with non-interactive defaults..."
sudo apt update -qq >/dev/null 2>&1
apt-get update -qq >/dev/null 2>&1
DEBIAN_FRONTEND="noninteractive" apt-get install postfix mailutils -qq -y >/dev/null 2>&1
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Postfix install failed. ${GREY}" 1>&2
@ -58,8 +61,8 @@ echo
echo
# Remove some default Postifx config items that conflict with new entries
sudo sed -i '/relayhost/d' /etc/postfix/main.cf
sudo sed -i '/smtp_tls_security_level=may/d' /etc/postfix/main.cf
sed -i '/relayhost/d' /etc/postfix/main.cf
sed -i '/smtp_tls_security_level=may/d' /etc/postfix/main.cf
# For simple relay outbound only, limit Postfix to just loopback and IPv4
sed -i 's/inet_interfaces = all/inet_interfaces = loopback-only/g' /etc/postfix/main.cf
@ -88,28 +91,28 @@ else
fi
# Setup the password file and postmap
sudo touch /etc/postfix/sasl_passwd
touch /etc/postfix/sasl_passwd
cat <<EOF | sudo tee -a /etc/postfix/sasl_passwd >/dev/null 2>&1
[smtp.office365.com]:587 ${SMTP_EMAIL}:${APP_PWD}
EOF
sudo chown root:root /etc/postfix/sasl_passwd
sudo chmod 0600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd
chmod 0600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
# Setup the generic map file
sudo touch /etc/postfix/generic
touch /etc/postfix/generic
cat <<EOF | sudo tee -a /etc/postfix/generic >/dev/null 2>&1
root@${SERVER} ${SMTP_EMAIL}
${SENDER}@${SERVER} ${SMTP_EMAIL}
@${DOMAIN_SEARCH_SUFFIX} ${SMTP_EMAIL}
@${LOCAL_DOMAIN} ${SMTP_EMAIL}
EOF
sudo chown root:root /etc/postfix/generic
sudo chmod 0600 /etc/postfix/generic
sudo postmap /etc/postfix/generic
chown root:root /etc/postfix/generic
chmod 0600 /etc/postfix/generic
postmap /etc/postfix/generic
# Restart and test
echo -e "${GREY}Restarting Postfix..."
sudo systemctl restart postfix
systemctl restart postfix
if [[ $? -ne 0 ]]; then
echo -e "${LRED}Postfix restart failed. ${GREY}" 1>&2
exit 1

5
guac-optional-features/add-tls-guac-daemon.sh
View file

@ -21,14 +21,13 @@ NC='\033[0m' #No Colour
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi
TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
RSA_KEY_LENGTH=2048
# Auto updated values from main installer (manually update if blank)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
CERT_COUNTRY=
CERT_STATE=
CERT_LOCATION=

4
guac-optional-features/add-xtra-histrecstor.sh
View file

@ -6,6 +6,8 @@
# September 2023
#######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prepare text output colours
GREY='\033[0;37m'
DGREY='\033[0;90m'
@ -20,7 +22,7 @@ clear
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi

4
guac-optional-features/add-xtra-quickconnect.sh
View file

@ -6,6 +6,8 @@
# September 2023
#######################################################################################################################
# If run as standalone and not from the main installer script, check the below variables are correct.
# Prepare text output colours
GREY='\033[0;37m'
DGREY='\033[0;90m'
@ -20,7 +22,7 @@ clear
# Check if user is root or sudo
if ! [[ $(id -u) = 0 ]]; then
echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
exit 1
fi