someorg/Easy-Guacamole-Installer
1
0
Fork 0
mirror of https://github.com/itiligent/Easy-Guacamole-Installer.git synced 2025-12-14 02:12:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Improve tls hardening flow & options

Browse source
This commit is contained in:
itiligent 2023-09-06 19:59:44 +10:00
parent 30f6bc59d7
commit 9c15a6ae11
3 changed files with 34 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
1-setup.sh
View file

@ -665,6 +665,7 @@ sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/add-tls-guac-d
sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|CERT_DAYS=|CERT_DAYS='${CERT_DAYS}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|MYSQL_HOST=|MYSQL_HOST='${MYSQL_HOST}'|g" $DOWNLOAD_DIR/upgrade-guac.sh sed -i "s|MYSQL_HOST=|MYSQL_HOST='${MYSQL_HOST}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
sed -i "s|MYSQL_PORT=|MYSQL_PORT='${MYSQL_PORT}'|g" $DOWNLOAD_DIR/upgrade-guac.sh sed -i "s|MYSQL_PORT=|MYSQL_PORT='${MYSQL_PORT}'|g" $DOWNLOAD_DIR/upgrade-guac.sh
sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/upgrade-guac.sh sed -i "s|GUAC_USER=|GUAC_USER='${GUAC_USER}'|g" $DOWNLOAD_DIR/upgrade-guac.sh

2
4a-install-tls-self-signed-nginx.sh
View file

@ -38,7 +38,7 @@ fi
echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}" echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}"
# Display the new TLS cert parameters. # Display the new TLS cert parameters.
cat <<EOF | tee -a $TMP_DIR/cert_attributes.txt cat <<EOF | tee $TMP_DIR/cert_attributes.txt
[req] [req]
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
x509_extensions = v3_req x509_extensions = v3_req

53
add-tls-guac-daemon.sh
View file

@ -6,6 +6,9 @@
# April 2023 # April 2023
####################################################################################################################### #######################################################################################################################
# To delete and reissue a new cert
# sudo keytool -delete -alias guacd -noprompt -cacerts -storepass changeit -file guacd.crt
# Prepare text output colours # Prepare text output colours
GREY='\033[0;37m' GREY='\033[0;37m'
DGREY='\033[0;90m' DGREY='\033[0;90m'
@ -15,15 +18,6 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m' LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour NC='\033[0m' #No Colour
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install
CERT_COUNTRY=
CERT_STATE=
CERT_LOCATION=
CERT_ORG=
CERT_OU=
clear
# Check if user is root or sudo # Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then if ! [ $(id -u) = 0 ]; then
echo echo
@ -31,10 +25,23 @@ if ! [ $(id -u) = 0 ]; then
exit 1 exit 1
fi fi
TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
RSA_KEY_LENGTH=2048
# Auto updated values from main installer (manually update if blank)
CERT_COUNTRY=
CERT_STATE=
CERT_LOCATION=
CERT_ORG=
CERT_OU=
CERT_DAYS=
clear
# Create the special directory for guacd tls certificate and key. # Create the special directory for guacd tls certificate and key.
sudo mkdir /etc/guacamole/ssl mkdir -p /etc/guacamole/ssl
echo echo
cat <<EOF | tee -a cert_attributes.txt cat <<EOF | tee cert_attributes.txt
[req] [req]
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
x509_extensions = v3_req x509_extensions = v3_req
@ -60,11 +67,12 @@ IP.1 = 127.0.0.1
EOF EOF
# Create the self signing request, certificate & key # Create the self signing request, certificate & key
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/guacamole/ssl/guacd.key -out /etc/guacamole/ssl/guacd.crt -config cert_attributes.txt openssl req -x509 -nodes -days $CERT_DAYS -newkey rsa:$RSA_KEY_LENGTH -keyout /etc/guacamole/ssl/guacd.key -out /etc/guacamole/ssl/guacd.crt -config cert_attributes.txt
rm -f cert_attributes.txt rm -f cert_attributes.txt
# Point Guacamole config file to certificate and key # Point Guacamole config file to certificate and key
sudo cat <<EOF | sudo tee /etc/guacamole/guacd.conf cp /etc/guacamole/guacd.conf /etc/guacamole/guacd.conf.bak
cat <<EOF | sudo tee /etc/guacamole/guacd.conf
[server] [server]
bind_host = 127.0.0.1 bind_host = 127.0.0.1
bind_port = 4822 bind_port = 4822
@ -74,21 +82,24 @@ server_key = /etc/guacamole/ssl/guacd.key
EOF EOF
# Enable TLS backend # Enable TLS backend
sudo cat <<EOF | sudo tee -a /etc/guacamole/guacamole.properties cat <<EOF | sudo tee -a /etc/guacamole/guacamole.properties
guacd-ssl: true guacd-ssl: true
EOF EOF
# Fix required permissions as guacd only runs as daemon # Fix required permissions as guacd only runs as daemon
sudo chown daemon:daemon /etc/guacamole/ssl chown daemon:daemon /etc/guacamole/ssl
sudo chown daemon:daemon /etc/guacamole/ssl/guacd.key chown daemon:daemon /etc/guacamole/ssl/guacd.key
sudo chown daemon:daemon /etc/guacamole/ssl/guacd.crt chown daemon:daemon /etc/guacamole/ssl/guacd.crt
sudo chmod 644 /etc/guacamole/ssl/guacd.crt chmod 644 /etc/guacamole/ssl/guacd.crt
sudo chmod 644 /etc/guacamole/ssl/guacd.key chmod 644 /etc/guacamole/ssl/guacd.key
# Add the new certificate into the Java Runtime certificate store and set JRE to trust it. # Add the new certificate into the Java Runtime certificate store and set JRE to trust it.
cd /etc/guacamole/ssl cd /etc/guacamole/ssl
sudo keytool -importcert -alias guacd -noprompt -cacerts -storepass changeit -file guacd.crt keytool -importcert -alias guacd -noprompt -cacerts -storepass changeit -file guacd.crt
sudo systemctl restart guacd
systemctl restart guacd
systemctl restart ${TOMCAT_VERSION}
echo echo
echo "Done!" echo "Done!"