someorg/Easy-Guacamole-Installer
1
0
Fork 0
mirror of https://github.com/itiligent/Easy-Guacamole-Installer.git synced 2025-12-13 18:02:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

ssl labels now tls and other tidy ups

Browse source
This commit is contained in:
Itiligent 2023-08-21 01:27:46 +10:00 committed by itiligent
parent 6b2d2afe6d
commit ca43e73546
15 changed files with 163 additions and 237 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

75
1-setup.sh
View file

@ -17,8 +17,8 @@
# 1-setup.sh is a central script that manages all inputs, options and sequences other included 'install' scripts. # 1-setup.sh is a central script that manages all inputs, options and sequences other included 'install' scripts.
# 2-install-guacamole is the main guts of the whole build. This script downloads and builds Guacamole from source. # 2-install-guacamole is the main guts of the whole build. This script downloads and builds Guacamole from source.
# 3-install-nginx.sh automatically installs and configures Nginx to work as an http port 80 front end to Guacamole # 3-install-nginx.sh automatically installs and configures Nginx to work as an http port 80 front end to Guacamole
# 4a-install-self-signed-nginx.sh sets up the new Nginx/Guacamole front end with self signed SSL certificates. # 4a-install-self-signed-nginx.sh sets up the new Nginx/Guacamole front end with self signed TLS certificates.
# 4b-install-ssl-letsencrypt-nginx.sh sets up Nginx with public SSL certificates from LetsEncrypt. # 4b-install-tls-letsencrypt-nginx.sh sets up Nginx with public TLS certificates from LetsEncrypt.
# Scripts with "add" in their name can be run post guacamole setup to add optional features not included in the main install # Scripts with "add" in their name can be run post guacamole setup to add optional features not included in the main install
clear clear
@ -32,6 +32,7 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m' LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour NC='\033[0m' #No Colour
# Make sure the user is NOT running this as root
if [[ $EUID -eq 0 ]]; then if [[ $EUID -eq 0 ]]; then
echo echo
echo -e "${LRED}This script must NOT be run as root, exiting..." 1>&2 echo -e "${LRED}This script must NOT be run as root, exiting..." 1>&2
@ -39,6 +40,7 @@ if [[ $EUID -eq 0 ]]; then
exit 1 exit 1
fi fi
# Make sure the user is a member of the sudo group
if ! [ $(id -nG "$USER" 2>/dev/null | egrep "sudo" | wc -l) -gt 0 ]; then if ! [ $(id -nG "$USER" 2>/dev/null | egrep "sudo" | wc -l) -gt 0 ]; then
echo echo
echo -e "${LRED}The current user (${USER}) must be a member of the 'sudo' group, exiting..." 1>&2 echo -e "${LRED}The current user (${USER}) must be a member of the 'sudo' group, exiting..." 1>&2
@ -51,11 +53,11 @@ if [ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*'
# Script branding header # Script branding header
echo echo
echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup." echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Guacamole" echo -e " ${LGREEN}Powered by Guacamole"
echo echo
echo echo
echo -e "${LRED}Possible previous temp files detected in current build path. Please review and remove old 'guacamole-*' & 'mysql-connector-j-*' files before proceeding.${GREY}" 1>&2 echo -e "${LRED}Possible previous install files detected in current build path. Please review and remove old guacamole install files files before proceeding.${GREY}" 1>&2
echo echo
exit 1 exit 1
fi fi
@ -70,7 +72,7 @@ DOWNLOAD_DIR=$USER_HOME_DIR/guac-setup
DB_BACKUP_DIR=$USER_HOME_DIR/mysqlbackups/ DB_BACKUP_DIR=$USER_HOME_DIR/mysqlbackups/
TMP_DIR=$DOWNLOAD_DIR/tmp TMP_DIR=$DOWNLOAD_DIR/tmp
# Github download branch # GitHub download branch
GITHUB="https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/" GITHUB="https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/"
#Version of Guacamole to install #Version of Guacamole to install
@ -84,6 +86,7 @@ MYSQLJCON="8.0.33"
# Select a specific MySQL version. See https://mariadb.org/mariadb/all-releases/ # Select a specific MySQL version. See https://mariadb.org/mariadb/all-releases/
MYSQL_VERSION="" # If left blank, script will use Linux distro default version packages. MYSQL_VERSION="" # If left blank, script will use Linux distro default version packages.
# Setup MySQL package name variables to call based on the above MYSQL_VERSION option
if [ -z "${MYSQL_VERSION}" ]; then if [ -z "${MYSQL_VERSION}" ]; then
# Use Linux distro default version. # Use Linux distro default version.
MYSQLSRV="default-mysql-server default-mysql-client mysql-common" MYSQLSRV="default-mysql-server default-mysql-client mysql-common"
@ -115,7 +118,7 @@ LOG_LOCATION="${DOWNLOAD_DIR}/guacamole_${GUAC_VERSION}_setup.log"
GUAC_URL=http://localhost:8080/guacamole/ GUAC_URL=http://localhost:8080/guacamole/
# Depending on the Linux distro, required libraries have varied names. Standardising with names makes adapting # Depending on the Linux distro, required libraries have varied names. Standardising with names makes adapting
# to other distros easier. # to other distros easier. Here the variables for the library dependency names are initialised.
source /etc/os-release source /etc/os-release
OS_FLAVOUR=$ID OS_FLAVOUR=$ID
OS_VERSION=$VERSION OS_VERSION=$VERSION
@ -172,15 +175,15 @@ INSTALL_DUO="" # Add DUO MFA extension (can't be installed simu
INSTALL_LDAP="" # Add Active Directory extension (true/false) INSTALL_LDAP="" # Add Active Directory extension (true/false)
CHANGE_ROOT="" # Set default Guacamole URL to http root (remove extra "/guacamole" from the default URL) CHANGE_ROOT="" # Set default Guacamole URL to http root (remove extra "/guacamole" from the default URL)
INSTALL_NGINX="" # Install and configure Guacamole behind Nginx reverse proxy (http port 80 only, true/false) INSTALL_NGINX="" # Install and configure Guacamole behind Nginx reverse proxy (http port 80 only, true/false)
PROXY_SITE="" # Local DNS name for reverse proxy and/or self signed ssl certificates PROXY_SITE="" # Local DNS name for reverse proxy and/or self signed TLS certificates
SELF_SIGN="" # Add self signed SSL support to Nginx (Let's Encrypt not available with this, true/false) SELF_SIGN="" # Add self signed TLS support to Nginx (Let's Encrypt not available with this option, true/false)
CERT_COUNTRY="AU" # Self signed cert setup: 2 country character code only, must not be blank CERT_COUNTRY="AU" # Self signed cert setup: 2 country character code only, must not be blank
CERT_STATE="Victoria" # Self signed cert setup: Optional to change, must not be blank CERT_STATE="Victoria" # Self signed cert setup: Optional to change, must not be blank
CERT_LOCATION="Melbourne" # Self signed cert setup: Optional to change, must not be blank CERT_LOCATION="Melbourne" # Self signed cert setup: Optional to change, must not be blank
CERT_ORG="Itiligent" # Self signed cert setup: Optional to change, must not be blank CERT_ORG="Itiligent" # Self signed cert setup: Optional to change, must not be blank
CERT_OU="I.T." # Self signed cert setup: Optional to change, must not be blank CERT_OU="I.T." # Self signed cert setup: Optional to change, must not be blank
CERT_DAYS="3650" # Self signed cert setup: Number of days until self signed certificate expiry CERT_DAYS="3650" # Self signed cert setup: Number of days until self signed certificate expiry
LETS_ENCRYPT="" # Add Lets Encrypt public SSL support for Nginx (self signed SSL certs not available with this option, true/false) LETS_ENCRYPT="" # Add Lets Encrypt public TLS support for Nginx (self signed TLS certs not available with this option, true/false)
LE_DNS_NAME="" # Public DNS name to bind with Lets Encrypt certificates LE_DNS_NAME="" # Public DNS name to bind with Lets Encrypt certificates
LE_EMAIL="" # Webmaster/admin email for Lets Encrypt notifications LE_EMAIL="" # Webmaster/admin email for Lets Encrypt notifications
BACKUP_EMAIL="" # Email address for backup notifications BACKUP_EMAIL="" # Email address for backup notifications
@ -192,7 +195,7 @@ RDP_PRINTER_LABEL="RDP Printer" # Custom Windows RDP printer name
# Script branding header # Script branding header
echo echo
echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup." echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Guacamole" echo -e " ${LGREEN}Powered by Guacamole"
echo echo
echo echo
@ -210,8 +213,8 @@ cd $DOWNLOAD_DIR
echo -e "${GREY}Downloading setup files...${DGREY}" echo -e "${GREY}Downloading setup files...${DGREY}"
wget -q --show-progress ${GITHUB}2-install-guacamole.sh -O 2-install-guacamole.sh wget -q --show-progress ${GITHUB}2-install-guacamole.sh -O 2-install-guacamole.sh
wget -q --show-progress ${GITHUB}3-install-nginx.sh -O 3-install-nginx.sh wget -q --show-progress ${GITHUB}3-install-nginx.sh -O 3-install-nginx.sh
wget -q --show-progress ${GITHUB}4a-install-ssl-self-signed-nginx.sh -O 4a-install-ssl-self-signed-nginx.sh wget -q --show-progress ${GITHUB}4a-install-tls-self-signed-nginx.sh -O 4a-install-tls-self-signed-nginx.sh
wget -q --show-progress ${GITHUB}4b-install-ssl-letsencrypt-nginx.sh -O 4b-install-ssl-letsencrypt-nginx.sh wget -q --show-progress ${GITHUB}4b-install-tls-letsencrypt-nginx.sh -O 4b-install-tls-letsencrypt-nginx.sh
# Grab Guacamole manual add on/upgrade scripts # Grab Guacamole manual add on/upgrade scripts
wget -q --show-progress ${GITHUB}add-auth-duo.sh -O add-auth-duo.sh wget -q --show-progress ${GITHUB}add-auth-duo.sh -O add-auth-duo.sh
wget -q --show-progress ${GITHUB}add-auth-ldap.sh -O add-auth-ldap.sh wget -q --show-progress ${GITHUB}add-auth-ldap.sh -O add-auth-ldap.sh
@ -220,7 +223,7 @@ wget -q --show-progress ${GITHUB}add-smtp-relay-o365.sh -O add-smtp-relay-o365.s
wget -q --show-progress ${GITHUB}upgrade-guac.sh -O upgrade-guac.sh wget -q --show-progress ${GITHUB}upgrade-guac.sh -O upgrade-guac.sh
# Grab backup and security hardening scripts # Grab backup and security hardening scripts
wget -q --show-progress ${GITHUB}backup-guac.sh -O backup-guac.sh wget -q --show-progress ${GITHUB}backup-guac.sh -O backup-guac.sh
wget -q --show-progress ${GITHUB}add-ssl-guac-gaucd.sh -O add-ssl-guac-gaucd.sh wget -q --show-progress ${GITHUB}add-tls-guac-daemon.sh -O add-tls-guac-daemon.sh
wget -q --show-progress ${GITHUB}add-fail2ban.sh -O add-fail2ban.sh wget -q --show-progress ${GITHUB}add-fail2ban.sh -O add-fail2ban.sh
# Grab a (customisable) branding extension # Grab a (customisable) branding extension
wget -q --show-progress ${GITHUB}branding.jar -O branding.jar wget -q --show-progress ${GITHUB}branding.jar -O branding.jar
@ -231,7 +234,7 @@ clear
# Script branding header # Script branding header
echo echo
echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup." echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Guacamole" echo -e " ${LGREEN}Powered by Guacamole"
echo echo
echo echo
@ -249,7 +252,7 @@ sudo chown -R $SUDO_USER:root $TMP_DIR
# We need a default hostname value available to apply even if we do not want to change the hostname. This approach allows the # We need a default hostname value available to apply even if we do not want to change the hostname. This approach allows the
# user to simply hit enter at the prompt without this creating a blank entry into the /etc/hosts file. # user to simply hit enter at the prompt without this creating a blank entry into the /etc/hosts file.
# hostnames and matching DNS entries are essential for implementing SSL successfully. # hostnames and matching DNS entries are essential for implementing TLS successfully.
if [[ -z ${SERVER_NAME} ]]; then if [[ -z ${SERVER_NAME} ]]; then
echo -e "${LYELLOW}Update Linux system HOSTNAME [Enter to keep: ${HOSTNAME}]${LGREEN}" echo -e "${LYELLOW}Update Linux system HOSTNAME [Enter to keep: ${HOSTNAME}]${LGREEN}"
read -p " Enter new HOSTNAME : " SERVER_NAME read -p " Enter new HOSTNAME : " SERVER_NAME
@ -269,7 +272,7 @@ else
sudo systemctl restart systemd-hostnamed &>>${LOG_LOCATION} sudo systemctl restart systemd-hostnamed &>>${LOG_LOCATION}
fi fi
# We need a dns suffix to append to the hostname so as SSL can be available. # We need a dns suffix to append to the hostname so as TLS can be available.
if [[ -z ${LOCAL_DOMAIN} ]]; then if [[ -z ${LOCAL_DOMAIN} ]]; then
echo -e "${LYELLOW}Update Linux LOCAL DNS DOMAIN [Enter to keep: ${DOMAIN_SUFFIX}]${LGREEN}" echo -e "${LYELLOW}Update Linux LOCAL DNS DOMAIN [Enter to keep: ${DOMAIN_SUFFIX}]${LGREEN}"
read -p " Enter FULL LOCAL DOMAIN NAME: " LOCAL_DOMAIN read -p " Enter FULL LOCAL DOMAIN NAME: " LOCAL_DOMAIN
@ -310,7 +313,7 @@ clear
# Script branding header # Script branding header
echo echo
echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup." echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Guacamole" echo -e " ${LGREEN}Powered by Guacamole"
echo echo
echo echo
@ -504,10 +507,10 @@ if [ -z "${PROXY_SITE}" ]; then
PROXY_SITE="${DEFAULT_FQDN}" PROXY_SITE="${DEFAULT_FQDN}"
fi fi
# Prompt for self signed SSL reverse proxy option # Prompt for self signed TLS reverse proxy option
if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
# Prompt the user to see if they would like to install self signed SSL support for Nginx, default of no # Prompt the user to see if they would like to install self signed TLS support for Nginx, default of no
echo -e -n "FRONT END: Add self signed SSL support to Nginx? [y/N]? (choose 'n' for Let's Encrypt)[default n]: " echo -e -n "FRONT END: Add self signed TLS support to Nginx? [y/N]? (choose 'n' for Let's Encrypt)[default n]: "
read PROMPT read PROMPT
if [[ ${PROMPT} =~ ^[Yy]$ ]]; then if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
SELF_SIGN=true SELF_SIGN=true
@ -516,19 +519,19 @@ if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then
fi fi
fi fi
# Optional prompt to assign the self sign SSL certificate a custom expiry date, un-comment to force a manual entry # Optional prompt to assign the self sign TLS certificate a custom expiry date, un-comment to force a manual entry
#if [ "${SELF_SIGN}" = true ]; then #if [ "${SELF_SIGN}" = true ]; then
# read - p "PROXY: Enter number of days till SSL certificate expires [default 3650]: " CERT_DAYS # read - p "PROXY: Enter number of days till TLS certificate expires [default 3650]: " CERT_DAYS
#fi #fi
# If no self sign SSL certificate expiry given, lets assume a generous 10 year default certificate expiry # If no self sign TLS certificate expiry given, lets assume a generous 10 year default certificate expiry
if [ -z "${CERT_DAYS}" ]; then if [ -z "${CERT_DAYS}" ]; then
CERT_DAYS="3650" CERT_DAYS="3650"
fi fi
# Prompt for Let's Encrypt SSL reverse proxy configuration option # Prompt for Let's Encrypt TLS reverse proxy configuration option
if [[ -z ${LETS_ENCRYPT} ]] && [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = "false" ]]; then if [[ -z ${LETS_ENCRYPT} ]] && [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = "false" ]]; then
echo -e -n "FRONT END: Add Let's Encrypt SSL support to Nginx reverse proxy [y/N] [default n]: ${GREY}" echo -e -n "FRONT END: Add Let's Encrypt TLS support to Nginx reverse proxy [y/N] [default n]: ${GREY}"
read PROMPT read PROMPT
if [[ ${PROMPT} =~ ^[Yy]$ ]]; then if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
LETS_ENCRYPT=true LETS_ENCRYPT=true
@ -565,7 +568,7 @@ fi
clear clear
echo echo
echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup." echo -e "${GREYB}Itiligent VDI & Jump Server Appliance Setup."
echo -e " ${LGREEN}Powered by Guacamole" echo -e " ${LGREEN}Powered by Guacamole"
echo echo
echo echo
echo -e "${LGREEN}Beginning Guacamole setup...${GREY}" echo -e "${LGREEN}Beginning Guacamole setup...${GREY}"
@ -599,11 +602,11 @@ sed -i "s|GUAC_DB=|GUAC_DB='${GUAC_DB}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|DB_BACKUP_DIR=|DB_BACKUP_DIR='${DB_BACKUP_DIR}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|DB_BACKUP_DIR=|DB_BACKUP_DIR='${DB_BACKUP_DIR}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|BACKUP_EMAIL=|BACKUP_EMAIL='${BACKUP_EMAIL}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|BACKUP_EMAIL=|BACKUP_EMAIL='${BACKUP_EMAIL}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|BACKUP_RETENTION=|BACKUP_RETENTION='${BACKUP_RETENTION}'|g" $DOWNLOAD_DIR/backup-guac.sh sed -i "s|BACKUP_RETENTION=|BACKUP_RETENTION='${BACKUP_RETENTION}'|g" $DOWNLOAD_DIR/backup-guac.sh
sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh sed -i "s|CERT_COUNTRY=|CERT_COUNTRY='${CERT_COUNTRY}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh sed -i "s|CERT_STATE=|CERT_STATE='${CERT_STATE}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh sed -i "s|CERT_LOCATION=|CERT_LOCATION='${CERT_LOCATION=}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh sed -i "s|CERT_ORG=|CERT_ORG='${CERT_ORG}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-ssl-guac-gaucd.sh sed -i "s|CERT_OU=|CERT_OU='${CERT_OU}'|g" $DOWNLOAD_DIR/add-tls-guac-daemon.sh
# Export the relevant variable selections to child install scripts # Export the relevant variable selections to child install scripts
export BACKUP_EMAIL=$BACKUP_EMAIL export BACKUP_EMAIL=$BACKUP_EMAIL
@ -675,16 +678,16 @@ if [ "${INSTALL_NGINX}" = true ]; then
echo -e "${LGREEN}Nginx install complete\nhttp://${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" echo -e "${LGREEN}Nginx install complete\nhttp://${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi fi
# Apply self signed SSL certificates to Nginx reverse proxy if option is selected # Apply self signed TLS certificates to Nginx reverse proxy if option is selected
if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]]; then if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]]; then
sudo -E ./4a-install-ssl-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS}
echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi fi
# Apply Let's Encrypt SSL certificates to Nginx reverse proxy if option is selected # Apply Let's Encrypt TLS certificates to Nginx reverse proxy if option is selected
if [[ "${INSTALL_NGINX}" = true ]] && [[ "${LETS_ENCRYPT}" = true ]]; then if [[ "${INSTALL_NGINX}" = true ]] && [[ "${LETS_ENCRYPT}" = true ]]; then
sudo -E ./4b-install-ssl-letsencrypt-nginx.sh sudo -E ./4b-install-tls-letsencrypt-nginx.sh
echo -e "${LGREEN}Let's Encrypt SSL configured for Nginx \n${LYELLOW}https:${LGREEN}//${LE_DNS_NAME} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" echo -e "${LGREEN}Let's Encrypt TLS configured for Nginx \n${LYELLOW}https:${LGREEN}//${LE_DNS_NAME} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
fi fi
# Duo Settings reminder - If Duo is selected you can't login to Guacamole at all until this extension is fully configured # Duo Settings reminder - If Duo is selected you can't login to Guacamole at all until this extension is fully configured

2
2-install-guacamole.sh
View file

@ -4,8 +4,6 @@
# For Ubuntu / Debian / Raspbian # For Ubuntu / Debian / Raspbian
# David Harrop # David Harrop
# April 2023 # April 2023
# Special thanks to MysticRyuujin for much of the guac install outline here
# pls see https://github.com/MysticRyuujin/guac-install for more
####################################################################################################################### #######################################################################################################################
# Prepare text output colours # Prepare text output colours

4
3-install-nginx.sh
View file

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
####################################################################################################################### #######################################################################################################################
# Add Nginx reverse proxy fromt end to default Guacamole install # Add Nginx reverse proxy front end to default Guacamole install
# For Ubuntu / Debian / Raspbian # For Ubuntu / Debian / Raspbian
# 3 of 4 # 3 of 4
# David Harrop # David Harrop
@ -55,8 +55,6 @@ fi
sudo sed -i -e '/ssl_protocols/s/^/#/' /etc/nginx/nginx.conf sudo sed -i -e '/ssl_protocols/s/^/#/' /etc/nginx/nginx.conf
sudo sed -i "/SSL Settings/a \ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE" /etc/nginx/nginx.conf sudo sed -i "/SSL Settings/a \ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE" /etc/nginx/nginx.conf
# Symlink from sites-available to sites-enabled # Symlink from sites-available to sites-enabled
ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/ ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/

58
4a-install-ssl-self-signed-nginx.sh → 4a-install-tls-self-signed-nginx.sh
View file

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
####################################################################################################################### #######################################################################################################################
# Add self signed SSL certificates to Guacamole with Nginx reverse proxy # Add self signed TLS certificates to Guacamole with Nginx reverse proxy
# For Ubuntu / Debian / Rasbpian # For Ubuntu / Debian / Rasbpian
# 4a of 4 # 4a of 4
# David Harrop # David Harrop
@ -18,41 +18,15 @@ NC='\033[0m' #No Colour
echo echo
echo echo
echo -e "${LGREEN}Setting up self signed SSL certificates for Nginx...${GREY}" echo -e "${LGREEN}Setting up self signed TLS certificates for Nginx...${GREY}"
echo echo
# Setup script cmd line arguments for proxy site and certificate days # Setup script cmd line arguments for proxy site and certificate days
SSLNAME=$1 SSLNAME=$1
SSLDAYS=$2 SSLDAYS=$2
#######################################################################################################################
# If you wish to add/regenerate self signed SSL to a pre-existing Nginx install, this script can be adapted to be run
# standalone. To run as standalone, simply un-comment this entire section and provide the desired variable
# values to complete the reconfiguration of Nginx.
# Variable inputs
#TOMCAT_VERSION="tomcat9" # Not needed for general SSL install(if Guacamole not present, also comment the tomcat restart)
#DOWNLOAD_DIR=$(eval echo ~${SUDO_USER})
#LOG_LOCATION="${DOWNLOAD_DIR}/ssl_install.log"
#TMP_DIR=/tmp
#GUAC_URL=http://localhost:8080/guacamole/ # substitute for whatever url that nginx is proxying
#CERT_COUNTRY="AU" # must be two letter code!
#CERT_STATE="Victoria"
#CERT_LOCATION="Melbourne"
#CERT_ORG="Itiligent"
#CERT_OU="I.T. dept"
#PROXY_SITE=$SSLNAME
# To run manually or to regenerate SSL certificates, this script must be run in the current user environment [-E switch]
# Be aware that running this script just as sudo will save certs to sudo's home path with incorrect permissions,
# plus the custom certificate install instructions shown after running will be invalid.
# e.g. sudo -E ./4a-install-ssl-self-signed-nginx.sh proxy-site-name 3650
#######################################################################################################################
# Discover IPv4 interface # Discover IPv4 interface
echo -e "${GREY}Discovering the default route interface and Proxy DNS name to bind with the new SSL certificate..." echo -e "${GREY}Discovering the default route interface and Proxy DNS name to bind with the new TLS certificate..."
DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1) DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
@ -62,8 +36,8 @@ else
echo echo
fi fi
echo -e "${GREY}New self signed SSL certificate attributes are shown below...${DGREY}" echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}"
# Display the new SSL cert parameters. # Display the new TLS cert parameters.
cat <<EOF | tee -a $TMP_DIR/cert_attributes.txt cat <<EOF | tee -a $TMP_DIR/cert_attributes.txt
[req] [req]
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
@ -88,18 +62,12 @@ subjectAltName = @alt_names
DNS.1 = $PROXY_SITE DNS.1 = $PROXY_SITE
IP.1 = $DEFAULT_IP IP.1 = $DEFAULT_IP
EOF EOF
# Add IP.2 & IP.3 above EOF as needed.
#IP.2 = $IP3
#IP.3 = $IP3
# Additional DNS names can also be manually added into the above cat <<EOF as needed.
#DNS.2 =
#DNS.3 =
# Set default certificate file destinations. These can be adapted for any other SSL application. # Set default certificate file destinations. These can be adapted for any other TLS application.
DIR_SSL_CERT="/etc/nginx/ssl/cert" DIR_SSL_CERT="/etc/nginx/ssl/cert"
DIR_SSL_KEY="/etc/nginx/ssl/private" DIR_SSL_KEY="/etc/nginx/ssl/private"
# Make directories to place SSL Certificate if they don't exist # Make directories to place TLS Certificate if they don't exist
if [[ ! -d $DIR_SSL_KEY ]]; then if [[ ! -d $DIR_SSL_KEY ]]; then
sudo mkdir -p $DIR_SSL_KEY sudo mkdir -p $DIR_SSL_KEY
fi fi
@ -113,7 +81,7 @@ if [[ $SSLDAYS == "" ]]; then
fi fi
echo echo
echo "{$GREY}Creating a new Nginx SSL Certificate ..." echo "{$GREY}Creating a new Nginx TLS Certificate ..."
openssl req -x509 -nodes -newkey rsa:2048 -keyout $SSLNAME.key -out $SSLNAME.crt -days $SSLDAYS -config $TMP_DIR/cert_attributes.txt openssl req -x509 -nodes -newkey rsa:2048 -keyout $SSLNAME.key -out $SSLNAME.crt -days $SSLDAYS -config $TMP_DIR/cert_attributes.txt
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2 echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
@ -123,7 +91,7 @@ else
echo echo
fi fi
# Place SSL Certificate within defined path # Place TLS Certificate within defined path
sudo cp $SSLNAME.key $DIR_SSL_KEY/$SSLNAME.key sudo cp $SSLNAME.key $DIR_SSL_KEY/$SSLNAME.key
sudo cp $SSLNAME.crt $DIR_SSL_CERT/$SSLNAME.crt sudo cp $SSLNAME.crt $DIR_SSL_CERT/$SSLNAME.crt
@ -151,7 +119,7 @@ else
fi fi
# Update Nginx config to accept the new certificates # Update Nginx config to accept the new certificates
echo -e "${GREY}Configuring Nginx proxy to use self signed SSL certificates and setting up automatic HTTP to HTTPS redirect...${DGREY}" echo -e "${GREY}Configuring Nginx proxy to use self signed TLS certificates and setting up automatic HTTP to HTTPS redirect...${DGREY}"
#cat > /etc/nginx/sites-available/$PROXY_SITE <<EOL | > /dev/null #cat > /etc/nginx/sites-available/$PROXY_SITE <<EOL | > /dev/null
cat <<EOF | tee /etc/nginx/sites-available/$PROXY_SITE cat <<EOF | tee /etc/nginx/sites-available/$PROXY_SITE
server { server {
@ -233,7 +201,7 @@ SHOWASTEXT1='$mypwd'
SHOWASTEXT2='"Cert:\LocalMachine\Root"' SHOWASTEXT2='"Cert:\LocalMachine\Root"'
printf "${GREY}+------------------------------------------------------------------------------------------------------------- printf "${GREY}+-------------------------------------------------------------------------------------------------------------
${LGREEN}+ WINDOWS CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY} ${LGREEN}+ WINDOWS CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+ +
+ 1. In ${DOWNLOAD_DIR} is a Windows version of the new certificate ${LYELLOW}$SSLNAME.pfx${GREY} + 1. In ${DOWNLOAD_DIR} is a Windows version of the new certificate ${LYELLOW}$SSLNAME.pfx${GREY}
+ 2. Import this PFX file into your Windows client with the below Powershell commands (as Administrator): + 2. Import this PFX file into your Windows client with the below Powershell commands (as Administrator):
@ -241,7 +209,7 @@ ${LGREEN}+ WINDOWS CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONT
echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText" echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText"
echo -e "Import-pfxCertificate -FilePath $SSLNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}"" echo -e "Import-pfxCertificate -FilePath $SSLNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}""
printf "${GREY}+------------------------------------------------------------------------------------------------------------- printf "${GREY}+-------------------------------------------------------------------------------------------------------------
${LGREEN}+ LINUX CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY} ${LGREEN}+ LINUX CLIENT SELF SIGNED TLS BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+ +
+ 1. In ${DOWNLOAD_DIR} is a new Linux native OpenSSL certificate ${LYELLOW}$SSLNAME.crt${GREY} + 1. In ${DOWNLOAD_DIR} is a new Linux native OpenSSL certificate ${LYELLOW}$SSLNAME.crt${GREY}
+ 2. Import the CRT file into your Linux client certificate store with the below command: + 2. Import the CRT file into your Linux client certificate store with the below command:
@ -250,7 +218,7 @@ echo -e "(If certutil is not installed, run apt-get install libnss3-tools)"
echo -e "mkdir -p $HOME/.pki/nssdb && certutil -d $HOME/.pki/nssdb -N" echo -e "mkdir -p $HOME/.pki/nssdb && certutil -d $HOME/.pki/nssdb -N"
echo -e "certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,c" -n $SSLNAME -i $SSLNAME.crt" echo -e "certutil -d sql:$HOME/.pki/nssdb -A -t "CT,C,c" -n $SSLNAME -i $SSLNAME.crt"
printf "+-------------------------------------------------------------------------------------------------------------\n" printf "+-------------------------------------------------------------------------------------------------------------\n"
echo -e "${LYELLOW}The above SSL browser config instructions are saved in ${LGREEN}$LOG_LOCATION${GREY}" echo -e "${LYELLOW}The above TLS browser config instructions are saved in ${LGREEN}$LOG_LOCATION${GREY}"
# Done # Done
echo -e ${NC} echo -e ${NC}

51
4b-install-ssl-letsencrypt-nginx.sh → 4b-install-tls-letsencrypt-nginx.sh
View file

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
####################################################################################################################### #######################################################################################################################
# Add Let's Encrypt SSL Certificates to Guacamole with Nginx reverse proxy # Add Let's Encrypt TLS Certificates to Guacamole with Nginx reverse proxy
# For Ubuntu / Debian / Raspbian # For Ubuntu / Debian / Raspbian
# 4b of 4 # 4b of 4
# David Harrop # David Harrop
@ -18,54 +18,9 @@ NC='\033[0m' #No Colour
echo echo
echo echo
echo -e "${LGREEN}Installing Let's Encrypt SSL configuration for Nginx...${GREY}" echo -e "${LGREEN}Installing Let's Encrypt TLS configuration for Nginx...${GREY}"
echo echo
#######################################################################################################################
# If you wish to add/regenerate self signed SSL to a pre-existing Nginx install, this script can be adapted to be run
# standalone. To run as standalone, simply un-comment this entire section and provide the desired variable
# values to complete the reconfiguration of Nginx.
# Variable inputs
#TOMCAT_VERSION="tomcat9" # Not be needed for genreral SSL install SSL (i.e. where Guacamole not present)
#DOWNLOAD_DIR=$(eval echo ~${SUDO_USER})
#LOG_LOCATION="${DOWNLOAD_DIR}/ssl_install.log"
#GUAC_URL=http://localhost:8080/guacamole/ # substitute for whatever url that nginx is proxying
# Find the existing nginx site name
#echo -e "${GREY}Discovering exising proxy sites to configure with SSL...${GREY}"
#for file in "/etc/nginx/sites-enabled"/*
#do
#PROXY_SITE="${file##*/}"
#done
#if [ $? -ne 0 ]; then
# echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
# exit 1
# else
# echo -e "${LGREEN}OK${GREY}"
#fi
#echo
# Prompt for the FQDN of the new Let's encrypt certificate
#while true
#do
#echo -e "${LGREEN}"
#read -p "Enter the public FQDN for your proxy site: " LE_DNS_NAME
#echo
# [ "${LE_DNS_NAME}" != "" ] && break
#done
# Prompt for the admin/webmaster email for Let's encrypt certificate notifications
#while true
#do
#echo -e "${LGREEN}"
#read -p "Enter the email address for Let's Encrypt notifications : " LE_EMAIL
#echo
# [ "${LE_EMAIL}" != "" ] && break
#done
#echo -e "${GREY}"
#######################################################################################################################
# Install nginx # Install nginx
apt-get update -qq &>>${LOG_LOCATION} apt-get update -qq &>>${LOG_LOCATION}
apt-get install nginx certbot python3-certbot-nginx -qq -y &>>${LOG_LOCATION} apt-get install nginx certbot python3-certbot-nginx -qq -y &>>${LOG_LOCATION}
@ -83,7 +38,7 @@ else
fi fi
# Configure Nginx to accept the new certificates # Configure Nginx to accept the new certificates
echo -e "${GREY}Configuring Nginx proxy for Let's Encrypt SSL and setting up automatic HTTP redirect...${GREY}" echo -e "${GREY}Configuring Nginx proxy for Let's Encrypt TLS and setting up automatic HTTP redirect...${GREY}"
cat >/etc/nginx/sites-available/$PROXY_SITE <<EOL cat >/etc/nginx/sites-available/$PROXY_SITE <<EOL
server { server {
listen 80 default_server; listen 80 default_server;

12
ACTIVE-DIRECTORY-HOW-TO.md
View file

@ -41,9 +41,9 @@ ldap-max-search-results:200
``` ```
- **_Important note on `ldap-user-base-dn:`_** _This value sets a position in the directory as a relative root to search within. All Guacamole users to be authenticated by Active Directory must be placed in a lower position within the directory tree to this value. This line can be added multiple times to more efficiently search across multiple branches of a directory tree._ - **_Important note on `ldap-user-base-dn:`_** _This value sets a position in the directory as a relative root to search within. All Guacamole users to be authenticated by Active Directory must be placed in a lower position within the directory tree to this value. This line can be added multiple times to more efficiently search across multiple branches of a directory tree._
- **_Important note on `ldap-max-search-results:`_** _Yes, there is no space before the :200 value. In larger environments managing the directory efficiently requires we don't query every object in the tree for every user lookup. You may need to adjust this number depending on the number of objects in you tree._ - **_Important note on `ldap-max-search-results:`_** _Yes, there is no space before the :200 value. In larger environments managing the directory efficiently requires we don't query every object in the tree for every user lookup. You may need to adjust this number depending on the number of objects in your tree._
- **_Important note on `mysql-auto-create-accounts:`_** _This line is optional and can be deleted. This line ensures that all Active Directory user accounts will have a matching user account created in the Guacamole db at first logon. Local Guacamole accounts are NOT necessarily needed for access to Guacamole connections - these are only necessary when deploying MFA or you want to assign other settings specific to individual users. Domain users can be provisioned access to connections without creating local users in the Guacamole db. For many use cases, manually creating a small number of Guacamole user accounts to their matching domain accounts may be more preferable than all users inheriting access to establish a local account in the Guacamole db. See below for manual account setup._ - **_Important note on `mysql-auto-create-accounts:`_** _This line is optional and can be deleted. This line ensures that all Active Directory user accounts will have a matching user account created in the Guacamole db at first logon. Local Guacamole accounts are NOT necessarily needed for access to Guacamole connections - these are only necessary when deploying MFA or you want to assign other settings specific to individual users. Domain users can be provisioned access to Guacamole sessions connections without creating local users in the Guacamole db. For many use cases, manually creating a small number of Guacamole user accounts to their matching domain accounts may be more preferable than all users inheriting access to establish a local account in the Guacamole db. See below for manual account setup._
## **4. Run the (now customised) LDAP configuration script** ## **4. Run the (now customised) LDAP configuration script**
@ -51,7 +51,7 @@ ldap-max-search-results:200
## **5. Logging on to Guacamole with the new guacbind-ad account** ## **5. Logging on to Guacamole with the new guacbind-ad account**
- When logging in to Guacamole as the new Active Directory account and password created above, that domain user now passes through to Guacamole as both a Guacamole admin and a Domain User. If all is working correctly, all the users located below the directory tree position set in **ldap-user-base-dn** will be listed under **Settings | Users** of the Guacamole management console. - When logging in to Guacamole as the new Active Directory account and password created above, that domain user now passed through to Guacamole as both a Guacamole admin and a Domain User. If all is working correctly, all the users located below the directory tree position set in **ldap-user-base-dn** will be listed under **Settings | Users** of the Guacamole management console.
## **6. Manually creating and configuring new Guacamole users for Active Directory authentication** ## **6. Manually creating and configuring new Guacamole users for Active Directory authentication**
@ -59,15 +59,15 @@ ldap-max-search-results:200
## **7. Logging on using either the local vs the domain guacbind-ad account** ## **7. Logging on using either the local vs the domain guacbind-ad account**
- As described above, logging on with the Guacamole admin user password will authenticate with the local Guacamole admin account, conversely if the Guacamole admin domain account password is given, the domain account is authenticated via Active Directory and then passed through as authorised to administer Guacamole. It may sometimes be necessary to log on with the local Guacamole admin account to manage some admin functions, but be aware that when doing so you will not be able to view and search the user list from Active Directory. Only when logged on with the domain version of the Guacamole admin account can domain user permissions to various Guacamole sessions and objects be delegated and managed. - As described above, logging on with the Guacamole admin user password will authenticate with the local Guacamole admin account, conversely if the Guacamole admin domain account password is given, the domain account is authenticated via Active Directory and then passed through as authorised to administer Guacamole. It may sometimes be necessary to log on with the local Guacamole admin account to manage some application functions, but be aware that when doing so you will not be able to view and search the user list from Active Directory. Only when logged on with the domain version of the Guacamole admin account can domain user permissions to various Guacamole sessions and objects be delegated and managed.
## **8. Creating a quasi Single Sign On user experience for Windows RDP access** ## **8. Creating a quasi Single Sign On user experience for Windows RDP access**
- Create a Global Security domain group (e.g. Guac_Users) and populate it with selected domain users as required. - Create a Global Security domain group (e.g. Guac_Users) and populate it with selected domain users as required.
- Now add this new security group to the built-in “Remote Desktop Users” domain group. - Now add this new security group to the built-in “Remote Desktop Users” domain group.
- Next, for each connection profile you wish to create the SSO behaviour, _parameter_ _tokens_ must be used in place of hard coded usernames and password values as follows... - Next, for each connection profile you wish to create the SSO experience and behaviour, _parameter_ _tokens_ must be used in place of hard coded usernames and password values as follows...
- Add the parameter token `${GUAC_USERNAME}` to the Username field for each connection profile - Add the parameter token `${GUAC_USERNAME}` to the Username field for each connection profile
- Add the parameter token `${GUAC_PASSWORD}` to the Password field for each connection profile - Add the parameter token `${GUAC_PASSWORD}` to the Password field for each connection profile
- If the user has been given directory rights to the Guacamole session object, Guacamole will first authenticate the user to the Guacamole application (via a brokered Active Directory challenge) and then seamlessly pass the user's same domain credentials through to the Guacamole remote desktop session, thus avoiding any further remote desktop authentication prompts. - If the user has been given directory rights to the Guacamole session object, Guacamole will first authenticate the user to the Guacamole application (via a brokered Active Directory challenge) and then seamlessly pass the user's same domain credentials through to the Guacamole remote desktop session, thus avoiding any further remote desktop authentication prompts.
- For more info on other dynamic connection settings see https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens - For more info on other dynamic connection settings see https://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens
- For full SSO, the SAML authentication must be used. As the SAML extension requires a very bespoke approach to configuring login providers and login behaviours, the SAML authentication feature is beyond the scope of this project. - For full SSO, the SAML authentication extension must be used. As the Guacamole SAML extension requires a very bespoke approach to configuring login providers and login behaviours, the SAML authentication feature is beyond the scope of this project. If your organisation already uses SAML within your infrastructure then you likely already know what to do to implement.

89
README.md
View file

@ -1,68 +1,64 @@
# **Guacamole 1.5.3 VDI / Jump Server Appliance Build Script** # **Guacamole 1.5.3 VDI / Jump Server Appliance Build Script**
A menu based build & install script for Guacamole 1.5.3 with support for TLS reverse proxy, AD integration, multi-factor authentication and further security hardening. A menu based source build & install script for Guacamole 1.5.3 with support for TLS reverse proxy, AD integration, multi-factor authentication and further security hardening.
### **Automatic build, install & config script** ### **Automatic build, install & config script**
To install Guacamole, paste the following command into your terminal **(do not run as sudo)**: To build the Guacamole appliance, paste the below link into a terminal and follow prompts **(do not run as sudo)**:
``` ```
wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh
``` ```
## **Prerequisites** ## **Prerequisites**
### PLEASE NOTE: DEBIAN 12 & Tomcat 10 NOT COMPATIBLE - SEE ISSUE #10 ### NOTE: DEBIAN 12 & TOMCAT 10 NOT CURRENTLY COMPATIBLE - SEE ISSUE #10
- **Ubuntu 18.04 - 22.x / Debian 11 & 10 / Raspbian Buster or Bullseye** - **Ubuntu 18.04 - 22.x / Debian 11 & 10 / Raspbian Buster or Bullseye**
- *(if using OS vendor cloud images - you must use **stable releases of the above OS variants.** Daily cloud image builds are akin to rolling releases and may contain as yet unsupported updates that break Guacamole!)* - *(if using OS vendor cloud images - you must use **stable releases of the above OS variants.** Daily cloud image builds are akin to rolling releases and may contain as yet unsupported updates that break Guacamole!)*
- Minimum 8GB RAM and 40GB HDD - Minimum 8GB RAM and 40GB HDD
- Public or private DNS entries that match the default route interface IP address (required for TLS) - Public or private DNS entries that match the default route interface IP address (required for TLS)
- Incoming access on TCP ports 22, 80, and 443 - Incoming access on TCP ports 22, 80, and 443
- The user executing the wget installer script **must be a member of the sudo group** - Do not run as root. The user executing the installer script must instead be a **member of the sudo group**
## **Setup Menu Flow** ## **Installer Menu Flow**
### **1. Confim the system hostname & local domain suffix** ### **1. Confirm the system hostname & local dns domain suffix**
- Change or keep the current hostname and local DNS suffix
### **2. Select a MySQL instance type and security baseline** ### **2. Select a MySQL instance type and security baseline**
- Install a new local MySQL instance, or choose an existing/remote MySQL instance. - Install a new local MySQL instance, or choose an existing/remote MySQL instance?
- *Optionally add MySQL **mysql_secure_installation** settings to the selected MySQL instance* - *Optionally add MySQL **mysql_secure_installation** settings to the selected MySQL instance*
- *Optionally provide an email address for backup messages and alerts* - *Optionally provide an email address for backup messages and alerts*
### **3. Pick an authentication extension** ### **3. Pick an authentication extension**
- **DUO, TOTP, LDAP or None** - DUO, TOTP, LDAP or none?
- *Simultaneous TOTP and DUO not possible, but LDAP with TOTP is ok.*
### **4. Choose the Guacamole front end** ### **4. Choose the Guacamole front end**
- **Install Nginx reverse Proxy?** [y/n] - **Install Nginx reverse Proxy?** [y/n]
- No: Keep the Guacamole native front end & url http://server.local:8080/guacamole - No: Keeps the Guacamole native front end & url http://server.local:8080/guacamole
- *Sub option: Change Guacamole's default url to http root? Yes = http://server.local:8080*
- Yes: Prompts for a reverse proxy local dns name (this can be different to the hostname) - Yes: Prompts for a reverse proxy local dns name (this can be different to the hostname)
- **Install Nginx reverse proxy with a self-signed SSL certificate?** [y/n] - **Install Nginx reverse proxy with a self-signed TLS certificate?** [y/n]
- No: Installs Nginx as **http** reverse proxy with the given local dns name e.g. http://server.local - No: Installs Nginx as **http** reverse proxy, Guacamole site set to http://server.local
- Yes: Installs Nginx as **https** reverse proxy with the given local dns name e.g https://server.local - Yes: Installs Nginx as **https** reverse proxy, Guacamole site set to https://server.local
- *Auto configures Nginx with a self signed TLS certificate and http redirect* - *Nginx is configured with a self signed TLS certificate and http redirect*
- *Auto generates Windows & Linux client browser certificates* - *Windows & Linux self signed client browser certificates generated*
- **Install Nginx reverse proxy with a Let's Encrypt certificate?** [y/n] - **Install Nginx reverse proxy with a Let's Encrypt certificate?** [y/n]
- Yes: = Prompts for a webmaster email & public reverse proxy dns name e.g https://your-public-site.com - Yes: Prompts for a webmaster email & public reverse proxy dns name
- *Installs Nginx with the given public dns name* - *Installs Nginx as **https** reverse proxy, Guacamole site set to* https://your-public-site.com
- *Auto configures Nginx with a new LetsEncrypt certificate and http redirect* - *Nginx configured with a new LetsEncrypt certificate and http redirect*
- *Auto configures certificate notifications to the webmaster email* - *Ongoing certbot certificate renewals scheduled*
- *Auto schedules recurring certificate renewals*
## **Optional post install hardening** ## **Post install hardening options**
The installer downloads additional scripts to manually run: The installer additionally downloads the following manual configuration scripts:
- `add-fail2ban.sh` - Adds a conservative fail2ban lockdown policy to Guacamole & whitelists local LAN - `add-fail2ban.sh` - Adds a baseline fail2ban lockdown policy to Guacamole (& whitelists the local subnet)
- `add-ssl-guac-gaucd.sh` - Encrypts internal traffic between Guacamole application and Guacd daemon with TLS - `add-tls-guac-daemon.sh` - Adds a TLS wrapper to internal traffic between the Guacamole application and guacd server daemon
- `add-auth-ldap.sh` - Template script for integrating with Active Directory (See ACTIVE-DIRECTORY-HOW-TO.md) - `add-auth-ldap.sh` - A template script for integrating Guacamole with Active Directory
- `add-smtp-relay-o365.sh` - Template script for email alerts via MSO65 (SMTP auth, requires BYO app password) - `add-smtp-relay-o365.sh` - A template script for email alerts via MSO65 (SMTP auth via BYO app password)
## **Active Directory integration** ## **Active Directory integration**
@ -71,32 +67,31 @@ See Active Directory authentication instructions [here](https://github.com/itili
## **Installation notes** ## **Installation notes**
To create a custom or unattended setup, follow these steps: The installer can be run interactively, or for a customised/unattended setup:
1. From a terminal session, change to your home directory then paste and run the above wget setup link. 1. From a terminal session, change to your home directory then paste and run the above wget autorun link.
2. Exit the `1-setup.sh` script at the first prompt. (At this point only the scripts have downloaded). 2. Exit the `1-setup.sh` script at the first prompt. (At this point only the scripts have downloaded).
3. Customise the installation variables in the "Silent setup options" section of `1-setup.sh` as appropriate. 3. Customise the many installation variables in the "Silent setup options" section of `1-setup.sh` as appropriate.
- *Note that script variables with an actual value (e.g. `VARIABLE="value"`) will not prompt during the interactive setup. This means that with the right combination of script variable inputs, it is possible to mass deploy full Guacamole appliances with zero touch.* - *Script variables with a given value (e.g. `VARIABLE="value"`) will not prompt during the interactive setup. With the right combination of custom script variables, it is possible to deploy Guacamole appliance(s) with zero touch in only minutes.*
4. **After setting your custom variable values in `1-setup.sh`, you must now run the modified script saved locally with `./1-setup.sh` Beware: If you run the setup script once again via the wget link you will overwrite all your changes!** 4. **Beware: If any settings in `1-setup.sh` are edited, you must run this modified script locally. If you run the wget autorun link again you will overwrite all your changes!**
- *There should be no need to customise any scripts other than `1-setup.sh` as all install options are managed in this parent script.* - *All install options are managed from within `1-setup.sh`. If you edit any of the other downloaded scripts, **you must also comment out each script's corresponding download link** within the "Download GitHub Setup" section of `1-setup.sh` to prevent re-download and overwrite when running setup.*
- *If you must make changes to any other downloaded scripts, you must also comment out their corresponding wget lines in the "Download GitHub Setup" section at the top of `1-setup.sh` to prevent a re-download and overwrite when re-running the setup.* - *Some manual scripts are automatically customised at installation to reflect various install settings and options.*
- *Be aware that all optional (manually run) `add-xxxx.sh` scripts are dynamically updated during the installation with variables selected at install. Editing anything other than `1-setup.sh` may break this functionality.* 6. If the TLS self signed option is selected, client TLS certificates will be saved to `$DOWNLOAD_DIR/guac-setup`.
6. If the self signed SSL option is selected, client TLS certificates are saved to `$DOWNLOAD_DIR/guac-setup`. 7. Nginx is configured to only support TLS 1.2 or above.
7. If any TLS option is selected, Nginx is configured to only support connections using TLS 1.2 or above.
## **Setup download manifest** ## **Download manifest**
The setup command mentioned above downloads the following items into the `$DOWNLOAD_DIR/guac-setup` directory: The autorun link above downloads the following items into the `$DOWNLOAD_DIR/guac-setup` directory:
- `1-setup.sh`: The parent install script itself - `1-setup.sh`: The parent install script itself (saved to the current directory)
- `2-install-guacamole.sh`: Guacamole installation script (inspired by [MysticRyuujin/guac-install](https://github.com/MysticRyuujin/guac-install)) - `2-install-guacamole.sh`: Guacamole installation script (based on [MysticRyuujin/guac-install](https://github.com/MysticRyuujin/guac-install))
- `3-install-nginx.sh`: Installs Nginx & auto-configures a front-end reverse proxy for Guacamole (optional) - `3-install-nginx.sh`: Installs Nginx & auto-configures a front-end reverse proxy for Guacamole (optional)
- `4a-install-ssl-self-signed-nginx.sh`: Configures self-signed TLS certificate for Nginx proxy (optional) - `4a-install-tls-self-signed-nginx.sh`: Configures self-signed TLS certificate for Nginx proxy (optional)
- `4b-install-ssl-letsencrypt-nginx.sh`: Installs & configures Let's Encrypt for Nginx proxy (optional) - `4b-install-tls-letsencrypt-nginx.sh`: Installs & configures Let's Encrypt for Nginx proxy (optional)
- `add-auth-duo.sh`: Adds the Duo MFA extension if not selected during install (optional) - `add-auth-duo.sh`: Adds the Duo MFA extension if not selected during install (optional)
- `add-auth-ldap.sh`: Adds the Active Directory extension and setup template if not selected at install (optional) - `add-auth-ldap.sh`: Adds the Active Directory extension and setup template if not selected at install (optional)
- `add-auth-totp.sh`: Adds the TOTP MFA extension if not selected at install (optional) - `add-auth-totp.sh`: Adds the TOTP MFA extension if not selected at install (optional)
- `add-ssl-guac-gaucd.sh`: A hardening script to add a TLS wrapper between the guacd daemon and Guacamole client application traffic (optional, consider extra performance impact mitigations) - `add-tls-guac-daemon.sh`: A hardening script to add a TLS wrapper between the guacd server daemon and Guacamole application traffic (optional, consider extra performance impact mitigations)
- `add-fail2ban.sh`: Adds a fail2ban policy (with local subnet override) to secure Guacamole against external brute force attacks - `add-fail2ban.sh`: Adds a fail2ban policy (with local subnet override) to secure Guacamole against external brute force attacks
- `add-smtp-relay-o365.sh`: Sets up a TLS/SMTP auth relay with O365 for monitoring & alerts (BYO app password) - `add-smtp-relay-o365.sh`: Sets up an SMTP auth relay with O365 for monitoring & alerts (BYO app password)
- `backup-guacamole.sh`: A simple MySQL Guacamole backup script - `backup-guacamole.sh`: A simple MySQL Guacamole backup script
- `branding.jar`: An example template for a customised Guacamole login screen. The extension allows some measure of branding the user interface (or delete to keep the default interface). This is a version of https://github.com/Zer0CoolX/guacamole-customize-loginscreen-extension but with further tweaks to additionally support custom browser tab favicons. Much more extensive branding is possible via CSS inside this extension. - `branding.jar`: An example template for a customised Guacamole login screen. Much further UI customisation is possible inside this extension via additional CSS. Delete this file to keep the default Guacmole UI.

2
add-auth-duo.sh
View file

@ -50,7 +50,7 @@ echo "duo-api-hostname: ??????????"
echo "duo-secret-key: ??????????" echo "duo-secret-key: ??????????"
echo "duo-application-key: (this is locally created - run 'pwgen 40 1' to manually generate this 40 char random value)" echo "duo-application-key: (this is locally created - run 'pwgen 40 1' to manually generate this 40 char random value)"
echo echo
echo "Once this change is complete, restart Guacamole with sudo systemctl restart tomcat9" echo "Once this change is complete, restart Guacamole with sudo systemctl restart ${TOMCAT_VERSION}"
rm -rf guacamole-* rm -rf guacamole-*

1
add-auth-ldap.sh
View file

@ -18,7 +18,6 @@ NC='\033[0m' #No Colour
clear clear
# Check if user is root or sudo # Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then if ! [ $(id -u) = 0 ]; then
echo echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2

1
add-auth-totp.sh
View file

@ -17,6 +17,7 @@ NC='\033[0m' #No Colour
clear clear
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then if ! [ $(id -u) = 0 ]; then
echo echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2

90
add-fail2ban.sh
View file

@ -17,6 +17,7 @@ NC='\033[0m' #No Colour
clear clear
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then if ! [ $(id -u) = 0 ]; then
echo echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
@ -40,10 +41,10 @@ rm -f /tmp/fail2ban.update
# Start setup prompts ################################################################################################# # Start setup prompts #################################################################################################
####################################################################################################################### #######################################################################################################################
# Prompt to install fail2ban base app, default of yes # Prompt to install fail2ban base package with no policy as yet, default of yes
if [[ -z ${FAIL2BAN_BASE} ]]; then if [[ -z ${FAIL2BAN_BASE} ]]; then
echo echo
echo -e -n "${LGREEN}Install Fail2ban? [default y]: ${GREY}" echo -e -n "${LGREEN}Install Fail2ban? (base package with no policy as yet) [default y]: ${GREY}"
read PROMPT read PROMPT
if [[ ${PROMPT} =~ ^[Nn]$ ]]; then if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
FAIL2BAN_BASE=false FAIL2BAN_BASE=false
@ -63,40 +64,40 @@ if [[ -z ${FAIL2BAN_GUAC} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
fi fi
fi fi
# Prompt to install Nginx fail2ban config defaults , default of no # Prompt to install Nginx fail2ban config defaults , default of no - NOT IMPLEMENTED YET
if [[ -z ${FAIL2BAN_NGINX} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then #if [[ -z ${FAIL2BAN_NGINX} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
echo -e -n "${GREY}POLICY: Apply Nginx fail2ban security policy? (y/n) [default n]:${GREY}" # echo -e -n "${GREY}POLICY: Apply Nginx fail2ban security policy? (y/n) [default n]:${GREY}"
read PROMPT # read PROMPT
if [[ ${PROMPT} =~ ^[Yy]$ ]]; then # if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
FAIL2BAN_NGINX=true # FAIL2BAN_NGINX=true
else # else
FAIL2BAN_NGINX=false # FAIL2BAN_NGINX=false
fi # fi
fi #fi
# Prompt to install SSH fail2ban config defaults , default of no # Prompt to install SSH fail2ban config defaults , default of no - NOT IMPLEMENTED YET
if [[ -z ${FAIL2BAN_SSH} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then #if [[ -z ${FAIL2BAN_SSH} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then
echo -e -n "${GREY}POLICY: Apply SSH fail2ban security policy? (y/n) [default n]:${GREY}" # echo -e -n "${GREY}POLICY: Apply SSH fail2ban security policy? (y/n) [default n]:${GREY}"
read PROMPT # read PROMPT
if [[ ${PROMPT} =~ ^[Yy]$ ]]; then # if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
FAIL2BAN_SSH=true # FAIL2BAN_SSH=true
else # else
FAIL2BAN_SSH=false # FAIL2BAN_SSH=false
fi # fi
fi #fi
####################################################################################################################### #######################################################################################################################
# Fail2ban base setup ################################################################################################# # Fail2ban base setup #################################################################################################
####################################################################################################################### #######################################################################################################################
# Install base fail2ban base application (no policy defined yet) # Install base fail2ban base application, and whitelist the local subnet as the starting baseline (no policy defined yet)
if [ "${FAIL2BAN_BASE}" = true ]; then if [ "${FAIL2BAN_BASE}" = true ]; then
#Update and install fail2ban (and john for management of config file updates) #Update and install fail2ban (and john for management of config file updates, and not overwrite any existing settings)
sudo apt-get update -qq >/dev/null 2>&1 sudo apt-get update -qq >/dev/null 2>&1
sudo apt-get install fail2ban john -qq -y >/dev/null 2>&1 sudo apt-get install fail2ban john -qq -y >/dev/null 2>&1
# Create the basic jail.local template # Create the basic jail.local template and local subnet whitelist
cat >/tmp/fail2ban.conf <<EOF cat >/tmp/fail2ban.conf <<EOF
[DEFAULT] [DEFAULT]
destemail = yourname@example.com destemail = yourname@example.com
@ -173,7 +174,7 @@ if [ "${FAIL2BAN_BASE}" = true ]; then
# Now the above loop is done, append the single loopback address to all the discovered the subnet IDs in a single line # Now the above loop is done, append the single loopback address to all the discovered the subnet IDs in a single line
sed -i 's/^/127.0.0.1\/24 /' /tmp/netaddr.txt sed -i 's/^/127.0.0.1\/24 /' /tmp/netaddr.txt
# Finally assemble the entire syntaxt of the ignoreip whitelist for insertion into the base fail2ban config # Finally assemble the entire syntax of the ignoreip whitelist for insertion into the base fail2ban config
SED_IGNORE=$(echo "ignoreip = ") SED_IGNORE=$(echo "ignoreip = ")
SED_NETADDR=$(cat /tmp/netaddr.txt) SED_NETADDR=$(cat /tmp/netaddr.txt)
sed -i "s|ignoreip \=|${SED_IGNORE}${SED_NETADDR}|g" /tmp/fail2ban.conf sed -i "s|ignoreip \=|${SED_IGNORE}${SED_NETADDR}|g" /tmp/fail2ban.conf
@ -181,7 +182,7 @@ if [ "${FAIL2BAN_BASE}" = true ]; then
# Move the new base fail2ban config to the jail.local file # Move the new base fail2ban config to the jail.local file
touch /etc/fail2ban/jail.local touch /etc/fail2ban/jail.local
# Apply thhe base config, keeping any pre-existing settings # Apply the base config, keeping any pre-existing settings
sudo bash -c 'cat /tmp/fail2ban.conf /etc/fail2ban/jail.local | unique /tmp/fail2ban.update ; cat /tmp/fail2ban.update > /etc/fail2ban/jail.local' sudo bash -c 'cat /tmp/fail2ban.conf /etc/fail2ban/jail.local | unique /tmp/fail2ban.update ; cat /tmp/fail2ban.update > /etc/fail2ban/jail.local'
# Clean up # Clean up
@ -190,7 +191,7 @@ if [ "${FAIL2BAN_BASE}" = true ]; then
rm -f /tmp/netaddr.txt rm -f /tmp/netaddr.txt
rm -f /tmp/fail2ban.update rm -f /tmp/fail2ban.update
# bounce the service to relaod the new config # bounce the service to reload the new config
sudo systemctl restart fail2ban sudo systemctl restart fail2ban
# Done # Done
@ -204,16 +205,18 @@ else
fi fi
####################################################################################################################### #######################################################################################################################
# Fail2ban optional setup items ####################################################################################### # Fail2ban optional policy setup items ################################################################################
####################################################################################################################### #######################################################################################################################
if [ "${FAIL2BAN_GUAC}" = true ]; then
# Create the Guacamole jail.local policy template # Create the Guacamole jail.local policy template
cat >/tmp/fail2ban.conf <<EOF cat >/tmp/fail2ban.conf <<EOF
[guacamole] [guacamole]
enabled = true enabled = true
port = http,https port = http,https
logpath = /var/log/$TOMCAT_VERSION/catalina.out logpath = /var/log/$TOMCAT_VERSION/catalina.out
bantime = 10m bantime = 15m
findtime = 60m findtime = 60m
maxretry = 5 maxretry = 5
EOF EOF
@ -232,8 +235,13 @@ REGEX='failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentica
#Insert the new regex #Insert the new regex
sed -i -e "/Authentication attempt from/a ${REGEX}" /etc/fail2ban/filter.d/guacamole.conf sed -i -e "/Authentication attempt from/a ${REGEX}" /etc/fail2ban/filter.d/guacamole.conf
# Bounce the service to relaod the new config # Done
echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban"
# Bounce the service to reload the new config
sudo systemctl restart fail2ban sudo systemctl restart fail2ban
echo
fi
# Clean up # Clean up
rm -f /tmp/fail2ban.conf rm -f /tmp/fail2ban.conf
@ -241,21 +249,17 @@ rm -f /tmp/ip_list.txt
rm -f /tmp/netaddr.txt rm -f /tmp/netaddr.txt
rm -f /tmp/fail2ban.update rm -f /tmp/fail2ban.update
# Done
echo -e "${LGREEN}Guacamole security policy applied${GREY}\n-${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban"
echo
############## Start Fail2ban NGINX security policy option ############### ############## Start Fail2ban NGINX security policy option ###############
if [ "${FAIL2BAN_NGINX}" = true ]; then #if [ "${FAIL2BAN_NGINX}" = true ]; then
echo -e "${LGREEN}Nginx Fail2ban policy not implemented yet.${GREY}" # echo -e "${LGREEN}Nginx Fail2ban policy not implemented yet.${GREY}"
echo # echo
fi #fi
############### Start Fail2ban SSH security policy option ################ ############### Start Fail2ban SSH security policy option ################
if [ "${FAIL2BAN_SSH}" = true ]; then #if [ "${FAIL2BAN_SSH}" = true ]; then
echo -e "${LGREEN}SSH Fail2ban policy not implemented yet..${GREY}" # echo -e "${LGREEN}SSH Fail2ban policy not implemented yet..${GREY}"
echo # echo
fi #fi
#Done #Done
echo -e ${NC} echo -e ${NC}

1
add-smtp-relay-o365.sh
View file

@ -26,6 +26,7 @@ SENDER=$SUDO_USER
SERVER=$(uname -n) SERVER=$(uname -n)
DOMAIN_SEARCH_SUFFIX=$(grep search /etc/resolv.conf | grep -v "#" | sed 's/'search[[:space:]]'//') DOMAIN_SEARCH_SUFFIX=$(grep search /etc/resolv.conf | grep -v "#" | sed 's/'search[[:space:]]'//')
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then if ! [ $(id -u) = 0 ]; then
echo echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2

12
add-ssl-guac-gaucd.sh → add-tls-guac-daemon.sh
View file

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
####################################################################################################################### #######################################################################################################################
# Harden Guacd <-> Guac client traffic in SSL wrapper # Harden Guacd <-> Guac client traffic in TLS wrapper
# For Ubuntu / Debian / Raspbian # For Ubuntu / Debian / Raspbian
# David Harrop # David Harrop
# April 2023 # April 2023
@ -15,6 +15,7 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m' LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour NC='\033[0m' #No Colour
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install
CERT_COUNTRY= CERT_COUNTRY=
CERT_STATE= CERT_STATE=
CERT_LOCATION= CERT_LOCATION=
@ -23,13 +24,14 @@ CERT_OU=
clear clear
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then if ! [ $(id -u) = 0 ]; then
echo echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
exit 1 exit 1
fi fi
# Create the special directory for guacd ssl certfifacte and key. # Create the special directory for guacd tls certificate and key.
sudo mkdir /etc/guacamole/ssl sudo mkdir /etc/guacamole/ssl
echo echo
cat <<EOF | tee -a cert_attributes.txt cat <<EOF | tee -a cert_attributes.txt
@ -57,11 +59,11 @@ DNS.1 = localhost
IP.1 = 127.0.0.1 IP.1 = 127.0.0.1
EOF EOF
# Create the self signining request, certificate & key # Create the self signing request, certificate & key
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/guacamole/ssl/guacd.key -out /etc/guacamole/ssl/guacd.crt -config cert_attributes.txt sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/guacamole/ssl/guacd.key -out /etc/guacamole/ssl/guacd.crt -config cert_attributes.txt
rm -f cert_attributes.txt rm -f cert_attributes.txt
# Point Gaucamole config file to certificate any key # Point Guacamole config file to certificate and key
sudo cat <<EOF | sudo tee /etc/guacamole/guacd.conf sudo cat <<EOF | sudo tee /etc/guacamole/guacd.conf
[server] [server]
bind_host = 127.0.0.1 bind_host = 127.0.0.1
@ -71,7 +73,7 @@ server_certificate = /etc/guacamole/ssl/guacd.crt
server_key = /etc/guacamole/ssl/guacd.key server_key = /etc/guacamole/ssl/guacd.key
EOF EOF
# Enable SSL backend # Enable TLS backend
sudo cat <<EOF | sudo tee -a /etc/guacamole/guacamole.properties sudo cat <<EOF | sudo tee -a /etc/guacamole/guacamole.properties
guacd-ssl: true guacd-ssl: true
EOF EOF

1
backup-guac.sh
View file

@ -19,6 +19,7 @@ clear
export PATH=/bin:/usr/bin:/usr/local/bin export PATH=/bin:/usr/bin:/usr/local/bin
TODAY=$(date +%Y-%m-%d) TODAY=$(date +%Y-%m-%d)
# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install
MYSQL_HOST= MYSQL_HOST=
MYSQL_PORT= MYSQL_PORT=
GUAC_USER= GUAC_USER=

1
upgrade-guac.sh
View file

@ -21,6 +21,7 @@ LGREEN='\033[0;92m'
LYELLOW='\033[0;93m' LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour NC='\033[0m' #No Colour
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then if ! [ $(id -u) = 0 ]; then
echo echo
echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2