From d150332e63c1a4615e425e6eb716b47d18f4c19d Mon Sep 17 00:00:00 2001 From: itiligent Date: Sun, 10 Sep 2023 22:39:54 +1000 Subject: [PATCH] Fixed for Debian 12 and Ubuntu 23.04 Debian 12 ready, Ubuntu 23.04 ready code final review normalized to uniform [[ ]] use, and shfmt to 4 space indents Changes redirect variable name fixed db installing server and client for client installs small tidy ups --- 1-setup.sh | 644 +++++++------- 2-install-guacamole.sh | 786 +++++++++--------- 3-install-nginx.sh | 48 +- 4a-install-tls-self-signed-nginx.sh | 64 +- 4b-install-tls-letsencrypt-nginx.sh | 58 +- README.md | 14 +- guac-custom-theme-builder/README.MD | 2 +- .../install-mysql-backend-only.sh | 252 +++--- .../upgrade-mysql-backend-only.sh | 68 +- guac-management/backup-guac.sh | 32 +- guac-management/refresh-tls-self-signed.sh | 52 +- guac-management/upgrade-guac.sh | 330 ++++---- guac-optional-features/add-auth-duo.sh | 8 +- guac-optional-features/add-auth-ldap.sh | 20 +- guac-optional-features/add-auth-totp.sh | 8 +- guac-optional-features/add-fail2ban.sh | 238 +++--- guac-optional-features/add-smtp-relay-o365.sh | 34 +- guac-optional-features/add-tls-guac-daemon.sh | 8 +- .../add-xtra-histrecstor.sh | 18 +- .../add-xtra-quickconnect.sh | 8 +- 20 files changed, 1355 insertions(+), 1337 deletions(-) diff --git a/1-setup.sh b/1-setup.sh index e549211..6781200 100644 --- a/1-setup.sh +++ b/1-setup.sh 
@@ -40,30 +40,30 @@ NC='\033[0m' #No Colour # Make sure the user is NOT running this script as root if [[ $EUID -eq 0 ]]; then - echo - echo -e "${LRED}This script must NOT be run as root, exiting..." 1>&2 - echo -e ${NC} - exit 1 + echo + echo -e "${LRED}This script must NOT be run as root, exiting..." 1>&2 + echo -e ${NC} + exit 1 fi # Make sure the user is a member of the sudo group -if ! [ $(id -nG "$USER" 2>/dev/null | egrep "sudo" | wc -l) -gt 0 ]; then - echo - echo -e "${LRED}The current user (${USER}) must be a member of the 'sudo' group, exiting..." 1>&2 - echo -e ${NC} - exit 1 +if ! [[ $(id -nG "$USER" 2>/dev/null | egrep "sudo" | wc -l) -gt 0 ]]; then + echo + echo -e "${LRED}The current user (${USER}) must be a member of the 'sudo' group, exiting..." 1>&2 + echo -e ${NC} + exit 1 fi # Check to see if any previous version of build/install files exist, if so stop and check to be safe. -if [ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*' \))" != "" ]; then - echo - echo -e "${LRED}Possible previous install files detected in current build path. Please review and remove old guacamole install files before proceeding.${GREY}" 1>&2 - echo - exit 1 +if [[ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*' \))" != "" ]]; then + echo + echo -e "${LRED}Possible previous install files detected in current build path. 
Please review and remove old guacamole install files before proceeding.${GREY}" 1>&2 + echo + exit 1 fi ####################################################################################################################### -# Core setup variables and mandatory inputs ########################################################################### +# Core setup variables and mandatory inputs - EDIT VARIABLE VALUES TO SUIT ############################################ ####################################################################################################################### # Setup download and temp directory paths 
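Review bot: The sudo-group check `id -nG "$USER" 2>/dev/null | egrep "sudo" | wc -l` still relies on `egrep`, which on Debian 12 (grep 3.8) prints an "egrep: warning: egrep is obsolescent" line on every run because the `2>/dev/null` only covers `id`; it also matches any group whose name merely contains the substring. A direct word match avoids both: `if ! id -nG "$USER" 2>/dev/null | grep -qw sudo; then`. The same `egrep ... | wc -l` pattern is carried into the Tomcat detection in the `@@ -255,13 +242,41 @@` hunk, where `grep -q "Version: 10"` (and likewise for 9 and 8.[5-9]) would replace each pipeline.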
@@ -87,32 +87,18 @@ GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guac # See https://mariadb.org/mariadb/all-releases/ for available versions. # Provide a specific MySQL version e.g. 11.1.2 or leave blank to use distro default MySQL packages. MYSQL_VERSION="" -if [ -z "${MYSQL_VERSION}" ]; then - # Use Linux distro default version. - MYSQLS="default-mysql-server default-mysql-client mysql-common" - MYSQLC="default-mysql-client" - DB_CMD="mysql" # mysql command is depricated +if [[ -z "${MYSQL_VERSION}" ]]; then + # Use Linux distro default version. + MYSQLSRV="default-mysql-server default-mysql-client mysql-common" # Server + MYSQLCLIENT="default-mysql-client" # Client + DB_CMD="mysql" # mysql command is depricated else - # Use official mariadb.org repo - MYSQLS="mariadb-server mariadb-client mariadb-common" - MYSQLC="mariadb-client" - DB_CMD="mariadb" # mysql command is depricated on newer versions + # Use official mariadb.org repo + MYSQLSRV="mariadb-server mariadb-client mariadb-common" # Server + MYSQLCLIENT="mariadb-client" # Client + DB_CMD="mariadb" # mysql command is depricated on newer versions fi -# Check for the latest version of Tomcat currently supported by the distro -if [[ $(apt-cache show tomcat10 2>/dev/null | egrep "Version: 10" | wc -l) -gt 0 ]]; then - TOMCAT_VERSION="tomcat10" -elif [[ $(apt-cache show tomcat9 2>/dev/null | egrep "Version: 9" | wc -l) -gt 0 ]]; then - TOMCAT_VERSION="tomcat9" -elif [[ $(apt-cache show tomcat8 2>/dev/null | egrep "Version: 8.[5-9]" | wc -l) -gt 0 ]]; then - TOMCAT_VERSION="tomcat8" -else - # Default to version - TOMCAT_VERSION="tomcat9" -fi -# Uncomment to force a specific Tomcat version here. -# TOMCAT_VERSION="tomcat9" - # Install log Location INSTALL_LOG="${DOWNLOAD_DIR}/guacamole_${GUAC_VERSION}_setup.log" 
@@ -123,7 +109,8 @@ GUAC_URL=http://localhost:8080/guacamole/ # Here the variables for OS variant and library dependency names are initialised. source /etc/os-release OS_FLAVOUR=$ID -OS_VERSION=$VERSION +OS_VERSION=$VERSION_ID +OS_CODENAME=$VERSION_CODENAME JPEGTURBO="" LIBPNG="" 
@@ -131,31 +118,31 @@ LIBPNG="" # Get the default route interface IP DEFAULT_IP=$(ip addr show $(ip route | awk '/default/ { print $5 }') | grep "inet" | head -n 1 | awk '/inet/ {print $2}' | cut -d'/' -f1) get_domain_suffix() { - echo "$1" | awk '{print $2}' + echo "$1" | awk '{print $2}' } # Search for "search" and "domain" entries in /etc/resolv.conf search_line=$(grep -E '^search[[:space:]]+' /etc/resolv.conf) domain_line=$(grep -E '^domain[[:space:]]+' /etc/resolv.conf) # Check if both "search" and "domain" lines exist -if [ -n "$search_line" ] && [ -n "$domain_line" ]; then - # Both "search" and "domain" lines exist, extract the domain suffix from both - search_suffix=$(get_domain_suffix "$search_line") - domain_suffix=$(get_domain_suffix "$domain_line") - # Print the domain suffix that appears first - if [ ${#search_suffix} -lt ${#domain_suffix} ]; then - DOMAIN_SUFFIX=$search_suffix - else - DOMAIN_SUFFIX=$domain_suffix - fi -elif [ -n "$search_line" ]; then - # If only "search" line exists - DOMAIN_SUFFIX=$(get_domain_suffix "$search_line") -elif [ -n "$domain_line" ]; then - # If only "domain" line exists - DOMAIN_SUFFIX=$(get_domain_suffix "$domain_line") +if [[ -n "$search_line" ]] && [[ -n "$domain_line" ]]; then + # Both "search" and "domain" lines exist, extract the domain suffix from both + search_suffix=$(get_domain_suffix "$search_line") + domain_suffix=$(get_domain_suffix "$domain_line") + # Print the domain suffix that appears first + if [[ ${#search_suffix} -lt ${#domain_suffix} ]]; then + DOMAIN_SUFFIX=$search_suffix + else + DOMAIN_SUFFIX=$domain_suffix + fi +elif [[ -n "$search_line" ]]; then + # If only "search" line exists + DOMAIN_SUFFIX=$(get_domain_suffix "$search_line") +elif [[ -n "$domain_line" ]]; then + # If only "domain" line exists + DOMAIN_SUFFIX=$(get_domain_suffix "$domain_line") else - # If no "search" or "domain" lines found - DOMAIN_SUFFIX="local" + # If no "search" or "domain" lines found + DOMAIN_SUFFIX="local" fi # Setup 
directory locations @@ -171,7 +158,7 @@ echo echo ####################################################################################################################### -# Silent setup options - adding true/false or specific values below prevents prompt at install ######################## +# Silent setup options - true/false or specific values below prevents prompt at install. EDIT TO SUIT ################# ####################################################################################################################### SERVER_NAME="" # Preferred server hostname LOCAL_DOMAIN="" # Local DNS space in use @@ -190,7 +177,7 @@ INSTALL_LDAP="" # Add Active Directory extension (true/false) INSTALL_QCONNECT="" # Add Guacamole console quick connect feature INSTALL_HISTREC="" # Add Guacamole history recording storage feature HISTREC_PATH="" # Path to save recorded sessions, default is /var/lib/guacamole/recordings -CHANGE_ROOT="" # Set default Guacamole URL to http root (remove extra "/guacamole" from the default URL) +GUAC_URL_REDIR="" # Redirect default Guacamole URL to http root (skip typing the extra "/guacamole" in the URL) INSTALL_NGINX="" # Install and configure Guacamole behind Nginx reverse proxy (http port 80 only, true/false) PROXY_SITE="" # Local DNS name for reverse proxy and/or self signed TLS certificates SELF_SIGN="" # Add self signed TLS support to Nginx (Let's Encrypt not available with this option, true/false) 
@@ -210,7 +197,7 @@ RDP_SHARE_LABEL="RDP Share" # Custom Windows RDP share drive label (e.g. RDP RDP_PRINTER_LABEL="RDP Printer" # Custom Windows RDP printer label ####################################################################################################################### -# Download GitHub setup scripts. To prevent overwrite, comment out lines of any scripts you have edited. ############## +# Download GitHub setup scripts. To prevent overwrite, COMMENT OUT LINES OF ANY SCRIPTS YOU HAVE EDITED. ############## ####################################################################################################################### # Download the set of config scripts from GitHub 
@@ -255,13 +242,41 @@ echo sudo chmod -R 770 $TMP_DIR sudo chown -R $SUDO_USER:root $TMP_DIR -# Workaround for current Debian 12 & Tomcat 10 incompatibilities (Experimental in August 2023) -if [[ $OS_FLAVOUR = "debian" ]] && [[ $OS_VERSION = *"bookworm"* ]]; then - # Add the oldstable repo and downgrade tomcat version install - echo "deb http://deb.debian.org/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/bullseye.list >/dev/null - TOMCAT_VERSION="tomcat9" +####################################################################################################################### +# Determine the correct version of Tomcat use ######################################################################### +####################################################################################################################### + +# Check for the latest version of Tomcat currently supported by the distro +if [[ $(apt-cache show tomcat10 2>/dev/null | egrep "Version: 10" | wc -l) -gt 0 ]]; then + TOMCAT_VERSION="tomcat10" +elif [[ $(apt-cache show tomcat9 2>/dev/null | egrep "Version: 9" | wc -l) -gt 0 ]]; then + TOMCAT_VERSION="tomcat9" +elif [[ $(apt-cache show tomcat8 2>/dev/null | egrep "Version: 8.[5-9]" | wc -l) -gt 0 ]]; then + TOMCAT_VERSION="tomcat8" +else + # Default to version + TOMCAT_VERSION="tomcat9" fi +# Workaround for current Debian 12 & Tomcat 10 incompatibilities +if [[ ${OS_FLAVOUR,,} = "debian" ]] && [[ ${OS_CODENAME,,} = *"bookworm"* ]]; then #(checks for upper and lower case) + # Add the oldstable repo and downgrade tomcat version install + echo "deb http://deb.debian.org/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/bullseye.list >/dev/null + TOMCAT_VERSION="tomcat9" +fi + +# Workaround for Ubuntu 23.x & Tomcat 10 incompatibilities +if [[ ${OS_FLAVOUR,,} = "ubuntu" ]] && [[ ${OS_CODENAME,,} = *"lunar"* ]]; then #(checks for upper and lower case) + TOMCAT_VERSION="tomcat9" +fi + +# Uncomment to force a specific Tomcat version here. 
+# TOMCAT_VERSION="tomcat9" + +####################################################################################################################### +# DO NOT EDIT PAST THIS POINT ######################################################################################### +####################################################################################################################### + ####################################################################################################################### # Begin install menu prompts ########################################################################################## ####################################################################################################################### 
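Review bot: The Debian 12 workaround writes a full `bullseye main` suite to `/etc/apt/sources.list.d/bullseye.list` without an apt pin, so from that point every bullseye package is a candidate at the default priority for all later apt operations on the host, not only tomcat9, and the file stays behind after the install. Pairing the source with a low-priority preference keeps bullseye usable only for packages bookworm does not carry: `printf 'Package: *\nPin: release n=bullseye\nPin-Priority: 100\n' | sudo tee /etc/apt/preferences.d/bullseye >/dev/null`. The Ubuntu lunar branch sets `TOMCAT_VERSION="tomcat9"` but adds no repository; if lunar's archive does not carry tomcat9 the later package install will fail, which is worth confirming rather than assuming. An `apt-get update` is presumably run elsewhere before the install step, since the added suite is not resolvable until then.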
@@ -272,70 +287,70 @@ fi # Ensure SERVER_NAME is consistent with local host entries if [[ -z ${SERVER_NAME} ]]; then - echo -e "${LYELLOW}Update Linux system HOSTNAME [Enter to keep: ${HOSTNAME}]${LGREEN}" - read -p " Enter new HOSTNAME : " SERVER_NAME - # If hit enter making no SERVER_NAME change, assume the existing hostname as current - if [[ "${SERVER_NAME}" = "" ]]; then - SERVER_NAME=$HOSTNAME - fi - echo - # A SERVER_NAME was derived via the prompt - # Apply the SERVER_NAME value & remove and update any old 127.0.1.1 local host references - sudo hostnamectl set-hostname $SERVER_NAME &>>${INSTALL_LOG} - sudo sed -i '/127.0.1.1/d' /etc/hosts &>>${INSTALL_LOG} - echo '127.0.1.1 '${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>${INSTALL_LOG} - sudo systemctl restart systemd-hostnamed &>>${INSTALL_LOG} + echo -e "${LYELLOW}Update Linux system HOSTNAME [Enter to keep: ${HOSTNAME}]${LGREEN}" + read -p " Enter new HOSTNAME : " SERVER_NAME + # If hit enter making no SERVER_NAME change, assume the existing hostname as current + if [[ "${SERVER_NAME}" = "" ]]; then + SERVER_NAME=$HOSTNAME + fi + echo + # A SERVER_NAME was derived via the prompt + # Apply the SERVER_NAME value & remove and update any old 127.0.1.1 local host references + sudo hostnamectl set-hostname $SERVER_NAME &>>${INSTALL_LOG} + sudo sed -i '/127.0.1.1/d' /etc/hosts &>>${INSTALL_LOG} + echo '127.0.1.1 '${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>${INSTALL_LOG} + sudo systemctl restart systemd-hostnamed &>>${INSTALL_LOG} else - echo - # A SERVER_NAME value was derived from a pre-set silent install option. 
- # Apply the SERVER_NAME value & remove and update any old 127.0.1.1 local host references - sudo hostnamectl set-hostname $SERVER_NAME &>>${INSTALL_LOG} - sudo sed -i '/127.0.1.1/d' /etc/hosts &>>${INSTALL_LOG} - echo '127.0.1.1 '${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>${INSTALL_LOG} - sudo systemctl restart systemd-hostnamed &>>${INSTALL_LOG} + echo + # A SERVER_NAME value was derived from a pre-set silent install option. + # Apply the SERVER_NAME value & remove and update any old 127.0.1.1 local host references + sudo hostnamectl set-hostname $SERVER_NAME &>>${INSTALL_LOG} + sudo sed -i '/127.0.1.1/d' /etc/hosts &>>${INSTALL_LOG} + echo '127.0.1.1 '${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>${INSTALL_LOG} + sudo systemctl restart systemd-hostnamed &>>${INSTALL_LOG} fi # Ensure SERVER_NAME, LOCAL_DOMAIN suffix and host entries are all consistent if [[ -z ${LOCAL_DOMAIN} ]]; then - echo -e "${LYELLOW}Update Linux LOCAL DNS DOMAIN [Enter to keep: ${DOMAIN_SUFFIX}]${LGREEN}" - read -p " Enter FULL LOCAL DOMAIN NAME: " LOCAL_DOMAIN - # If hit enter making no LOCAL_DOMAIN name change, assume the existing domain suffix as current - if [[ "${LOCAL_DOMAIN}" = "" ]]; then - LOCAL_DOMAIN=$DOMAIN_SUFFIX - fi - echo - # A LOCAL_DOMAIN value was derived via the prompt - # Remove any old hosts & resolv file values and update these with the new LOCAL_DOMAIN value - sudo sed -i "/${DEFAULT_IP}/d" /etc/hosts - sudo sed -i '/domain/d' /etc/resolv.conf - sudo sed -i '/search/d' /etc/resolv.conf - # Refresh the /etc/hosts file with the server name and new local domain value - echo ''${DEFAULT_IP}' '${SERVER_NAME}.${LOCAL_DOMAIN} ${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>${INSTALL_LOG} - # Refresh /etc/resolv.conf with new domain and search suffix values - echo 'domain '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>${INSTALL_LOG} - echo 'search '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>${INSTALL_LOG} - sudo systemctl restart systemd-hostnamed 
&>>${INSTALL_LOG} + echo -e "${LYELLOW}Update Linux LOCAL DNS DOMAIN [Enter to keep: ${DOMAIN_SUFFIX}]${LGREEN}" + read -p " Enter FULL LOCAL DOMAIN NAME: " LOCAL_DOMAIN + # If hit enter making no LOCAL_DOMAIN name change, assume the existing domain suffix as current + if [[ "${LOCAL_DOMAIN}" = "" ]]; then + LOCAL_DOMAIN=$DOMAIN_SUFFIX + fi + echo + # A LOCAL_DOMAIN value was derived via the prompt + # Remove any old hosts & resolv file values and update these with the new LOCAL_DOMAIN value + sudo sed -i "/${DEFAULT_IP}/d" /etc/hosts + sudo sed -i '/domain/d' /etc/resolv.conf + sudo sed -i '/search/d' /etc/resolv.conf + # Refresh the /etc/hosts file with the server name and new local domain value + echo ''${DEFAULT_IP}' '${SERVER_NAME}.${LOCAL_DOMAIN} ${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>${INSTALL_LOG} + # Refresh /etc/resolv.conf with new domain and search suffix values + echo 'domain '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>${INSTALL_LOG} + echo 'search '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>${INSTALL_LOG} + sudo systemctl restart systemd-hostnamed &>>${INSTALL_LOG} else - echo - # A LOCAL_DOMIN value was derived from a pre-set silent install option. 
- # Remove any old hosts & resolv file values and update these with the new LOCAL_DOMAIN value - sudo sed -i "/${DEFAULT_IP}/d" /etc/hosts - sudo sed -i '/domain/d' /etc/resolv.conf - sudo sed -i '/search/d' /etc/resolv.conf - # Refresh the /etc/hosts file with the server name and new local domain value - echo ''${DEFAULT_IP}' '${SERVER_NAME}.${LOCAL_DOMAIN} ${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>${INSTALL_LOG} - # Refresh /etc/resolv.conf with new domain and search suffix values - echo 'domain '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>${INSTALL_LOG} - echo 'search '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>${INSTALL_LOG} - sudo systemctl restart systemd-hostnamed &>>${INSTALL_LOG} + echo + # A LOCAL_DOMIN value was derived from a pre-set silent install option. + # Remove any old hosts & resolv file values and update these with the new LOCAL_DOMAIN value + sudo sed -i "/${DEFAULT_IP}/d" /etc/hosts + sudo sed -i '/domain/d' /etc/resolv.conf + sudo sed -i '/search/d' /etc/resolv.conf + # Refresh the /etc/hosts file with the server name and new local domain value + echo ''${DEFAULT_IP}' '${SERVER_NAME}.${LOCAL_DOMAIN} ${SERVER_NAME}'' | sudo tee -a /etc/hosts &>>${INSTALL_LOG} + # Refresh /etc/resolv.conf with new domain and search suffix values + echo 'domain '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>${INSTALL_LOG} + echo 'search '${LOCAL_DOMAIN}'' | sudo tee -a /etc/resolv.conf &>>${INSTALL_LOG} + sudo systemctl restart systemd-hostnamed &>>${INSTALL_LOG} fi # Now that $SERVER_NAME and $LOCAL_DOMAIN values are updated and refreshed: # Values are merged to build a local FQDN value (used for the default reverse proxy site name.) DEFAULT_FQDN=$SERVER_NAME.$LOCAL_DOMAIN -# The RDP share label default can now assume the updated $SERVER_NAME value if not manually specified in silent setup options. +# The RDP share label default can now assume the updated $SERVER_NAME value (if not manually specified in silent setup options). 
if [[ -z ${RDP_SHARE_HOST} ]]; then - RDP_SHARE_HOST=$SERVER_NAME + RDP_SHARE_HOST=$SERVER_NAME fi clear @@ -350,29 +365,29 @@ echo # Prompt the user to install MySQL echo -e "${LGREEN}MySQL setup options:${GREY}" if [[ -z ${INSTALL_MYSQL} ]]; then - echo -e -n "SQL: Install MySQL locally? (to use a remote MySQL Server select 'n') [Y/n] [default y]: ${GREY}" - read PROMPT - if [[ ${PROMPT} =~ ^[Nn]$ ]]; then - INSTALL_MYSQL=false - else - INSTALL_MYSQL=true - fi + echo -e -n "SQL: Install MySQL locally? (to use a remote MySQL Server select 'n') [Y/n] [default y]: ${GREY}" + read PROMPT + if [[ ${PROMPT} =~ ^[Nn]$ ]]; then + INSTALL_MYSQL=false + else + INSTALL_MYSQL=true + fi fi # Prompt the user to apply the Mysql secure installation locally -if [ -z ${SECURE_MYSQL} ] && [ "${INSTALL_MYSQL}" = true ]; then - echo -e -n "${GREY}SQL: Apply MySQL secure installation settings to LOCAL db? [Y/n] [default y]: ${GREY}" - read PROMPT - if [[ ${PROMPT} =~ ^[Nn]$ ]]; then - SECURE_MYSQL=false - else - SECURE_MYSQL=true - fi +if [[ -z ${SECURE_MYSQL} ]] && [[ "${INSTALL_MYSQL}" = true ]]; then + echo -e -n "${GREY}SQL: Apply MySQL secure installation settings to LOCAL db? [Y/n] [default y]: ${GREY}" + read PROMPT + if [[ ${PROMPT} =~ ^[Nn]$ ]]; then + SECURE_MYSQL=false + else + SECURE_MYSQL=true + fi fi # Prompt the user to apply the Mysql secure installation to remote db # This may be problematic on remote databases (for one-script upgrades) as this addition removes remote root login access - a good thing. -#if [ -z ${SECURE_MYSQL} ] && [ "${INSTALL_MYSQL}" = false ]; then +#if [[ -z ${SECURE_MYSQL} ]] && [[ "${INSTALL_MYSQL}" = false ]]; then # echo -e -n "${GREY}SQL: Apply MySQL secure installation settings to REMOTE db? [y/N] [default n]: ${GREY}" # read PROMPT # if [[ ${PROMPT} =~ ^[Yy]$ ]]; then 
@@ -383,243 +398,243 @@ fi #fi # Get additional MYSQL values -if [ "${INSTALL_MYSQL}" = false ]; then - [ -z "${MYSQL_HOST}" ] && - read -p "SQL: Enter remote MySQL server hostname or IP: " MYSQL_HOST - [ -z "${MYSQL_PORT}" ] && - read -p "SQL: Enter remote MySQL server port [3306]: " MYSQL_PORT - [ -z "${GUAC_DB}" ] && - read -p "SQL: Enter remote Guacamole database name [guacamole_db]: " GUAC_DB - [ -z "${GUAC_USER}" ] && - read -p "SQL: Enter remote Guacamole user name [guacamole_user]: " GUAC_USER +if [[ "${INSTALL_MYSQL}" = false ]]; then + [[ -z "${MYSQL_HOST}" ]] && + read -p "SQL: Enter remote MySQL server hostname or IP: " MYSQL_HOST + [[ -z "${MYSQL_PORT}" ]] && + read -p "SQL: Enter remote MySQL server port [3306]: " MYSQL_PORT + [[ -z "${GUAC_DB}" ]] && + read -p "SQL: Enter remote Guacamole database name [guacamole_db]: " GUAC_DB + [[-z "${GUAC_USER}" ]] && + read -p "SQL: Enter remote Guacamole user name [guacamole_user]: " GUAC_USER fi # Checking if a mysql host given, if not set a default -if [ -z "${MYSQL_HOST}" ]; then - MYSQL_HOST="localhost" +if [[ -z "${MYSQL_HOST}" ]]; then + MYSQL_HOST="localhost" fi # Checking if a mysql port given, if not set a default -if [ -z "${MYSQL_PORT}" ]; then - MYSQL_PORT="3306" +if [[ -z "${MYSQL_PORT}" ]]; then + MYSQL_PORT="3306" fi # Checking if a database name given, if not set a default -if [ -z "${GUAC_DB}" ]; then - GUAC_DB="guacamole_db" +if [[ -z "${GUAC_DB}" ]]; then + GUAC_DB="guacamole_db" fi # Checking if a mysql user given, if not set a default -if [ -z "${GUAC_USER}" ]; then - GUAC_USER="guacamole_user" +if [[ -z "${GUAC_USER}" ]]; then + GUAC_USER="guacamole_user" fi echo -e ${LMAGENTA} # Get MySQL root password, confirm correct password entry and prevent blank passwords. No root pw needed for remote instances. 
-if [ -z "${MYSQL_ROOT_PWD}" ] && [ "${INSTALL_MYSQL}" = true ]; then - while true; do - read -s -p "SQL: Enter ${MYSQL_HOST}'s MySQL ROOT password: " MYSQL_ROOT_PWD - echo - read -s -p "SQL: Confirm ${MYSQL_HOST}'s MySQL ROOT password: " PROMPT2 - echo - [ "${MYSQL_ROOT_PWD}" = "${PROMPT2}" ] && [ "${MYSQL_ROOT_PWD}" != "" ] && [ "${PROMPT2}" != "" ] && break - echo -e "${LRED}Passwords don't match or can't be null. Please try again.${LMAGENTA}" 1>&2 - done +if [[ -z "${MYSQL_ROOT_PWD}" ]] && [[ "${INSTALL_MYSQL}" = true ]]; then + while true; do + read -s -p "SQL: Enter ${MYSQL_HOST}'s MySQL ROOT password: " MYSQL_ROOT_PWD + echo + read -s -p "SQL: Confirm ${MYSQL_HOST}'s MySQL ROOT password: " PROMPT2 + echo + [[ "${MYSQL_ROOT_PWD}" = "${PROMPT2}" ]] && [[ "${MYSQL_ROOT_PWD}" != "" ]] && [[ "${PROMPT2}" != "" ]] && break + echo -e "${LRED}Passwords don't match or can't be null. Please try again.${LMAGENTA}" 1>&2 + done fi echo -e ${LCYAN} # Get Guacamole User password, confirm correct password entry and prevent blank passwords -if [ -z "${GUAC_PWD}" ]; then - while true; do - read -s -p "SQL: Enter ${MYSQL_HOST}'s MySQL ${GUAC_USER} password: " GUAC_PWD - echo - read -s -p "SQL: Confirm ${MYSQL_HOST}'s MySQL ${GUAC_USER} password: " PROMPT2 - echo - [ "${GUAC_PWD}" = "${PROMPT2}" ] && [ "${GUAC_PWD}" != "" ] && [ "${PROMPT2}" != "" ] && break - echo -e "${LRED}Passwords don't match or can't be null. Please try again.${LCYAN}" 1>&2 - done +if [[ -z "${GUAC_PWD}" ]]; then + while true; do + read -s -p "SQL: Enter ${MYSQL_HOST}'s MySQL ${GUAC_USER} password: " GUAC_PWD + echo + read -s -p "SQL: Confirm ${MYSQL_HOST}'s MySQL ${GUAC_USER} password: " PROMPT2 + echo + [[ "${GUAC_PWD}" = "${PROMPT2}" ]] && [[ "${GUAC_PWD}" != "" ]] && [[ "${PROMPT2}" != "" ]] && break + echo -e "${LRED}Passwords don't match or can't be null. 
Please try again.${LCYAN}" 1>&2 + done fi echo -e ${GREY} # Prompt for preferred backup notification email address -if [ -z ${BACKUP_EMAIL} ]; then - while true; do - read -p "SQL: Enter email address for SQL backup messages [Enter to skip]: " BACKUP_EMAIL - [ "${BACKUP_EMAIL}" = "" ] || [ "${BACKUP_EMAIL}" != "" ] && break - # Rather than allow a blank value, un-comment to alternately force user to enter an explicit value instead - # [ "${BACKUP_EMAIL}" != "" ] && break - # echo -e "${LRED}You must enter an email address. Please try again.${GREY}" 1>&2 - done +if [[ -z ${BACKUP_EMAIL} ]]; then + while true; do + read -p "SQL: Enter email address for SQL backup messages [Enter to skip]: " BACKUP_EMAIL + [[ "${BACKUP_EMAIL}" = "" ]] || [[ "${BACKUP_EMAIL}" != "" ]] && break + # Rather than allow a blank value, un-comment to alternately force user to enter an explicit value instead + # [[ "${BACKUP_EMAIL}" != "" ]] && break + # echo -e "${LRED}You must enter an email address. Please try again.${GREY}" 1>&2 + done fi # If no backup notification email address is given, provide a default value -if [ -z ${BACKUP_EMAIL} ]; then - BACKUP_EMAIL="backup-email@yourdomain.com" +if [[ -z ${BACKUP_EMAIL} ]]; then + BACKUP_EMAIL="backup-email@yourdomain.com" fi echo # Prompt the user to install TOTP MFA echo -e "${LGREEN}Guacamole authentication extension options:${GREY}" if [[ -z "${INSTALL_TOTP}" ]] && [[ "${INSTALL_DUO}" != true ]]; then - echo -e -n "AUTH: Install TOTP? (choose 'n' if you want Duo) [y/N]? [default n]: " - read PROMPT - if [[ ${PROMPT} =~ ^[Yy]$ ]]; then - INSTALL_TOTP=true - INSTALL_DUO=false - else - INSTALL_TOTP=false - fi + echo -e -n "AUTH: Install TOTP? (choose 'n' if you want Duo) [y/N]? 
[default n]: " + read PROMPT + if [[ ${PROMPT} =~ ^[Yy]$ ]]; then + INSTALL_TOTP=true + INSTALL_DUO=false + else + INSTALL_TOTP=false + fi fi # Prompt the user to install Duo MFA if [[ -z "${INSTALL_DUO}" ]] && [[ "${INSTALL_TOTP}" != true ]]; then - echo -e -n "${GREY}AUTH: Install Duo? [y/N] [default n]: " - read PROMPT - if [[ ${PROMPT} =~ ^[Yy]$ ]]; then - INSTALL_DUO=true - INSTALL_TOTP=false - else - INSTALL_DUO=false - fi + echo -e -n "${GREY}AUTH: Install Duo? [y/N] [default n]: " + read PROMPT + if [[ ${PROMPT} =~ ^[Yy]$ ]]; then + INSTALL_DUO=true + INSTALL_TOTP=false + else + INSTALL_DUO=false + fi fi # We can't install TOTP and Duo at the same time (option not supported by Guacamole) if [[ "${INSTALL_TOTP}" = true ]] && [[ "${INSTALL_DUO}" = true ]]; then - echo -e "${LRED}GUAC MFA: TOTP and Duo cannot be installed at the same time.${GREY}" 1>&2 - exit 1 + echo -e "${LRED}GUAC MFA: TOTP and Duo cannot be installed at the same time.${GREY}" 1>&2 + exit 1 fi # Prompt the user to install Duo MFA if [[ -z "${INSTALL_LDAP}" ]]; then - echo -e -n "${GREY}AUTH: Install LDAP? [y/N] [default n]: " - read PROMPT - if [[ ${PROMPT} =~ ^[Yy]$ ]]; then - INSTALL_LDAP=true - else - INSTALL_LDAP=false - fi + echo -e -n "${GREY}AUTH: Install LDAP? [y/N] [default n]: " + read PROMPT + if [[ ${PROMPT} =~ ^[Yy]$ ]]; then + INSTALL_LDAP=true + else + INSTALL_LDAP=false + fi fi echo # Prompt the user to install the Quick Connect feature (some higher security use cases may not want this) echo -e "${LGREEN}Guacamole console optional extras:${GREY}" if [[ -z "${INSTALL_QCONNECT}" ]]; then - echo -e -n "${GREY}EXTRAS: Install Quick Connect feature? [y/N] [default n]: " - read PROMPT - if [[ ${PROMPT} =~ ^[Yy]$ ]]; then - INSTALL_QCONNECT=true - else - INSTALL_QCONNECT=false - fi + echo -e -n "${GREY}EXTRAS: Install Quick Connect feature? 
[y/N] [default n]: " + read PROMPT + if [[ ${PROMPT} =~ ^[Yy]$ ]]; then + INSTALL_QCONNECT=true + else + INSTALL_QCONNECT=false + fi fi # Prompt the user to install the History Recorded Storage feature if [[ -z "${INSTALL_HISTREC}" ]]; then - echo -e -n "${GREY}EXTRAS: Install History Recorded Storage (session replay console integration) [y/N] [default n]: " - read PROMPT - if [[ ${PROMPT} =~ ^[Yy]$ ]]; then - INSTALL_HISTREC=true - else - INSTALL_HISTREC=false - fi + echo -e -n "${GREY}EXTRAS: Install History Recorded Storage (session replay console integration) [y/N] [default n]: " + read PROMPT + if [[ ${PROMPT} =~ ^[Yy]$ ]]; then + INSTALL_HISTREC=true + else + INSTALL_HISTREC=false + fi fi HISTREC_PATH_DEFAULT=/var/lib/guacamole/recordings # Apache default if [[ -z ${HISTREC_PATH} ]] && [[ "${INSTALL_HISTREC}" = true ]]; then - while true; do - read -p "EXTRAS: Enter recorded storage path [Enter for default ${HISTREC_PATH_DEFAULT}]: " HISTREC_PATH - [ "${HISTREC_PATH}" = "" ] || [ "${HISTREC_PATH}" != "" ] && break - done + while true; do + read -p "EXTRAS: Enter recorded storage path [Enter for default ${HISTREC_PATH_DEFAULT}]: " HISTREC_PATH + [[ "${HISTREC_PATH}" = "" ]] || [[ "${HISTREC_PATH}" != "" ]] && break + done fi # If no custom path is given, lets assume the default path on hitting enter -if [ -z "${HISTREC_PATH}" ]; then - HISTREC_PATH="${HISTREC_PATH_DEFAULT}" +if [[ -z "${HISTREC_PATH}" ]]; then + HISTREC_PATH="${HISTREC_PATH_DEFAULT}" fi echo # Prompt for Guacamole front end reverse proxy option echo -e "${LGREEN}Reverse Proxy & front end options:${GREY}" if [[ -z ${INSTALL_NGINX} ]]; then - echo -e -n "FRONT END: Protect Guacamole behind Nginx reverse proxy [y/N]? [default n]: " - read PROMPT - if [[ ${PROMPT} =~ ^[Yy]$ ]]; then - INSTALL_NGINX=true - CHANGE_ROOT=false - else - INSTALL_NGINX=false - fi + echo -e -n "FRONT END: Protect Guacamole behind Nginx reverse proxy [y/N]? 
[default n]: " + read PROMPT + if [[ ${PROMPT} =~ ^[Yy]$ ]]; then + INSTALL_NGINX=true + GUAC_URL_REDIR=false + else + INSTALL_NGINX=false + fi fi # Prompt to remove the trailing /guacamole dir from the default front end url -if [ "${INSTALL_NGINX}" = false ]; then - echo -e -n "FRONT END: Shorten Guacamole root url to *:8080 (& redirect to /guacamole ) [Y/n]? [default y]: " - read PROMPT - if [[ ${PROMPT} =~ ^[Nn]$ ]]; then - CHANGE_ROOT=false - else - CHANGE_ROOT=true - fi +if [[ "${INSTALL_NGINX}" = false ]]; then + echo -e -n "FRONT END: Shorten Guacamole root url to *:8080 (& redirect to /guacamole ) [Y/n]? [default y]: " + read PROMPT + if [[ ${PROMPT} =~ ^[Nn]$ ]]; then + GUAC_URL_REDIR=false + else + GUAC_URL_REDIR=true + fi fi # We must assign a DNS name for the new proxy site if [[ -z ${PROXY_SITE} ]] && [[ "${INSTALL_NGINX}" = true ]]; then - while true; do - read -p "FRONT END: Enter proxy local DNS name? [Enter to use ${DEFAULT_FQDN}]: " PROXY_SITE - [ "${PROXY_SITE}" = "" ] || [ "${PROXY_SITE}" != "" ] && break - # Rather than allow the default value below, un-comment to alternately force user to enter an explicit name instead - # [ "${PROXY_SITE}" != "" ] && break - # echo -e "${LRED}You must enter a proxy site DNS name. Please try again.${GREY}" 1>&2 - done + while true; do + read -p "FRONT END: Enter proxy local DNS name? [Enter to use ${DEFAULT_FQDN}]: " PROXY_SITE + [[ "${PROXY_SITE}" = "" ]] || [[ "${PROXY_SITE}" != "" ]] && break + # Rather than allow the default value below, un-comment to alternately force user to enter an explicit name instead + # [[ "${PROXY_SITE}" != "" ]] && break + # echo -e "${LRED}You must enter a proxy site DNS name. 
Please try again.${GREY}" 1>&2 + done fi # If no proxy site dns name is given, lets assume the default FQDN is the proxy site name -if [ -z "${PROXY_SITE}" ]; then - PROXY_SITE="${DEFAULT_FQDN}" +if [[ -z "${PROXY_SITE}" ]]; then + PROXY_SITE="${DEFAULT_FQDN}" fi # Prompt for self signed TLS reverse proxy option if [[ -z ${SELF_SIGN} ]] && [[ "${INSTALL_NGINX}" = true ]]; then - # Prompt the user to see if they would like to install self signed TLS support for Nginx, default of no - echo -e -n "FRONT END: Add self signed TLS support to Nginx? [y/N]? (choose 'n' for Let's Encrypt)[default n]: " - read PROMPT - if [[ ${PROMPT} =~ ^[Yy]$ ]]; then - SELF_SIGN=true - else - SELF_SIGN=false - fi + # Prompt the user to see if they would like to install self signed TLS support for Nginx, default of no + echo -e -n "FRONT END: Add self signed TLS support to Nginx? [y/N]? (choose 'n' for Let's Encrypt)[default n]: " + read PROMPT + if [[ ${PROMPT} =~ ^[Yy]$ ]]; then + SELF_SIGN=true + else + SELF_SIGN=false + fi fi # Optional prompt to assign the self sign TLS certificate a custom expiry date, un-comment to force a manual entry -#if [ "${SELF_SIGN}" = true ]; then +#if [[ "${SELF_SIGN}" = true ]]; then # read - p "PROXY: Enter number of days till TLS certificate expires [default 3650]: " CERT_DAYS #fi # If no self sign TLS certificate expiry given, lets assume a generous 10 year default certificate expiry -if [ -z "${CERT_DAYS}" ]; then - CERT_DAYS="3650" +if [[ -z "${CERT_DAYS}" ]]; then + CERT_DAYS="3650" fi # Prompt for Let's Encrypt TLS reverse proxy configuration option if [[ -z ${LETS_ENCRYPT} ]] && [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = "false" ]]; then - echo -e -n "FRONT END: Add Let's Encrypt TLS support to Nginx reverse proxy [y/N] [default n]: ${GREY}" - read PROMPT - if [[ ${PROMPT} =~ ^[Yy]$ ]]; then - LETS_ENCRYPT=true - else - LETS_ENCRYPT=false - fi + echo -e -n "FRONT END: Add Let's Encrypt TLS support to Nginx reverse proxy [y/N] [default 
n]: ${GREY}" + read PROMPT + if [[ ${PROMPT} =~ ^[Yy]$ ]]; then + LETS_ENCRYPT=true + else + LETS_ENCRYPT=false + fi fi # Prompt for Let's Encrypt public dns name if [[ -z ${LE_DNS_NAME} ]] && [[ "${LETS_ENCRYPT}" = true ]]; then - while true; do - read -p "FRONT END: Enter the FQDN for your public proxy site : " LE_DNS_NAME - [ "${LE_DNS_NAME}" != "" ] && break - echo -e "${LRED}You must enter a public DNS name. Please try again.${GREY}" 1>&2 - done + while true; do + read -p "FRONT END: Enter the FQDN for your public proxy site : " LE_DNS_NAME + [[ "${LE_DNS_NAME}" != "" ]] && break + echo -e "${LRED}You must enter a public DNS name. Please try again.${GREY}" 1>&2 + done fi # Prompt for Let's Encrypt admin email if [[ -z ${LE_EMAIL} ]] && [[ "${LETS_ENCRYPT}" = true ]]; then - while true; do - read -p "FRONT END: Enter the email address for Let's Encrypt notifications : " LE_EMAIL - [ "${LE_EMAIL}" != "" ] && break - echo -e "${LRED}You must enter an email address. Please try again.${GREY}" 1>&2 - done + while true; do + read -p "FRONT END: Enter the email address for Let's Encrypt notifications : " LE_EMAIL + [[ "${LE_EMAIL}" != "" ]] && break + echo -e "${LRED}You must enter an email address. Please try again.${GREY}" 1>&2 + done fi ####################################################################################################################### 
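Review bot: In the "Get additional MYSQL values" block the new line `[[-z "${GUAC_USER}" ]] &&` is missing the space after `[[`, so bash looks for a command named `[[-z` instead of evaluating the test; with INSTALL_MYSQL=false the command fails (status 127), the `&&` short-circuits, the GUAC_USER prompt is silently skipped and the later `guacamole_user` default is applied even when the operator meant to enter a name. It should read `[[ -z "${GUAC_USER}" ]] &&`. The three sibling lines for MYSQL_HOST, MYSQL_PORT and GUAC_DB in the same block are correct.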
@@ -640,20 +655,20 @@ echo -e "${LGREEN}Beginning Guacamole setup...${GREY}" echo echo -e "${GREY}Checking Linux distro specific dependencies..." if [[ $OS_FLAVOUR == "ubuntu" ]] || [[ $OS_FLAVOUR == *"ubuntu"* ]]; then # potentially expand out distro choices here - JPEGTURBO="libjpeg-turbo8-dev" - LIBPNG="libpng-dev" - # Just in case this repo is not added by default in the distro - sudo add-apt-repository -y universe &>>${INSTALL_LOG} + JPEGTURBO="libjpeg-turbo8-dev" + LIBPNG="libpng-dev" + # Just in case this repo is not added by default in the distro + sudo add-apt-repository -y universe &>>${INSTALL_LOG} elif [[ $OS_FLAVOUR == "debian" ]] || [[ $OS_FLAVOUR == "raspbian" ]]; then # expand distro choices here if required - JPEGTURBO="libjpeg62-turbo-dev" - LIBPNG="libpng-dev" + JPEGTURBO="libjpeg62-turbo-dev" + LIBPNG="libpng-dev" fi -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Sync the various manual config scripts with the relevant variables selected at install @@ -697,8 +712,8 @@ export GUAC_VERSION=$GUAC_VERSION export GUAC_SOURCE_LINK=$GUAC_SOURCE_LINK export MYSQLJCON=$MYSQLJCON export MYSQL_VERSION=$MYSQL_VERSION -export MYSQLS=$MYSQLS -export MYSQLC=$MYSQLC +export MYSQLSRV=$MYSQLSRV +export MYSQLCLIENT=$MYSQLCLIENT export DB_CMD=$DB_CMD export TOMCAT_VERSION=$TOMCAT_VERSION export INSTALL_LOG=$INSTALL_LOG @@ -720,7 +735,7 @@ export INSTALL_LDAP=$INSTALL_LDAP export INSTALL_QCONNECT=$INSTALL_QCONNECT export INSTALL_HISTREC=$INSTALL_HISTREC export HISTREC_PATH="${HISTREC_PATH}" -export CHANGE_ROOT=$CHANGE_ROOT +export GUAC_URL_REDIR=$GUAC_URL_REDIR export INSTALL_NGINX=$INSTALL_NGINX export PROXY_SITE=$PROXY_SITE export CERT_COUNTRY=$CERT_COUNTRY 
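Review bot: The `if [[ $? -ne 0 ]]` that follows the distro `if/elif/fi` block only tests something meaningful on the Ubuntu path, where `$?` is the status of `sudo add-apt-repository`; on the Debian/Raspbian path it reflects a plain assignment, and for any other `OS_FLAVOUR` neither branch runs, so the script prints OK with `JPEGTURBO` and `LIBPNG` unset and the later `apt-get install` receives an incomplete package list. Add an explicit failure branch before the closing `fi`, e.g. `else` / `echo -e "${LRED}Unsupported distro: ${OS_FLAVOUR}${GREY}" 1>&2; exit 1`, and test the `add-apt-repository` call directly where it runs. The first test `[[ $OS_FLAVOUR == "ubuntu" ]]` is subsumed by `[[ $OS_FLAVOUR == *"ubuntu"* ]]` and can be dropped. The two export hunks sharing this line are renames and need nothing.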
@@ -737,13 +752,13 @@ export RDP_PRINTER_LABEL="${RDP_PRINTER_LABEL}"
 # Run the Guacamole install script
 sudo -E ./2-install-guacamole.sh
-if [ $? -ne 0 ]; then
- echo -e "${LRED}2-install-guacamole.sh FAILED. See ${INSTALL_LOG}${GREY}" 1>&2
- exit 1
-elif [ "${CHANGE_ROOT}" = true ]; then
- echo -e "${LGREEN}Guacamole install complete\nhttp://${PROXY_SITE}:8080 - login user/pass: guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
+if [[ $? -ne 0 ]]; then
+ echo -e "${LRED}2-install-guacamole.sh FAILED. See ${INSTALL_LOG}${GREY}" 1>&2
+ exit 1
+elif [[ "${GUAC_URL_REDIR}" = true ]]; then
+ echo -e "${LGREEN}Guacamole install complete\nhttp://${PROXY_SITE}:8080 - login user/pass: guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
 else
- echo -e "${LGREEN}Guacamole install complete\nhttp://${PROXY_SITE}:8080/guacamole - login user/pass: guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
+ echo -e "${LGREEN}Guacamole install complete\nhttp://${PROXY_SITE}:8080/guacamole - login user/pass: guacadmin/guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}"
 fi
 # Add a Guacamole database backup (mon-fri 12:00am) into cron
@@ -762,44 +777,45 @@ rm cron_1 ####################################################################################################################### # Install Nginx reverse proxy front end to Guacamole if option is selected -if [ "${INSTALL_NGINX}" = true ]; then - sudo -E ./3-install-nginx.sh - echo -e "${LGREEN}Nginx install complete\nhttp://${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" +if [[ "${INSTALL_NGINX}" = true ]]; then + sudo -E ./3-install-nginx.sh + echo -e "${LGREEN}Nginx install complete\nhttp://${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" fi # Apply self signed TLS certificates to Nginx reverse proxy if option is selected if [[ "${INSTALL_NGINX}" = true ]] && [[ "${SELF_SIGN}" = true ]]; then - sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} | tee -a ${INSTALL_LOG} - echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" + sudo -E ./4a-install-tls-self-signed-nginx.sh ${PROXY_SITE} ${CERT_DAYS} | tee -a ${INSTALL_LOG} + echo -e "${LGREEN}Self signed certificate configured for Nginx \n${LYELLOW}https:${LGREEN}//${PROXY_SITE} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" fi # Apply Let's Encrypt TLS certificates to Nginx reverse proxy if option is selected if [[ "${INSTALL_NGINX}" = true ]] && [[ "${LETS_ENCRYPT}" = true ]]; then - sudo -E ./4b-install-tls-letsencrypt-nginx.sh - echo -e "${LGREEN}Let's Encrypt TLS configured for Nginx \n${LYELLOW}https:${LGREEN}//${LE_DNS_NAME} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" + sudo -E ./4b-install-tls-letsencrypt-nginx.sh + echo -e "${LGREEN}Let's Encrypt TLS configured for Nginx 
\n${LYELLOW}https:${LGREEN}//${LE_DNS_NAME} - admin login: guacadmin pass: guacadmin\n${LYELLOW}***Be sure to change the password***${GREY}" fi # Duo Settings reminder - If Duo is selected you can't login to Guacamole until this extension is fully configured -if [ $INSTALL_DUO == "true" ]; then - echo - echo -e "${LYELLOW}Reminder: Duo requires extra account specific info configured in the\n/etc/guacamole/guacamole.properties file before you can log in to Guacamole." - echo -e "See https://guacamole.apache.org/doc/gug/duo-auth.html" +if [[ $INSTALL_DUO == "true" ]]; then + echo + echo -e "${LYELLOW}Reminder: Duo requires extra account specific info configured in the\n/etc/guacamole/guacamole.properties file before you can log in to Guacamole." + echo -e "See https://guacamole.apache.org/doc/gug/duo-auth.html" fi # LDAP Settings reminder, LDAP auth is not functional until the config is complete -if [ $INSTALL_LDAP == "true" ]; then - echo - echo -e "${LYELLOW}Reminder: LDAP requires that your LDAP directory configuration match the exact format\nadded to the /etc/guacamole/guacamole.properties file before LDAP auth will be active." - echo -e "See https://guacamole.apache.org/doc/gug/ldap-auth.html" +if [[ $INSTALL_LDAP == "true" ]]; then + echo + echo -e "${LYELLOW}Reminder: LDAP requires that your LDAP directory configuration match the exact format\nadded to the /etc/guacamole/guacamole.properties file before LDAP auth will be active." + echo -e "See https://guacamole.apache.org/doc/gug/ldap-auth.html" fi # Tidy up. (Installer and Nginx scripts can't be run again or standalone without modification, so removing.) -rm -f $USER_HOME_DIR/1-setup.sh +rm -rf $USER_HOME_DIR/1-setup.sh rm -f 2-install-guacamole.sh rm -f 3-install-nginx.sh rm -f 4a-install-tls-self-signed-nginx.sh rm -f 4b-install-tls-letsencrypt-nginx.sh -sudo rm -R $TMP_DIR +sudo rm -rf $TMP_DIR +apt-get -y autoremove &>>${INSTALL_LOG} # Done echo 
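Review bot: `apt-get -y autoremove &>>${INSTALL_LOG}` at the end of the tidy-up runs without `sudo`, unlike every other privileged call in this hunk (`sudo -E ./3-install-nginx.sh`, `sudo rm -rf $TMP_DIR`), so for an unprivileged user it will fail with the error hidden in the log; it should be `sudo apt-get -y autoremove &>>${INSTALL_LOG}`. The change from `rm -f` to `rm -rf` on `$USER_HOME_DIR/1-setup.sh` adds recursion to a single-file delete, and both that path and `$TMP_DIR` are expanded unquoted and unguarded in front of a recursive `sudo rm`; prefer `rm -f -- "${USER_HOME_DIR:?}/1-setup.sh"` and `sudo rm -rf -- "${TMP_DIR:?}"` so an empty or space-containing value cannot widen the delete. `4a-install-tls-self-signed-nginx.sh` a few lines up is likewise invoked with unquoted `${PROXY_SITE} ${CERT_DAYS}`.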
diff --git a/2-install-guacamole.sh b/2-install-guacamole.sh
index 45f6e02..6ab576e 100644
--- a/2-install-guacamole.sh
+++ b/2-install-guacamole.sh
@@ -15,21 +15,19 @@ LGREEN='\033[0;92m'
 LYELLOW='\033[0;93m'
 NC='\033[0m' #No Colour
-# Choose a specific MySQL version e.g. 11.1.2 See https://mariadb.org/mariadb/all-releases/ for available versions.
-if [ -z "${MYSQL_VERSION}" ]; then
- # Use Linux distro default version.
- MYSQLPKG="default-mysql-server default-mysql-client mysql-common"
- DB_CMD="mysql" # mysql command is depricated
+# Apply MySQL client or server packages, and don't clobber any pre-existing database installation accidentally
+if [[ "${INSTALL_MYSQL}" = true ]]; then
+ MYSQLPKG="${MYSQLSRV}"
+elif [ -x "$(command -v mysql)" ]; then
+ MYSQLPKG=""
 else
- # Use official mariadb.org repo
- MYSQLPKG="mariadb-server mariadb-client mariadb-common"
- DB_CMD="mariadb" # mysql command is depricated on newer versions
+ MYSQLPKG="${MYSQLCLIENT}"
 fi
 # Pre-seed MySQL root password values for Linux Distro default packages only
-if [ "${INSTALL_MYSQL}" = true ] && [ -z "${MYSQL_VERSION}" ]; then
- debconf-set-selections <<<"mysql-server mysql-server/root_password password ${MYSQL_ROOT_PWD}"
- debconf-set-selections <<<"mysql-server mysql-server/root_password_again password ${MYSQL_ROOT_PWD}"
+if [[ "${INSTALL_MYSQL}" = true ]] && [[ -z "${MYSQL_VERSION}" ]]; then
+ debconf-set-selections <<<"mysql-server mysql-server/root_password password ${MYSQL_ROOT_PWD}"
+ debconf-set-selections <<<"mysql-server mysql-server/root_password_again password ${MYSQL_ROOT_PWD}"
 fi
 # Update everything but don't do the annoying prompts during apt installs
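Review bot: `elif [ -x "$(command -v mysql)" ]; then` is the one test left in single brackets after this commit normalises the file to `[[ ]]`; write it as `elif [[ -x "$(command -v mysql)" ]]; then`. That branch also sets `MYSQLPKG=""` silently, so a host with an existing `mysql` binary gets neither the server nor the client package and nothing in the output says the existing installation is being reused; a one-liner such as `echo -e "${GREY}Existing MySQL client detected, skipping database package install"` there would make the later dependency step readable in the log. The debconf pre-seed is still gated on `-z "${MYSQL_VERSION}"` while package selection now comes from `MYSQLSRV` regardless of version — presumably intended, since the root password is also set with `ALTER USER` later in this file, but a comment saying so would help the next reader.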
@@ -37,168 +35,168 @@ echo -e "${GREY}Updating base Linux OS..." export DEBIAN_FRONTEND=noninteractive apt-get update -qq &>>${INSTALL_LOG} apt-get upgrade -qq -y &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Install Guacamole build dependencies. -if [ -n "${MYSQL_VERSION}" ]; then - echo -e "${GREY}Adding the official MariaDB repository and installing version ${MYSQL_VERSION}..." - # Add the Official MariaDB repo. - apt-get -qq -y install curl gnupg2 &>>${INSTALL_LOG} - curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup &>>${INSTALL_LOG} - bash mariadb_repo_setup --mariadb-server-version=$MYSQL_VERSION &>>${INSTALL_LOG} - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi +if [[ -n "${MYSQL_VERSION}" ]]; then + echo -e "${GREY}Adding the official MariaDB repository and installing version ${MYSQL_VERSION}..." + # Add the Official MariaDB repo. + apt-get -qq -y install curl gnupg2 &>>${INSTALL_LOG} + curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup &>>${INSTALL_LOG} + bash mariadb_repo_setup --mariadb-server-version=$MYSQL_VERSION &>>${INSTALL_LOG} + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi echo -e "${GREY}Installing dependencies required for building Guacamole, this might take a few minutes..." 
apt-get -qq -y install ${MYSQLPKG} ${TOMCAT_VERSION} ${JPEGTURBO} ${LIBPNG} ufw pwgen wget expect \ - build-essential libcairo2-dev libtool-bin uuid-dev libavcodec-dev libavformat-dev libavutil-dev \ - libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libwebsockets-dev \ - libpulse-dev libssl-dev libvorbis-dev libwebp-dev ghostscript &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 + build-essential libcairo2-dev libtool-bin uuid-dev libavcodec-dev libavformat-dev libavutil-dev \ + libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libwebsockets-dev \ + libpulse-dev libssl-dev libvorbis-dev libwebp-dev ghostscript &>>${INSTALL_LOG} +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Install Postfix with default settings for smtp email relay echo -e "${GREY}Installing Postfix MTA for backup email notifications and alerts, see separate SMTP relay configuration script..." DEBIAN_FRONTEND="noninteractive" apt-get install postfix mailutils -qq -y &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - systemctl restart postfix - echo -e "${LGREEN}OK${GREY}" - echo + systemctl restart postfix + echo -e "${LGREEN}OK${GREY}" + echo fi # Download Guacamole Server echo -e "${GREY}Downloading Guacamole source files..." wget -q --show-progress -O guacamole-server-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/source/guacamole-server-${GUAC_VERSION}.tar.gz -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-server-${GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/source/guacamole-server-${GUAC_VERSION}.tar.gz${GREY}" - exit 1 +if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-server-${GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/source/guacamole-server-${GUAC_VERSION}.tar.gz${GREY}" + exit 1 else - tar -xzf guacamole-server-${GUAC_VERSION}.tar.gz - echo -e "${LGREEN}Downloaded guacamole-server-${GUAC_VERSION}.tar.gz${GREY}" + tar -xzf guacamole-server-${GUAC_VERSION}.tar.gz + echo -e "${LGREEN}Downloaded guacamole-server-${GUAC_VERSION}.tar.gz${GREY}" fi # Download Guacamole Client wget -q --show-progress -O guacamole-${GUAC_VERSION}.war ${GUAC_SOURCE_LINK}/binary/guacamole-${GUAC_VERSION}.war -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-${GUAC_VERSION}.war" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-${GUAC_VERSION}.war${GREY}" - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-${GUAC_VERSION}.war" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-${GUAC_VERSION}.war${GREY}" + exit 1 else - echo -e "${LGREEN}Downloaded guacamole-${GUAC_VERSION}.war (Guacamole client)${GREY}" + echo -e "${LGREEN}Downloaded guacamole-${GUAC_VERSION}.war (Guacamole client)${GREY}" fi # Download MySQL connector/j wget -q --show-progress -O mysql-connector-j-${MYSQLJCON}.tar.gz https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQLJCON}.tar.gz -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download mysql-connector-j-${MYSQLJCON}.tar.gz" 1>&2 - echo -e "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQLJCON}}.tar.gz${GREY}" - exit 1 +if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed to download mysql-connector-j-${MYSQLJCON}.tar.gz" 1>&2 + echo -e "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQLJCON}}.tar.gz${GREY}" + exit 1 else - tar -xzf mysql-connector-j-${MYSQLJCON}.tar.gz - echo -e "${LGREEN}Downloaded mysql-connector-j-${MYSQLJCON}.tar.gz${GREY}" + tar -xzf mysql-connector-j-${MYSQLJCON}.tar.gz + echo -e "${LGREEN}Downloaded mysql-connector-j-${MYSQLJCON}.tar.gz${GREY}" fi # Download Guacamole authentication extensions wget -q --show-progress -O guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz" - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz" + exit 1 else - tar -xzf guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz - echo -e "${LGREEN}Downloaded guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz${GREY}" + tar -xzf guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz + echo -e "${LGREEN}Downloaded guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz${GREY}" fi # Download TOTP extension -if [ "${INSTALL_TOTP}" = true ]; then - wget -q --show-progress -O guacamole-auth-totp-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${GUAC_VERSION}.tar.gz - if [ $? 
-ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-totp-${GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${GUAC_VERSION}.tar.gz" - exit 1 - else - tar -xzf guacamole-auth-totp-${GUAC_VERSION}.tar.gz - rm -f add-auth-totp.sh - echo -e "${LGREEN}Downloaded guacamole-auth-totp-${GUAC_VERSION}.tar.gz${GREY}" - fi +if [[ "${INSTALL_TOTP}" = true ]]; then + wget -q --show-progress -O guacamole-auth-totp-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${GUAC_VERSION}.tar.gz + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-totp-${GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${GUAC_VERSION}.tar.gz" + exit 1 + else + tar -xzf guacamole-auth-totp-${GUAC_VERSION}.tar.gz + rm -f add-auth-totp.sh + echo -e "${LGREEN}Downloaded guacamole-auth-totp-${GUAC_VERSION}.tar.gz${GREY}" + fi fi # Download DUO extension -if [ "${INSTALL_DUO}" = true ]; then - wget -q --show-progress -O guacamole-auth-duo-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${GUAC_VERSION}.tar.gz - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-duo-${GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${GUAC_VERSION}.tar.gz" - exit 1 - else - tar -xzf guacamole-auth-duo-${GUAC_VERSION}.tar.gz - rm -f add-auth-duo.sh - echo -e "${LGREEN}Downloaded guacamole-auth-duo-${GUAC_VERSION}.tar.gz${GREY}" - fi +if [[ "${INSTALL_DUO}" = true ]]; then + wget -q --show-progress -O guacamole-auth-duo-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${GUAC_VERSION}.tar.gz + if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-duo-${GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${GUAC_VERSION}.tar.gz" + exit 1 + else + tar -xzf guacamole-auth-duo-${GUAC_VERSION}.tar.gz + rm -f add-auth-duo.sh + echo -e "${LGREEN}Downloaded guacamole-auth-duo-${GUAC_VERSION}.tar.gz${GREY}" + fi fi # Download LDAP extension -if [ "${INSTALL_LDAP}" = true ]; then - wget -q --show-progress -O guacamole-auth-ldap-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-ldap-${GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz" - exit 1 - else - tar -xzf guacamole-auth-ldap-${GUAC_VERSION}.tar.gz - rm -f add-auth-ldap.sh - echo -e "${LGREEN}Downloaded guacamole-auth-ldap-${GUAC_VERSION}.tar.gz${GREY}" - fi +if [[ "${INSTALL_LDAP}" = true ]]; then + wget -q --show-progress -O guacamole-auth-ldap-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-ldap-${GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${GUAC_VERSION}.tar.gz" + exit 1 + else + tar -xzf guacamole-auth-ldap-${GUAC_VERSION}.tar.gz + rm -f add-auth-ldap.sh + echo -e "${LGREEN}Downloaded guacamole-auth-ldap-${GUAC_VERSION}.tar.gz${GREY}" + fi fi # Download Guacamole quick-connect extension -if [ "${INSTALL_QCONNECT}" = true ]; then - wget -q --show-progress -O guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz - if [ $? 
-ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz" - exit 1 - else - tar -xzf guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz - rm -f add-xtra-quickconnect.sh - echo -e "${LGREEN}Downloaded guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz${GREY}" - fi +if [[ "${INSTALL_QCONNECT}" = true ]]; then + wget -q --show-progress -O guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz" + exit 1 + else + tar -xzf guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz + rm -f add-xtra-quickconnect.sh + echo -e "${LGREEN}Downloaded guacamole-auth-quickconnect-${GUAC_VERSION}.tar.gz${GREY}" + fi fi # Download Guacamole history recording storage extension -if [ "${INSTALL_HISTREC}" = true ]; then - wget -q --show-progress -O guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz +if [[ "${INSTALL_HISTREC}" = true ]]; then + wget -q --show-progress -O guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz" - exit 1 - else - tar -xzf guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz - rm -f add-xtra-histrecstor.sh - echo -e "${LGREEN}Downloaded guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz${GREY}" - fi + if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz" + exit 1 + else + tar -xzf guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz + rm -f add-xtra-histrecstor.sh + echo -e "${LGREEN}Downloaded guacamole-history-recording-storage-${GUAC_VERSION}.tar.gz${GREY}" + fi fi echo -e "Source download complete.${GREY}" 
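Review bot: The connector/j failure message still carries a stray brace, `mysql-connector-j-${MYSQLJCON}}.tar.gz`, so the URL echoed to the user on a download failure is wrong; the line should read `echo -e "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQLJCON}.tar.gz${GREY}"`. Separately, the MariaDB branch fetches `mariadb_repo_setup` with `curl -LsS -O` and immediately runs it with `bash`, and none of the `wget` downloads (guacamole-server, the .war, the auth extensions, connector/j) are compared against a published checksum or signature before being extracted and installed by a root process; at minimum verify `mariadb_repo_setup` against the checksum MariaDB publishes for it, e.g. `echo "<published sha256> mariadb_repo_setup" | sha256sum -c - || exit 1` with the value pinned in the script, and fail the install on mismatch. The enclosing hunk's remaining lines are indentation-only and need nothing else.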
@@ -234,37 +232,37 @@ export CFLAGS="-Wno-error" # Configure Guacamole Server source ./configure --with-systemd-dir=/etc/systemd/system &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo "Failed to configure guacamole-server" - echo "Trying again with --enable-allow-freerdp-snapshots" - ./configure --with-systemd-dir=/etc/systemd/system --enable-allow-freerdp-snapshots - if [ $? -ne 0 ]; then - echo "Failed to configure guacamole-server - again" - exit - fi +if [[ $? -ne 0 ]]; then + echo "Failed to configure guacamole-server" + echo "Trying again with --enable-allow-freerdp-snapshots" + ./configure --with-systemd-dir=/etc/systemd/system --enable-allow-freerdp-snapshots + if [[ $? -ne 0 ]]; then + echo "Failed to configure guacamole-server - again" + exit + fi else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi echo -e "${GREY}Running make and building the Guacamole-Server application..." make &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi echo -e "${GREY}Installing Guacamole-Server..." make install &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Update the shared library cache 
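Review bot: In the configure retry, `exit` has no status argument, so when the second `./configure ... --enable-allow-freerdp-snapshots` also fails the script exits with the status of the preceding `echo` (0) and the caller's `if [[ $? -ne 0 ]]` after `sudo -E ./2-install-guacamole.sh` in 1-setup.sh reports success; change it to `exit 1`. The retry is also the only build step in this hunk not redirected with `&>>${INSTALL_LOG}`, and its two diagnostics go to stdout rather than `1>&2` like the rest of the file. Suggest `./configure --with-systemd-dir=/etc/systemd/system --enable-allow-freerdp-snapshots &>>${INSTALL_LOG}` and `echo -e "${LRED}Failed to configure guacamole-server - again. See ${INSTALL_LOG}${GREY}" 1>&2` ahead of the `exit 1`.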
@@ -277,35 +275,35 @@ mv -f guacamole-${GUAC_VERSION}.war /etc/guacamole/guacamole.war chmod 664 /etc/guacamole/guacamole.war # Create a symbolic link for Tomcat ln -sf /etc/guacamole/guacamole.war /var/lib/${TOMCAT_VERSION}/webapps/ &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi echo -e "${GREY}Moving guacamole-auth-jdbc-mysql-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." mv -f guacamole-auth-jdbc-${GUAC_VERSION}/mysql/guacamole-auth-jdbc-mysql-${GUAC_VERSION}.jar /etc/guacamole/extensions/ chmod 664 /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-${GUAC_VERSION}.jar -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Move MySQL connector/j files echo -e "${GREY}Moving mysql-connector-j-${MYSQLJCON}.jar (/etc/guacamole/lib/mysql-connector-java.jar)..." mv -f mysql-connector-j-${MYSQLJCON}/mysql-connector-j-${MYSQLJCON}.jar /etc/guacamole/lib/mysql-connector-java.jar chmod 664 /etc/guacamole/lib/mysql-connector-java.jar -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Configure guacamole.properties file 
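Review bot: Each `if [[ $? -ne 0 ]]` in this hunk follows a `mv -f` / `chmod 664` pair, so the status tested is only that of `chmod`; a failed `mv` is caught indirectly because `chmod` then fails on the missing target, which works today but silently stops working if another command is ever inserted between them. Joining the pair, e.g. `mv -f guacamole-auth-jdbc-${GUAC_VERSION}/mysql/guacamole-auth-jdbc-mysql-${GUAC_VERSION}.jar /etc/guacamole/extensions/ && chmod 664 /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-${GUAC_VERSION}.jar`, makes the check cover both steps explicitly. The same pattern continues in the extension-move hunk that follows, where the `$?` tested after the Duo, LDAP and history-recording blocks is that of a trailing `echo` and so can never be non-zero.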
@@ -318,229 +316,228 @@ echo "mysql-username: ${GUAC_USER}" >>/etc/guacamole/guacamole.properties echo "mysql-password: ${GUAC_PWD}" >>/etc/guacamole/guacamole.properties # Move TOTP files -if [ "${INSTALL_TOTP}" = true ]; then - echo -e "${GREY}Moving guacamole-auth-totp-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." - mv -f guacamole-auth-totp-${GUAC_VERSION}/guacamole-auth-totp-${GUAC_VERSION}.jar /etc/guacamole/extensions/ - chmod 664 /etc/guacamole/extensions/guacamole-auth-totp-${GUAC_VERSION}.jar - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi +if [[ "${INSTALL_TOTP}" = true ]]; then + echo -e "${GREY}Moving guacamole-auth-totp-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." + mv -f guacamole-auth-totp-${GUAC_VERSION}/guacamole-auth-totp-${GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-auth-totp-${GUAC_VERSION}.jar + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi # Move Duo files -if [ "${INSTALL_DUO}" = true ]; then - echo -e "${GREY}Moving guacamole-auth-duo-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." - mv -f guacamole-auth-duo-${GUAC_VERSION}/guacamole-auth-duo-${GUAC_VERSION}.jar /etc/guacamole/extensions/ - chmod 664 /etc/guacamole/extensions/guacamole-auth-duo-${GUAC_VERSION}.jar - echo "#duo-api-hostname: " >>/etc/guacamole/guacamole.properties - echo "#duo-integration-key: " >>/etc/guacamole/guacamole.properties - echo "#duo-secret-key: " >>/etc/guacamole/guacamole.properties - echo "#duo-application-key: " >>/etc/guacamole/guacamole.properties - echo -e "Duo auth is installed, it will need to be configured via guacamole.properties" - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. 
See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi +if [[ "${INSTALL_DUO}" = true ]]; then + echo -e "${GREY}Moving guacamole-auth-duo-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." + mv -f guacamole-auth-duo-${GUAC_VERSION}/guacamole-auth-duo-${GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-auth-duo-${GUAC_VERSION}.jar + echo "#duo-api-hostname: " >>/etc/guacamole/guacamole.properties + echo "#duo-integration-key: " >>/etc/guacamole/guacamole.properties + echo "#duo-secret-key: " >>/etc/guacamole/guacamole.properties + echo "#duo-application-key: " >>/etc/guacamole/guacamole.properties + echo -e "Duo auth is installed, it will need to be configured via guacamole.properties" + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi # Move LDAP files -if [ "${INSTALL_LDAP}" = true ]; then - echo -e "${GREY}Moving guacamole-auth-ldap-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." - mv -f guacamole-auth-ldap-${GUAC_VERSION}/guacamole-auth-ldap-${GUAC_VERSION}.jar /etc/guacamole/extensions/ - chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${GUAC_VERSION}.jar - echo "#If you have issues with LDAP, check the formatting is exactly as below or you will despair!" >>/etc/guacamole/guacamole.properties - echo "#Be extra careful with spaces at line ends or with windows line feeds." 
>>/etc/guacamole/guacamole.properties - echo "#ldap-hostname: dc1.yourdomain.com dc2.yourdomain.com" >>/etc/guacamole/guacamole.properties - echo "#ldap-port: 389" >>/etc/guacamole/guacamole.properties - echo "#ldap-username-attribute: sAMAccountName" >>/etc/guacamole/guacamole.properties - echo "#ldap-encryption-method: none" >>/etc/guacamole/guacamole.properties - echo "#ldap-search-bind-dn: ad-account@yourdomain.com" >>/etc/guacamole/guacamole.properties - echo "#ldap-search-bind-password: ad-account-password" >>/etc/guacamole/guacamole.properties - echo "#ldap-config-base-dn: dc=domain,dc=com" >>/etc/guacamole/guacamole.properties - echo "#ldap-user-base-dn: OU=SomeOU,DC=domain,DC=com" >>/etc/guacamole/guacamole.properties - echo "#ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))" >>/etc/guacamole/guacamole.properties - echo "#ldap-max-search-results:200" >>/etc/guacamole/guacamole.properties - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi +if [[ "${INSTALL_LDAP}" = true ]]; then + echo -e "${GREY}Moving guacamole-auth-ldap-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." + mv -f guacamole-auth-ldap-${GUAC_VERSION}/guacamole-auth-ldap-${GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${GUAC_VERSION}.jar + echo "#If you have issues with LDAP, check the formatting is exactly as below or you will despair!" >>/etc/guacamole/guacamole.properties + echo "#Be extra careful with spaces at line ends or with windows line feeds." 
>>/etc/guacamole/guacamole.properties + echo "#ldap-hostname: dc1.yourdomain.com dc2.yourdomain.com" >>/etc/guacamole/guacamole.properties + echo "#ldap-port: 389" >>/etc/guacamole/guacamole.properties + echo "#ldap-username-attribute: sAMAccountName" >>/etc/guacamole/guacamole.properties + echo "#ldap-encryption-method: none" >>/etc/guacamole/guacamole.properties + echo "#ldap-search-bind-dn: ad-account@yourdomain.com" >>/etc/guacamole/guacamole.properties + echo "#ldap-search-bind-password: ad-account-password" >>/etc/guacamole/guacamole.properties + echo "#ldap-config-base-dn: dc=domain,dc=com" >>/etc/guacamole/guacamole.properties + echo "#ldap-user-base-dn: OU=SomeOU,DC=domain,DC=com" >>/etc/guacamole/guacamole.properties + echo "#ldap-user-search-filter:(objectClass=user)(!(objectCategory=computer))" >>/etc/guacamole/guacamole.properties + echo "#ldap-max-search-results:200" >>/etc/guacamole/guacamole.properties + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi # Move quick-connect extension files -if [ "${INSTALL_QCONNECT}" = true ]; then - echo -e "${GREY}Moving guacamole-auth-quickconnect-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." - mv -f guacamole-auth-quickconnect-${GUAC_VERSION}/guacamole-auth-quickconnect-${GUAC_VERSION}.jar /etc/guacamole/extensions/ - chmod 664 /etc/guacamole/extensions/guacamole-auth-quickconnect-${GUAC_VERSION}.jar - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi +if [[ "${INSTALL_QCONNECT}" = true ]]; then + echo -e "${GREY}Moving guacamole-auth-quickconnect-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." + mv -f guacamole-auth-quickconnect-${GUAC_VERSION}/guacamole-auth-quickconnect-${GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-auth-quickconnect-${GUAC_VERSION}.jar + if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi # Move history recording storage extension files -if [ "${INSTALL_HISTREC}" = true ]; then - echo -e "${GREY}Moving guacamole-history-recording-storage-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." - mv -f guacamole-history-recording-storage-${GUAC_VERSION}/guacamole-history-recording-storage-${GUAC_VERSION}.jar /etc/guacamole/extensions/ - chmod 664 /etc/guacamole/extensions/guacamole-history-recording-storage-${GUAC_VERSION}.jar - #Setup the default recording path - mkdir -p ${HISTREC_PATH} - chown daemon:tomcat ${HISTREC_PATH} - chmod 2750 ${HISTREC_PATH} - echo "recording-search-path: ${HISTREC_PATH}" >>/etc/guacamole/guacamole.properties - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi +if [[ "${INSTALL_HISTREC}" = true ]]; then + echo -e "${GREY}Moving guacamole-history-recording-storage-${GUAC_VERSION}.jar (/etc/guacamole/extensions/)..." + mv -f guacamole-history-recording-storage-${GUAC_VERSION}/guacamole-history-recording-storage-${GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-history-recording-storage-${GUAC_VERSION}.jar + #Setup the default recording path + mkdir -p ${HISTREC_PATH} + chown daemon:tomcat ${HISTREC_PATH} + chmod 2750 ${HISTREC_PATH} + echo "recording-search-path: ${HISTREC_PATH}" >>/etc/guacamole/guacamole.properties + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi # Apply a branded interface and dark theme. You may delete this file and restart guacd & tomcat for the default console echo -e "${GREY}Setting the Guacamole console to a (customisable) dark mode themed template..." 
mv branding.jar /etc/guacamole/extensions chmod 664 /etc/guacamole/extensions/branding.jar -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Restart Tomcat echo -e "${GREY}Restarting Tomcat service & enable at boot..." systemctl restart ${TOMCAT_VERSION} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Set Tomcat to start at boot systemctl enable ${TOMCAT_VERSION} -echo -if [ "${INSTALL_MYSQL}" = true ]; then - # Set MySQL password - export MYSQL_PWD=${MYSQL_ROOT_PWD} +if [[ "${INSTALL_MYSQL}" = true ]]; then + # Set MySQL password + export MYSQL_PWD=${MYSQL_ROOT_PWD} - # Set the root password without a reliance on debconf. - echo -e "${GREY}Setting MySQL root password..." - SQLCODE=" + # Set the root password without a reliance on debconf. + echo -e "${GREY}Setting MySQL root password..." + SQLCODE=" FLUSH PRIVILEGES; ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PWD';" - echo ${SQLCODE} | $DB_CMD -u root - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi + echo ${SQLCODE} | $DB_CMD -u root + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi - # Find the location of the MySQL or MariaDB config files. (Add to this list for more potential candidates.) 
- for x in /etc/mysql/mariadb.conf.d/50-server.cnf \ - /etc/mysql/mysql.conf.d/mysqld.cnf \ - /etc/mysql/my.cnf; do - # Check inside each candidate to see if a [mysqld] or [mariadbd] section exists, assign $x the correct filename. - if [ -e "${x}" ]; then - if grep -qE '^\[(mysqld|mariadbd)\]$' "${x}"; then - mysqlconfig="${x}" - # Reduce any duplicated section names, then sanitise the [ ] special characters for sed below) - config_section=$(grep -m 1 -E '^\[(mysqld|mariadbd)\]$' "${x}" | sed 's/\[\(.*\)\]/\1/') - break - fi - fi - done + # Find the location of the MySQL or MariaDB config files. (Add to this list for more potential candidates.) + for x in /etc/mysql/mariadb.conf.d/50-server.cnf \ + /etc/mysql/mysql.conf.d/mysqld.cnf \ + /etc/mysql/my.cnf; do + # Check inside each candidate to see if a [mysqld] or [mariadbd] section exists, assign $x the correct filename. + if [[ -e "${x}" ]]; then + if grep -qE '^\[(mysqld|mariadbd)\]$' "${x}"; then + mysqlconfig="${x}" + # Reduce any duplicated section names, then sanitise the [ ] special characters for sed below) + config_section=$(grep -m 1 -E '^\[(mysqld|mariadbd)\]$' "${x}" | sed 's/\[\(.*\)\]/\1/') + break + fi + fi + done - # Set the MySQL Timezone - if [ -z "${mysqlconfig}" ]; then - echo -e "${GREY}Couldn't detect MySQL config file - you will need to manually configure database timezone settings" - else - # Is there already a timzeone value configured? - if grep -q "^default_time_zone[[:space:]]=" "${mysqlconfig}"; then - echo -e "MySQL database timezone defined in ${mysqlconfig}" - else - timezone=${DB_TZ} - if [ -z "${DB_TZ}" ]; then - echo -e "Couldn't find system timezone, using UTC$" - timezone="UTC" - fi - echo -e "Setting MySQL database timezone as ${timezone}${GREY}" - mysql_tzinfo_to_sql /usr/share/zoneinfo 2>/dev/null | ${DB_CMD} -u root -D mysql -p${MYSQL_ROOT_PWD} - # Add the timzone value to the sanitsed server file section name. 
- sed -i -e "/^\[${config_section}\]/a default_time_zone = ${timezone}" "${mysqlconfig}" - fi - fi - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi + # Set the MySQL Timezone + if [[ -z "${mysqlconfig}" ]]; then + echo -e "${GREY}Couldn't detect MySQL config file - you will need to manually configure database timezone settings" + else + # Is there already a timzeone value configured? + if grep -q "^default_time_zone[[:space:]]=" "${mysqlconfig}"; then + echo -e "MySQL database timezone defined in ${mysqlconfig}" + else + timezone=${DB_TZ} + if [[ -z "${DB_TZ}" ]]; then + echo -e "Couldn't find system timezone, using UTC$" + timezone="UTC" + fi + echo -e "Setting MySQL database timezone as ${timezone}${GREY}" + mysql_tzinfo_to_sql /usr/share/zoneinfo 2>/dev/null | ${DB_CMD} -u root -D mysql -p${MYSQL_ROOT_PWD} + # Add the timzone value to the sanitsed server file section name. + sed -i -e "/^\[${config_section}\]/a default_time_zone = ${timezone}" "${mysqlconfig}" + fi + fi + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi - # This should stay as localhost in most local MySQL install situations. This setting determine from WHERE the new ${GUAC_USER} - # will be able to login to the database (either specific remote IPs or localhost only.) - # However this setting can be quick and hacky way to build a backend guacamole database server for use behind another guac application server - # (albeit with the full application suite installed). To do this, set GUAC_USERHost="%" for login access from all IPs, or e.g. 192.168.1.% for an IP range. - # You will also need to set the MySQL binding away from the default 127.0.0.1 to 0.0.0.0 or a specific external facing network interface to allow remote login. 
- if [ "${MYSQL_HOST}" != "localhost" ]; then - GUAC_USERHost="%" - echo -e "${LYELLOW}${GUAC_USER} is set to accept db logins from any host, you may wish to limit this to specific IPs.${GREY}" - else - GUAC_USERHost="localhost" - fi + # This should stay as localhost in most local MySQL install situations. This setting determine from WHERE the new ${GUAC_USER} + # will be able to login to the database (either specific remote IPs or localhost only.) + # However this setting can be quick and hacky way to build a backend guacamole database server for use behind another guac application server + # (albeit with the full application suite installed). To do this, set GUAC_USERHost="%" for login access from all IPs, or e.g. 192.168.1.% for an IP range. + # You will also need to set the MySQL binding away from the default 127.0.0.1 to 0.0.0.0 or a specific external facing network interface to allow remote login. + if [[ "${MYSQL_HOST}" != "localhost" ]]; then + GUAC_USERHost="%" + echo -e "${LYELLOW}${GUAC_USER} is set to accept db logins from any host, you may wish to limit this to specific IPs.${GREY}" + else + GUAC_USERHost="localhost" + fi - # Execute SQL code to create the Guacamole database - echo -e "${GREY}Creating the Guacamole database..." - SQLCODE=" + # Execute SQL code to create the Guacamole database + echo -e "${GREY}Creating the Guacamole database..." + SQLCODE=" DROP DATABASE IF EXISTS ${GUAC_DB}; CREATE DATABASE IF NOT EXISTS ${GUAC_DB}; CREATE USER IF NOT EXISTS '${GUAC_USER}'@'${GUAC_USERHost}' IDENTIFIED BY \"${GUAC_PWD}\"; GRANT SELECT,INSERT,UPDATE,DELETE ON ${GUAC_DB}.* TO '${GUAC_USER}'@'${GUAC_USERHost}'; FLUSH PRIVILEGES;" - echo ${SQLCODE} | mysql -u root -D mysql -h ${MYSQL_HOST} -P ${MYSQL_PORT} - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi + echo ${SQLCODE} | mysql -u root -D mysql -h ${MYSQL_HOST} -P ${MYSQL_PORT} + if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi - # Add Guacamole schema to newly created database - echo -e "${GREY}Adding database tables..." - cat guacamole-auth-jdbc-${GUAC_VERSION}/mysql/schema/*.sql | $DB_CMD -u root -D ${GUAC_DB} -p${MYSQL_ROOT_PWD} - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi + # Add Guacamole schema to newly created database + echo -e "${GREY}Adding database tables..." + cat guacamole-auth-jdbc-${GUAC_VERSION}/mysql/schema/*.sql | $DB_CMD -u root -D ${GUAC_DB} -p${MYSQL_ROOT_PWD} + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi # Apply Secure MySQL installation settings -if [ "${SECURE_MYSQL}" = true ] && [ "${INSTALL_MYSQL}" = true ]; then - echo -e "${GREY}Applying mysql_secure_installation settings...${DGREY}" - SECURE_MYSQL=$(expect -c " +if [[ "${SECURE_MYSQL}" = true ]] && [[ "${INSTALL_MYSQL}" = true ]]; then + echo -e "${GREY}Applying mysql_secure_installation settings...${DGREY}" + SECURE_MYSQL=$(expect -c " set timeout 10 spawn mysql_secure_installation expect \"Enter current password for root (enter for none):\" 
@@ -559,44 +556,44 @@ expect \"Reload privilege tables now?\" send \"y\r\" expect eof ") - echo "$SECURE_MYSQL" - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi + echo "$SECURE_MYSQL" + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi # Restart MySQL service -if [ "${INSTALL_MYSQL}" = true ]; then - echo -e "${GREY}Restarting MySQL service & enable at boot..." - # Set MySQl to start at boot - systemctl enable mysql - systemctl restart mysql - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi +if [[ "${INSTALL_MYSQL}" = true ]]; then + echo -e "${GREY}Restarting MySQL service & enable at boot..." + # Set MySQl to start at boot + systemctl enable mysql + systemctl restart mysql + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi # Create guacd.conf and locahost IP binding. echo -e "${GREY}Binding guacd to 127.0.0.1 port 4822..." cat >/etc/guacamole/guacd.conf <<-"EOF" - [server] - bind_host = 127.0.0.1 - bind_port = 4822 +[server] +bind_host = 127.0.0.1 +bind_port = 4822 EOF -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Ensure guacd is started 
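Review bot: The `if [[ $? -ne 0 ]]` after `echo "$SECURE_MYSQL"` tests the `echo`, not the `expect` run, so a broken `mysql_secure_installation` pass is reported as OK; the status of a command substitution survives the assignment, so read it right after the closing `")` line (`rc=$?`), test `if [[ $rc -ne 0 ]]; then`, and move `echo "$SECURE_MYSQL"` below the test. The same status-after-the-wrong-command shape recurs elsewhere in this commit: `3-install-nginx.sh @@ -64` tests `echo -e "${GREY}Boosting ..."` instead of the two `sed -i` edits of `nginx.conf`, `4b-install-tls-letsencrypt-nginx.sh @@ -88` tests the "successfully installed" `echo` instead of `certbot` (so a failed issuance prints success and then OK), and `4b @@ -110` tests `rm cron_1` instead of `crontab cron_1`; in each case the test belongs directly after the command whose failure matters, or its status is captured into `rc=$?` first. Note that `expect` itself may exit 0 when the program it spawns fails, so even the corrected check is a partial one. The `expect -c` script begins before this hunk; if any of its earlier `send` lines transmit the root password, printing the whole transcript with `echo "$SECURE_MYSQL"` is worth a second look, since that output lands wherever the console is captured.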
@@ -604,28 +601,28 @@ echo -e "${GREY}Starting guacd service & enable at boot..." systemctl enable guacd systemctl stop guacd 2>/dev/null systemctl start guacd -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi -if [ "${CHANGE_ROOT}" = true ]; then - echo -e "${GREY}Shortening the Guacamole root url and setting up redirect...${DGREY}" - systemctl stop ${TOMCAT_VERSION} - mv /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html.old - touch /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.jsp - echo "<% response.sendRedirect(\"/guacamole\");%>" >>/var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.jsp - systemctl start ${TOMCAT_VERSION} - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi +if [[ "${GUAC_URL_REDIR}" = true ]]; then + echo -e "${GREY}Shortening the Guacamole root url and setting up redirect...${DGREY}" + systemctl stop ${TOMCAT_VERSION} + mv /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.html.old + touch /var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.jsp + echo "<% response.sendRedirect(\"/guacamole\");%>" >>/var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.jsp + systemctl start ${TOMCAT_VERSION} + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 8080..." 
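Review bot: In the `GUAC_URL_REDIR` block the `if [[ $? -ne 0 ]]` reflects only `systemctl start ${TOMCAT_VERSION}`; a failed `mv` of `index.html` or an unwritable `index.jsp` is reported as OK. The redirect is also appended with `>>`, so every re-run of the script adds another `<% response.sendRedirect(...) %>` line to `index.jsp`; writing it with `>` (which also makes the `touch` redundant) keeps the file idempotent: `printf '%s\n' '<% response.sendRedirect("/guacamole");%>' >"/var/lib/${TOMCAT_VERSION}/webapps/ROOT/index.jsp"`. The `mv` should likewise be guarded, e.g. `[[ -e "$root/index.html" ]] && mv "$root/index.html" "$root/index.html.old"` with `root=/var/lib/${TOMCAT_VERSION}/webapps/ROOT`, so a second run does not fail silently on the missing source file.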
@@ -636,12 +633,12 @@ sudo ufw allow 8080/tcp >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1 # Reduce firewall logging noise sudo ufw logging off >/dev/null 2>&1 -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Cleanup @@ -649,20 +646,19 @@ echo -e "${GREY}Cleanup install files...${GREY}" rm -rf guacamole-* rm -rf mysql-connector-j-* rm -rf mariadb_repo_setup -if [ "${INSTALL_NGINX}" = false ]; then - rm -rf 3-install-nginx.sh - rm -f 4a-install-tls-self-signed-nginx.sh - rm -rf 4b-install-tls-letsencrypt-nginx.sh - rm -f refresh-tls-self-signed.sh +if [[ "${INSTALL_NGINX}" = false ]]; then + rm -f 3-install-nginx.sh + rm -f 4a-install-tls-self-signed-nginx.sh + rm -f 4b-install-tls-letsencrypt-nginx.sh + rm -f refresh-tls-self-signed.sh fi unset MYSQL_PWD apt-get -y remove expect &>>${INSTALL_LOG} -apt-get -y autoremove &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" + echo -e "${LGREEN}OK${GREY}" fi # Done diff --git a/3-install-nginx.sh b/3-install-nginx.sh index 96eebc0..fcfd1dc 100644 --- a/3-install-nginx.sh +++ b/3-install-nginx.sh @@ -43,12 +43,12 @@ server { } } EOF -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Force nginx to require tls1.2 and above 
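Review bot: The `if [[ $? -ne 0 ]]` after `sudo ufw logging off` tests only the logging command; the `ufw allow`, `ufw delete` and `ufw enable` calls above it discard their output with `>/dev/null 2>&1` and are never checked, so a firewall that failed to enable still prints OK. The same pattern is in `3-install-nginx.sh` (`@@ -92`), `4a-install-tls-self-signed-nginx.sh` (`@@ -166`) and `4b-install-tls-letsencrypt-nginx.sh` (`@@ -73`); a cheap fix is to verify the end state rather than the last command, e.g. `sudo ufw status | grep -q '^Status: active' || { echo -e "${LRED}ufw is not active${GREY}" 1>&2; exit 1; }`. Separately, `ufw logging off` removes the only host-side record of blocked connections; `sudo ufw logging low` cuts the noise while keeping denied packets in the journal, which is what an incident responder will want after the fact.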
@@ -64,24 +64,24 @@ unlink /etc/nginx/sites-enabled/default # Do mandatory Nginx tweaks for logging actual client IPs through a proxy IP of 127.0.0.1 - DO NOT CHANGE COMMAND FORMATING! echo -e "${GREY}Configuring Apache Tomcat valve for pass through of client IPs to Guacamole logs...${GREY}" sudo sed -i '/pattern="%h %l %u %t "%r" %s %b"/a \ \n ' /etc/$TOMCAT_VERSION/server.xml -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Allow large file transfers through Nginx sudo sed -i '/client_max_body_size/d' /etc/nginx/nginx.conf # remove this line if it already exists to prevent duplicates sudo sed -i "/Basic Settings/a \ client_max_body_size 100000000M;" /etc/nginx/nginx.conf # Add the larger file transfer size echo -e "${GREY}Boosting Nginx's 'maximum body size' parameter to allow large file transfers...${GREY}" -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network. @@ -92,12 +92,12 @@ sudo ufw allow OpenSSH >/dev/null 2>&1 sudo ufw allow 80/tcp >/dev/null 2>&1 sudo ufw delete allow 8080/tcp >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1 -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Reload everything 
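Review bot: `client_max_body_size 100000000M;`, inserted by the `sed -i "/Basic Settings/a ..."` line, is effectively unlimited and removes the request-body cap that normally bounds how much a single client can stream through the proxy; pick a ceiling that matches the largest file transfer actually expected and keep it as a setup variable, e.g. `NGINX_MAX_BODY="4G"` and `sed -i "/Basic Settings/a \ client_max_body_size ${NGINX_MAX_BODY};" /etc/nginx/nginx.conf`. The preceding `sed -i '/client_max_body_size/d'` makes the edit idempotent, which is good. The `sed -i` on `server.xml` in the hunk above appears in this rendering to insert only whitespace after the `pattern=...` match; that may be an artefact of the page, but it is worth confirming against the file.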
@@ -105,11 +105,11 @@ echo -e "${GREY}Restaring Guacamole & Ngnix..." sudo systemctl restart $TOMCAT_VERSION sudo systemctl restart guacd sudo systemctl restart nginx -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" + echo -e "${LGREEN}OK${GREY}" fi # Done diff --git a/4a-install-tls-self-signed-nginx.sh b/4a-install-tls-self-signed-nginx.sh index e4046b4..cc1efdf 100644 --- a/4a-install-tls-self-signed-nginx.sh +++ b/4a-install-tls-self-signed-nginx.sh @@ -31,11 +31,11 @@ DIR_SSL_KEY="/etc/nginx/ssl/private" # Make directories to place TLS Certificate if they don't exist if [[ ! -d $DIR_SSL_KEY ]]; then - sudo mkdir -p $DIR_SSL_KEY + sudo mkdir -p $DIR_SSL_KEY fi if [[ ! -d $DIR_SSL_CERT ]]; then - sudo mkdir -p $DIR_SSL_CERT + sudo mkdir -p $DIR_SSL_CERT fi # Discover IPv4 interface @@ -71,12 +71,12 @@ EOF echo echo "{$GREY}Creating a new Nginx TLS Certificate..." openssl req -x509 -nodes -newkey rsa:2048 -keyout $TLSNAME.key -out $TLSNAME.crt -days $TLSDAYS -config $TMP_DIR/cert_attributes.txt -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Place TLS Certificate into the defined application path 
@@ -86,12 +86,12 @@ sudo cp $TLSNAME.crt $DIR_SSL_CERT/$TLSNAME.crt # Create a PFX formatted key for easier import to Windows hosts and change permissions to enable copying elsewhere echo -e "${GREY}Converting client certificates for Windows & Linux...${GREY}" sudo openssl pkcs12 -export -out $TLSNAME.pfx -inkey $TLSNAME.key -in $TLSNAME.crt -password pass:1234 -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Change of permissions so certs can be copied via WinSCP. @@ -102,12 +102,12 @@ sudo chown $SUDO_USER:root $TLSNAME.key # Backup the current Nginx config before update echo -e "${GREY}Backing up previous Nginx proxy to $DOWNLOAD_DIR/$TLSNAME-nginx.bak" cp /etc/nginx/sites-enabled/${TLSNAME} $DOWNLOAD_DIR/${TLSNAME}-nginx.bak -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Update Nginx config to accept the new certificates @@ -150,12 +150,12 @@ server { } } EOF -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network. 
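Review bot: `sudo openssl pkcs12 -export ... -password pass:1234` bundles the nginx private key (`-inkey $TLSNAME.key`) into a PFX protected by a fixed, documented password, and the following hunk then loosens its permissions so it can be copied off the host. Client machines only need the certificate to trust the self-signed proxy, so the key does not belong in that bundle: `sudo openssl pkcs12 -export -nokeys -in "$TLSNAME.crt" -out "$TLSNAME.pfx" -passout pass:"$PFX_PASS"` with `PFX_PASS` generated per install, or simply distribute `$TLSNAME.crt`, which Windows imports directly. If a key-bearing PFX is genuinely required, pass the password via `-passout file:` rather than on the command line, where it is visible to every local user via `ps` while the command runs.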
@@ -166,12 +166,12 @@ sudo ufw allow OpenSSH >/dev/null 2>&1 sudo ufw allow 80/tcp >/dev/null 2>&1 sudo ufw allow 443/tcp >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1 -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Reload everything @@ -179,12 +179,12 @@ echo -e "${GREY}Restaring Guacamole & Ngnix..." sudo systemctl restart $TOMCAT_VERSION sudo systemctl restart guacd sudo systemctl restart nginx -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Hack to assist with displaying "$" symbols and " ' quotes in a (cut/paste-able) bash screen output format diff --git a/4b-install-tls-letsencrypt-nginx.sh b/4b-install-tls-letsencrypt-nginx.sh index 1a814e9..ac79ef5 100644 --- a/4b-install-tls-letsencrypt-nginx.sh +++ b/4b-install-tls-letsencrypt-nginx.sh @@ -29,12 +29,12 @@ apt-get install nginx certbot python3-certbot-nginx -qq -y &>>${INSTALL_LOG} echo echo -e "${GREY}Backing up previous Nginx proxy to $DOWNLOAD_DIR/$PROXY_SITE-nginx.bak" cp /etc/nginx/sites-enabled/${PROXY_SITE} $DOWNLOAD_DIR/${PROXY_SITE}-nginx.bak -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Configure Nginx to accept the new certificates 
@@ -57,12 +57,12 @@ server { } } EOL -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network. @@ -73,12 +73,12 @@ sudo ufw allow OpenSSH >/dev/null 2>&1 sudo ufw allow 80/tcp >/dev/null 2>&1 sudo ufw allow 443/tcp >/dev/null 2>&1 echo "y" | sudo ufw enable >/dev/null 2>&1 -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Bounce Nginx to reload the new Nginx config so certbot config can continue @@ -88,12 +88,12 @@ systemctl restart nginx certbot --nginx -n -d $LE_DNS_NAME --email $LE_EMAIL --agree-tos --redirect --hsts echo -e echo -e "${GREY}Let's Encrypt successfully installed, but check for any errors above (DNS & firewall are the usual culprits).${GREY}" -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Select a random daily time to schedule a daily check for Let's Encrypt certificates due to expire in next 30 days. 
@@ -110,12 +110,12 @@ echo "${MINUTE} ${HOUR} * * * /usr/bin/certbot renew --quiet --pre-hook 'systemc # Overwrite old cron settings and cleanup crontab cron_1 rm cron_1 -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Reload everything once again @@ -123,11 +123,11 @@ echo -e "${GREY}Restaring Guacamole & Ngnix..." sudo systemctl restart $TOMCAT_VERSION sudo systemctl restart guacd sudo systemctl restart nginx -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" + echo -e "${LGREEN}OK${GREY}" fi # Done diff --git a/README.md b/README.md index e4e688e..33ff6b2 100644 --- a/README.md +++ b/README.md 
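Review bot: `cron_1` is a fixed filename in the working directory used as a scratch file for the new crontab, so two concurrent runs or a stray file of the same name clobber each other, and it lingers if the script is interrupted before the `rm cron_1` here; a `mktemp` file with an `EXIT` trap avoids both: `cron_tmp=$(mktemp) || exit 1`, `trap 'rm -f -- "$cron_tmp"' EXIT`, then `crontab "$cron_tmp"`. The lines that write `cron_1` sit above this hunk.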
@@ -1,6 +1,6 @@ # Guacamole 1.5.3 VDI/Jump Server Appliance Build Script - This repo makes setting up a Guacamole a breeze. Its got installer support for TLS reverse proxy, Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, dark mode and custom UI templates, auto database backup, O365 email alerts and even fail2ban and internal daemon security hardening options. There's also code in here to get you up and running with Guacamole in an enterprise or high availability deployment too! + This repo makes setting up a Guacamole a breeze. Its got installer support for TLS reverse proxy, Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, dark mode and custom UI templates, auto database backup, O365 email alerts and even fail2ban and internal daemon security hardening options. There's also code in here to get you up and running with an enterprise high availability deployment too! ## Automatic Installation @@ -10,15 +10,21 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh ``` -## Prerequisites (Debian 12 now working!) +## Prerequisites (Yes! Debian 12 is now supported!) **Before diving in, make sure you have:** -- A compatible OS: Ubuntu 18.04 - 22.x, Debian 10, 11 or 12, or Raspbian Buster/Bullseye (If using vendor cloud images stick to stable releases). +- **A compatible OS:** + - **Debian 12, 11 or 10** + - **Ubuntu 23.04, 22.04, 20.04 & 18.04** + - **Raspbian Buster & Bullseye** + - **Official vendor cloud images equivalent to the above.** - Minimum 8GB RAM and 40GB HDD. - DNS entries matching your default appliance network interface IP (essential for TLS). - Open TCP ports: 22, 80, and 443. +23.04, 22.04, 20.04 & 18.04 + ## Installation Menu **The main script guides you through the installation process in the following steps:** 
@@ -50,7 +56,7 @@ wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup. 1. Paste and run the wget autorun link in your home directory. 2. Exit `1-setup.sh` at the first prompt. (At this point the scripts are downloaded only.) -3. Customise the huge number of installation variables available in `1-setup.sh` as required. (Certain combinations of edits will produce a fully unattended install.) +3. Customise the huge number of installation variables available in `1-setup.sh` as required. All options for customisation are found in the top sections of this script only. (Certain combinations of edits will even produce a fully unattended install!) 4. **Caution: If editing `1-setup.sh`, be aware that running the autorun link again re-downloads and overwrites all changes. You must run setup locally after editing.** (Also be sure to comment out the download links in the setup script for any other edited scripts. There should be little need to edit outside of the setup script's options.) 5. The **upgrade-guac.sh, add-tls-guac-daemon.sh, refresh-tls-self-signed.sh & backup-guac.sh** scripts are automatically adjusted at installation to match your chosen installation settings. These can be run after install without any modification. 6. If the self-signed TLS proxy option is selected, browser client TLS certificates will be automatically created and saved to `$HOME/guac-setup`. diff --git a/guac-custom-theme-builder/README.MD b/guac-custom-theme-builder/README.MD index 16701dc..b7f2efd 100644 --- a/guac-custom-theme-builder/README.MD +++ b/guac-custom-theme-builder/README.MD 
@@ -1,7 +1,7 @@ ## Custom branding & theme instructions ## -1. Install Java JDK: `sudo apt update && sudo apt -y install default-jdk` +1. Install the Java JDK: `sudo apt update && sudo apt -y install default-jdk` 3. Modify `custom-theme.css` ,`guac-manifest.json`, `en.json` & `META-INF` as desired & add your logo .png files to the images directory. 4. To commit your changes, run the below commands from within the custom-theme-builder directory, then refresh your browser to re-login to Guacamole: ``` diff --git a/guac-enterprise-build/install-mysql-backend-only.sh b/guac-enterprise-build/install-mysql-backend-only.sh index 6a914ce..dc2e9d1 100644 --- a/guac-enterprise-build/install-mysql-backend-only.sh +++ b/guac-enterprise-build/install-mysql-backend-only.sh @@ -27,18 +27,18 @@ LYELLOW='\033[0;93m' NC='\033[0m' #No Colour # Check if user is root or sudo -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 + exit 1 fi # Check to see if any previous version of build/install files exist, if so stop and check to be safe. -if [ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*' \))" != "" ]; then - echo - echo -e "${LRED}Possible previous install files detected. Please review and remove old guacamole install files before proceeding.${GREY}" 1>&2 - echo - exit 1 +if [[ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*' \))" != "" ]]; then + echo + echo -e "${LRED}Possible previous install files detected. Please review and remove old guacamole install files before proceeding.${GREY}" 1>&2 + echo + exit 1 fi ####################################################################################################################### 
@@ -100,14 +100,14 @@ DB_TZ=$(cat /etc/timezone) # Typically system default (cat /etc/timezone) or cha # Choose a specific MySQL version e.g. 11.1.2 See https://mariadb.org/mariadb/all-releases/ for available versions. MYSQL_VERSION="" # Blank "" forces distro default MySQL packages. -if [ -z "${MYSQL_VERSION}" ]; then - # Use Linux distro default version. - MYSQLPKG="default-mysql-server default-mysql-client mysql-common" - DB_CMD="mysql" # mysql command is depricated +if [[ -z "${MYSQL_VERSION}" ]]; then + # Use Linux distro default version. + MYSQLPKG="default-mysql-server default-mysql-client mysql-common" + DB_CMD="mysql" # mysql command is depricated else - # Use official mariadb.org repo - MYSQLPKG="mariadb-server mariadb-client mariadb-common" - DB_CMD="mariadb" # mysql command is depricated on newer versions + # Use official mariadb.org repo + MYSQLPKG="mariadb-server mariadb-client mariadb-common" + DB_CMD="mariadb" # mysql command is depricated on newer versions fi # Update everything but don't do the annoying prompts during apt installs 
@@ -115,44 +115,44 @@ echo -e "${GREY}Updating base Linux OS..." export DEBIAN_FRONTEND=noninteractive apt-get update -qq &>>${INSTALL_LOG} apt-get upgrade -qq -y &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi cd $DOWNLOAD_DIR # Add the official MariaDB repo -if [ -n "${MYSQL_VERSION}" ]; then - apt-get -qq -y install curl gnupg2 &>>${INSTALL_LOG} - curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup &>>${INSTALL_LOG} - bash mariadb_repo_setup --mariadb-server-version=$MYSQL_VERSION &>>${INSTALL_LOG} +if [[ -n "${MYSQL_VERSION}" ]]; then + apt-get -qq -y install curl gnupg2 &>>${INSTALL_LOG} + curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup &>>${INSTALL_LOG} + bash mariadb_repo_setup --mariadb-server-version=$MYSQL_VERSION &>>${INSTALL_LOG} fi # Download and extract the Guacamole SQL authentication extension containing the database schema echo -e "${GREY}Downloading Guacamole database source files..." wget -q --show-progress -O guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz" - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz" + exit 1 else - tar -xzf guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz + tar -xzf guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz fi echo -e "${LGREEN}Downloaded guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz${GREY}" echo echo -e "${GREY}Installing MySQL packages..." 
apt-get -qq -y install ${MYSQLPKG} &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Set the root password without a reliance on debconf. 
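Review bot: `curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup` and the `bash mariadb_repo_setup ...` that executes it have no status check and no integrity check: both redirect into `${INSTALL_LOG}` and the script carries on to `apt-get install ${MYSQLPKG}` whatever happened, so a failed download or a tampered script is neither detected nor reported on the console. Check each step and compare the file against the checksum MariaDB publishes next to the script before executing it, keeping the expected digest as a setup variable beside `MYSQL_VERSION` (rewritten block below; `MARIADB_REPO_SETUP_SHA256` is a new variable to add, its value taken from the vendor's download page). The `wget` of `guacamole-auth-jdbc-${GUAC_VERSION}.tar.gz` further down is status-checked but likewise unverified; Apache publishes signatures and checksums for its releases that can be checked the same way.
```shell
if [[ -n "${MYSQL_VERSION}" ]]; then
    apt-get -qq -y install curl gnupg2 &>>${INSTALL_LOG}
    curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup &>>${INSTALL_LOG} || {
        echo -e "${LRED}Failed to download mariadb_repo_setup. See ${INSTALL_LOG}${GREY}" 1>&2
        exit 1
    }
    # Expected digest published by MariaDB alongside the script; set it as a setup variable near MYSQL_VERSION.
    echo "${MARIADB_REPO_SETUP_SHA256:?set to the published checksum}  mariadb_repo_setup" | sha256sum -c - &>>${INSTALL_LOG} || {
        echo -e "${LRED}mariadb_repo_setup checksum mismatch. See ${INSTALL_LOG}${GREY}" 1>&2
        exit 1
    }
    bash mariadb_repo_setup --mariadb-server-version="${MYSQL_VERSION}" &>>${INSTALL_LOG} || {
        echo -e "${LRED}Failed to configure the MariaDB repo. See ${INSTALL_LOG}${GREY}" 1>&2
        exit 1
    }
fi
# … unchanged: guacamole-auth-jdbc download and MySQL package install …
```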
@@ -161,89 +161,89 @@ SQLCODE=" FLUSH PRIVILEGES; ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_ROOT_PWD';" echo ${SQLCODE} | $DB_CMD -u root -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Find the location of the MySQL or MariaDB config files. (Add to this list for more potential candidates.) for x in /etc/mysql/mariadb.conf.d/50-server.cnf \ - /etc/mysql/mysql.conf.d/mysqld.cnf \ - /etc/mysql/my.cnf; do - # Check inside each candidate to see if a [mysqld] or [mariadbd] section exists, assign $x the correct filename. - if [ -e "${x}" ]; then - if grep -qE '^\[(mysqld|mariadbd)\]$' "${x}"; then - mysqlconfig="${x}" - # Reduce any duplicated section names, then sanitise the [ ] special characters for sed below) - config_section=$(grep -m 1 -E '^\[(mysqld|mariadbd)\]$' "${x}" | sed 's/\[\(.*\)\]/\1/') - break - fi - fi + /etc/mysql/mysql.conf.d/mysqld.cnf \ + /etc/mysql/my.cnf; do + # Check inside each candidate to see if a [mysqld] or [mariadbd] section exists, assign $x the correct filename. + if [[ -e "${x}" ]]; then + if grep -qE '^\[(mysqld|mariadbd)\]$' "${x}"; then + mysqlconfig="${x}" + # Reduce any duplicated section names, then sanitise the [ ] special characters for sed below) + config_section=$(grep -m 1 -E '^\[(mysqld|mariadbd)\]$' "${x}" | sed 's/\[\(.*\)\]/\1/') + break + fi + fi done # Set the MySQL Timezone -if [ -z "${mysqlconfig}" ]; then - echo -e "${GREY}Couldn't detect MySQL config file - you will need to manually configure database timezone settings" +if [[ -z "${mysqlconfig}" ]]; then + echo -e "${GREY}Couldn't detect MySQL config file - you will need to manually configure database timezone settings" else - # Is there already a timzeone value configured? 
- if grep -q "^default_time_zone[[:space:]]=" "${mysqlconfig}"; then - echo -e "MySQL database timezone defined in ${mysqlconfig}" - else - timezone=${DB_TZ} - if [ -z "${DB_TZ}" ]; then - echo -e "Couldn't find system timezone, using UTC$" - timezone="UTC" - fi - echo -e "Setting MySQL database timezone as ${timezone}${GREY}" - mysql_tzinfo_to_sql /usr/share/zoneinfo 2>/dev/null | ${DB_CMD} -u root -D mysql -p${MYSQL_ROOT_PWD} - # Add the timzone value to the sanitsed server file section name. - sed -i -e "/^\[${config_section}\]/a default_time_zone = ${timezone}" "${mysqlconfig}" - fi + # Is there already a timzeone value configured? + if grep -q "^default_time_zone[[:space:]]=" "${mysqlconfig}"; then + echo -e "MySQL database timezone defined in ${mysqlconfig}" + else + timezone=${DB_TZ} + if [[ -z "${DB_TZ}" ]]; then + echo -e "Couldn't find system timezone, using UTC$" + timezone="UTC" + fi + echo -e "Setting MySQL database timezone as ${timezone}${GREY}" + mysql_tzinfo_to_sql /usr/share/zoneinfo 2>/dev/null | ${DB_CMD} -u root -D mysql -p${MYSQL_ROOT_PWD} + # Add the timzone value to the sanitsed server file section name. + sed -i -e "/^\[${config_section}\]/a default_time_zone = ${timezone}" "${mysqlconfig}" + fi fi -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Set the MySQL binding IP address to whatever the setup variable is set to. echo -e "${GREY}Setting MySQL IP address binding to ${MYSQL_BIND_ADDR}..." sed -i "s/^bind-address[[:space:]]*=[[:space:]]*.*/bind-address = ${MYSQL_BIND_ADDR}/g" ${mysqlconfig} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed${GREY}" 1>&2 - exit 1 +if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Establish the appropriate form of Guacamole user account access (remote or localhost login permissions) echo -e "${GREY}Setting up database access parameters for the Guacamole user ..." -if [ "${BACKEND_MYSQL}" = true ] && [ -z "${FRONTEND_NET}" ]; then - echo -e "${LYELLOW}${GUAC_USER} is set to accept db logins from any host, you may wish to limit this to specific IPs.${GREY}" - # e.g. RENAME USER '${GUAC_USER}'@'%' TO '${GUAC_USER}'@'xx.xx.xx.%';" - GUAC_USERHost="%" # Allow all IPs -elif [ "${BACKEND_MYSQL}" = true ] && [ -n "${FRONTEND_NET}" ]; then - echo -e "${LYELLOW}${GUAC_USER} is set to accept db logins from ${FRONTEND_NET}.${GREY}" - GUAC_USERHost="${FRONTEND_NET}" # Apply the given range -elif [ "${BACKEND_MYSQL}" = false ] || [ -z "${BACKEND_MYSQL}" ]; then - echo -e "${LYELLOW}${GUAC_USER} is set to accept db logins from localhost only.${GREY}" - GUAC_USERHost=localhost # Assume a localhost only install +if [[ "${BACKEND_MYSQL}" = true ]] && [[ -z "${FRONTEND_NET}" ]]; then + echo -e "${LYELLOW}${GUAC_USER} is set to accept db logins from any host, you may wish to limit this to specific IPs.${GREY}" + # e.g. 
RENAME USER '${GUAC_USER}'@'%' TO '${GUAC_USER}'@'xx.xx.xx.%';" + GUAC_USERHost="%" # Allow all IPs +elif [[ "${BACKEND_MYSQL}" = true ]] && [[ -n "${FRONTEND_NET}" ]]; then + echo -e "${LYELLOW}${GUAC_USER} is set to accept db logins from ${FRONTEND_NET}.${GREY}" + GUAC_USERHost="${FRONTEND_NET}" # Apply the given range +elif [[ "${BACKEND_MYSQL}" = false ]] || [[ -z "${BACKEND_MYSQL}" ]]; then + echo -e "${LYELLOW}${GUAC_USER} is set to accept db logins from localhost only.${GREY}" + GUAC_USERHost=localhost # Assume a localhost only install else - echo -e "${LYELLOW}${GUAC_USER} is set to accept db logins from localhost only.${GREY}" - GUAC_USERHost=localhost # Assume a localhost only install + echo -e "${LYELLOW}${GUAC_USER} is set to accept db logins from localhost only.${GREY}" + GUAC_USERHost=localhost # Assume a localhost only install fi -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Create the new Guacamole database 
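Review bot: The `if [[ $? -ne 0 ]]` that follows the timezone `if … fi` block, and the one after the `GUAC_USERHost` `if/elif` chain, do not test the commands they are meant to guard: `$?` after `fi` is the status of whatever ran last inside the block, which on the "timezone already defined" path and on every `GUAC_USERHost` branch is an `echo` or an assignment, so those checks can never fail. The `mysql_tzinfo_to_sql … | ${DB_CMD} …` pipeline and the `sed -i` in the else branch should be checked where they run, e.g. `sed -i -e "/^\[${config_section}\]/a default_time_zone = ${timezone}" "${mysqlconfig}" || { echo -e "${LRED}Failed${GREY}" 1>&2; exit 1; }`. When no config file is detected the script only warns, yet the following `sed -i "s/^bind-address…" ${mysqlconfig}` still runs with an empty filename and aborts the install, so that branch should either exit early or skip the bind-address step. Finally, the root password is passed on the command line as `-p${MYSQL_ROOT_PWD}` here and in the following hunks of this file (`@@ -256`, `@@ -298`); exporting `MYSQL_PWD` or using a `--defaults-extra-file` keeps it out of `ps` output and shell traces.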
@@ -256,30 +256,30 @@ GRANT SELECT,INSERT,UPDATE,DELETE ON ${GUAC_DB}.* TO '${GUAC_USER}'@'${GUAC_USER FLUSH PRIVILEGES;" # Execute SQL code echo ${SQLCODE} | $DB_CMD -u root -D mysql -p${MYSQL_ROOT_PWD} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Add Guacamole's schema code to newly created database echo -e "${GREY}Adding the Guacamole database schema..." cat guacamole-auth-jdbc-${GUAC_VERSION}/mysql/schema/*.sql | $DB_CMD -u root -D ${GUAC_DB} -p${MYSQL_ROOT_PWD} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Apply Secure MySQL installation settings -if [ "${SECURE_MYSQL}" = true ]; then - apt-get -qq -y install expect &>>${INSTALL_LOG} - echo -e "${GREY}Applying mysql_secure_installation settings...${DGREY}" - SECURE_MYSQL=$(expect -c " +if [[ "${SECURE_MYSQL}" = true ]]; then + apt-get -qq -y install expect &>>${INSTALL_LOG} + echo -e "${GREY}Applying mysql_secure_installation settings...${DGREY}" + SECURE_MYSQL=$(expect -c " set timeout 10 spawn mysql_secure_installation expect \"Enter current password for root (enter for none):\" 
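Review bot: `echo ${SQLCODE} | $DB_CMD -u root -D mysql -p${MYSQL_ROOT_PWD}` expands the SQL unquoted, so the shell word-splits it and applies globbing; the `${GUAC_DB}.*` in the GRANT statement on this hunk's first context line is a glob pattern and is replaced by any matching filename in the download directory, and a `*` or `?` in `GUAC_USER`/`GUAC_DB` is at the same risk. Quoting the expansion fixes this: `printf '%s\n' "${SQLCODE}" | $DB_CMD -u root -D mysql -p"${MYSQL_ROOT_PWD}"`. The schema load below it (`cat …/*.sql | $DB_CMD …`) is unaffected because the files are read by `cat`; the `expect` script assigned to `SECURE_MYSQL` at the end of this hunk continues in the next one.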
@@ -298,26 +298,26 @@ expect \"Reload privilege tables now?\" send \"y\r\" expect eof ") - echo "$SECURE_MYSQL" - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi + echo "$SECURE_MYSQL" + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi # Restart & enable MySQL service at boot echo -e "${GREY}Restarting MySQL service & enable at boot..." systemctl enable mysql systemctl restart mysql -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Cleanup @@ -325,12 +325,12 @@ echo -e "${GREY}Cleaning up install files...${GREY}" apt-get -y remove expect &>>${INSTALL_LOG} apt-get -y autoremove &>>${INSTALL_LOG} rm -rf guacamole-* -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Done diff --git a/guac-enterprise-build/upgrade-mysql-backend-only.sh b/guac-enterprise-build/upgrade-mysql-backend-only.sh index 201b803..94ec914 100644 --- a/guac-enterprise-build/upgrade-mysql-backend-only.sh +++ b/guac-enterprise-build/upgrade-mysql-backend-only.sh 
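Review bot: In the `@@ -298` hunk, `if [[ $? -ne 0 ]]` after `echo "$SECURE_MYSQL"` tests the status of `echo`, not of the `expect` run whose output was captured into `SECURE_MYSQL`, so a failed `mysql_secure_installation` still prints `OK`. Capture the status right after the command substitution — `rv=$?` on the line following `")` — and test `rv` instead; the `expect -c` invocation itself begins in the previous hunk. The `echo "$SECURE_MYSQL"` can stay where it is for operator visibility once the test no longer depends on it.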
@@ -25,18 +25,18 @@ LYELLOW='\033[0;93m' NC='\033[0m' #No Colour # Check if user is root or sudo -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 + exit 1 fi # Check to see if any previous version of build/install files exist, if so stop and check to be safe. -if [ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*' \))" != "" ]; then - echo - echo -e "${LRED}Possible previous install files detected. Please review and remove old guacamole install files before proceeding.${GREY}" 1>&2 - echo - exit 1 +if [[ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*' \))" != "" ]]; then + echo + echo -e "${LRED}Possible previous install files detected. Please review and remove old guacamole install files before proceeding.${GREY}" 1>&2 + echo + exit 1 fi ####################################################################################################################### @@ -82,12 +82,12 @@ echo # Download and extract the Guacamole SQL authentication extension containing the database schema wget -q --show-progress -O guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz" - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz" + exit 1 else - tar -xzf guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz + tar -xzf guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz fi echo 
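Review bot: The `@@ -82` hunk downloads `guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz` with `wget` and extracts it immediately, the only check being the transfer status; nothing verifies that the archive is the one the project published, even though its SQL is meant to be run against the database as root. Apache projects typically publish a checksum and a PGP signature next to each release artifact, so fetching the matching checksum file and checking it before `tar -xzf` — `sha256sum -c "guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz.sha256" || exit 1` (use whichever checksum file the project provides) — binds the upgrade to a known artifact. The same unverified download-then-install pattern appears in every `wget` of the upgrade-guac.sh hunks further down (`@@ -96` and `@@ -153`).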
@@ -97,40 +97,40 @@ UPGRADEFILES=($(ls -1 guacamole-auth-jdbc-${NEW_GUAC_VERSION}/mysql/schema/upgra # Compare SQL Upgrage Files against old version, apply upgrades as needed for FILE in ${UPGRADEFILES[@]}; do - FILEVERSION=$(echo ${FILE} | grep -oP 'upgrade-pre-\K[0-9\.]+(?=\.)') - if [[ $(echo -e "${FILEVERSION}\n${OLD_GUAC_VERSION}" | sort -V | head -n1) == ${OLD_GUAC_VERSION} && ${FILEVERSION} != ${OLD_GUAC_VERSION} ]]; then - echo "Patching ${GUAC_DB} with ${FILE}" - mariadb -u root -D ${GUAC_DB} -p${MYSQL_ROOT_PWD} >${INSTALL_LOG} - fi + FILEVERSION=$(echo ${FILE} | grep -oP 'upgrade-pre-\K[0-9\.]+(?=\.)') + if [[ $(echo -e "${FILEVERSION}\n${OLD_GUAC_VERSION}" | sort -V | head -n1) == ${OLD_GUAC_VERSION} && ${FILEVERSION} != ${OLD_GUAC_VERSION} ]]; then + echo "Patching ${GUAC_DB} with ${FILE}" + mariadb -u root -D ${GUAC_DB} -p${MYSQL_ROOT_PWD} >${INSTALL_LOG} + fi done -if [ $? -ne 0 ]; then - echo -e "${LRED}SQL upgrade failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}SQL upgrade failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Restart MySQL service echo -e "${GREY}Restarting MySQL service..." systemctl restart mysql -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Cleanup echo -e "${GREY}Clean up install files...${GREY}" rm -rf guacamole-* -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Done diff --git a/guac-management/backup-guac.sh b/guac-management/backup-guac.sh index 97e506b..9bd6b73 100644 --- a/guac-management/backup-guac.sh 
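Review bot: In the `@@ -97` hunk the upgrade loop announces `Patching ${GUAC_DB} with ${FILE}` but never feeds the file to the client: `mariadb -u root -D ${GUAC_DB} -p${MYSQL_ROOT_PWD} >${INSTALL_LOG}` has only an output redirection, so the client reads statements from the script's stdin and the upgrade file is never applied; `>` also truncates the install log on every iteration. The invocation should read the file and append to the log, e.g. `mariadb -u root -D "${GUAC_DB}" -p"${MYSQL_ROOT_PWD}" <"guacamole-auth-jdbc-${NEW_GUAC_VERSION}/mysql/schema/upgrade/${FILE}" &>>"${INSTALL_LOG}" || { echo -e "${LRED}SQL upgrade failed. See ${INSTALL_LOG}${GREY}" 1>&2; exit 1; }`, which also replaces the `[[ $? -ne 0 ]]` after `done` that only sees the loop's last command. `UPGRADEFILES=($(ls -1 …))` on the hunk's first context line parses `ls`; a glob over `guacamole-auth-jdbc-${NEW_GUAC_VERSION}/mysql/schema/upgrade/*.sql` avoids that. The `mysql … -h ${MYSQL_HOST} -P ${MYSQL_PORT} >${INSTALL_LOG}` loop in upgrade-guac.sh (`@@ -153`, which runs past the end of this view) has the same shape and the same omission.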
+++ b/guac-management/backup-guac.sh @@ -39,28 +39,28 @@ echo -e "${LGREEN}Backup started for database - ${GUAC_DB}" echo mysqldump -h ${MYSQL_HOST} \ - -P ${MYSQL_PORT} \ - -u ${GUAC_USER} \ - -p"${GUAC_PWD}" \ - ${GUAC_DB} \ - --single-transaction --quick --lock-tables=false >${DB_BACKUP_DIR}${GUAC_DB}-${TODAY}.sql + -P ${MYSQL_PORT} \ + -u ${GUAC_USER} \ + -p"${GUAC_PWD}" \ + ${GUAC_DB} \ + --single-transaction --quick --lock-tables=false >${DB_BACKUP_DIR}${GUAC_DB}-${TODAY}.sql SQLFILE=${DB_BACKUP_DIR}${GUAC_DB}-${TODAY}.sql -if [ $? -ne 0 ]; then - echo -e "${LRED}Backup failed.${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Backup failed.${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}Backup completed ok.${GREY}" - echo + echo -e "${LGREEN}Backup completed ok.${GREY}" + echo fi gzip -f ${SQLFILE} # Error check and email alerts -if [ $? -ne 0 ]; then - echo -e "${LRED}Backup failed.${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Backup failed.${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}${GUAC_DB} backup was successfully copied to ${DB_BACKUP_DIR}" - #mailx -s "Guacamomle Database Backup Success" ${BACKUP_EMAIL} - echo "${GUAC_DB} backup was successfully copied to $DB_BACKUP_DIR" | mailx -s "Guacamole backup " ${BACKUP_EMAIL} + echo -e "${LGREEN}${GUAC_DB} backup was successfully copied to ${DB_BACKUP_DIR}" + #mailx -s "Guacamomle Database Backup Success" ${BACKUP_EMAIL} + echo "${GUAC_DB} backup was successfully copied to $DB_BACKUP_DIR" | mailx -s "Guacamole backup " ${BACKUP_EMAIL} fi echo -e ${NC} diff --git a/guac-management/refresh-tls-self-signed.sh b/guac-management/refresh-tls-self-signed.sh index 219055f..f83bd4e 100644 --- a/guac-management/refresh-tls-self-signed.sh +++ b/guac-management/refresh-tls-self-signed.sh 
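Review bot: In backup-guac.sh the `SQLFILE=${DB_BACKUP_DIR}${GUAC_DB}-${TODAY}.sql` assignment sits between `mysqldump …` and `if [[ $? -ne 0 ]]`, so `$?` is the assignment's status (always 0), a failed dump still reports `Backup completed ok.`, and the script goes on to gzip an empty or partial file. Move the assignment above the `mysqldump` line and use `>"${SQLFILE}"` in the redirection so the test directly follows the command. The dump is written with the process's default umask, and a Guacamole database normally holds connection credentials, so an explicit `umask 077` before `mysqldump` (or `chmod 600 "${SQLFILE}"` after it) keeps the backup readable only by the backup user. `-p"${GUAC_PWD}"` on argv is likewise visible to other local users via `ps`; `MYSQL_PWD` in the environment or a defaults file avoids that.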
@@ -23,11 +23,11 @@ LYELLOW='\033[0;93m' NC='\033[0m' #No Colour # Check if user is root or sudo -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 - echo - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 + echo + exit 1 fi echo @@ -61,19 +61,19 @@ CERT_DAYS= DEFAULT_IP= # Assume the values used by the guacamole installer if the script is run without any command line options -if [ -z "$1" ] | [ -z "$2" ] | [ -z "$3" ]; then - TLSNAME=$PROXY_SITE - TLSDAYS=$CERT_DAYS - TLSIP=$DEFAULT_IP +if [[ -z "$1" ]] | [[ -z "$2" ]] | [[ -z "$3" ]]; then + TLSNAME=$PROXY_SITE + TLSDAYS=$CERT_DAYS + TLSIP=$DEFAULT_IP fi # Make directories to place TLS Certificate if they don't exist if [[ ! -d $DIR_SSL_KEY ]]; then - sudo mkdir -p $DIR_SSL_KEY + sudo mkdir -p $DIR_SSL_KEY fi if [[ ! -d $DIR_SSL_CERT ]]; then - sudo mkdir -p $DIR_SSL_CERT + sudo mkdir -p $DIR_SSL_CERT fi echo -e "${GREY}New self signed TLS certificate attributes are shown below...${DGREY}" @@ -107,12 +107,12 @@ echo # Create the new certificates echo "{$GREY}Creating a new TLS Certificate..." openssl req -x509 -nodes -newkey rsa:2048 -keyout $TLSNAME.key -out $TLSNAME.crt -days $TLSDAYS -config cert_attributes.txt -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed.${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed.${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Place TLS Certificate into the defined application path 
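Review bot: In the `@@ -61` hunk the defaulting condition is `if [[ -z "$1" ]] | [[ -z "$2" ]] | [[ -z "$3" ]]; then` — a single `|` is a pipe, not a logical OR, so the three tests run as a pipeline and only the last one's status decides; the defaults are applied only when `$3` is empty, and a call supplying a name but no day count is accepted with `TLSDAYS` unset. The commit normalised the brackets but kept the operator; it should read `if [[ -z "$1" || -z "$2" || -z "$3" ]]; then`. Since those values feed `openssl req … -days $TLSDAYS` in the `@@ -107` hunk, an empty `TLSDAYS` there will most likely produce an openssl argument error rather than a certificate.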
@@ -122,12 +122,12 @@ cp $TLSNAME.crt $DIR_SSL_CERT/$TLSNAME.crt # Create a PFX formatted key for easier import to Windows hosts and change permissions to enable copying elsewhere echo -e "${GREY}Converting client certificates for Windows & Linux...${GREY}" openssl pkcs12 -export -out $TLSNAME.pfx -inkey $TLSNAME.key -in $TLSNAME.crt -password pass:1234 -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed.${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed.${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Change of permissions so certs can be copied via WinSCP. @@ -139,12 +139,12 @@ TOMCAT=$(ls /etc/ | grep tomcat) systemctl restart $TOMCAT systemctl restart guacd systemctl restart nginx -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed.${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed.${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Hack to assist with displaying "$" symbols and " ' quotes in a (cut/paste-able) bash screen output format diff --git a/guac-management/upgrade-guac.sh b/guac-management/upgrade-guac.sh index 495f46e..830b08f 100644 --- a/guac-management/upgrade-guac.sh +++ b/guac-management/upgrade-guac.sh 
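Review bot: The `[[ $? -ne 0 ]]` guard in the `@@ -122` hunk wraps `openssl pkcs12 -export … -password pass:1234`, a fixed, well-known password supplied on the command line; the line is unchanged by this commit, but it means the exported private key is protected by a placeholder and the value is visible in `ps` and shell traces. If ease of import is the intent, say so in a comment next to the line (`# PFX password is intentionally trivial: this is a self-signed cert distributed for client import`); otherwise read the value from the environment and pass it with `-passout env:PFX_PASSWORD`, which keeps it off argv.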
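Review bot: In the `@@ -139` hunk `systemctl restart $TOMCAT`, `systemctl restart guacd` and `systemctl restart nginx` run back to back and the `[[ $? -ne 0 ]]` only sees the nginx restart, so a failed Tomcat or guacd restart still prints `OK`. `TOMCAT=$(ls /etc/ | grep tomcat)` on the hunk's first line is also fragile: it matches any entry containing `tomcat` and word-splits the result into the unquoted `$TOMCAT`. Checking each restart individually, e.g. `for svc in "$TOMCAT" guacd nginx; do systemctl restart "$svc" || { echo -e "${LRED}Failed.${GREY}" 1>&2; exit 1; }; done`, keeps the error path honest.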
@@ -22,18 +22,18 @@ LYELLOW='\033[0;93m' NC='\033[0m' #No Colour # Check if user is root or sudo -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2 + exit 1 fi # Check to see if any previous version of build/install files exist, if so stop and check to be safe. -if [ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*' \))" != "" ]; then - echo - echo -e "${LRED}Possible previous install files detected. Please review and remove old guacamole install files before proceeding.${GREY}" 1>&2 - echo - exit 1 +if [[ "$(find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-j-*' \))" != "" ]]; then + echo + echo -e "${LRED}Possible previous install files detected. Please review and remove old guacamole install files before proceeding.${GREY}" 1>&2 + echo + exit 1 fi ####################################################################################################################### 
@@ -96,52 +96,52 @@ cd $DOWNLOAD_DIR echo echo -e "${GREY}Downloading updated Guacamole source files and beginning Guacamole ${OLD_GUAC_VERSION} to ${NEW_GUAC_VERSION} upgrade..." wget -q --show-progress -O guacamole-${NEW_GUAC_VERSION}.war ${GUAC_SOURCE_LINK}/binary/guacamole-${NEW_GUAC_VERSION}.war -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-${NEW_GUAC_VERSION}.war" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-${NEW_GUAC_VERSION}.war${GREY}" - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-${NEW_GUAC_VERSION}.war" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-${NEW_GUAC_VERSION}.war${GREY}" + exit 1 else - rm /etc/guacamole/guacamole.war - mv -f guacamole-${NEW_GUAC_VERSION}.war /etc/guacamole/guacamole.war - chmod 664 /etc/guacamole/guacamole.war + rm /etc/guacamole/guacamole.war + mv -f guacamole-${NEW_GUAC_VERSION}.war /etc/guacamole/guacamole.war + chmod 664 /etc/guacamole/guacamole.war fi echo -e "${LGREEN}Upgraded Guacamole client to version ${NEW_GUAC_VERSION}${GREY}" # Download and upgrade Guacamole SQL authentication extension wget -q --show-progress -O guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz" - exit 1 +if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz" + exit 1 else - tar -xzf guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz - rm /etc/guacamole/extensions/guacamole-auth-jdbc-*.jar - mv -f guacamole-auth-jdbc-${NEW_GUAC_VERSION}/mysql/guacamole-auth-jdbc-mysql-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ - chmod 664 /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-${NEW_GUAC_VERSION}.jar + tar -xzf guacamole-auth-jdbc-${NEW_GUAC_VERSION}.tar.gz + rm /etc/guacamole/extensions/guacamole-auth-jdbc-*.jar + mv -f guacamole-auth-jdbc-${NEW_GUAC_VERSION}/mysql/guacamole-auth-jdbc-mysql-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ + chmod 664 /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-${NEW_GUAC_VERSION}.jar fi echo -e "${LGREEN}Upgraded Guacamole SQL jdbc to version ${NEW_GUAC_VERSION}${GREY}" # Download MySQL connector/j wget -q --show-progress -O mysql-connector-j-${NEW_MYSQLJCON}.tar.gz https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${NEW_MYSQLJCON}.tar.gz -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download mysql-connector-j-${NEW_MYSQLJCON}.tar.gz" 1>&2 - echo -e "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${NEW_MYSQLJCON}}.tar.gz${GREY}" - exit 1 +if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed to download mysql-connector-j-${NEW_MYSQLJCON}.tar.gz" 1>&2 + echo -e "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${NEW_MYSQLJCON}}.tar.gz${GREY}" + exit 1 else - tar -xzf mysql-connector-j-${NEW_MYSQLJCON}.tar.gz - rm /etc/guacamole/lib/mysql-connector-java.jar - mv -f mysql-connector-j-${NEW_MYSQLJCON}/mysql-connector-j-${NEW_MYSQLJCON}.jar /etc/guacamole/lib/mysql-connector-java.jar + tar -xzf mysql-connector-j-${NEW_MYSQLJCON}.tar.gz + rm /etc/guacamole/lib/mysql-connector-java.jar + mv -f mysql-connector-j-${NEW_MYSQLJCON}/mysql-connector-j-${NEW_MYSQLJCON}.jar /etc/guacamole/lib/mysql-connector-java.jar fi echo -e "${LGREEN}Upgraded MySQL connector/j to ${NEW_MYSQLJCON}${GREY}" # Download Guacamole Server wget -q --show-progress -O guacamole-server-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/source/guacamole-server-${NEW_GUAC_VERSION}.tar.gz -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-server-${NEW_GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/source/guacamole-server-${NEW_GUAC_VERSION}.tar.gz${GREY}" - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-server-${NEW_GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/source/guacamole-server-${NEW_GUAC_VERSION}.tar.gz${GREY}" + exit 1 else - tar -xzf guacamole-server-${NEW_GUAC_VERSION}.tar.gz + tar -xzf guacamole-server-${NEW_GUAC_VERSION}.tar.gz fi echo -e "${LGREEN}Downloaded guacamole-server-${NEW_GUAC_VERSION}.tar.gz${GREY}" 
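Review bot: The failure message for the connector download has a stray brace: `echo -e "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${NEW_MYSQLJCON}}.tar.gz${GREY}"` prints `…-j-<version>}.tar.gz`, so the URL shown to the operator is wrong; drop the second `}`. More importantly, each success branch deletes the installed artefact before moving the new one in (`rm /etc/guacamole/guacamole.war`, `rm /etc/guacamole/extensions/guacamole-auth-jdbc-*.jar`, `rm /etc/guacamole/lib/mysql-connector-java.jar`) with no `set -e` and no check on `tar -xzf`, so a corrupt or incomplete archive leaves the deployment with the old component removed and nothing in its place. Moving the old file aside (e.g. to `guacamole.war.bak`) or doing the `mv -f` first and removing the old version only afterwards keeps a rollback path.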
@@ -153,163 +153,163 @@ echo -e "${GREY}Compiling Guacamole-Server ${NEW_GUAC_VERSION} from source with export CFLAGS="-Wno-error" # Configure Guacamole Server source ./configure --with-systemd-dir=/etc/systemd/system &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo "Failed to configure guacamole-server" - echo "Trying again with --enable-allow-freerdp-snapshots" - ./configure --with-systemd-dir=/etc/systemd/system --enable-allow-freerdp-snapshots - if [ $? -ne 0 ]; then - echo "Failed to configure guacamole-server - again" - exit - fi +if [[ $? -ne 0 ]]; then + echo "Failed to configure guacamole-server" + echo "Trying again with --enable-allow-freerdp-snapshots" + ./configure --with-systemd-dir=/etc/systemd/system --enable-allow-freerdp-snapshots + if [[ $? -ne 0 ]]; then + echo "Failed to configure guacamole-server - again" + exit + fi else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi echo -e "${GREY}Running make and building the upgraded Guacamole-Server application..." make &>>${INSTALL_LOG} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi echo -e "${GREY}Installing the upgraded Guacamole-Server..." make install &>>${INSTALL_LOG} ldconfig -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi cd .. # Don't run the SQL upgrade commands if original setup option was set to remote MySQL instance. - Use separate DB update script. -if [ "${INSTALL_MYSQL}" = true ]; then - # Get list of SQL Upgrade Files - echo -e "${GREY}Upgrading MySQL Schema..." 
- UPGRADEFILES=($(ls -1 guacamole-auth-jdbc-${NEW_GUAC_VERSION}/mysql/schema/upgrade/ | sort -V)) +if [[ "${INSTALL_MYSQL}" = true ]]; then + # Get list of SQL Upgrade Files + echo -e "${GREY}Upgrading MySQL Schema..." + UPGRADEFILES=($(ls -1 guacamole-auth-jdbc-${NEW_GUAC_VERSION}/mysql/schema/upgrade/ | sort -V)) - # Compare SQL Upgrage Files against old version, apply upgrades as needed - for FILE in ${UPGRADEFILES[@]}; do - FILEVERSION=$(echo ${FILE} | grep -oP 'upgrade-pre-\K[0-9\.]+(?=\.)') - if [[ $(echo -e "${FILEVERSION}\n${OLD_GUAC_VERSION}" | sort -V | head -n1) == ${OLD_GUAC_VERSION} && ${FILEVERSION} != ${OLD_GUAC_VERSION} ]]; then - echo "Patching ${GUAC_DB} with ${FILE}" - mysql -u root -D ${GUAC_DB} -h ${MYSQL_HOST} -P ${MYSQL_PORT} >${INSTALL_LOG} - fi - done - if [ $? -ne 0 ]; then - echo -e "${LRED}SQL upgrade failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 - else - echo -e "${LGREEN}OK${GREY}" - echo - fi + # Compare SQL Upgrage Files against old version, apply upgrades as needed + for FILE in ${UPGRADEFILES[@]}; do + FILEVERSION=$(echo ${FILE} | grep -oP 'upgrade-pre-\K[0-9\.]+(?=\.)') + if [[ $(echo -e "${FILEVERSION}\n${OLD_GUAC_VERSION}" | sort -V | head -n1) == ${OLD_GUAC_VERSION} && ${FILEVERSION} != ${OLD_GUAC_VERSION} ]]; then + echo "Patching ${GUAC_DB} with ${FILE}" + mysql -u root -D ${GUAC_DB} -h ${MYSQL_HOST} -P ${MYSQL_PORT} >${INSTALL_LOG} + fi + done + if [[ $? -ne 0 ]]; then + echo -e "${LRED}SQL upgrade failed. 
See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 + else + echo -e "${LGREEN}OK${GREY}" + echo + fi fi # Check for TOTP extension and upgrade if found for file in /etc/guacamole/extensions/guacamole-auth-totp*.jar; do - if [[ -f $file ]]; then - echo -e "${LGREEN}TOTP authentication extension was found, upgrading...${GREY}" - rm /etc/guacamole/extensions/guacamole-auth-totp*.jar &>>${INSTALL_LOG} - wget -q --show-progress -O guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz" - exit 1 - fi - tar -xzf guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz &>>${INSTALL_LOG} - mv -f guacamole-auth-totp-${NEW_GUAC_VERSION}/guacamole-auth-totp-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${INSTALL_LOG} - chmod 664 /etc/guacamole/extensions/guacamole-auth-totp-${NEW_GUAC_VERSION}.jar - echo -e "${LGREEN}Upgraded TOTP extension to version ${NEW_GUAC_VERSION}${GREY}" - echo - break - fi + if [[ -f $file ]]; then + echo -e "${LGREEN}TOTP authentication extension was found, upgrading...${GREY}" + rm /etc/guacamole/extensions/guacamole-auth-totp*.jar &>>${INSTALL_LOG} + wget -q --show-progress -O guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz + if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz" + exit 1 + fi + tar -xzf guacamole-auth-totp-${NEW_GUAC_VERSION}.tar.gz &>>${INSTALL_LOG} + mv -f guacamole-auth-totp-${NEW_GUAC_VERSION}/guacamole-auth-totp-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${INSTALL_LOG} + chmod 664 /etc/guacamole/extensions/guacamole-auth-totp-${NEW_GUAC_VERSION}.jar + echo -e "${LGREEN}Upgraded TOTP extension to version ${NEW_GUAC_VERSION}${GREY}" + echo + break + fi done # Check for DUO extension and upgrade if found for file in /etc/guacamole/extensions/guacamole-auth-duo*.jar; do - if [[ -f $file ]]; then - echo -e "${LGREEN}DUO authentication extension was found, upgrading...${GREY}" - rm /etc/guacamole/extensions/guacamole-auth-duo*.jar &>>${INSTALL_LOG} - wget -q --show-progress -O guacamole-auth-duo-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${NEW_GUAC_VERSION}.tar.gz - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-duo-${NEW_GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${NEW_GUAC_VERSION}.tar.gz" - exit 1 - fi - tar -xzf guacamole-auth-duo-${NEW_GUAC_VERSION}.tar.gz &>>${INSTALL_LOG} - mv -f guacamole-auth-duo-${NEW_GUAC_VERSION}/guacamole-auth-duo-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${INSTALL_LOG} - chmod 664 /etc/guacamole/extensions/guacamole-auth-duo-${NEW_GUAC_VERSION}.jar - echo -e "${LGREEN}Upgraded DUO extension to version ${NEW_GUAC_VERSION}${GREY}" - echo - break - fi + if [[ -f $file ]]; then + echo -e "${LGREEN}DUO authentication extension was found, upgrading...${GREY}" + rm /etc/guacamole/extensions/guacamole-auth-duo*.jar &>>${INSTALL_LOG} + wget -q --show-progress -O guacamole-auth-duo-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${NEW_GUAC_VERSION}.tar.gz + if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-duo-${NEW_GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-duo-${NEW_GUAC_VERSION}.tar.gz" + exit 1 + fi + tar -xzf guacamole-auth-duo-${NEW_GUAC_VERSION}.tar.gz &>>${INSTALL_LOG} + mv -f guacamole-auth-duo-${NEW_GUAC_VERSION}/guacamole-auth-duo-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${INSTALL_LOG} + chmod 664 /etc/guacamole/extensions/guacamole-auth-duo-${NEW_GUAC_VERSION}.jar + echo -e "${LGREEN}Upgraded DUO extension to version ${NEW_GUAC_VERSION}${GREY}" + echo + break + fi done # Check for LDAP extension and upgrade if found for file in /etc/guacamole/extensions/guacamole-auth-ldap*.jar; do - if [[ -f $file ]]; then - echo -e "${LGREEN}LDAP authentication extension was found, upgrading...${GREY}" - rm /etc/guacamole/extensions/guacamole-auth-ldap*.jar &>>${INSTALL_LOG} - wget -q --show-progress -O guacamole-auth-ldap-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${NEW_GUAC_VERSION}.tar.gz - if [ $? 
-ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-ldap-${NEW_GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${NEW_GUAC_VERSION}.tar.gz" - exit 1 - fi - tar -xzf guacamole-auth-ldap-${NEW_GUAC_VERSION}.tar.gz &>>${INSTALL_LOG} - mv -f guacamole-auth-ldap-${NEW_GUAC_VERSION}/guacamole-auth-ldap-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${INSTALL_LOG} - chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${NEW_GUAC_VERSION}.jar - echo -e "${LGREEN}Upgraded LDAP extension to version ${NEW_GUAC_VERSION}${GREY}" - echo - break - fi + if [[ -f $file ]]; then + echo -e "${LGREEN}LDAP authentication extension was found, upgrading...${GREY}" + rm /etc/guacamole/extensions/guacamole-auth-ldap*.jar &>>${INSTALL_LOG} + wget -q --show-progress -O guacamole-auth-ldap-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${NEW_GUAC_VERSION}.tar.gz + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-ldap-${NEW_GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-ldap-${NEW_GUAC_VERSION}.tar.gz" + exit 1 + fi + tar -xzf guacamole-auth-ldap-${NEW_GUAC_VERSION}.tar.gz &>>${INSTALL_LOG} + mv -f guacamole-auth-ldap-${NEW_GUAC_VERSION}/guacamole-auth-ldap-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${INSTALL_LOG} + chmod 664 /etc/guacamole/extensions/guacamole-auth-ldap-${NEW_GUAC_VERSION}.jar + echo -e "${LGREEN}Upgraded LDAP extension to version ${NEW_GUAC_VERSION}${GREY}" + echo + break + fi done # Check for Quick Connection extension and upgrade if found for file in /etc/guacamole/extensions/guacamole-auth-quickconnect*.jar; do - if [[ -f $file ]]; then - echo -e "${LGREEN}Quick Connect extension was found, upgrading...${GREY}" - rm /etc/guacamole/extensions/guacamole-auth-quickconnect*.jar &>>${INSTALL_LOG} - wget -q --show-progress -O guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.tar.gz 
${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.tar.gz - if [ $? -ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.tar.gz" - exit 1 - fi - tar -xzf guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.tar.gz &>>${INSTALL_LOG} - mv -f guacamole-auth-quickconnect-${NEW_GUAC_VERSION}/guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${INSTALL_LOG} - chmod 664 /etc/guacamole/extensions/guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.jar - echo -e "${LGREEN}Upgraded Quick Connect extension to version ${NEW_GUAC_VERSION}${GREY}" - echo - break - fi + if [[ -f $file ]]; then + echo -e "${LGREEN}Quick Connect extension was found, upgrading...${GREY}" + rm /etc/guacamole/extensions/guacamole-auth-quickconnect*.jar &>>${INSTALL_LOG} + wget -q --show-progress -O guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.tar.gz + if [[ $? 
-ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.tar.gz" + exit 1 + fi + tar -xzf guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.tar.gz &>>${INSTALL_LOG} + mv -f guacamole-auth-quickconnect-${NEW_GUAC_VERSION}/guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${INSTALL_LOG} + chmod 664 /etc/guacamole/extensions/guacamole-auth-quickconnect-${NEW_GUAC_VERSION}.jar + echo -e "${LGREEN}Upgraded Quick Connect extension to version ${NEW_GUAC_VERSION}${GREY}" + echo + break + fi done # Check for History Recording Storage extension and upgrade if found for file in /etc/guacamole/extensions/guacamole-history-recording-storage*.jar; do - if [[ -f $file ]]; then - echo -e "${LGREEN}History Recording Storage extension was found, upgrading...${GREY}" - rm /etc/guacamole/extensions/guacamole-history-recording-storage*.jar &>>${INSTALL_LOG} - wget -q --show-progress -O guacamole-history-recording-storage-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${NEW_GUAC_VERSION}.tar.gz - if [ $? 
-ne 0 ]; then - echo -e "${LRED}Failed to download guacamole-history-recording-storage-${NEW_GUAC_VERSION}.tar.gz" 1>&2 - echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${NEW_GUAC_VERSION}.tar.gz" - exit 1 - fi - tar -xzf guacamole-history-recording-storage-${NEW_GUAC_VERSION}.tar.gz &>>${INSTALL_LOG} - mv -f guacamole-history-recording-storage-${NEW_GUAC_VERSION}/guacamole-history-recording-storage-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${INSTALL_LOG} - chmod 664 /etc/guacamole/extensions/guacamole-history-recording-storage-${NEW_GUAC_VERSION}.jar - echo -e "${LGREEN}Upgraded History Recording Storage extension to version ${NEW_GUAC_VERSION}${GREY}" - echo - break - fi + if [[ -f $file ]]; then + echo -e "${LGREEN}History Recording Storage extension was found, upgrading...${GREY}" + rm /etc/guacamole/extensions/guacamole-history-recording-storage*.jar &>>${INSTALL_LOG} + wget -q --show-progress -O guacamole-history-recording-storage-${NEW_GUAC_VERSION}.tar.gz ${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${NEW_GUAC_VERSION}.tar.gz + if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed to download guacamole-history-recording-storage-${NEW_GUAC_VERSION}.tar.gz" 1>&2 + echo -e "${GUAC_SOURCE_LINK}/binary/guacamole-history-recording-storage-${NEW_GUAC_VERSION}.tar.gz" + exit 1 + fi + tar -xzf guacamole-history-recording-storage-${NEW_GUAC_VERSION}.tar.gz &>>${INSTALL_LOG} + mv -f guacamole-history-recording-storage-${NEW_GUAC_VERSION}/guacamole-history-recording-storage-${NEW_GUAC_VERSION}.jar /etc/guacamole/extensions/ &>>${INSTALL_LOG} + chmod 664 /etc/guacamole/extensions/guacamole-history-recording-storage-${NEW_GUAC_VERSION}.jar + echo -e "${LGREEN}Upgraded History Recording Storage extension to version ${NEW_GUAC_VERSION}${GREY}" + echo + break + fi done # Fix for #196 see https://github.com/MysticRyuujin/guac-install/issues/196 
@@ -325,24 +325,24 @@ echo -e "${GREY}Starting guacd and Tomcat services..." systemctl enable guacd systemctl start guacd systemctl start ${TOMCAT_VERSION} -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Cleanup echo -e "${GREY}Clean up install files...${GREY}" rm -rf guacamole-* rm -rf mysql-connector-j-* -if [ $? -ne 0 ]; then - echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Done diff --git a/guac-optional-features/add-auth-duo.sh b/guac-optional-features/add-auth-duo.sh index e617521..228b052 100644 --- a/guac-optional-features/add-auth-duo.sh +++ b/guac-optional-features/add-auth-duo.sh @@ -17,10 +17,10 @@ NC='\033[0m' #No Colour clear -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 + exit 1 fi TOMCAT_VERSION=$(ls /etc/ | grep tomcat) GUAC_VERSION=$(grep -oP 'Guacamole.API_VERSION = "\K[0-9\.]+' /var/lib/${TOMCAT_VERSION}/webapps/guacamole/guacamole-common-js/modules/Version.js) diff --git a/guac-optional-features/add-auth-ldap.sh b/guac-optional-features/add-auth-ldap.sh index e3e7acc..33cf993 100644 --- a/guac-optional-features/add-auth-ldap.sh +++ b/guac-optional-features/add-auth-ldap.sh 
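Review bot: The `$?` test after `systemctl start ${TOMCAT_VERSION}` in the @@ -325 hunk of upgrade-guac.sh only reflects the Tomcat start; a failure of `systemctl enable guacd` or `systemctl start guacd` two lines earlier is never detected, and the second `$?` test likewise covers only `rm -rf mysql-connector-j-*`, not the `rm -rf guacamole-*` before it. Each command whose failure matters should be checked on its own, e.g. `systemctl start guacd || { echo -e "${LRED}Failed to start guacd. See ${INSTALL_LOG}${GREY}" 1>&2; exit 1; }`, with the same shape for the Tomcat start and each `rm`. Otherwise the "OK" printed by the else branch can be wrong while guacd is down.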
@@ -18,10 +18,10 @@ NC='\033[0m' #No Colour clear # Check if user is root or sudo -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 + exit 1 fi TOMCAT_VERSION=$(ls /etc/ | grep tomcat) @@ -36,13 +36,13 @@ echo case $yn in y) echo Beginning LDAP auth config... ;; n) - echo exiting... - exit - ;; + echo exiting... + exit + ;; *) - echo invalid response - exit 1 - ;; + echo invalid response + exit 1 + ;; esac echo diff --git a/guac-optional-features/add-auth-totp.sh b/guac-optional-features/add-auth-totp.sh index c16a615..a26a545 100644 --- a/guac-optional-features/add-auth-totp.sh +++ b/guac-optional-features/add-auth-totp.sh @@ -18,10 +18,10 @@ NC='\033[0m' #No Colour clear # Check if user is root or sudo -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 + exit 1 fi TOMCAT_VERSION=$(ls /etc/ | grep tomcat) diff --git a/guac-optional-features/add-fail2ban.sh b/guac-optional-features/add-fail2ban.sh index 37a1cf9..d54edee 100644 --- a/guac-optional-features/add-fail2ban.sh +++ b/guac-optional-features/add-fail2ban.sh @@ -18,10 +18,10 @@ NC='\033[0m' #No Colour clear # Check if user is root or sudo -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 + exit 1 fi # Initialise variables 
@@ -43,25 +43,25 @@ rm -f /tmp/fail2ban.update # Prompt to install fail2ban base package with no policy as yet, default of yes if [[ -z ${FAIL2BAN_BASE} ]]; then - echo - echo -e -n "${LGREEN}Install Fail2ban? (base package with no policy as yet) [default y]: ${GREY}" - read PROMPT - if [[ ${PROMPT} =~ ^[Nn]$ ]]; then - FAIL2BAN_BASE=false - else - FAIL2BAN_BASE=true - fi + echo + echo -e -n "${LGREEN}Install Fail2ban? (base package with no policy as yet) [default y]: ${GREY}" + read PROMPT + if [[ ${PROMPT} =~ ^[Nn]$ ]]; then + FAIL2BAN_BASE=false + else + FAIL2BAN_BASE=true + fi fi # Prompt to install Guacamole fail2ban config defaults, default of no if [[ -z ${FAIL2BAN_GUAC} ]] && [[ "${FAIL2BAN_BASE}" = true ]]; then - echo -e -n "${GREY}POLICY: Apply Guacamole fail2ban security policy? (Y/n) [default y]:${GREY}" - read PROMPT - if [[ ${PROMPT} =~ ^[Nn]$ ]]; then - FAIL2BAN_GUAC=false - else - FAIL2BAN_GUAC=true - fi + echo -e -n "${GREY}POLICY: Apply Guacamole fail2ban security policy? (Y/n) [default y]:${GREY}" + read PROMPT + if [[ ${PROMPT} =~ ^[Nn]$ ]]; then + FAIL2BAN_GUAC=false + else + FAIL2BAN_GUAC=true + fi fi # Prompt to install Nginx fail2ban config defaults , default of no - NOT IMPLEMENTED YET 
@@ -91,14 +91,14 @@ fi ####################################################################################################################### # Install base fail2ban base application, and whitelist the local subnet as the starting baseline (no policy defined yet) -if [ "${FAIL2BAN_BASE}" = true ]; then +if [[ "${FAIL2BAN_BASE}" = true ]]; then - #Update and install fail2ban (and john for management of config file updates, and not overwrite any existing settings) - sudo apt-get update -qq >/dev/null 2>&1 - sudo apt-get install fail2ban john -qq -y >/dev/null 2>&1 + #Update and install fail2ban (and john for management of config file updates, and not overwrite any existing settings) + sudo apt-get update -qq >/dev/null 2>&1 + sudo apt-get install fail2ban john -qq -y >/dev/null 2>&1 - # Create the basic jail.local template and local subnet whitelist - cat >/tmp/fail2ban.conf </tmp/fail2ban.conf </tmp/ip_list.txt + # We need to discover all interfaces to ascertain what network ranges to add to fail2ban "ignoreip" policy override defaults + ip -o addr show up primary scope global | while read -r num dev fam addr rest; do echo ${addr%*}; done | cat >/tmp/ip_list.txt - # Loop the list of discovered ips and extract the subnet ID addresses for each interface - FILE=/tmp/ip_list.txt - LINES=$(cat $FILE) - for LINE in $LINES; do + # Loop the list of discovered ips and extract the subnet ID addresses for each interface + FILE=/tmp/ip_list.txt + LINES=$(cat $FILE) + for LINE in $LINES; do - tonum() { - if [[ $LINE =~ ([[:digit:]]+)\.([[:digit:]]+)\.([[:digit:]]+)\.([[:digit:]]+) ]]; then - addr=$(((${BASH_REMATCH[1]} << 24) + (${BASH_REMATCH[2]} << 16) + (${BASH_REMATCH[3]} << 8) + ${BASH_REMATCH[4]})) - eval "$2=\$addr" - fi - } - toaddr() { - b1=$((($1 & 0xFF000000) >> 24)) - b2=$((($1 & 0xFF0000) >> 16)) - b3=$((($1 & 0xFF00) >> 8)) - b4=$(($1 & 0xFF)) - eval "$2=\$b1.\$b2.\$b3.\$b4" - } + tonum() { + if [[ $LINE =~ 
([[:digit:]]+)\.([[:digit:]]+)\.([[:digit:]]+)\.([[:digit:]]+) ]]; then + addr=$(((${BASH_REMATCH[1]} << 24) + (${BASH_REMATCH[2]} << 16) + (${BASH_REMATCH[3]} << 8) + ${BASH_REMATCH[4]})) + eval "$2=\$addr" + fi + } + toaddr() { + b1=$((($1 & 0xFF000000) >> 24)) + b2=$((($1 & 0xFF0000) >> 16)) + b3=$((($1 & 0xFF00) >> 8)) + b4=$(($1 & 0xFF)) + eval "$2=\$b1.\$b2.\$b3.\$b4" + } - if [[ $LINE =~ ^([0-9\.]+)/([0-9]+)$ ]]; then - # CIDR notation - IPADDR=${BASH_REMATCH[1]} - NETMASKLEN=${BASH_REMATCH[2]} - PREFIX=$NETMASKLEN - zeros=$((32 - NETMASKLEN)) - NETMASKNUM=0 - for ((i = 0; i < $zeros; i++)); do - NETMASKNUM=$(((NETMASKNUM << 1) ^ 1)) - done - NETMASKNUM=$((NETMASKNUM ^ 0xFFFFFFFF)) - toaddr $NETMASKNUM NETMASK - else - IPADDR=${1:-192.168.1.1} - NETMASK=${2:-255.255.255.0} - fi + if [[ $LINE =~ ^([0-9\.]+)/([0-9]+)$ ]]; then + # CIDR notation + IPADDR=${BASH_REMATCH[1]} + NETMASKLEN=${BASH_REMATCH[2]} + PREFIX=$NETMASKLEN + zeros=$((32 - NETMASKLEN)) + NETMASKNUM=0 + for ((i = 0; i < $zeros; i++)); do + NETMASKNUM=$(((NETMASKNUM << 1) ^ 1)) + done + NETMASKNUM=$((NETMASKNUM ^ 0xFFFFFFFF)) + toaddr $NETMASKNUM NETMASK + else + IPADDR=${1:-192.168.1.1} + NETMASK=${2:-255.255.255.0} + fi - tonum $IPADDR IPADDRNUM - tonum $NETMASK NETMASKNUM + tonum $IPADDR IPADDRNUM + tonum $NETMASK NETMASKNUM - # The logic to calculate network and broadcast - INVNETMASKNUM=$((0xFFFFFFFF ^ NETMASKNUM)) - NETWORKNUM=$((IPADDRNUM & NETMASKNUM)) - BROADCASTNUM=$((INVNETMASKNUM | NETWORKNUM)) + # The logic to calculate network and broadcast + INVNETMASKNUM=$((0xFFFFFFFF ^ NETMASKNUM)) + NETWORKNUM=$((IPADDRNUM & NETMASKNUM)) + BROADCASTNUM=$((INVNETMASKNUM | NETWORKNUM)) - toaddr $NETWORKNUM NETWORK - toaddr $BROADCASTNUM BROADCAST + toaddr $NETWORKNUM NETWORK + toaddr $BROADCASTNUM BROADCAST - # Reverse engineer the subnet ID from the calcualted IP address and subnet prefix - IFS=. read -r i1 i2 i3 i4 <<<"$IPADDR" - IFS=. 
read -r m1 m2 m3 m4 <<<"$NETMASK" + # Reverse engineer the subnet ID from the calcualted IP address and subnet prefix + IFS=. read -r i1 i2 i3 i4 <<<"$IPADDR" + IFS=. read -r m1 m2 m3 m4 <<<"$NETMASK" - # Lay out the subnet ID address as a variable - printf -v NETADDR "%d.%d.%d.%d" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))" + # Lay out the subnet ID address as a variable + printf -v NETADDR "%d.%d.%d.%d" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))" - #Dump out the calcualted subnet IDs to a file - echo $NETADDR"/"$NETMASKLEN | tr '\n' ' ' | cat >>/tmp/netaddr.txt + #Dump out the calcualted subnet IDs to a file + echo $NETADDR"/"$NETMASKLEN | tr '\n' ' ' | cat >>/tmp/netaddr.txt - done + done fi -if [ "${FAIL2BAN_BASE}" = true ]; then - # Now the above loop is done, append the single loopback address to all the discovered the subnet IDs in a single line - sed -i 's/^/127.0.0.1\/24 /' /tmp/netaddr.txt +if [[ "${FAIL2BAN_BASE}" = true ]]; then + # Now the above loop is done, append the single loopback address to all the discovered the subnet IDs in a single line + sed -i 's/^/127.0.0.1\/24 /' /tmp/netaddr.txt - # Finally assemble the entire syntax of the ignoreip whitelist for insertion into the base fail2ban config - SED_IGNORE=$(echo "ignoreip = ") - SED_NETADDR=$(cat /tmp/netaddr.txt) - sed -i "s|ignoreip \=|${SED_IGNORE}${SED_NETADDR}|g" /tmp/fail2ban.conf + # Finally assemble the entire syntax of the ignoreip whitelist for insertion into the base fail2ban config + SED_IGNORE=$(echo "ignoreip = ") + SED_NETADDR=$(cat /tmp/netaddr.txt) + sed -i "s|ignoreip \=|${SED_IGNORE}${SED_NETADDR}|g" /tmp/fail2ban.conf - # Move the new base fail2ban config to the jail.local file - touch /etc/fail2ban/jail.local + # Move the new base fail2ban config to the jail.local file + touch /etc/fail2ban/jail.local - # Apply the base config, keeping any pre-existing settings - sudo bash -c 'cat /tmp/fail2ban.conf /etc/fail2ban/jail.local | unique 
/tmp/fail2ban.update ; cat /tmp/fail2ban.update > /etc/fail2ban/jail.local' + # Apply the base config, keeping any pre-existing settings + sudo bash -c 'cat /tmp/fail2ban.conf /etc/fail2ban/jail.local | unique /tmp/fail2ban.update ; cat /tmp/fail2ban.update > /etc/fail2ban/jail.local' - # Clean up - rm -f /tmp/fail2ban.conf - rm -f /tmp/ip_list.txt - rm -f /tmp/netaddr.txt - rm -f /tmp/fail2ban.update + # Clean up + rm -f /tmp/fail2ban.conf + rm -f /tmp/ip_list.txt + rm -f /tmp/netaddr.txt + rm -f /tmp/fail2ban.update - # bounce the service to reload the new config - sudo systemctl restart fail2ban + # bounce the service to reload the new config + sudo systemctl restart fail2ban - # Done - echo - echo -e "${LGREEN}Fail2ban installed...${GREY}" - echo + # Done + echo + echo -e "${LGREEN}Fail2ban installed...${GREY}" + echo else - echo -e "${LGREEN}Fail2ban setup cancelled.${GREY}" + echo -e "${LGREEN}Fail2ban setup cancelled.${GREY}" fi 
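Review bot: Fixed, predictable paths in the world-writable /tmp (`/tmp/ip_list.txt`, `/tmp/netaddr.txt`, `/tmp/fail2ban.conf`, `/tmp/fail2ban.update`) are used as working files in the @@ -91 hunk of add-fail2ban.sh, and the last of them is then copied over `/etc/fail2ban/jail.local` as root via `sudo bash -c`; a pre-existing file or symlink at any of those paths is followed without notice, so the ignoreip whitelist and jail config can end up derived from content this script did not produce. Create a private directory once, `tmpd=$(mktemp -d) || exit 1` followed by `trap 'rm -rf -- "$tmpd"' EXIT`, and point all four paths into it (the same paths recur in the @@ -208 hunk). Separately, an entry from `ip -o addr show` that does not match `^([0-9\.]+)/([0-9]+)$` — an IPv6 global address, for instance — falls into the `else` branch and is replaced by the defaults `${1:-192.168.1.1}` / `${2:-255.255.255.0}` while `NETMASKLEN` keeps whatever value the previous iteration left, so a network unrelated to the host is appended to `ignoreip`; replacing the `else` branch with `[[ $LINE =~ ^([0-9\.]+)/([0-9]+)$ ]] || continue` at the top of the loop body avoids that. Minor: `${addr%*}` strips nothing and is a no-op.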
@@ -208,10 +208,10 @@ fi # Fail2ban optional policy setup items ################################################################################ ####################################################################################################################### -if [ "${FAIL2BAN_GUAC}" = true ]; then +if [[ "${FAIL2BAN_GUAC}" = true ]]; then - # Create the Guacamole jail.local policy template - cat >/tmp/fail2ban.conf </tmp/fail2ban.conf < /etc/fail2ban/jail.local' + # Apply the new Guacamole jail config keeping any pre-existing settings + sudo bash -c 'cat /tmp/fail2ban.conf /etc/fail2ban/jail.local | unique /tmp/fail2ban.update ; cat /tmp/fail2ban.update > /etc/fail2ban/jail.local' - # Backup the default Fail2ban Guacamole filter - cp /etc/fail2ban/filter.d/guacamole.conf /etc/fail2ban/filter.d/guacamole.conf.bak + # Backup the default Fail2ban Guacamole filter + cp /etc/fail2ban/filter.d/guacamole.conf /etc/fail2ban/filter.d/guacamole.conf.bak - # Remove the default log search regex - sudo bash -c 'sed -e "/Authentication attempt from/ s/^#*/#/" -i /etc/fail2ban/filter.d/guacamole.conf' + # Remove the default log search regex + sudo bash -c 'sed -e "/Authentication attempt from/ s/^#*/#/" -i /etc/fail2ban/filter.d/guacamole.conf' - # Create a new log search regex specific for tomcat logs (as a variable due to complexity of characters for sed syntax) - REGEX='failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from for user "[^"]*" failed\.$' - #Insert the new regex - sed -i -e "/Authentication attempt from/a ${REGEX}" /etc/fail2ban/filter.d/guacamole.conf + # Create a new log search regex specific for tomcat logs (as a variable due to complexity of characters for sed syntax) + REGEX='failregex = ^.*WARN o\.a\.g\.r\.auth\.AuthenticationService - Authentication attempt from for user "[^"]*" failed\.$' + #Insert the new regex + sed -i -e "/Authentication attempt from/a ${REGEX}" /etc/fail2ban/filter.d/guacamole.conf - # Done - 
echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban \n \n This script may take a while to complete on first run..." + # Done + echo -e "${LGREEN}Guacamole security policy applied${GREY}\n- ${SED_NETADDR}are whitelisted from all IP bans.\n- To alter this whitelist, edit /etc/fail2ban/jail.local & sudo systemctl restart fail2ban \n \n This script may take a while to complete on first run..." - # Bounce the service to reload the new config - sudo systemctl restart fail2ban - echo + # Bounce the service to reload the new config + sudo systemctl restart fail2ban + echo fi # Clean up @@ -250,13 +250,13 @@ rm -f /tmp/netaddr.txt rm -f /tmp/fail2ban.update ############## Start Fail2ban NGINX security policy option ############### -#if [ "${FAIL2BAN_NGINX}" = true ]; then +#if [[ "${FAIL2BAN_NGINX}" = true ]]; then # echo -e "${LGREEN}Nginx Fail2ban policy not implemented yet.${GREY}" # echo #fi ############### Start Fail2ban SSH security policy option ################ -#if [ "${FAIL2BAN_SSH}" = true ]; then +#if [[ "${FAIL2BAN_SSH}" = true ]]; then # echo -e "${LGREEN}SSH Fail2ban policy not implemented yet..${GREY}" # echo #fi diff --git a/guac-optional-features/add-smtp-relay-o365.sh b/guac-optional-features/add-smtp-relay-o365.sh index 477fd61..aca98a6 100644 --- a/guac-optional-features/add-smtp-relay-o365.sh +++ b/guac-optional-features/add-smtp-relay-o365.sh @@ -27,10 +27,10 @@ SERVER=$(uname -n) DOMAIN_SEARCH_SUFFIX=$(grep search /etc/resolv.conf | grep -v "#" | sed 's/'search[[:space:]]'//') # Check if user is root or sudo -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 + exit 1 fi echo 
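Review bot: As rendered here the `REGEX` assigned in the @@ -208 hunk of add-fail2ban.sh reads `Authentication attempt from for user`, with no fail2ban `HOST` capture tag between `from` and `for`; if that is the real file content fail2ban has no address to extract and the Guacamole jail can never ban anything, so please confirm the tag is present in the source (it may simply have been dropped by this page's rendering). The backup `cp /etc/fail2ban/filter.d/guacamole.conf /etc/fail2ban/filter.d/guacamole.conf.bak` is unconditional, so a second run overwrites the pristine copy with the already-modified filter; `cp -n` (or `[[ -e /etc/fail2ban/filter.d/guacamole.conf.bak ]] || cp ...`) keeps the original. The inserted `failregex` line itself contains `Authentication attempt from`, so on a rerun the `s/^#*/#/` edit comments it out and the `a` command appends a fresh copy after every match — it still works, but the filter accumulates commented duplicates each run.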
@@ -41,11 +41,11 @@ echo echo -e "${GREY}Installing Postfix with non-interactive defaults..." sudo apt update -qq >/dev/null 2>&1 DEBIAN_FRONTEND="noninteractive" apt-get install postfix mailutils -qq -y >/dev/null 2>&1 -if [ $? -ne 0 ]; then - echo -e "${LRED}Postfix install failed. ${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Postfix install failed. ${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" + echo -e "${LGREEN}OK${GREY}" fi # Get the Office365 smtp authentication credentials @@ -79,12 +79,12 @@ smtp_tls_security_level = encrypt smtp_generic_maps = hash:/etc/postfix/generic smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt EOF -if [ $? -ne 0 ]; then - echo -e "${LRED}Postfix restart failed. ${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Postfix restart failed. ${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" - echo + echo -e "${LGREEN}OK${GREY}" + echo fi # Setup the password file and postmap @@ -110,11 +110,11 @@ sudo postmap /etc/postfix/generic # Restart and test echo -e "${GREY}Restarting Postfix..." sudo systemctl restart postfix -if [ $? -ne 0 ]; then - echo -e "${LRED}Postfix restart failed. ${GREY}" 1>&2 - exit 1 +if [[ $? -ne 0 ]]; then + echo -e "${LRED}Postfix restart failed. ${GREY}" 1>&2 + exit 1 else - echo -e "${LGREEN}OK${GREY}" + echo -e "${LGREEN}OK${GREY}" fi echo diff --git a/guac-optional-features/add-tls-guac-daemon.sh b/guac-optional-features/add-tls-guac-daemon.sh index 9f06acc..affa92c 100644 --- a/guac-optional-features/add-tls-guac-daemon.sh +++ b/guac-optional-features/add-tls-guac-daemon.sh @@ -19,10 +19,10 @@ LYELLOW='\033[0;93m' NC='\033[0m' #No Colour # Check if user is root or sudo -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 + exit 1 fi TOMCAT_VERSION=$(ls /etc/ | grep tomcat) 
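Review bot: The `$?` test directly after the heredoc's `EOF` in the @@ -79 hunk of add-smtp-relay-o365.sh reports `Postfix restart failed`, but nothing has been restarted at that point — the status belongs to whatever command consumed the heredoc (its start lies outside the hunk), and the actual restart is in the @@ -110 hunk with the identical message. Give the first check a message that names what failed, e.g. `echo -e "${LRED}Writing the Postfix configuration failed. ${GREY}" 1>&2`, so the two failures can be told apart in the output. In the @@ -41 hunk, `apt-get install postfix mailutils -qq -y >/dev/null 2>&1` discards the only diagnostic the failure branch could point at; dropping the `2>&1` so apt's stderr still reaches the user would make the `exit 1` actionable.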
diff --git a/guac-optional-features/add-xtra-histrecstor.sh b/guac-optional-features/add-xtra-histrecstor.sh index afebb17..4715647 100644 --- a/guac-optional-features/add-xtra-histrecstor.sh +++ b/guac-optional-features/add-xtra-histrecstor.sh @@ -18,10 +18,10 @@ NC='\033[0m' #No Colour clear # Check if user is root or sudo -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 + exit 1 fi TOMCAT_VERSION=$(ls /etc/ | grep tomcat) @@ -30,13 +30,13 @@ GUAC_SOURCE_LINK="http://apache.org/dyn/closer.cgi?action=download&filename=guac HISTREC_PATH_DEFAULT=/var/lib/guacamole/recordings # Apache default while true; do - echo - read -p "Enter recorded storage path [Enter for default ${HISTREC_PATH_DEFAULT}]: " HISTREC_PATH - [ "${HISTREC_PATH}" = "" ] || [ "${HISTREC_PATH}" != "" ] && break + echo + read -p "Enter recorded storage path [Enter for default ${HISTREC_PATH_DEFAULT}]: " HISTREC_PATH + [[ "${HISTREC_PATH}" = "" ]] || [[ "${HISTREC_PATH}" != "" ]] && break done # If no custom path is given, lets assume the default path on hitting enter -if [ -z "${HISTREC_PATH}" ]; then - HISTREC_PATH="${HISTREC_PATH_DEFAULT}" +if [[ -z "${HISTREC_PATH}" ]]; then + HISTREC_PATH="${HISTREC_PATH_DEFAULT}" fi echo diff --git a/guac-optional-features/add-xtra-quickconnect.sh b/guac-optional-features/add-xtra-quickconnect.sh index 0bcd2f7..a59cf30 100644 --- a/guac-optional-features/add-xtra-quickconnect.sh +++ b/guac-optional-features/add-xtra-quickconnect.sh @@ -18,10 +18,10 @@ NC='\033[0m' #No Colour clear # Check if user is root or sudo -if ! [ $(id -u) = 0 ]; then - echo - echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 - exit 1 +if ! [[ $(id -u) = 0 ]]; then + echo + echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2 + exit 1 fi TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
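Review bot: The loop condition `[[ "${HISTREC_PATH}" = "" ]] || [[ "${HISTREC_PATH}" != "" ]] && break` in the @@ -30 hunk of add-xtra-histrecstor.sh is a tautology — one of the two tests is always true — so the `while true` loop exits after the first `read` whatever was typed and validates nothing. Either drop the loop and keep the plain `read`, or make the condition check something useful, e.g. `[[ -z "${HISTREC_PATH}" || "${HISTREC_PATH}" == /* ]] && break` to insist on an absolute path before it is used as the recording directory. `read -p` should also become `read -r -p`, since a path containing a backslash is otherwise altered before it reaches the default check below.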