Installs Guac v1.5.1. All manual scripts now customise with install variables at install. Backup SMTP working. Many tidy ups with flow and menus, clearer readme notes for further customisation and editing
Guacamole 1.5.1 RDP jump server appliance with MFA, Active Directory integration & Nginx SSL reverse proxy
Automatic build, install & config script:
wget https://raw.githubusercontent.com/itiligent/Guacamole-Setup/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh
Prerequisites:
Recent flavours of Ubuntu / Debian / Raspbian
Min 8GB RAM, 40GB HDD
Public or private DNS entries matching the default physical interface IP address. (needed for SSL)
Incoming access on tcp 22, 80 & 443
Setup menu options are:
1. Install default Guacamole with either a local MySQL database or with a remote MySQL instance
sub-options:
a. Add MySQL mysql_secure_installation settings (to a local or remote MySQL instance)
b. Add Guacamole MFA and Auth extensions - DUO, TOTP, LDAP. (Simultaneous TOTP & DUO not possible)
2. Optionally add a reverse proxy front end to Guacamole of either:
a) None: Skip Nginx and keep the default Guacamole front end e.g. http://hostname:8080/guacamole
b) Install Nginx with NO SSL: e.g. http://hostname.local
c) Install Nginx with SELF SIGNED SSL certificates: e.g. https://hostname.local
- Newly created Windows & Linux browser certs $site.crt, $site.key & $site.pfx are saved to $DOWNLOAD_DIR/guac-setup
- The exact custom commands for importing the client certificates are generated on screen and logged for later use.
d) Install Nginx with LET'S ENCRYPT certificates: e.g. https://public.site.com
3. After installation, optional hardening scripts can be manually run for:
a. Adding a fail2ban lockdown policy for Guacamole
b. Encryption of internal traffic between the Guacamole client and the guacd daemon with SSL
To do list: (Hardening scripts for Nginx & MFA for shell access)
Install notes:
To create an unattended setup, you must first run the link as above, then EXIT the 1-setup.sh script when prompted. At this point only a download of all scripts has occurred, and from there you may edit the "Silent setup options" section at the start of 1-setup.sh as needed.
In 1-setup.sh, any variable with an actual setting, i.e. Variable="value", will not prompt during interactive setup, so with the right combination of saved inputs it is fully possible to deploy Guacamole with Nginx and SSL with zero touch!
Note: If you have edited 1-setup.sh, you must now run the setup script you saved LOCALLY with ./1-setup.sh (DO NOT RUN AS SUDO). Beware: if you start setup again from the above wget link, this will re-download and overwrite any previous customisations. There should be no need to customise any other scripts before installation. All optional (manually run) scripts are dynamically updated with their specific and relevant variables during setup. Essentially, this means that all scripts are built to work as a set that is specific to your exact install. Editing anything but 1-setup.sh (until at least one full install is completed) is therefore not recommended.
To keep any adaptations you make to any of the scripts, simply comment out the relevant wget lines in the "Download github setup" section at the top of 1-setup.sh. This will prevent any subsequent setup re-runs from overwriting your own edited versions.
This approach of pre-saving options in the setup script itself has been taken because there are far too many potential inputs and combinations of command line arguments that would need to be handled and managed. With so much input required for what is quite a complex install, any other method would require digesting and typing an insanely long string of setup arguments before the script itself.
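The "pre-set means no prompt" behaviour described above, shown as an added POSIX shell example (this is not the project's own 1-setup.sh; the variable names and helper functions are hypothetical stand-ins for the real silent setup options):

```shell
#!/bin/sh
# Added example, not code from the Guacamole-Setup repo. A variable that is
# already given a value in the script is used as-is and never prompted for;
# an empty one is asked for interactively. Names below are hypothetical.

# --- Silent setup options (edit these for an unattended install) ---
INSTALL_NGINX="true"        # pre-set: no prompt during setup
SELF_SIGNED=""              # empty: prompt during setup
GUAC_DB_HOST="localhost"    # pre-set: no prompt during setup

# prompt_if_unset NAME QUESTION DEFAULT
# Reads NAME from stdin only when it is currently empty; an empty answer
# (or EOF, e.g. a non-interactive run) falls back to DEFAULT.
prompt_if_unset() {
    name="$1"; question="$2"; default="$3"
    eval "current=\${$name}"
    if [ -n "$current" ]; then
        return 0                      # saved in the script: skip prompt
    fi
    printf '%s [%s]: ' "$question" "$default"
    read -r answer || answer=""
    [ -n "$answer" ] || answer="$default"
    eval "$name=\"\$answer\""
}

# silent_ready NAME... : exit 0 only when every listed variable already has
# a value, i.e. a run with these options would complete with zero prompts.
silent_ready() {
    for name in "$@"; do
        eval "value=\${$name}"
        [ -n "$value" ] || return 1
    done
    return 0
}
```

Fill every option that silent_ready reports as missing and the run becomes zero touch; leave one empty and setup stops to ask for it.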
# Items downloaded with the setup command above are placed in the $DOWNLOAD_DIR/guac-setup directory...
1. 1-setup.sh - the parent install script itself
2. 2-install-guacamole.sh - Guacamole install script (inspired by https://github.com/MysticRyuujin/guac-install)
3. 3-install-nginx.sh - Installs Nginx and auto configures as a front end for Guacamole (optional)
4. 4a-install-ssl-self-signed-nginx.sh - Configures self signed ssl certs for Nginx (optional)
5. 4b-install-ssl-letsencrypt-nginx.sh - Installs and configures Let's Encrypt with Guacamole and Nginx (optional)
6. add-auth-duo.sh - Adds the Duo MFA extensions if not selected at install (optional)
7. add-auth-ldap.sh - Adds the LDAP Active Directory extension and guides the specific LDAP setup requirements (optional)
8. add-auth-totp.sh - Adds the TOTP MFA extension if not selected at install (optional)
9. add-ssl-guac-gaucd.sh - A hardening script to wrap an extra ssl layer between the guacd server and the Guacamole client (optional)
10. add-fail2ban.sh - Adds and configures fail2ban to secure Guacamole against brute force attacks
11. backup-guacamole.sh - A simple Guacamole backup script
12. branding.jar - An extension to customise the Guacamole login screen (optional)
see: https://github.com/Zer0CoolX/guacamole-customize-loginscreen-extension
Special acknowledgement to MysticRyuujin @ https://github.com/MysticRyuujin/guac-install and Zer0CoolX @ https://github.com/Zer0CoolX/guacamole-customize-loginscreen-extension whose repos were a helpful source of ideas in assembling this project.