Guacamole 1.5.3 VDI/Jump Server Appliance Build Script
This repo makes setting up Guacamole a breeze. It has installer support for a TLS reverse proxy, Active Directory integration, multi-factor authentication, Quick Connect & History Recording Storage UI enhancements, dark mode and custom UI templates, automatic database backups, O365 email alerts, and even fail2ban and internal daemon security hardening options. There's also code in here to get you up and running with Guacamole in an enterprise or high availability deployment.
Automatic Installation
To start building your Guacamole appliance, paste the command below into a terminal and follow the prompts (no need for sudo, but the user must be a member of the sudo group). Note that this one-liner downloads 1-setup.sh over HTTPS and executes it immediately; if you would rather read the script before it runs with sudo rights, download it, inspect it, and then run it locally (the Custom Installation Notes below describe that flow):
wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh
Prerequisites (Debian 12 now working!)
Before diving in, make sure you have:
- A compatible OS: Ubuntu 18.04 - 22.x, Debian 10, 11 or 12, or Raspbian Buster/Bullseye (If using vendor cloud images stick to stable releases).
- Minimum 8GB RAM and 40GB HDD.
- DNS entries matching your default appliance network interface IP (essential for TLS).
- Open TCP ports: 22, 80, and 443.
Installation Menu
The main script guides you through the installation process in the following steps:
- Confirm your system hostname and local DNS domain suffix. (Must be consistent for TLS proxy)
- Choose a locally installed or remote MySQL instance, set database security preferences.
- Pick an authentication extension: DUO, TOTP, LDAP, or none.
- Select optional console features: Quick Connect & History Recording Storage UI integrations.
- Decide on the Guacamole front end: Nginx reverse proxy (http or https) or keep the native Guacamole interface.
For the more security minded, there are several post-install hardening script options available:
- add-fail2ban.sh: Adds a fail2ban lockdown policy for Guacamole to guard against brute force attacks on the login page.
- add-tls-guac-daemon.sh: Wraps the internal guacd server daemon <--> Guacamole application traffic in TLS.
- add-auth-ldap.sh: A template script for Active Directory integration.
- add-smtp-relay-o365.sh: A template script for email alerts integrated with Microsoft 365 (BYO app password).
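As an added illustration (not a script from this repo), the shell snippet below tallies failed Guacamole logins per client address from the Tomcat log, which is the same signal a fail2ban jail for Guacamole keys on. It is useful for sanity-checking your log format and a maxretry threshold before enabling the jail. The log line layout, the example log path and the sample lines in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the Guacamole-Install repo.
# Count failed Guacamole logins per source address, the signal a
# fail2ban jail for Guacamole matches on.
#
# Assumed log line formats (Guacamole's AuthenticationService WARN):
#   ... Authentication attempt from 203.0.113.7 for user "bob" failed.
#   ... Authentication attempt from [203.0.113.7, 10.0.0.2] for user "bob" failed.
# The bracketed form appears when X-Forwarded-For is honoured behind a
# reverse proxy: the first address is the real client, the last one is
# the proxy. Keying a ban on the proxy address would lock out every user,
# so only the first address is extracted.

# guac_failed_logins LOGFILE
# Prints "<count> <client-ip>" for every address with at least one
# failed login, highest count first.
guac_failed_logins() {
    sed -nE 's/.*Authentication attempt from \[?([0-9A-Fa-f.:]+).* for user "[^"]*" failed\.$/\1/p' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# guac_ban_candidates LOGFILE MAXRETRY
# Prints the client addresses whose failure count reached MAXRETRY,
# i.e. the addresses a jail with that maxretry would have banned
# (ignoring findtime, which fail2ban applies on top of this).
guac_ban_candidates() {
    guac_failed_logins "$1" | awk -v max="$2" '($1 + 0) >= (max + 0) {print $2}'
}

# Example usage (path is an assumption; use your Tomcat log location):
#   guac_ban_candidates /var/log/tomcat9/catalina.out 5
```

Run it against the live log after a deliberate burst of bad passwords from a test client: your own address should appear and the reverse proxy's address must not; if the proxy shows up instead, Guacamole is not seeing X-Forwarded-For and the jail will ban the proxy.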
Active Directory Integration
Need help with Active Directory authentication? See ACTIVE-DIRECTORY-HOW-TO.md in this repo.
Customise & Brand Your Guacamole Theme
Want to give Guacamole your personal touch? Follow the theme and branding instructions in the guac-custom-theme-builder directory of this repo.
Custom Installation Notes
- Paste and run the wget autorun link in your home directory.
- Exit 1-setup.sh at the first prompt. (At this point the scripts are downloaded only.)
- Customise the huge number of installation variables available in 1-setup.sh as required. (Certain combinations of edits will produce a fully unattended install.)
- Caution: If editing 1-setup.sh, be aware that running the autorun link again re-downloads and overwrites all changes. You must run setup locally after editing. (Also be sure to comment out the download links in the setup script for any other edited scripts. There should be little need to edit outside of the setup script's options.)
- The upgrade-guac.sh, add-tls-guac-daemon.sh, refresh-tls-self-signed.sh & backup-guac.sh scripts are automatically adjusted at installation to match your chosen installation settings. These can be run after install without any modification.
- If the self-signed TLS proxy option is selected, browser client TLS certificates will be automatically created and saved to $HOME/guac-setup.
- Note that Nginx is automatically configured to use TLS 1.2 or above (so really old browser versions may not work).
- A daily MySQL backup job will be automatically configured under the script owner's crontab.
- Security info: The Quick Connect and History Recording Storage options bring security implications. Quick Connect lets logged-in users open ad hoc connections to any host guacd can reach, outside the connection list an admin has defined, and History Recording Storage keeps full screen recordings of sessions on the appliance's disk and makes them playable from the history screen, so that directory holds everything typed or displayed in a session and needs file permissions and a retention policy to match. Weigh these risks in your particular environment before enabling either option.
Upgrading Guacamole
To upgrade Guacamole, edit upgrade-guac.sh to reflect the latest versions of Guacamole and the MySQL Connector/J before running it. The script also automatically updates the DUO, LDAP, TOTP, Quick Connect & History Recording Storage extensions if they are found to be present.
Enterprise Scale Out & High Availability
For enterprise deployments, did you know that Guacamole can be run in a load balanced farm? To achieve this, the database, application and front end components are usually split into 2 or 3 layers. (VLANs & firewalls between the layers help with security too.) See the guac-enterprise-build directory of this repo for how to get started.
- For the DATABASE layer: Use the included install-mysql-backend-only.sh to install a standalone instance of the Guacamole MySQL database for your backend.
- For the APPLICATION layer: Simply use the main setup script to build as many application servers as you like. For a true 3 layer load balanced system, make sure to say no to both the "Install MySQL locally" option and all Nginx front end options so that only the Guacamole server and Apache Tomcat services are installed.
- For the FRONT END layer: There are many choices here. You can slightly modify the Nginx scripts for a separate front end TLS layer; however, HAProxy provides far superior session affinity under load balanced conditions when compared to open source Nginx (an Nginx Plus subscription gets you all the good stuff). There are many possible ways to achieve this in hardware and software, and there are plenty of config details in this repo to help you begin to roll your own HA solution.
Auto Download Manifest
The autorun link downloads these repo files into $HOME/guac-setup:
- 1-setup.sh: The installation script.
- 2-install-guacamole.sh: Guacamole main source build installation script.
- 3-install-nginx.sh: Installs Nginx for reverse proxy (optional).
- 4a-install-tls-self-signed-nginx.sh: Configures self-signed TLS for Nginx (optional).
- 4b-install-tls-letsencrypt-nginx.sh: Installs Let's Encrypt for Nginx (optional).
- add-auth-duo.sh: Adds the Duo MFA extension (optional).
- add-auth-ldap.sh: Adds the Active Directory extension (optional).
- add-auth-totp.sh: Adds the TOTP MFA extension (optional).
- add-xtra-quickconnect.sh: Adds the Quick Connect console feature (optional).
- add-xtra-histrecstore.sh: Adds the History Recording Storage feature (optional).
- add-smtp-relay-o365.sh: Sets up an SMTP auth relay with O365 for backup messages, monitoring & alerts (BYO app password).
- add-tls-guac-daemon.sh: Adds a TLS wrapper for the guacd server daemon (optional).
- add-fail2ban.sh: Adds a fail2ban policy for brute force protection.
- backup-guacamole.sh: A MySQL Guacamole backup script.
- upgrade-guac.sh: Upgrades Guacamole and the MySQL connector.
- refresh-tls-self-signed.sh: Generates and installs updated TLS certificates for Nginx.
- branding.jar: An example template for customising Guacamole's theme. Delete it to keep the default UI.
Happy Guacamole-ing! 😄🥑