Easy-Guacamole-Installer/README.md

Guacamole 1.5.3 VDI & Jump Server Appliance Builder

A menu based build & install script for Guacamole 1.5.3 with support for SSL reverse proxy, AD integration, multi-factor authentication and further security hardening.

Automatic build, install & config script

To install Guacamole, copy and paste the following command into your terminal:

wget https://raw.githubusercontent.com/itiligent/Guacamole-Install/main/1-setup.sh && chmod +x 1-setup.sh && ./1-setup.sh

Prerequisites

PLEASE NOTE: DEBIAN 12 & Tomcat 10 NOT COMPATIBLE - SEE ISSUE #10

• Ubuntu 18.04 - 22.x / Debian 11 & 10 / Raspbian Buster or Bullseye
  • (if using cloud images - only use above listed release versions not latest daily builds!)
• Minimum 8GB RAM and 40GB HDD
• Public or private DNS entries that match the default physical interface IP address (required for SSL)
• Incoming access on TCP ports 22, 80, and 443
• The user executing the wget installer script must be a member of the sudo group

Setup Menu Flow

1. Setup MySQL

• Install a new local MySQL instance, or choose an existing/remote MySQL instance.
  • Sub option: Add MySQL mysql_secure_installation settings to the selected MySQL instance

2. Select authentication extension

• Choose an authentication extension [DUO, TOTP, LDAP or None]
  • Simultaneous TOTP and DUO not possible, but LDAP with TOTP is ok.

3. Choose a Guacamole front end option

• Install Nginx Reverse Proxy? [y/n]
  • n = Use Guacamole native front end http://hostname.local:8080/guacamole
    • Sub option: Set native url to http root? [y/n] y = http://hostname.local:8080
• Install Nginx with no SSL? [y/n]
  • y = port 80 url http://hostname.local
• Install Nginx with self-signed SSL certificate? [y/n]
  • y = port 443 url https://hostname.local)
    • Configures Nginx with self signed certificate & generates Windows/Linux client certificates
• Install Nginx with Let's Encrypt certificate? [y/n]
  • y = port 443 https://your-public-site.com)
    • Configures Nginx with a new LetsEncrypt certificate and sets up auto renewals.)

Optional post install hardening

The installer downloads additional scripts to manually run:

• add-fail2ban.sh - Adds a fail2ban lockdown policy for Guacamole
• add-ssl-guac-gaucd.sh - Encrypts internal traffic between Guacamole application and Guacd daemon with TLS
• add-auth-ldap.sh - Template script for Integrating with Active Directory (See ACTIVE-DIRECTORY-HOW-TO.md)
• add-smtp-relay-o365.sh - Template script for email alerts via MSO65 (SMTP auth, requires BYO app password)

Installation notes

To create a custom or unattended setup, follow these steps:

1. From a terminal session, change to your home directory then paste and run the above wget link.
2. Exit 1-setup.sh script at the first prompt. (At this point only the scripts have been downloaded).
3. Edit the "Silent setup options" section of 1-setup.sh.
   • Note that script variables with an actual setting (e.g., VARIABLE="value") will NOT prompt during the interactive setup. This means that with the right combination of variable inputs, it is possible to mass deploy a full Guacamole appliance with Nginx & SSL with zero touch.
4. After setting your custom variable values in 1-setup.sh, you must run the modified script saved locally with ./1-setup.sh Beware: If you run the wget link again you will overwrite all your changes!
   • For adaptations made to any other downloaded script, you must comment out the relevant wget lines in the "Download GitHub Setup" section at the top of 1-setup.sh to prevent these from being re-downloaded and overwritten as well.
   • There should be no need to customise any scripts other than 1-setup.sh as all install options are managed in the first parent script.
   • Be aware that all optional (manually run) add-xxxx.sh scripts are dynamically updated during the installation with the exact variables you selected at install. Editing anything other than 1-setup.sh may break this functionality, so make changes only if you understand the impacts.
5. Self signed client TLS certificates are saved in the $DOWNLOAD_DIR/guac-setup directory.

Setup script download manifest

The setup command mentioned above downloads the following items into the $DOWNLOAD_DIR/guac-setup directory:

• 1-setup.sh: The parent install script itself
• 2-install-guacamole.sh: Guacamole installation script (inspired by MysticRyuujin/guac-install)
• 3-install-nginx.sh: Installs Nginx & auto-configures a front-end reverse proxy for Guacamole (optional)
• 4a-install-ssl-self-signed-nginx.sh: Configures self-signed TLS certificate for Nginx proxy (optional)
• 4b-install-ssl-letsencrypt-nginx.sh: Installs & configures Let's Encrypt with Guacamole & Nginx proxy (optional)
• add-auth-duo.sh: Adds the Duo MFA extension if not selected during install (optional)
• add-auth-ldap.sh: Adds the Active Directory extension and setup template if not selected at install (optional)
• add-auth-totp.sh: Adds the TOTP MFA extension if not selected at install (optional)
• add-ssl-guac-gaucd.sh: A hardening script to add a TLS wrapper for guacd daemon to Guacamole client application traffic (optional)
• add-fail2ban.sh: Adds a fail2ban policy (with local subnet override) to secure Guacamole against external brute force attacks
• add-smtp-relay-o365.sh: Sets up a TLS/SMTP auth relay with O365 for monitoring & alerts (BYO app password)
• backup-guacamole.sh: A simple Guacamole backup script
• branding.jar: An example customised Guacamole login screen extension to allow you to brand Guacamole to your own requirements (delete to keep the default interface.) This is a version of https://github.com/Zer0CoolX/guacamole-customize-loginscreen-extension but has been further tweaked to additionally support custom browser tab favicons.