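#!/bin/bash
#######################################################################################################################
# Harden Guacd <-> Guac client traffic in SSL wrapper
# For Ubuntu / Debian / Raspian
# David Harrop
# April 2023
#
# What this script does (must be run as root):
#   1. Generates a self-signed RSA certificate + key for guacd, valid for localhost / 127.0.0.1 only.
#   2. Writes /etc/guacamole/guacd.conf so guacd listens on 127.0.0.1:4822 with TLS enabled.
#   3. Sets "guacd-ssl: true" in guacamole.properties so the web app talks TLS to guacd.
#   4. Imports the certificate into the JRE trust store (cacerts) so the Guacamole web app trusts it.
#
# Re-running is safe: an existing guacd.conf is backed up first, a stale "guacd" alias in cacerts is
# replaced, and guacd-ssl is set exactly once rather than appended again.
#######################################################################################################################

# Abort on the first failed command. Without this, a failed openssl step would still be followed by
# pointing guacd at a missing key and restarting it, taking the service down.
set -euo pipefail

# Prepare text output colours
# shellcheck disable=SC2034  # palette kept intact for consistency with the other installer scripts
GREY='\033[0;37m'
DGREY='\033[0;90m'
GREYB='\033[1;37m'
LRED='\033[0;91m'
LGREEN='\033[0;92m'
LYELLOW='\033[0;93m'
NC='\033[0m' #No Colour

# Certificate subject fields. Left empty here; the main installer is expected to populate them.
# They are written verbatim into the openssl config below, so keep them single-line.
CERT_COUNTRY=
CERT_STATE=
CERT_LOCATION=
CERT_ORG=
CERT_OU=

# Tunables (override via environment). Defaults preserve the script's historical behaviour.
CERT_DAYS="${CERT_DAYS:-36500}"             # loopback-only cert with no renewal automation, hence very long-lived
CERT_KEY_BITS="${CERT_KEY_BITS:-2048}"
CACERTS_PASS="${CACERTS_PASS:-changeit}"    # JRE default cacerts password; override if the store was re-keyed

SSL_DIR=/etc/guacamole/ssl
GUACD_CONF=/etc/guacamole/guacd.conf
GUAC_PROPS=/etc/guacamole/guacamole.properties

# clear fails (non-zero) when TERM is unset, e.g. under a non-interactive runner; never fatal.
clear 2>/dev/null || true

if [[ "$(id -u)" -ne 0 ]]; then
    echo
    echo -e "${LGREEN}Please run this script as sudo or root${NC}" 1>&2
    exit 1
fi

# Create the special directory for guacd ssl certificate and key (no-op if it already exists).
mkdir -p -- "$SSL_DIR"

# Build the openssl request config in a private temp file rather than in whatever CWD the script was
# launched from, and remove it on every exit path. tee also echoes it so the operator sees the attributes.
cert_config="$(mktemp)"
trap 'rm -f -- "$cert_config"' EXIT
echo
# extendedKeyUsage is limited to serverAuth: this cert only ever fronts guacd's loopback listener, and it is
# installed into the JRE trust store below, so it should not be able to vouch for anything else.
tee "$cert_config" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
string_mask = utf8only

[req_distinguished_name]
C = $CERT_COUNTRY
ST = $CERT_STATE
L = $CERT_LOCATION
O = $CERT_ORG
OU = $CERT_OU
CN = localhost

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
EOF

# Create the self-signed certificate & key. The restrictive umask guarantees the private key is never
# world-readable, even briefly, regardless of the openssl build's default file mode.
(
    umask 077
    openssl req -x509 -nodes -days "$CERT_DAYS" -newkey "rsa:${CERT_KEY_BITS}" \
        -keyout "$SSL_DIR/guacd.key" -out "$SSL_DIR/guacd.crt" -config "$cert_config"
)

# Point guacd at the certificate and key. This overwrites guacd.conf, so keep a timestamped copy of any
# existing file (it may carry settings beyond the ones written here).
if [[ -f "$GUACD_CONF" ]]; then
    cp -a -- "$GUACD_CONF" "${GUACD_CONF}.bak.$(date +%Y%m%d%H%M%S)"
fi
cat > "$GUACD_CONF" <<EOF
[server]
bind_host = 127.0.0.1
bind_port = 4822
[ssl]
server_certificate = $SSL_DIR/guacd.crt
server_key = $SSL_DIR/guacd.key
EOF

# Enable SSL backend. Replace an existing guacd-ssl line (which may say "false") instead of appending a
# duplicate on every run; append only when the property is absent.
if grep -qs '^[[:space:]]*guacd-ssl[[:space:]]*[:=]' "$GUAC_PROPS"; then
    sed -i 's/^[[:space:]]*guacd-ssl[[:space:]]*[:=].*/guacd-ssl: true/' "$GUAC_PROPS"
else
    echo "guacd-ssl: true" >> "$GUAC_PROPS"
fi

# Fix required permissions as guacd only runs as daemon: it must read the key, nobody else should be
# able to. The certificate is public and may stay world-readable.
chown daemon:daemon -- "$SSL_DIR" "$SSL_DIR/guacd.key" "$SSL_DIR/guacd.crt"
chmod 644 -- "$SSL_DIR/guacd.crt"
chmod 600 -- "$SSL_DIR/guacd.key"

# Add the new certificate into the Java Runtime certificate store and set JRE to trust it.
# keytool refuses to import over an existing alias, so drop one left by a previous run first.
# (-cacerts needs a Java 9+ keytool; the original script already relied on it.)
if keytool -list -cacerts -storepass "$CACERTS_PASS" -alias guacd >/dev/null 2>&1; then
    keytool -delete -cacerts -storepass "$CACERTS_PASS" -alias guacd
fi
keytool -importcert -alias guacd -noprompt -cacerts -storepass "$CACERTS_PASS" -file "$SSL_DIR/guacd.crt"

systemctl restart guacd

echo
echo "Done!"
# guacamole.properties and cacerts are read when the JVM starts; the web app will not use TLS to guacd
# until its Tomcat service (name varies by distro/version) is restarted.
echo -e "${LYELLOW}Restart the Tomcat service hosting Guacamole so it picks up guacd-ssl: true and the updated trust store.${NC}"
echo -e "${NC}"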