Bash Script Installation on Debian 11
Based on the Manual Installation steps, I have created a simple bash script that automates the Apache Guacamole server install, with MariaDB for database authentication and NGINX as the web-server front-end.
Copy the following code into a bash file and run the script with sudo.
If you want to enable HTTPS for NGINX, make sure you have placed your self-signed internal certificate or public certificate (and its private key) on the server before running the script; the script prompts for both paths and only checks that the files exist.
#!/bin/bash
#Simple script to install Apache Guacamole with MariaDB and NGINX
set -e #Exit immediately if a command exits with a non-zero status
GUACAMOLE_VERSION=1.5.1
CURRENT_DIRECTORY=$(pwd)
#Get all the variables for the configs
echo -e "This is a simple script for installing Apache Guacamole with MariaDB Database Authentication and NGINX SSL Frontend. \n"
#Prompt for DB user 'guacamole' password (must be non-empty and entered twice)
while true
do
    read -sp "Enter a password for the new guacamole database user: " db_user_pass1
    echo ""
    read -sp "Enter the password again: " db_user_pass2
    echo ""
    if [ -n "$db_user_pass1" ] && [ "$db_user_pass1" == "$db_user_pass2" ]
    then
        break
    else
        echo "Password was empty or did not match. Try again."
    fi
done
#Prompt for the MariaDB root password
while true
do
    read -sp "Enter a new MariaDB Root User password: " db_root_pass1
    echo ""
    read -sp "Enter the password again: " db_root_pass2
    echo ""
    if [ -n "$db_root_pass1" ] && [ "$db_root_pass1" == "$db_root_pass2" ]
    then
        break
    else
        echo "Password was empty or did not match. Try again."
    fi
done
#Prompt for the server FQDN (used as the NGINX server_name)
while true
do
    read -p "Enter your Apache Guacamole Server's FQDN: " server_FQDN1
    echo ""
    read -p "Enter the FQDN again: " server_FQDN2
    echo ""
    if [ -n "$server_FQDN1" ] && [ "$server_FQDN1" == "$server_FQDN2" ]
    then
        break
    else
        echo "FQDN was empty or did not match. Try again."
    fi
done
# Ask user if they want to define SSL cert location
read -p "Do you want to define SSL cert location? (y/n): " define_ssl_cert
if [ "$define_ssl_cert" == "y" ]
then
    # Prompt for SSL cert and key location
    while true
    do
        read -p "Enter the location of your SSL Cert: " ssl_cert_path
        read -p "Enter the location of your SSL Key: " ssl_key_path
        # Check that the provided SSL cert and key files exist
        if [ -f "$ssl_cert_path" ] && [ -f "$ssl_key_path" ]
        then
            break
        else
            echo "Invalid SSL Cert or Key location. Try again."
        fi
    done
else
    echo "Skipping SSL Cert configuration..."
fi
#update repo
sudo apt update && sudo apt upgrade -y
#install debian dependency
sudo apt install -y build-essential wget
#install Apache Guacamole dependencies
sudo apt install -y libcairo2-dev libjpeg62-turbo-dev libpng-dev libtool-bin uuid-dev libavcodec-dev libavformat-dev libavutil-dev libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libvncserver-dev libwebsockets-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev
#install Tomcat 9
sudo apt install -y tomcat9 tomcat9-admin
#enable Tomcat 9
sudo systemctl start tomcat9
sudo systemctl enable tomcat9
#Download guacamole server and extract the tar file
cd $CURRENT_DIRECTORY
wget https://downloads.apache.org/guacamole/$GUACAMOLE_VERSION/source/guacamole-server-$GUACAMOLE_VERSION.tar.gz
tar -xzf guacamole-server-$GUACAMOLE_VERSION.tar.gz
#configure Guacamole server installation and verify system requirements
cd guacamole-server-$GUACAMOLE_VERSION
./configure --with-systemd-dir=/etc/systemd/system/
#compile and install Guacamole Server
make
sudo make install
#Update symbolic links of the system libraries
sudo ldconfig
#Reload systemctl and auto start guacd
sudo systemctl daemon-reload
sudo systemctl enable guacd
#Download guacamole clients
cd $CURRENT_DIRECTORY && wget https://downloads.apache.org/guacamole/$GUACAMOLE_VERSION/binary/guacamole-$GUACAMOLE_VERSION.war
#Move the downloaded .war file to the Tomcat webapps directory
sudo mv guacamole-$GUACAMOLE_VERSION.war /var/lib/tomcat9/webapps/guacamole.war
#create the configuration directory
sudo mkdir -p /etc/guacamole/{extensions,lib}
#Tell Tomcat to look for GUACAMOLE_HOME directory in /etc/guacamole
sudo sed -i "$ a GUACAMOLE_HOME=/etc/guacamole" /etc/default/tomcat9
#Install MariaDB
sudo apt-get install -y mariadb-server mariadb-client
#start mariadb on boot
sudo systemctl enable mariadb
#Create local Guacamole Database
sudo mysql -u root -e "CREATE DATABASE IF NOT EXISTS guacamole_db"
#Download the Guacamole ToTP Extension and extract the tar file
cd $CURRENT_DIRECTORY && wget https://downloads.apache.org/guacamole/$GUACAMOLE_VERSION/binary/guacamole-auth-totp-$GUACAMOLE_VERSION.tar.gz && tar -xzf guacamole-auth-totp-$GUACAMOLE_VERSION.tar.gz
#Copy Guacamole ToTP Extension to the guacamole extensions folder
sudo cp ./guacamole-auth-totp-$GUACAMOLE_VERSION/guacamole-auth-totp-$GUACAMOLE_VERSION.jar /etc/guacamole/extensions/
#Download the Guacamole Database Extension and extract the tar file
cd $CURRENT_DIRECTORY && wget https://downloads.apache.org/guacamole/$GUACAMOLE_VERSION/binary/guacamole-auth-jdbc-$GUACAMOLE_VERSION.tar.gz && tar -xzf guacamole-auth-jdbc-$GUACAMOLE_VERSION.tar.gz
#Copy guacamole-auth-jdbc-mysql-* to the guacamole extensions folder
sudo cp ./guacamole-auth-jdbc-$GUACAMOLE_VERSION/mysql/guacamole-auth-jdbc-mysql-$GUACAMOLE_VERSION.jar /etc/guacamole/extensions/
#Copy the Guacamole Schema to the MariaDB database
sudo cat ./guacamole-auth-jdbc-*/mysql/schema/*.sql | sudo mysql -u root guacamole_db
#Create local Guacamole Database User
#Note: the password is interpolated into the SQL statement, so a password containing a single quote or a backslash will break the statement
sudo mysql -u root --execute="CREATE USER 'guacamole'@'localhost' IDENTIFIED WITH mysql_native_password AS PASSWORD('$db_user_pass2');"
sudo mysql -u root --execute="GRANT ALL ON guacamole_db.* TO 'guacamole'@'localhost'"
#Perform the mysql_secure_installation steps
#Drop the anonymous users
sudo mysql -u root -e "DELETE FROM mysql.user WHERE User=''"
#Drop the demo database
sudo mysql -u root -e "DROP DATABASE IF EXISTS test"
#Make sure that NOBODY can access the DB without a password. Any subsequent attempt to run queries this way will get access denied because the user/password parameters are missing
sudo mysql -u root --execute="SET PASSWORD FOR 'root'@'localhost' = PASSWORD('$db_root_pass2')"
sudo mysql -u root --execute="FLUSH PRIVILEGES"
#Download the MySQL Java connector and Extract z file
cd $CURRENT_DIRECTORY &&
wget https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-8.0.33.tar.gz && tar -xzf mysql-connector-j-8.0.33.tar.gz
#Copy the connector to guacamole folder
sudo cp ./mysql-connector-j-*/mysql-connector-j-*.jar /etc/guacamole/lib/
#create the blank guacamole property and config files
sudo touch /etc/guacamole/{guacamole.properties,guacd.conf}
#Modify the guacamole.properties file with DB details
sudo tee /etc/guacamole/guacamole.properties >/dev/null <<EOF
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole
mysql-password: $db_user_pass2
EOF
#The properties file holds the DB password in clear text: make it readable by root and the tomcat user only
sudo chown root:tomcat /etc/guacamole/guacamole.properties
sudo chmod 640 /etc/guacamole/guacamole.properties
#Create the guacd.conf file with the guacd listener settings (guacd itself has no DB details; Tomcat talks to it on port 4822)
sudo tee /etc/guacamole/guacd.conf >/dev/null <<EOF
[server]
# Tomcat runs on this host, so 127.0.0.1 would be sufficient; 0.0.0.0 exposes guacd on every interface
bind_host = 0.0.0.0
bind_port = 4822
EOF
# restart guacd and tomcat 9
sudo systemctl restart guacd
sudo systemctl restart tomcat9
#Install Nginx
sudo apt install -y nginx
#Start nginx on boot
sudo systemctl enable nginx
#Remove the default NGINX site link (rm -f so the script does not abort if it is already gone)
sudo rm -f /etc/nginx/sites-enabled/default
#Create blank NGINX Config
sudo touch /etc/nginx/sites-available/guacamole
#Create the NGINX config
if [ "$define_ssl_cert" == "y" ]
then
sudo tee /etc/nginx/sites-available/guacamole > /dev/null <<EOF
server {
listen 443 ssl http2;
server_name $server_FQDN2;
root /var/www/html;
index index.html;
#SSL Certs
ssl_certificate $ssl_cert_path;
ssl_certificate_key $ssl_key_path;
#Force TLS 1.3 only (TLS 1.3 cipher suites are fixed by OpenSSL, so the ssl_ciphers list below only takes effect if TLSv1.2 is added to ssl_protocols)
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
#Disable weak ciphers
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
access_log /var/log/nginx/guacamole-access.log;
error_log /var/log/nginx/guacamole-error.log;
#Guacamole location
location / {
proxy_pass http://127.0.0.1:8080/guacamole/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection \$http_connection;
client_max_body_size 1g;
access_log off;
}
}
EOF
echo "That's it! You can now access your Guacamole instance at https://$server_FQDN2, using user 'guacadmin' and password 'guacadmin'. Change your password upon login."
else
sudo tee /etc/nginx/sites-available/guacamole > /dev/null <<EOF
server {
listen 80;
server_name $server_FQDN2;
root /var/www/html;
index index.html;
access_log /var/log/nginx/guacamole-access.log;
error_log /var/log/nginx/guacamole-error.log;
#Guacamole location
location / {
proxy_pass http://127.0.0.1:8080/guacamole/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection \$http_connection;
client_max_body_size 1g;
access_log off;
}
}
EOF
echo "That's it! You can now access your Guacamole instance at http://$server_FQDN2, using user 'guacadmin' and password 'guacadmin'. Change your password upon login."
fi
#Link config (-f so a re-run does not abort on an existing link)
sudo ln -sf /etc/nginx/sites-available/guacamole /etc/nginx/sites-enabled/guacamole
#Set guacd to run under the guacd user instead of daemon. This is needed for RDP to work properly.
#make install does not create the guacd user, so create it as a system account if it is missing
id -u guacd >/dev/null 2>&1 || sudo useradd --system --home-dir /var/lib/guacd --shell /usr/sbin/nologin guacd
sudo sed -i 's/^User=daemon$/User=guacd/' /etc/systemd/system/guacd.service
sudo mkdir -p /var/lib/guacd
sudo chown -R guacd: /var/lib/guacd
#Restart all services
sudo systemctl daemon-reload
sudo systemctl restart guacd tomcat9 mariadb nginx
The script asks for user input at the beginning and then runs unattended.
Once completed, you can navigate to your server and log in using user 'guacadmin' and password 'guacadmin'.
Change your password upon login.
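As an added example (not part of the script above or of the Guacamole project), here are three post-install checks the script itself does not perform: a syntax check on the FQDN rather than only requiring two matching entries, a check that the certificate and private key actually belong together rather than merely existing, and a check that guacamole.properties, which holds the database password in clear text, grants no permissions to other users. The file paths are the ones the script writes; the function names and the --live switch are constructed for this example.

```shell
#!/bin/bash
# Added post-install checks for the Guacamole install script above (example code, not part of
# the script). Function names are constructed for this example; paths are those the script writes.

# Syntax check for a host name: dot-separated labels of 1-63 characters made of letters, digits
# and hyphens, no leading or trailing hyphen, an alphabetic top-level label, 253 characters max.
valid_fqdn() {
    local fqdn="$1"
    [ "${#fqdn}" -le 253 ] || return 1
    printf '%s' "$fqdn" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# The certificate and the private key belong together when the public key embedded in the
# certificate equals the public key derived from the private key.
cert_matches_key() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# A file that holds a clear-text password must grant no permissions to "other".
# stat -c is GNU coreutils (Debian); stat -f is the BSD fallback.
secret_file_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    # the last octal digit is the "other" class; only 0 means no read, write or execute
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Run the checks against a live install. Each failure is reported and the return value is
# the number of failed checks, so 0 means everything passed.
run_checks() {
    local failures=0 props conf name crt key
    props=/etc/guacamole/guacamole.properties
    if [ -f "$props" ]; then
        secret_file_ok "$props" || {
            echo "FAIL: $props is accessible to other users (expected root:tomcat 0640)"
            failures=$((failures + 1))
        }
    fi
    conf=/etc/nginx/sites-available/guacamole
    if [ -f "$conf" ]; then
        # pull server_name, ssl_certificate and ssl_certificate_key out of the generated config;
        # the mandatory whitespace after the directive keeps ssl_certificate from matching _key
        name=$(sed -n 's/^[[:space:]]*server_name[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf" | head -n1)
        crt=$(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf" | head -n1)
        key=$(sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf" | head -n1)
        valid_fqdn "$name" || {
            echo "FAIL: server_name '$name' is not a valid host name"
            failures=$((failures + 1))
        }
        if [ -n "$crt" ] && [ -n "$key" ]; then
            cert_matches_key "$crt" "$key" || {
                echo "FAIL: certificate $crt does not match key $key"
                failures=$((failures + 1))
            }
        fi
    fi
    return "$failures"
}

# Only touch the live system when invoked with --live (constructed switch), so the functions
# can also be sourced and exercised on their own.
if [ "${1:-}" = "--live" ]; then
    run_checks
fi
```

Run it as `sudo bash guac-checks.sh --live` on the server after the install script finishes; the exit status is the number of failed checks, which makes it easy to call from a configuration-management post-task.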