
Bash Script Installation on Debian 11

Based on the Manual Installation steps, I have created a simple bash script that automates the Apache Guacamole server install, with MariaDB for database authentication and NGINX as the web-server front end.

Copy the following code into a bash file, and run the script with sudo.

If you want to enable HTTPS for NGINX, make sure you have placed your self-signed internal certificate or public certificate on the server before running the script.

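#!/bin/bash
#Simple script to install Apache Guacamole with MariaDB and NGINX
#
# Run with sudo. The script first prompts for the guacamole DB user password,
# the MariaDB root password, the server FQDN and (optionally) the paths of an
# existing TLS certificate/key, then installs and configures everything.

# -e: exit on an unhandled non-zero status
# -u: treat an unset variable as an error instead of expanding to ""
# -o pipefail: a failing stage anywhere in a pipeline fails the pipeline
#   (by default only the last command's status counts)
set -euo pipefail

# Release to install; the same value names the server tarball, the .war and the extensions.
readonly GUACAMOLE_VERSION=1.5.1
# Directory the script was started from; downloads are fetched and unpacked there.
CURRENT_DIRECTORY=$(pwd)
readonly CURRENT_DIRECTORY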

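#Get all the variables for the configs 
echo -e "This is a simple script for installing Apache Guacamole with MariaDB Database Authentication and NGINX SSL Frontend. \n"

# Print a message on stderr and stop. Used when a prompt hits end-of-input
# (e.g. the script is run non-interactively): a failed read leaves both
# variables empty, and two empty strings would otherwise "match" and be
# accepted as the password.
die() {
    printf '%s\n' "$*" >&2
    exit 1
}

#Prompt for DB user 'guacamole' password (hidden input, entered twice, must be non-empty)
while true
do
    read -r -s -p "Enter a password for the new guacamole database user:" db_user_pass1 || die "No input available; aborting."
    echo ""
    read -r -s -p "Enter the password again:" db_user_pass2 || die "No input available; aborting."
    echo ""
    if [[ -z "$db_user_pass1" ]]
    then
        echo "Password must not be empty. Try again."
    elif [[ "$db_user_pass1" == "$db_user_pass2" ]]
    then
        break
    else
        echo "Password did not match. Try again."
    fi
done

#Prompt for the MariaDB root password (same rules as above)
while true
do
    read -r -s -p "Enter a new MariaDB Root User password:" db_root_pass1 || die "No input available; aborting."
    echo ""
    read -r -s -p "Enter the password again:" db_root_pass2 || die "No input available; aborting."
    echo ""
    if [[ -z "$db_root_pass1" ]]
    then
        echo "Password must not be empty. Try again."
    elif [[ "$db_root_pass1" == "$db_root_pass2" ]]
    then
        break
    else
        echo "Password did not match. Try again."
    fi
done

#Prompt for the FQDN used as the NGINX server_name (entered twice, must be non-empty)
while true
do
    read -r -p "Enter your Apache Gucamole Server's FQDN:" server_FQDN1 || die "No input available; aborting."
    echo ""
    read -r -p "Enter the FQDN again:" server_FQDN2 || die "No input available; aborting."
    echo ""
    if [[ -z "$server_FQDN1" ]]
    then
        echo "FQDN must not be empty. Try again."
    elif [[ "$server_FQDN1" == "$server_FQDN2" ]]
    then
        break
    else
        echo "FQDN did not match. Try again."
    fi
done

# Ask user if they want to define SSL cert location.
# The answer is lower-cased so "Y" is accepted; later checks compare against "y".
read -r -p "Do you want to define SSL cert location? (y/n): " define_ssl_cert || die "No input available; aborting."
define_ssl_cert=${define_ssl_cert,,}

if [[ "$define_ssl_cert" == "y" ]]
then
    # Prompt for SSL cert and key location until both paths exist as regular files
    while true
    do
        read -r -p "Enter the location of your SSL Cert: " ssl_cert_path || die "No input available; aborting."
        read -r -p "Enter the location of your SSL Key: " ssl_key_path || die "No input available; aborting."

        # Check if the provided SSL cert and key location exists
        if [[ -f "$ssl_cert_path" && -f "$ssl_key_path" ]]
        then
            break
        else
            echo "Invalid SSL Cert or Key location. Try again."
        fi
    done
else
    echo "Skipping SSL Cert configuration..."
fi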

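#update repo
#Two statements on purpose: in "apt update && apt upgrade" a failing apt update
#is not the last command of the list, so set -e would not stop the script.
sudo apt update
sudo apt upgrade -y

#install debian dependency
sudo apt install -y build-essential wget

#install Apache Guacamole dependencies
sudo apt install -y libcairo2-dev libjpeg62-turbo-dev libpng-dev libtool-bin uuid-dev libavcodec-dev libavformat-dev libavutil-dev libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libvncserver-dev libwebsockets-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev

#install Tomcat 9
#NOTE(review): tomcat9-admin ships the manager/host-manager web apps, which this
#setup does not use; consider leaving it out to reduce the exposed surface.
sudo apt install -y tomcat9 tomcat9-admin

#enable Tomcat 9
sudo systemctl start tomcat9
sudo systemctl enable tomcat9

#Download guacamole server and extract the tar file
cd "$CURRENT_DIRECTORY"
#NOTE(review): the archive is fetched over HTTPS but is not checked against the
#signature/checksum the ASF publishes next to each release; verify it before
#building on anything beyond a lab box.
wget "https://downloads.apache.org/guacamole/${GUACAMOLE_VERSION}/source/guacamole-server-${GUACAMOLE_VERSION}.tar.gz"
tar -xzf "guacamole-server-${GUACAMOLE_VERSION}.tar.gz"

#configure Guacamole server installation and verify system requirements
cd "guacamole-server-${GUACAMOLE_VERSION}"
./configure --with-systemd-dir=/etc/systemd/system/

#compile and install Guacamole Server (parallel build, one job per CPU)
make -j"$(nproc)"
sudo make install

#Update symbolic links of the system libraries
sudo ldconfig

#Reload systemctl and auto start guacd
sudo systemctl daemon-reload
sudo systemctl enable guacd

#Download guacamole client (.war)
cd "$CURRENT_DIRECTORY"
wget "https://downloads.apache.org/guacamole/${GUACAMOLE_VERSION}/binary/guacamole-${GUACAMOLE_VERSION}.war"

#Move the downloaded .war file to the Tomcat webapps directory
sudo mv "guacamole-${GUACAMOLE_VERSION}.war" /var/lib/tomcat9/webapps/guacamole.war

#create the configuration directory
sudo mkdir -p /etc/guacamole/{extensions,lib}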

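#Tell Tomcat to look for GUACAMOLE_HOME directory in /etc/guacamole
#Append only when the setting is absent, so a re-run does not add a duplicate line.
if ! grep -q '^GUACAMOLE_HOME=' /etc/default/tomcat9
then
    echo 'GUACAMOLE_HOME=/etc/guacamole' | sudo tee -a /etc/default/tomcat9 >/dev/null
fi

#Install MariaDB
sudo apt-get install -y mariadb-server mariadb-client

#start mariadb on boot
sudo systemctl enable mariadb

#Create local Guacamole Database
sudo mysql -u root -e "CREATE DATABASE IF NOT EXISTS guacamole_db"

#Download the Guacamole ToTP Extension and extract the tar file
#(separate statements: inside "cd && wget && tar" a failing cd would not stop
#the script under set -e, and wget would then fetch into the wrong directory)
cd "$CURRENT_DIRECTORY"
wget "https://downloads.apache.org/guacamole/${GUACAMOLE_VERSION}/binary/guacamole-auth-totp-${GUACAMOLE_VERSION}.tar.gz"
tar -xzf "guacamole-auth-totp-${GUACAMOLE_VERSION}.tar.gz"

#Copy Guacamole ToTP Extension to the guacamole extensions folder
sudo cp "./guacamole-auth-totp-${GUACAMOLE_VERSION}/guacamole-auth-totp-${GUACAMOLE_VERSION}.jar" /etc/guacamole/extensions/

#Download the Guacamole Database Extension and extract the tar file
cd "$CURRENT_DIRECTORY"
wget "https://downloads.apache.org/guacamole/${GUACAMOLE_VERSION}/binary/guacamole-auth-jdbc-${GUACAMOLE_VERSION}.tar.gz"
tar -xzf "guacamole-auth-jdbc-${GUACAMOLE_VERSION}.tar.gz"

#Copy guacamole-auth-jdbc-mysql-* to the guacamole extensions folder
sudo cp "./guacamole-auth-jdbc-${GUACAMOLE_VERSION}/mysql/guacamole-auth-jdbc-mysql-${GUACAMOLE_VERSION}.jar" /etc/guacamole/extensions/

#Load the Guacamole Schema into the MariaDB database, one file at a time in glob
#(name) order, so a failing file is caught by set -e without relying on pipefail.
#The directory is pinned to this release; a bare guacamole-auth-jdbc-* glob would
#also pick up an older extracted version on a re-run.
for schema_file in "./guacamole-auth-jdbc-${GUACAMOLE_VERSION}"/mysql/schema/*.sql
do
    sudo mysql -u root guacamole_db < "$schema_file"
done

#Escape a value for use inside a single-quoted SQL string literal:
#backslashes and single quotes are doubled. Without this a password containing
#a quote breaks the statement (or changes its meaning).
sql_quote() {
    local value=$1
    value=${value//\\/\\\\}
    value=${value//\'/\'\'}
    printf '%s' "$value"
}
db_user_pass_sql=$(sql_quote "$db_user_pass2")
db_root_pass_sql=$(sql_quote "$db_root_pass2")

#Create local Guacamole Database User.
#SQL is passed on stdin rather than via --execute so the passwords do not appear
#in the process argument list (visible in ps and in sudo's command logging).
sudo mysql -u root <<SQL
CREATE USER 'guacamole'@'localhost' IDENTIFIED WITH mysql_native_password AS PASSWORD('${db_user_pass_sql}');
GRANT ALL ON guacamole_db.* TO 'guacamole'@'localhost';
SQL

#Perform mysql_secure_installation queries: drop the anonymous users and the demo
#database, then set the root password so that NOBODY can access the DB without a
#password (any later attempt without usr/pwd gets access denied).
#NOTE(review): on MariaDB 10.4+ mysql.user is a view over mysql.global_priv -
#confirm the DELETE below is accepted by the MariaDB shipped with Debian 11.
sudo mysql -u root <<SQL
DELETE FROM mysql.user WHERE User='';
DROP DATABASE IF EXISTS test;
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('${db_root_pass_sql}');
FLUSH PRIVILEGES;
SQL

#Download the MySQL Java connector and extract the file
#Version pinned in one place; the same value names the tarball, the directory and the jar.
MYSQL_CONNECTOR_VERSION=8.0.33
cd "$CURRENT_DIRECTORY"
wget "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-j-${MYSQL_CONNECTOR_VERSION}.tar.gz"
tar -xzf "mysql-connector-j-${MYSQL_CONNECTOR_VERSION}.tar.gz"

#Copy the connector to guacamole folder (explicit path instead of a glob that
#could match several extracted versions)
sudo cp "./mysql-connector-j-${MYSQL_CONNECTOR_VERSION}/mysql-connector-j-${MYSQL_CONNECTOR_VERSION}.jar" /etc/guacamole/lib/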

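#create the blank guacamole property and config files.
#guacamole.properties holds the DB password, so its permissions are restricted
#BEFORE any content is written: readable by root and the tomcat group only
#(Debian's tomcat9 package runs Tomcat as user 'tomcat'). tee keeps the mode.
sudo touch /etc/guacamole/guacamole.properties /etc/guacamole/guacd.conf
sudo chown root:tomcat /etc/guacamole/guacamole.properties
sudo chmod 640 /etc/guacamole/guacamole.properties

#Modify the guacamole.properties file with DB details.
#guacd-hostname/guacd-port point the web app at the loopback address guacd is
#bound to below.
sudo tee /etc/guacamole/guacamole.properties >/dev/null <<EOF
guacd-hostname: 127.0.0.1
guacd-port: 4822
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole
mysql-password: $db_user_pass2
EOF

#Modify the guacd.conf file.
#guacd is only contacted by Tomcat on this host, so bind it to loopback instead
#of 0.0.0.0; the guacd protocol has no authentication of its own, so exposing
#port 4822 on every interface is unnecessary surface.
sudo tee /etc/guacamole/guacd.conf >/dev/null <<EOF
[server]
bind_host = 127.0.0.1
bind_port = 4822
EOF

# restart guacd and tomcat 9
sudo systemctl restart guacd
sudo systemctl restart tomcat9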

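#Install Nginx
sudo apt install -y nginx

#Start nginx on boot
sudo systemctl enable nginx

#Remove the default NGINX site. rm -f (instead of unlink) does not fail under
#set -e when the link is already gone, e.g. on a re-run.
sudo rm -f /etc/nginx/sites-enabled/default

#Create the NGINX config (tee creates the file, so no separate touch is needed).
#Inside the heredocs, \$name keeps nginx's own variables from being expanded by
#the shell; $server_FQDN2 and the cert paths are meant to be expanded.
if [[ "$define_ssl_cert" == "y" ]]
then
    sudo tee /etc/nginx/sites-available/guacamole > /dev/null <<EOF
    #Plain HTTP only redirects to the HTTPS site below
    server {
        listen      80;
        server_name $server_FQDN2;
        return 301 https://\$host\$request_uri;
    }

    server {
        listen      443 ssl http2;
        server_name $server_FQDN2;

        root /var/www/html;
        index index.html;

        #SSL Certs
        ssl_certificate $ssl_cert_path;
        ssl_certificate_key $ssl_key_path;

        #Force strong TLS
        ssl_protocols      TLSv1.3;
        ssl_prefer_server_ciphers   on;

        #Disable weak ciphers. Note: ssl_ciphers governs TLS 1.2 and earlier only;
        #with ssl_protocols limited to TLSv1.3 this list has no practical effect.
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

        access_log /var/log/nginx/guacamole-access.log;
        error_log /var/log/nginx/guacamole-error.log;

        #Gucamole location
        location / {
            proxy_pass http://127.0.0.1:8080/guacamole/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection \$http_connection;
            client_max_body_size 1g;
            access_log off;
        }
    }
EOF
    echo "That's it! You can now access your Guacamole instance at https://$server_FQDN2, using user 'guacadmin' and password 'guacadmin'. Change your password upon login."

else
    sudo tee /etc/nginx/sites-available/guacamole > /dev/null <<EOF
    server {
        listen      80;
        server_name $server_FQDN2;

        root /var/www/html;
        index index.html;

        access_log /var/log/nginx/guacamole-access.log;
        error_log /var/log/nginx/guacamole-error.log;

        #Gucamole location
        location / {
            proxy_pass http://127.0.0.1:8080/guacamole/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection \$http_connection;
            client_max_body_size 1g;
            access_log off;
        }
    }
EOF
    echo "That's it! You can now access your Guacamole instance at http://$server_FQDN2, using user 'guacadmin' and password 'guacadmin'. Change your password upon login."
fi

#Link config (-f replaces a link left behind by an earlier run instead of failing)
sudo ln -sf /etc/nginx/sites-available/guacamole /etc/nginx/sites-enabled/guacamole

#Validate the generated config now, so a mistake fails here rather than at the final restart
sudo nginx -t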

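#Set guacd to run under guacd user instead of daemon. This is needed for RDP to work properly.
#Nothing earlier in the script creates the account, so add a system user if it is
#missing; otherwise the chown below would fail.
if ! id guacd >/dev/null 2>&1
then
    sudo useradd --system --no-create-home --home-dir /var/lib/guacd --shell /usr/sbin/nologin guacd
fi

#The original called "ed -i", which is not a valid ed invocation; sed is intended.
#The pattern is anchored on the User= key so no other occurrence of the word
#"daemon" in the unit file is rewritten, and the result is verified so a
#non-matching unit file fails loudly instead of leaving guacd running as daemon.
sudo sed -i 's/^User=daemon/User=guacd/' /etc/systemd/system/guacd.service
if ! grep -q '^User=guacd' /etc/systemd/system/guacd.service
then
    echo "guacd.service: could not set User=guacd; check the unit file" >&2
    exit 1
fi
sudo mkdir -p /var/lib/guacd
sudo chown -R guacd: /var/lib/guacd

#Restart all services
sudo systemctl daemon-reload
sudo systemctl restart guacd tomcat9 mariadb nginx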

The script asks for user input at the beginning and then runs unattended.

Screenshot 2023-04-23 010924.png

Once completed, you can navigate to your server and log in using user 'guacadmin' and password 'guacadmin'.

Change your password upon login.