
Bash Script Installation on Debian 11

Based on the Manual Installation steps, I have created a simple bash script to automate the Apache Guacamole server install with MariaDB for database authentication and NGINX for web-server front-end. 

Copy the following code into a bash file, and run the script with sudo.

If you want to enable HTTPS for NGINX, make sure you have placed your self-signed internal certificate or public certificate (and its private key) on the server before running the script. 

#!/bin/bash
#Simple script to install Apache Guacamole with MariaDB and NGINX

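# Exit immediately if a command exits with a non-zero status, and treat a
# pipeline as failed when any stage fails (not only the last one), so a broken
# download or schema import cannot pass unnoticed.
set -eo pipefail

# Guacamole release that is downloaded, built and installed.
GUACAMOLE_VERSION=1.5.1
# Directory the script was started from; every download is placed here.
CURRENT_DIRECTORY=$(pwd)

#Get all the variables for the configs
# printf is used because bash's echo does not interpret "\n" without -e and
# would print the backslash sequence literally.
printf '%s\n\n' "This is a simple script for installing Apache Guacamole with MariaDB Database Authentication and NGINX SSL Frontend. "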

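#Prompt for DB user 'guacamole' password
# Loops until the same non-empty password has been typed twice.
#   -s   suppresses terminal echo
#   -r   keeps backslashes literal
#   IFS= keeps leading/trailing whitespace
# so the value stored is exactly what was typed. The confirmed value is left in
# db_user_pass2, which the rest of the script reads.
while true
do
    IFS= read -rsp "Enter a password for the new guacamole database user:" db_user_pass1 \
        || { echo "" >&2; echo "No input available on stdin. Aborting." >&2; exit 1; }
    echo ""
    IFS= read -rsp "Enter the password again:" db_user_pass2 \
        || { echo "" >&2; echo "No input available on stdin. Aborting." >&2; exit 1; }
    echo ""
    if [ -z "$db_user_pass1" ]
    then
        # An empty value would create a database account with no password.
        echo "Password must not be empty. Try again."
    elif [ "$db_user_pass1" == "$db_user_pass2" ]
    then
        break
    else
        echo "Password did not match. Try again."
    fi
done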

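#Prompt for the MariaDB root password
# Loops until the same non-empty password has been typed twice. -s hides the
# input, -r keeps backslashes literal and IFS= keeps surrounding whitespace, so
# the stored value is exactly what was typed. The confirmed value is left in
# db_root_pass2.
while true
do
    IFS= read -rsp "Enter a new MariaDB Root User password:" db_root_pass1 \
        || { echo "" >&2; echo "No input available on stdin. Aborting." >&2; exit 1; }
    echo ""
    IFS= read -rsp "Enter the password again:" db_root_pass2 \
        || { echo "" >&2; echo "No input available on stdin. Aborting." >&2; exit 1; }
    echo ""
    if [ -z "$db_root_pass1" ]
    then
        # An empty value would leave the database root account without a password.
        echo "Password must not be empty. Try again."
    elif [ "$db_root_pass1" == "$db_root_pass2" ]
    then
        break
    else
        echo "Password did not match. Try again."
    fi
done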

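#Prompt for the server's fully qualified domain name
# The confirmed value (server_FQDN2) is written verbatim into the NGINX
# server_name directive later, so it is restricted to hostname characters:
# anything else (spaces, ';', braces) would corrupt the generated config.
fqdn_pattern='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
while true
do
    read -rp "Enter your Apache Gucamole Server's FQDN:" server_FQDN1 \
        || { echo "" >&2; echo "No input available on stdin. Aborting." >&2; exit 1; }
    echo ""
    read -rp "Enter the FQDN again:" server_FQDN2 \
        || { echo "" >&2; echo "No input available on stdin. Aborting." >&2; exit 1; }
    echo ""
    if [[ ! "$server_FQDN1" =~ $fqdn_pattern ]]
    then
        echo "FQDN may only contain letters, digits, dots and hyphens. Try again."
    elif [ "$server_FQDN1" == "$server_FQDN2" ]
    then
        break
    else
        echo "FQDN did not match. Try again."
    fi
done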

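# Ask user if they want to define SSL cert location
# Only an explicit yes or no is accepted. The answer is normalised to "y"/"n"
# because the NGINX section compares it with the literal "y"; without this, an
# answer such as "Y" or "yes" would silently produce the plain-HTTP site.
while true
do
    read -rp "Do you want to define SSL cert location? (y/n): " define_ssl_cert \
        || { echo "" >&2; echo "No input available on stdin. Aborting." >&2; exit 1; }
    case "$define_ssl_cert" in
        [yY]|[yY][eE][sS])
            define_ssl_cert=y
            break
            ;;
        [nN]|[nN][oO])
            define_ssl_cert=n
            break
            ;;
        *)
            echo "Please answer y or n."
            ;;
    esac
done

if [ "$define_ssl_cert" == "y" ]
then
    # Prompt for SSL cert and key location
    while true
    do
        read -rp "Enter the location of your SSL Cert: " ssl_cert_path \
            || { echo "" >&2; echo "No input available on stdin. Aborting." >&2; exit 1; }
        read -rp "Enter the location of your SSL Key: " ssl_key_path \
            || { echo "" >&2; echo "No input available on stdin. Aborting." >&2; exit 1; }

        # Both values are copied verbatim into the NGINX config, where a
        # relative path would not be resolved against this script's working
        # directory, so absolute paths to existing regular files are required.
        if [[ "$ssl_cert_path" == /* && "$ssl_key_path" == /* && -f "$ssl_cert_path" && -f "$ssl_key_path" ]]
        then
            break
        else
            echo "Invalid SSL Cert or Key location. Try again."
            echo "Both must be absolute paths to existing files."
        fi
    done
else
    echo "Skipping SSL Cert configuration..."
fi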

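#update repo
# apt-get is used throughout (as the MariaDB step already does): apt's
# command-line interface is intended for interactive use. The two steps are
# separate commands rather than an "&&" chain because "set -e" does not abort
# on a failure to the left of "&&". --with-new-pkgs keeps the behaviour of
# "apt upgrade", which may install new packages to satisfy upgraded ones.
sudo apt-get update
sudo apt-get upgrade -y --with-new-pkgs

#install debian dependency
sudo apt-get install -y build-essential wget

#install Apache Guacamole dependencies
# Development headers needed to compile guacamole-server.
sudo apt-get install -y \
    libcairo2-dev libjpeg62-turbo-dev libpng-dev libtool-bin uuid-dev \
    libavcodec-dev libavformat-dev libavutil-dev libswscale-dev \
    freerdp2-dev libpango1.0-dev libssh2-1-dev libvncserver-dev \
    libwebsockets-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev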

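#install Tomcat 9
# apt-get for consistency with the other package steps in this script.
# NOTE(review): tomcat9-admin adds Tomcat's manager web applications; the rest
# of this script does not appear to use them, so consider leaving the package
# out to keep the exposed surface small.
sudo apt-get install -y tomcat9 tomcat9-admin

#enable Tomcat 9
# Start the service now and at every boot.
# NOTE(review): NGINX later proxies to 127.0.0.1:8080, but nothing in this
# script restricts Tomcat's own listener. If Tomcat listens on all interfaces
# (presumably its default), Guacamole stays reachable over plain HTTP on port
# 8080 unless a firewall or the connector's address setting limits it.
sudo systemctl enable --now tomcat9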

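#Download guacamole server and extract the tar file
# Variables are quoted so a working directory containing spaces does not break
# the cd. -O pins the output name: on a re-run wget would otherwise save a
# ".1" copy and tar would unpack the stale file from the previous run.
cd "$CURRENT_DIRECTORY"
server_tarball="guacamole-server-${GUACAMOLE_VERSION}.tar.gz"
wget -O "$server_tarball" "https://downloads.apache.org/guacamole/${GUACAMOLE_VERSION}/source/${server_tarball}"
# NOTE(review): this source is compiled and then installed as root below
# without any integrity check. Apache publishes a detached PGP signature and
# checksum files next to each release artifact; verify the tarball against
# them (with the project's KEYS file) before extracting.
tar -xzf "$server_tarball"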

# Enter the unpacked source tree (relative to the download directory) and run
# the configure step, which checks build requirements; --with-systemd-dir sets
# the directory the build uses for systemd unit files.
cd "guacamole-server-${GUACAMOLE_VERSION}"
./configure --with-systemd-dir=/etc/systemd/system/

# Build as the invoking user; only the install step is run through sudo.
make
sudo make install

# Refresh the dynamic linker cache so the newly installed libraries are found.
sudo ldconfig

# Let systemd pick up the new unit file, then enable guacd at boot.
# guacd is not started here; it is restarted later in the script.
sudo systemctl daemon-reload
sudo systemctl enable guacd

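#Download guacamole clients
# cd and wget are separate commands: in "cd ... && wget ..." a failing cd is not
# caught by "set -e". -O pins the file name so a re-run overwrites the previous
# download instead of saving a ".1" copy next to it.
cd "$CURRENT_DIRECTORY"
client_war="guacamole-${GUACAMOLE_VERSION}.war"
wget -O "$client_war" "https://downloads.apache.org/guacamole/${GUACAMOLE_VERSION}/binary/${client_war}"
# NOTE(review): the .war is deployed without an integrity check; verify it
# against the signature/checksum published with the release before deploying.

#Move the downloaded .war file to the Tomcat webapps directory
sudo mv -- "$client_war" /var/lib/tomcat9/webapps/guacamole.war

#create the configuration directory
sudo mkdir -p /etc/guacamole/{extensions,lib}

#Tell Tomcat to look for GUACAMOLE_HOME directory in /etc/guacamole
# Append the setting only when it is not already present, so running the
# script again does not add duplicate lines to /etc/default/tomcat9.
if ! sudo grep -qxF 'GUACAMOLE_HOME=/etc/guacamole' /etc/default/tomcat9
then
    sudo sed -i '$ a GUACAMOLE_HOME=/etc/guacamole' /etc/default/tomcat9
fi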

# MariaDB server and command-line client from the distribution repositories.
sudo apt-get -y install mariadb-server mariadb-client

# Have systemd start MariaDB at every boot.
sudo systemctl enable mariadb

# Create the database Guacamole will use. IF NOT EXISTS makes the statement
# safe to repeat. The client is run through sudo as the database root user,
# with no password supplied.
sudo mysql --user=root --execute="CREATE DATABASE IF NOT EXISTS guacamole_db"

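#Download the Guacamole Database Extension and extract the tar file
# Each step is its own command so that "set -e" aborts on the first failure
# (a failure to the left of "&&" is not caught). -O pins the file name so a
# re-run does not unpack a stale copy.
cd "$CURRENT_DIRECTORY"
jdbc_name="guacamole-auth-jdbc-${GUACAMOLE_VERSION}"
wget -O "${jdbc_name}.tar.gz" "https://downloads.apache.org/guacamole/${GUACAMOLE_VERSION}/binary/${jdbc_name}.tar.gz"
# NOTE(review): this archive supplies Guacamole's authentication extension and
# database schema and is used without an integrity check; verify it against the
# signature/checksum published with the release before extracting.
tar -xzf "${jdbc_name}.tar.gz"

#Copy guacamole-auth-jdbc-mysql-* to the guacamole extensions folder
sudo cp -- "./${jdbc_name}/mysql/guacamole-auth-jdbc-mysql-${GUACAMOLE_VERSION}.jar" /etc/guacamole/extensions/

#Copy the Guacamole Schema to the MariaDB database
# The schema files of exactly this version are loaded one at a time, in glob
# (sorted) order. A wildcard on the directory name would also pick up schema
# files left behind by another version, and piping "cat" into mysql would hide
# a failure to read the files.
for schema_file in "./${jdbc_name}/mysql/schema/"*.sql
do
    sudo mysql -u root guacamole_db < "$schema_file"
done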

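# Print $1 as a single-quoted SQL string literal, escaping backslashes and
# single quotes so the value cannot terminate the literal early.
sql_quote() {
    local value=$1
    value=${value//\\/\\\\}
    value=${value//\'/\\\'}
    printf "'%s'" "$value"
}

# All account statements are sent to one mysql session on standard input.
# The original passed each statement with --execute, which (a) put both
# passwords into the process argument list, where other local users can read
# them, and (b) embedded the passwords unescaped, so a quote or backslash in a
# password broke or altered the statement. The client stops at the first
# failing statement and returns non-zero, which aborts the script under set -e.
#
# Statements, in order:
#   - create the local 'guacamole' account and grant it guacamole_db
#   - mysql_secure_installation-style cleanup: drop anonymous users and the
#     demo database 'test'
#   - set the password for 'root'@'localhost' and reload the privilege tables
# NOTE(review): the original comment claims nobody can reach the database
# without a password after this point, yet the original still ran
# "sudo mysql -u root" with no password right after setting it; confirm how
# root@localhost authenticates on the target system before relying on that.
sudo mysql -u root <<SQL
CREATE USER 'guacamole'@'localhost' IDENTIFIED WITH mysql_native_password AS PASSWORD($(sql_quote "$db_user_pass2"));
GRANT ALL ON guacamole_db.* TO 'guacamole'@'localhost';
DELETE FROM mysql.user WHERE User='';
DROP DATABASE IF EXISTS test;
SET PASSWORD FOR 'root'@'localhost' = PASSWORD($(sql_quote "$db_root_pass2"));
FLUSH PRIVILEGES;
SQL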

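#Download the MySQL Java connector and extract the tar file
# The connector version is named once so the download, the extraction and the
# copy all refer to the same release. Steps are separate commands so that
# "set -e" aborts on the first failure.
MYSQL_CONNECTOR_VERSION=8.0.33
connector_name="mysql-connector-j-${MYSQL_CONNECTOR_VERSION}"
cd "$CURRENT_DIRECTORY"
wget -O "${connector_name}.tar.gz" "https://dev.mysql.com/get/Downloads/Connector-J/${connector_name}.tar.gz"
# NOTE(review): the driver is loaded into the Guacamole web application and is
# fetched here without an integrity check; compare it with the checksum or
# signature offered by the vendor before installing.
tar -xzf "${connector_name}.tar.gz"

#Copy the connector to guacamole folder
# Only the directory of the pinned version is searched, so a connector left
# over from an earlier run with a different version is not copied as well.
sudo cp -- "./${connector_name}"/mysql-connector-j-*.jar /etc/guacamole/lib/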

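#create the blank guacamole property and config files
sudo touch /etc/guacamole/{guacamole.properties,guacd.conf}

# guacamole.properties receives the database password in clear text below.
# Created by touch alone it would take the default mode and could be readable
# by every local user, so access is limited to root and the Tomcat service
# group before the secret is written.
# Assumes the tomcat9 service runs with group "tomcat" - confirm on the target.
sudo chown root:tomcat /etc/guacamole/guacamole.properties
sudo chmod 640 /etc/guacamole/guacamole.properties

#Modify the guacamole.properties file with DB details
# The here-document delimiter is unquoted, so $db_user_pass2 is expanded when
# the file is written.
# NOTE(review): the password is written as typed; confirm how the properties
# format treats backslashes and other special characters in values.
sudo tee /etc/guacamole/guacamole.properties >/dev/null <<EOF
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole
mysql-password: $db_user_pass2
EOF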

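#Write the guacd.conf file with the listener settings for guacd
# guacd is bound to the loopback address instead of 0.0.0.0. The web
# application runs on this same host and guacamole.properties (written by this
# script) sets no guacd host, so it is expected to connect locally; listening
# on every interface would expose the guacd port (4822) to the network for no
# benefit. No TLS or access control for guacd is configured in this file.
sudo tee /etc/guacamole/guacd.conf >/dev/null <<EOF
[server]
bind_host = 127.0.0.1
bind_port = 4822
EOF

# restart guacd and tomcat 9
# Both services re-read their configuration on restart.
sudo systemctl restart guacd
sudo systemctl restart tomcat9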

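#Install Nginx
# apt-get for consistency with the other package steps in this script.
sudo apt-get install -y nginx

#Start nginx on boot
sudo systemctl enable nginx

#Unlink the default NGINX config
# rm -f succeeds when the link is already gone, so a second run of the script
# does not abort here under "set -e" (unlink fails on a missing file).
sudo rm -f /etc/nginx/sites-enabled/default

#Create blank NGINX Config
sudo touch /etc/nginx/sites-available/guacamole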

#Create the NGINX config
# Writes /etc/nginx/sites-available/guacamole in one of two variants: an HTTPS
# site on port 443 when the user answered "y" to the certificate question, or
# a plain-HTTP site on port 80 otherwise. Both proxy every request to the
# Guacamole web application at http://127.0.0.1:8080/guacamole/.
# The here-document delimiters are unquoted, so $server_FQDN2, $ssl_cert_path
# and $ssl_key_path are expanded when the file is written, while the escaped
# \$... names reach the file as literal NGINX variables.
if [ "$define_ssl_cert" == "y" ]
then
    # HTTPS variant. Points to check in the generated file:
    #  - ssl_protocols lists TLSv1.3 only, so clients without TLS 1.3 support
    #    cannot connect.
    #  - NOTE(review): the ssl_ciphers list names an RC4 entry and later
    #    excludes RC4; with TLSv1.3 as the only protocol the list presumably
    #    has no effect on the negotiated suites - confirm or drop it.
    #  - "access_log off" inside "location /" appears to override the
    #    server-level access_log, which would leave proxied requests (including
    #    logins) unlogged by NGINX - confirm this is intended.
    sudo tee /etc/nginx/sites-available/guacamole > /dev/null <<EOF
    server {
        listen      443 ssl http2;
        server_name $server_FQDN2;

        root /var/www/html;
        index index.html;

        #SSL Certs
        ssl_certificate $ssl_cert_path;
        ssl_certificate_key $ssl_key_path;

        #Force strong TLS
        ssl_protocols      TLSv1.3;
        ssl_prefer_server_ciphers   on;

        #Disable weak ciphers
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

        access_log /var/log/nginx/guacamole-access.log;
        error_log /var/log/nginx/guacamole-error.log;

        #Gucamole location
        location / {
            proxy_pass http://127.0.0.1:8080/guacamole/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection \$http_connection;
            client_max_body_size 1g;
            access_log off;
        }
    }
EOF
    # Printed before the site is linked and the services are restarted further
    # down. The message names the account guacadmin/guacadmin; it stays valid
    # until the password is changed in the web interface.
    echo "That's it! You can now access your Guacamole instance at https://$server_FQDN2, using user 'guacadmin' and password 'guacadmin'. Change your password upon login."

else
    # Plain-HTTP variant: the site listens on port 80 with no TLS, so logins
    # and remote-session traffic between the browser and NGINX are sent
    # unencrypted. "access_log off" in "location /" applies here as well.
    sudo tee /etc/nginx/sites-available/guacamole > /dev/null <<EOF
    server {
        listen      80;
        server_name $server_FQDN2;

        root /var/www/html;
        index index.html;

        access_log /var/log/nginx/guacamole-access.log;
        error_log /var/log/nginx/guacamole-error.log;

        #Gucamole location
        location / {
            proxy_pass http://127.0.0.1:8080/guacamole/;
            proxy_buffering off;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header Upgrade \$http_upgrade;
            proxy_set_header Connection \$http_connection;
            client_max_body_size 1g;
            access_log off;
        }
    }
EOF
    # Printed before the site is linked and the services are restarted further
    # down; names the guacadmin/guacadmin account.
    echo "That's it! You can now access your Guacamole instance at http://$server_FQDN2, using user 'guacadmin' and password 'guacadmin'. Change your password upon login."
fi

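#Link config
# -sfn replaces an existing link, so a second run of the script does not abort
# here under "set -e" (plain "ln -s" fails when the link already exists).
sudo ln -sfn /etc/nginx/sites-available/guacamole /etc/nginx/sites-enabled/guacamole

# Validate the generated configuration first: a bad certificate path or host
# name then stops the script with a clear error instead of a failed restart.
sudo nginx -t

#Restart all services
sudo systemctl restart guacd tomcat9 mariadb nginx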

Once completed, you can navigate to your server and log in using user 'guacadmin' and password 'guacadmin'.

Change your password upon login.