Guacamole

Source du script : http://chari.titanium.ee/script-to-install-guacamole/

#!/bin/bash

# Guacamole installation
# Supports Ubuntu 14.04,15.10 and Debian wheezy,jessie
# 32 and 64 bit
# Script to be run as sudo/root
# ver 1.5
# To be run on a FRESH OS install
# Do not install anything other than base OS
# Bharath Chari 2016
# http://chari.titanium.ee


#Variables for guacamole/mysql connector versionsare set here.
#Don't modify unless you know what you're doing
GUAC_VER=0.9.9
MYSQL_CONNECTOR_VERSION=5.1.38

# DO NOT MODIFY BELOW THIS LINE.
echo "Checking system.."
# Check if user is root or sudo
if ! [ $(id -u) = 0 ]; then echo "Please run this script as sudo or root"; exit 1 ; fi
# Check if this script has already been run successfully.
test -f /var/lock/guac-installed.lock && { echo "Guacamole already installed. This script cannot be run"; exit 1; }
# install lsb-release to check Distro version. Also gives us an idea if it's an apt based system!
apt-get -qq install lsb-release -y || { echo "Unsupported distribution. Aborting installation."; exit 1; }

# fetch the codename of the distribution (eg: trusty,wily,wheezy,jessie)
DISTVER=$(lsb_release -c | cut -d':' -f 2 | sed 's/[[:space:]]//g')

# Set Tomcat version depending on which distribution version else exit script
case $DISTVER in
    trusty|wheezy)
        TOMCAT_VER=tomcat7
        ;;
    wily|jessie)
        TOMCAT_VER=tomcat8
        ;;
    *)
    echo "Unsupported distribution. Sorry. Installation aborted"
    echo "Script works on Ubuntu (trusty,wily) and Debian (wheezy,jessie)"
    exit 1;
esac

# Set environment to non-interactive
export DEBIAN_FRONTEND="noninteractive"

# Today's date
TODAY=$(date +"%m-%d-%Y")

# get architecture - 32 bit or 64 bit
if [ $(getconf LONG_BIT | grep 64) ]; then ARCH="x86_64";  else ARCH="i386"; fi

# Find hostname
MYHOST=$(hostname -f)

#Helper functions
# Generate random string for passwords and directory names
genrand () { cat /dev/urandom | tr -dc '0-9A-Za-z+=_' | fold -w $1 | head -n 1 ; }


# Create temp directory for downloads. Uses genrand() to create random string
tmpdir=$(genrand 32)

cd ~
mkdir $tmpdir && cd $tmpdir

# Get passwords from user
clear
echo "Set passwords for the system"
echo "Note: Passwords will NOT be displayed on screen!"
echo 
while true
do
    read -s -p "Set MySQL ROOT Password: " MYSQL_ROOT_PASSWD
    echo
    read -s -p "MySQL ROOT Password (again): " password2
    echo
    [ "$MYSQL_ROOT_PASSWD" = "$password2" ] && break
    echo "Passwords don't match. Please try again"
done

echo

while true
do
    read -s -p "Set Guacamole DATABASE Password: " GUAC_DB_PASSWD
    echo
    read -s -p "Guacamole DATABASE Password (again): " password2
    echo
    [ "$GUAC_DB_PASSWD" = "$password2" ] && break
    echo "Passwords don't match. Please try again"
done

echo

while true
do
    read -s -p "Set Guacamole (guacadmin) WEB ADMIN Password: " GUAC_ADMIN_PASSWORD
    echo
    read -s -p "Guacamole (guacadmin) WEB ADMIN Password (again): " password2
    echo
    [ "$GUAC_ADMIN_PASSWORD" = "$password2" ] && break
    echo "Passwords don't match. Please try again"
done



# End password input


# Upgrade all packages
apt-get update && apt-get upgrade -y

#Install required dependencies
echo "Installing packages"
# Tomcat version is determined by distro 
apt-get -qq install $TOMCAT_VER -y
apt-get -qq install $TOMCAT_VER-admin $TOMCAT_VER-docs -y

apt-get -qq install ntp -y
apt-get -qq install build-essential -y
apt-get -qq install libcairo2-dev libjpeg62* libpng12-dev libossp-uuid-dev -y
apt-get -qq install libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libvorbis-dev -y
apt-get -qq install default-jdk -y
apt-get -qq install debconf-utils fail2ban -y

#MySQL install with preset password stored in variable MYSQL_ROOT_PASSWD
echo mysql-server mysql-server/root_password password $MYSQL_ROOT_PASSWD | debconf-set-selections
echo mysql-server mysql-server/root_password_again password $MYSQL_ROOT_PASSWD | debconf-set-selections
apt-get -qq install mysql-server -y

# Fetch and install guacamole server and client
echo "Downloading and configuring guacamole.."
#Fetch/compile/install guacamole-server-version defined in variable GUAC_VER
wget -O guacamole-server-$GUAC_VER.tar.gz http://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-$GUAC_VER.tar.gz
tar -zxvf guacamole-server-$GUAC_VER.tar.gz
cd guacamole-server-$GUAC_VER/
./configure --with-init-dir=/etc/init.d
make
make install;
ldconfig

#Fetch / install client, JDBC-auth and mysql connectors 
mkdir -p /var/lib/guacamole && cd /var/lib/guacamole/
wget http://sourceforge.net/projects/guacamole/files/current/binary/guacamole-$GUAC_VER.war -O guacamole.war
ln -s /var/lib/guacamole/guacamole.war /var/lib/$TOMCAT_VER/webapps/guacamole.war
mkdir -p ~/$tmpdir/guacamole/sqlauth && cd ~/$tmpdir/guacamole/sqlauth
wget -O guacamole-auth-jdbc-$GUAC_VER.tar.gz http://sourceforge.net/projects/guacamole/files/current/extensions/guacamole-auth-jdbc-$GUAC_VER.tar.gz
tar -zxvf guacamole-auth-jdbc-$GUAC_VER.tar.gz
wget -O mysql-connector-java-$MYSQL_CONNECTOR_VERSION.tar.gz http://dev.mysql.com/get/Downloads/Connector/j/mysql-connector-java-$MYSQL_CONNECTOR_VERSION.tar.gz
tar -zxf mysql-connector-java-$MYSQL_CONNECTOR_VERSION.tar.gz
mkdir -p /usr/share/$TOMCAT_VER/.guacamole/{extensions,lib}
mv guacamole-auth-jdbc-$GUAC_VER/mysql/guacamole-auth-jdbc-mysql-$GUAC_VER.jar /usr/share/$TOMCAT_VER/.guacamole/extensions/
mv mysql-connector-java-$MYSQL_CONNECTOR_VERSION/mysql-connector-java-$MYSQL_CONNECTOR_VERSION-bin.jar /usr/share/$TOMCAT_VER/.guacamole/lib/
service mysql restart

# Create Guacamole mysql user and db
mysql --host=localhost --user=root --password=$MYSQL_ROOT_PASSWD << END

CREATE DATABASE IF NOT EXISTS guacdb;
CREATE USER 'guacuser'@'localhost' IDENTIFIED BY '$GUAC_DB_PASSWD';
grant select,insert,update,delete on guacdb.* to 'guacuser'@'localhost';
flush privileges;

END

cd ~/$tmpdir/guacamole/sqlauth/guacamole-auth-jdbc-$GUAC_VER/mysql/schema/
cat ./*.sql | mysql --host=localhost --user=root --password=$MYSQL_ROOT_PASSWD guacdb

# Create guacamole.properties file
mkdir -p /etc/guacamole/ 
cat > /etc/guacamole/guacamole.properties << EOG

mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacdb
mysql-username: guacuser
mysql-password:$GUAC_DB_PASSWD
 
mysql-disallow-duplicate-connections: false

EOG

ln -s /etc/guacamole/guacamole.properties /usr/share/$TOMCAT_VER/.guacamole/

# Change default guacadmin password in guacdb
mysql --host=localhost --user=root --password=$MYSQL_ROOT_PASSWD << END

USE guacdb;
SET @salt = UNHEX(SHA2(UUID(), 256));
UPDATE guacamole_user
SET
    password_salt = @salt,
    password_hash = UNHEX(SHA2(CONCAT('$GUAC_ADMIN_PASSWORD', HEX(@salt)), 256))
WHERE
    username = 'guacadmin';

END

#Adding patch for entropy in virtual machines
sec_file=/jre/lib/security/java.security
java_path=$(dirname $(dirname $(readlink -f $(which javac))))
if grep -xq "urandom" $java_path$sec_file ; then
  echo "File already patched to use /dev/urandom"
else
 echo  "securerandom.source=file:/dev/./urandom">> $java_path$sec_file
fi  

# Add links for FreeRDP depending on architecture
mkdir -p /usr/lib/$ARCH-linux-gnu/freerdp/
ln -s /usr/local/lib/freerdp/guac*.so /usr/lib/$ARCH-linux-gnu/freerdp/

# Adding startup services
case $DISTVER in
    trusty|wheezy|wily)
        update-rc.d guacd defaults
        update-rc.d mysql defaults
        update-rc.d $TOMCAT_VER defaults 
        ;;
    jessie)
        systemctl enable $TOMCAT_VER
        systemctl enable mysql
        systemctl enable guacd
        ;;
    *)
esac



## Cleaning up
cd ~
rm -rf $tmpdir

touch /var/lock/guac-installed.lock
echo "Done"
echo
echo "#################################################################################"
echo "Guacamole install complete. Reboot server now - sudo shutdown -r now"
echo "After rebooting, you can access your installation at http://$MYHOST:8080/guacamole"
echo "#################################################################################"
exit 0;

Nginx

location /guacamole/ {
    proxy_pass http://HOSTNAME:8080/guacamole/;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    access_log off;
}

Avec changement du chemin (/guacamole/) :

location /new-path/ {
    proxy_pass http://HOSTNAME:8080/guacamole/;
    proxy_buffering off;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_cookie_path /guacamole/ /new-path/;
    access_log off;
}

Exemple :

server {
	listen 80;
	server_name my-guacamole.net;
	return 301 https://$server_name$request_uri;
}

server {
        listen 443;
        server_name my-guacamole.net;
        access_log /var/log/nginx/my-guacamole.net-access.log;
        error_log /var/log/nginx/my-guacamole.net-error.log;
        rewrite_log on;

	ssl on;
	ssl_certificate /etc/letsencrypt/live/my-guacamole.net/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/my-guacamole.net/privkey.pem;

location / {
        proxy_pass http://127.0.0.1:8080/guacamole/;
        proxy_redirect off;
	proxy_buffering off;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $http_connection;
	proxy_cookie_path /guacamole/ /;
	access_log off;
    }
}

Apache

Activer le mod proxy :

a2enmod proxy
<Location /guacamole/>
    Order allow,deny
    Allow from all
    ProxyPass http://HOSTNAME:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://HOSTNAME:8080/guacamole/
</Location>

<Location /guacamole/websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://HOSTNAME:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://HOSTNAME:8080/guacamole/websocket-tunnel
</Location>

Avec changement du chemin (/guacamole/) :

<Location /new-path/>
    Order allow,deny
    Allow from all
    ProxyPass http://HOSTNAME:8080/guacamole/ flushpackets=on
    ProxyPassReverse http://HOSTNAME:8080/guacamole/
    ProxyPassReverseCookiePath /guacamole/ /new-path/
</Location>

<Location /new-path/websocket-tunnel>
    Order allow,deny
    Allow from all
    ProxyPass ws://HOSTNAME:8080/guacamole/websocket-tunnel
    ProxyPassReverse ws://HOSTNAME:8080/guacamole/websocket-tunnel
</Location>

SSL

Penser à installer du Let's Encrypt.

  • system/linux/guacamole.txt
  • Dernière modification: 2018/12/02 16:01
  • par Liandri