itiligent
diff --git a/‎1-setup.sh‎
Lines changed: 169 additions & 131 deletions b/‎1-setup.sh‎
Lines changed: 169 additions & 131 deletions
diff --git a/‎2-install-guacamole.sh‎
Lines changed: 45 additions & 15 deletions b/‎2-install-guacamole.sh‎
Lines changed: 45 additions & 15 deletions
diff --git a/‎3-install-nginx.sh‎
Lines changed: 38 additions & 18 deletions b/‎3-install-nginx.sh‎
Lines changed: 38 additions & 18 deletions
diff --git a/‎4a-install-ssl-self-signed-nginx.sh‎
Lines changed: 54 additions & 27 deletions b/‎4a-install-ssl-self-signed-nginx.sh‎
Lines changed: 54 additions & 27 deletions
@@ -8,8 +8,36 @@
 # pls see https://github.com/MysticRyuujin/guac-install for more
 #######################################################################################################################
 
+# Prepare text output colours
+GREY='\033[0;37m'
+DGREY='\033[0;90m'
+GREYB='\033[1;37m'
+RED='\033[0;31m'
+LRED='\033[0;91m'
+GREEN='\033[0;32m'
+LGREEN='\033[0;92m'
+YELLOW='\033[0;33m'
+LYELLOW='\033[0;93m'
+BLUE='\033[0;34m'
+LBLUE='\033[0;94m'
+CYAN='\033[0;36m'
+LCYAN='\033[0;96m'
+MAGENTA='\033[0;35m'
+LMAGENTA='\033[0;95m'
+NC='\033[0m' #No Colour
+
 clear
 
+#Script branding header
+echo
+echo -e "${GREYB}Itiligent Jump Server Appliance Setup."
+echo -e "                    ${LGREEN}Powered by Guacamole"
+
+echo
+echo
+echo -e "Beginning Guacamole setup...${GREY}"
+echo
+
 # Pre-seed MySQL install values
 if [ "${INSTALL_MYSQL}" = true ]; then
 debconf-set-selections <<< "mysql-server mysql-server/root_password password ${MYSQL_ROOT_PWD}"
@@ -26,11 +54,10 @@ if [ "${INSTALL_MYSQL}" = true ]; then
 fi
 
 # Don't do annoying prompts during apt installs
-echo
 echo -e "${GREY}Updating base Linux OS..."
-export DEBIAN_FRONTEND=noninteractive &>> ${LOG_LOCATION}
-sudo apt-get update &>> ${LOG_LOCATION}
-sudo apt-get upgrade -y &>> ${LOG_LOCATION}
+export DEBIAN_FRONTEND=noninteractive
+sudo apt-get update -qq &>> ${LOG_LOCATION}
+sudo apt-get upgrade -qq -y &>> ${LOG_LOCATION}
 if [ $? -ne 0 ]; then
 	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
 	exit 1
@@ -41,10 +68,9 @@ fi
 # Install Guacamole build dependencies.
 echo
 echo -e "${GREY}Installing dependencies required for building Guacamole, this might take a few minutes..."
-apt-get -y install ${JPEGTURBO} ${LIBPNG} ufw htop pwgen wget crudini build-essential libcairo2-dev libtool-bin uuid-dev libavcodec-dev libavformat-dev libavutil-dev \
+apt-get -qq -y install ${JPEGTURBO} ${LIBPNG} ufw htop pwgen wget crudini build-essential libcairo2-dev libtool-bin uuid-dev libavcodec-dev libavformat-dev libavutil-dev \
 libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libwebsockets-dev libpulse-dev libssl-dev \
-libvorbis-dev libwebp-dev ghostscript \
-${MYSQL} ${TOMCAT_VERSION} &>> ${LOG_LOCATION}
+libvorbis-dev libwebp-dev ghostscript ${MYSQL} ${TOMCAT_VERSION} &>> ${LOG_LOCATION}
 if [ $? -ne 0 ]; then
 	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
 	exit 1
@@ -56,10 +82,10 @@ fi
 echo
 echo -e "${GREY}Setting up SMTP for backup alerts (requires SMTP relay be permitted from this server's IP address)..."
 echo "postfix postfix/mailname string ${EMAIL_DOMAIN} | debconf-set-selections" &>> ${LOG_LOCATION}
-DEBIAN_FRONTEND="noninteractive" apt-get install postfix -y &>> ${LOG_LOCATION}
-apt-get install mailutils -y &>> ${LOG_LOCATION}
-sed -i 's/inet_interfaces = all/inet_interfaces = loopback-only/g' /etc/postfix/main.cf &>> ${LOG_LOCATION}
-service postfix restart &>> ${LOG_LOCATION}
+DEBIAN_FRONTEND="noninteractive" apt-get install postfix -qq -y &>> ${LOG_LOCATION}
+apt-get install mailutils -qq -y &>> ${LOG_LOCATION}
+sed -i 's/inet_interfaces = all/inet_interfaces = loopback-only/g' /etc/postfix/main.cf
+service postfix restart 
 if [ $? -ne 0 ]; then
 	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
 	exit 1
@@ -150,7 +176,6 @@ if [ $? -ne 0 ]; then
 fi
 echo -e "${LGREEN}Downloaded mysql-connector-java-${MYSQLJCON}.tar.gz${GREY}"
 
-echo
 echo -e "${LGREEN}Source download complete.${GREY}"
 
 # Option to pause script here as we might want to make final tweaks to source code just before compiling
@@ -181,7 +206,7 @@ echo -e "${GREY}Compiling Guacamole-Server from source with with GCC $( gcc --ve
 export CFLAGS="-Wno-error"
 
 # Configure Guacamole Server source
-./configure --with-systemd-dir=/etc/systemd/system  &>> ${LOG_LOCATION}
+./configure --with-systemd-dir=/etc/systemd/system &>> ${LOG_LOCATION}
 if [ $? -ne 0 ]; then
 	echo "Failed to configure guacamole-server"
 	echo "Trying again with --enable-allow-freerdp-snapshots"
@@ -227,7 +252,13 @@ ln -sf /etc/guacamole/guacamole.war /var/lib/${TOMCAT_VERSION}/webapps/
 # Move MySQL connector/j files
 echo -e "${GREY}Moving mysql-connector-java-${MYSQLJCON}.jar (/etc/guacamole/lib/mysql-connector-java.jar)..."
 mv -f mysql-connector-java-${MYSQLJCON}/mysql-connector-java-${MYSQLJCON}.jar /etc/guacamole/lib/mysql-connector-java.jar
-echo
+if [ $? -ne 0 ]; then
+	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
+	exit 1
+	else
+	echo -e "${LGREEN}OK${GREY}"
+	echo
+fi
 
 # Move TOTP files
 if [ "${INSTALL_TOTP}" = true ]; then
@@ -467,7 +498,6 @@ if [ $? -ne 0 ]; then
 	exit 1
 	else
 	echo -e "${LGREEN}OK${GREY}"
-	echo
 fi
 
 # Done
 
@@ -7,11 +7,35 @@
 # August 2023
 #######################################################################################################################
 
+# Prepare text output colours
+GREY='\033[0;37m'
+DGREY='\033[0;90m'
+GREYB='\033[1;37m'
+RED='\033[0;31m'
+LRED='\033[0;91m'
+GREEN='\033[0;32m'
+LGREEN='\033[0;92m'
+YELLOW='\033[0;33m'
+LYELLOW='\033[0;93m'
+BLUE='\033[0;34m'
+LBLUE='\033[0;94m'
+CYAN='\033[0;36m'
+LCYAN='\033[0;96m'
+MAGENTA='\033[0;35m'
+LMAGENTA='\033[0;95m'
+NC='\033[0m' #No Colour
+
+echo
+echo
+echo -e "${LGREEN}Installing Nginx...${DGREY}"
+echo
+
 # Install Nginx
-sudo apt-get install nginx -y &>> ${LOG_LOCATION}
+sudo apt-get install nginx -qq -y &>> ${LOG_LOCATION}
 
+echo -e "${GREY}Configuring Nginx as a proxy for Guacamole's Apache Tomcat front end...${DGREY}"
 # Configure /etc/nginx/sites-available/(local dns site name)
-cat >/etc/nginx/sites-available/$PROXY_SITE <<EOL
+cat <<EOF | tee /etc/nginx/sites-available/$PROXY_SITE
 server {
     listen 80 default_server;
     root /var/www/html;
@@ -27,10 +51,7 @@ server {
         access_log off;
     }
 }
-EOL
-
-echo
-echo -e "${GREY}Configuring Nginx proxy to connect to Guacamole's Apache front end..."
+EOF
 if [ $? -ne 0 ]; then
 	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
 	exit 1
@@ -46,8 +67,9 @@ ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/
 unlink /etc/nginx/sites-enabled/default
 
 # Do mandatory Nginx tweaks for logging actual client IPs through a proxy IP of 127.0.0.1 - DO NOT CHANGE COMMAND FORMATING!
+echo -e "${GREY}Configuring Apache Tomcat's valve to support for pass through of client IPs to Guacamole logs...${GREY}"
 sudo sed -i '/pattern="%h %l %u %t &quot;%r&quot; %s %b"/a        \        <!-- Allow host IP to pass through to guacamole.-->\n        <Valve className="org.apache.catalina.valves.RemoteIpValve"\n               internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1"\n               remoteIpHeader="x-forwarded-for"\n               remoteIpProxiesHeader="x-forwarded-by"\n               protocolHeader="x-forwarded-proto" />' /etc/$TOMCAT_VERSION/server.xml
-echo -e "${GREY}Configuring Apache Tomcat's internal proxy valve to support proxy client IP4 & IPv6 address passthough for correct logging and ACL support...${GREY}"
+
 if [ $? -ne 0 ]; then
 	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
 	exit 1
@@ -85,13 +107,12 @@ fi
 
 # Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network.
 echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..."
-sudo ufw default allow outgoing &>> ${LOG_LOCATION}
-sudo ufw default deny incoming &>> ${LOG_LOCATION}
-sudo ufw delete allow 8080/tcp &>> ${LOG_LOCATION}
-sudo ufw allow OpenSSH &>> ${LOG_LOCATION}
-sudo ufw allow 80/tcp &>> ${LOG_LOCATION}
-sudo ufw allow 443/tcp &>> ${LOG_LOCATION}
-echo "y" | sudo ufw enable &>> ${LOG_LOCATION}
+sudo ufw default allow outgoing > /dev/null 2>&1
+sudo ufw default deny incoming > /dev/null 2>&1
+sudo ufw allow OpenSSH > /dev/null 2>&1
+sudo ufw allow 80/tcp > /dev/null 2>&1
+sudo ufw allow 443/tcp > /dev/null 2>&1
+echo "y" | sudo ufw enable > /dev/null 2>&1
 if [ $? -ne 0 ]; then
 	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
 	exit 1
@@ -102,15 +123,14 @@ fi
 
 # Reload everything
 echo -e "${GREY}Restaring Guacamole & Ngnix..."
-sudo systemctl restart $TOMCAT_VERSION &>> ${LOG_LOCATION}
-sudo systemctl restart guacd &>> ${LOG_LOCATION}
-sudo systemctl restart nginx &>> ${LOG_LOCATION}
+sudo systemctl restart $TOMCAT_VERSION
+sudo systemctl restart guacd
+sudo systemctl restart nginx
 if [ $? -ne 0 ]; then
 	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
 	exit 1
 	else
 	echo -e "${LGREEN}OK${GREY}"
-	echo
 fi
 
 # Done
 
@@ -11,12 +11,34 @@
 # to provide certifacate outputs correctly. Runing just as sudo will save certs to sudo's home path
 # sudo -E ./4a-install-ssl-self-signed-nginx.sh [your-dns-name.local] [3650]
 
+# Prepare text output colours
+GREY='\033[0;37m'
+DGREY='\033[0;90m'
+GREYB='\033[1;37m'
+RED='\033[0;31m'
+LRED='\033[0;91m'
+GREEN='\033[0;32m'
+LGREEN='\033[0;92m'
+YELLOW='\033[0;33m'
+LYELLOW='\033[0;93m'
+BLUE='\033[0;34m'
+LBLUE='\033[0;94m'
+CYAN='\033[0;36m'
+LCYAN='\033[0;96m'
+MAGENTA='\033[0;35m'
+LMAGENTA='\033[0;95m'
+NC='\033[0m' #No Colour
+
+echo
+echo
+echo -e "${LGREEN}Setting up self signed SSL certificates for Nginx...${GREY}"
+echo
+
 # Hack to assist with displaying "$" symbols and " ' quotes in a (cut/pasteable) bash screen output format for Nginx configs
 SHOWASTEXT1='$mypwd'
 SHOWASTEXT2='"Cert:\LocalMachine\Root"'
 
 # Discover all IPv4 interfaces addresses to bind to new SSL certficates
-echo
 	echo -e "${GREY}Discovering the default route interface and DNS names to bind with the new SSL certificate..."
 	# Dump interface info and copy this output to a temp file
 	DUMP_IPS=$(ip -o addr show up primary scope global | while read -r num dev fam addr rest; do echo ${addr%/*}; done)
@@ -38,14 +60,11 @@ if [ $? -ne 0 ]; then
 	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
 	exit 1
 	else
-	echo -e "${GREEN}OK${GREY}"
+	echo -e "${LGREEN}OK${GREY}"
 	echo
 fi
 
-echo
-echo -e "${GREY}New self signed SSL certificate attributes are shown below...${GREY}"
-echo -e "${DGREY}"
-
+echo -e "${GREY}New self signed SSL certificate attributes are shown below...${DGREY}"
 # Display the new SSL cert parameters. Prompt for change if required
 cat <<EOF | tee -a $TMP_DIR/cert_attributes.txt
 [req]
@@ -86,13 +105,6 @@ DIR_SSL_KEY="/etc/nginx/ssl/private"
 SSLNAME=$1
 SSLDAYS=$2
 
-if [[ $SSLDAYS == "" ]]; then
-$SSLDAYS = 3650
-fi
-
-echo "Creating a new Certificate ..."
-openssl req -x509 -nodes -newkey rsa:2048 -keyout $SSLNAME.key -out $SSLNAME.crt -days $SSLDAYS -config $TMP_DIR/cert_attributes.txt
-
 # Make directories to place SSL Certificate if they don't exist
 if [[ ! -d $DIR_SSL_KEY ]]; then
 	sudo mkdir -p $DIR_SSL_KEY
@@ -102,19 +114,34 @@ if [[ ! -d $DIR_SSL_CERT ]]; then
 	sudo mkdir -p $DIR_SSL_CERT
 fi
 
+if [[ $SSLDAYS == "" ]]; then
+$SSLDAYS = 3650
+fi
+
+echo
+echo "{$GREY}Creating a new Nginx SSL Certificate ..."
+openssl req -x509 -nodes -newkey rsa:2048 -keyout $SSLNAME.key -out $SSLNAME.crt -days $SSLDAYS -config $TMP_DIR/cert_attributes.txt
+if [ $? -ne 0 ]; then
+	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
+	exit 1
+	else
+	echo -e "${LGREEN}OK${GREY}"
+	echo
+fi
+
 # Place SSL Certificate within defined path
 	sudo cp $SSLNAME.key $DIR_SSL_KEY/$SSLNAME.key
 	sudo cp $SSLNAME.crt $DIR_SSL_CERT/$SSLNAME.crt
 
 # Create a PFX formatted key for easier import to Windows hosts and change permissions to enable copying elsewhere
+	echo -e "${GREY}Creating client certificates for Windows & Linux...${GREY}"
 	sudo openssl pkcs12 -export -out $SSLNAME.pfx -inkey $SSLNAME.key -in $SSLNAME.crt -password pass:1234
 	sudo chmod 0774 $SSLNAME.pfx
-	echo -e "${GREY}Creating a selection of self signed certificates for Nginx and Windows/Linux browser clients...${GREY}"
 if [ $? -ne 0 ]; then
 	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
 	exit 1
 	else
-	echo -e "${GREEN}OK${GREY}"
+	echo -e "${LGREEN}OK${GREY}"
 	echo
 fi
 
@@ -125,12 +152,14 @@ if [ $? -ne 0 ]; then
 	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
 	exit 1
 	else
-	echo -e "${GREEN}OK${GREY}"
+	echo -e "${LGREEN}OK${GREY}"
 	echo
 fi
 
 # Update Nginx config to accept the new certificates
-cat > /etc/nginx/sites-available/$PROXY_SITE <<EOL | > /dev/null
+echo -e "${GREY}Configuring Nginx proxy to use self signed SSL certificates and setting up automatic HTTP to HTTPS redirect...${DGREY}"
+#cat > /etc/nginx/sites-available/$PROXY_SITE <<EOL | > /dev/null
+cat <<EOF | tee /etc/nginx/sites-available/$PROXY_SITE
 server {
     #listen 80 default_server;
     root /var/www/html;
@@ -167,31 +196,30 @@ server {
         access_log off;
     }
 }
-EOL
-
-echo -e "${GREY}Configuring Nginx proxy to use self signed SSL certificates and setting up automatic HTTP to HTTPS redirect...${GREY}"
+EOF
 if [ $? -ne 0 ]; then
 	echo -e "${RED}Failed. See ${LOG_LOCATION}${GREY}" 1>&2
 	exit 1
 	else
-	echo -e "${GREEN}OK${GREY}"
+	echo -e "${LGREEN}OK${GREY}"
 	echo
 fi
 
+
 printf "${GREY}+-------------------------------------------------------------------------------------------------------------
-${GREEN}+ WINDOWS CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+${LGREEN}+ WINDOWS CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
 +
-+ 1. In ${DOWNLOAD_DIR} is a Windows friendly version of the new certificate ${LYELLOW}$SSLNAME.pfx${GREY}
++ 1. In ${DOWNLOAD_DIR} is a new Windows friendly version of the new certificate ${LYELLOW}$SSLNAME.pfx${GREY}
 + 2. Copy this .pfx file to a location accessible by Windows.
-+ 3. Import the PFX file into your Windows client with the below Powershell commands (as administrator):
++ 3. Import the PFX file into your Windows client with the below Powershell commands (as Administrator):
 \n"
 echo -e "${SHOWASTEXT1} = ConvertTo-SecureString -String "1234" -Force -AsPlainText"
 echo -e "Import-pfxCertificate -FilePath $SSLNAME.pfx -Password "${SHOWASTEXT1}" -CertStoreLocation "${SHOWASTEXT2}""
 echo -e "(Clear your browser cache and restart your browser to test.)"
 printf "${GREY}+-------------------------------------------------------------------------------------------------------------
-${GREEN}+ LINUX CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
+${LGREEN}+ LINUX CLIENT SELF SIGNED SSL BROWSER CONFIG - SAVE THIS BEFORE CONTINUING!${GREY}
 +
-+ 1. In In ${DOWNLOAD_DIR} is also the Linux native OpenSSL certificate ${LYELLOW}$SSLNAME.crt${GREY}
++ 1. In ${DOWNLOAD_DIR} is a new Linux native OpenSSL certificate ${LYELLOW}$SSLNAME.crt${GREY}
 + 2. Copy this file to a location accessible by Linux.
 + 3. Import the CRT file into your Linux client certificate store with the below command (as sudo):
 \n"
@@ -212,7 +240,6 @@ if [ $? -ne 0 ]; then
 	exit 1
 else
 	echo -e "${LGREEN}OK${GREY}"
-	echo
 fi
 
 # Done