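--- /dev/null
+++ b/3-install-nginx.sh
@@ -0,0 +1,130 @@
+#!/bin/bash
+#######################################################################################################################
+# Add Nginx reverse proxy front end to default Guacamole install
+# For Ubuntu / Debian / Raspbian
+# 3 of 4
+# David Harrop
+# August 2023
+#######################################################################################################################
+
+# If run as standalone and not from the main installer script, check the below variables are correct.
+# To run standalone: sudo -E ./3-install-nginx.sh
+
+# Prepare text output colours
+GREY='\033[0;37m'
+DGREY='\033[0;90m'
+GREYB='\033[1;37m'
+LRED='\033[0;91m'
+LGREEN='\033[0;92m'
+LYELLOW='\033[0;93m'
+NC='\033[0m' #No Colour
+
+if ! [[ $(id -u) = 0 ]]; then
+ echo
+ echo -e "${LRED}Please run this script as sudo or root${NC}" 1>&2
+ exit 1
+fi
+
+echo
+echo
+echo -e "${LGREEN}Installing Nginx...${DGREY}"
+echo
+
+TOMCAT_VERSION=$(ls /etc/ | grep tomcat)
+# Below variables are automatically updated by the 1-setup.sh script with the respective values given at install (manually update if blank)
+PROXY_SITE=
+INSTALL_LOG=
+GUAC_URL=
+
+# Install Nginx
+apt-get update -qq >/dev/null
+apt-get install nginx -qq -y &>>${INSTALL_LOG}
+
+echo -e "${GREY}Configuring Nginx as a reverse proxy for Guacamole's Apache Tomcat front end...${DGREY}"
+# Configure /etc/nginx/sites-available/(local dns site name)
+cat <<EOF | tee /etc/nginx/sites-available/$PROXY_SITE
+server {
+ listen 80 default_server;
+ server_name $GUAC_URL;
+ location / {
+ proxy_pass $GUAC_URL;
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection \$http_connection;
+ access_log off;
+ }
+}
+EOF
+if [[ $? -ne 0 ]]; then
+ echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
+ exit 1
+else
+ echo -e "${LGREEN}OK${GREY}"
+ echo
+fi
+
+# Force nginx to require tls1.2 and above
+sed -i -e '/ssl_protocols/s/^/#/' /etc/nginx/nginx.conf
+sed -i "/SSL Settings/a \ ssl_protocols TLSv1.2 TLSv1.3;" /etc/nginx/nginx.conf
+
+# Symlink new reverse proxy site config from sites-available to sites-enabled
+ln -s /etc/nginx/sites-available/$PROXY_SITE /etc/nginx/sites-enabled/
+
+# Make sure the default Nginx site is unlinked
+unlink /etc/nginx/sites-enabled/default
+
+# Do mandatory Nginx tweaks for logging actual client IPs through a proxy IP of 127.0.0.1 - DO NOT CHANGE COMMAND FORMATING!
+echo -e "${GREY}Configuring Apache Tomcat valve for pass through of client IPs to Guacamole logs...${GREY}"
+sed -i '/pattern="%h %l %u %t "%r" %s %b"/a \ <!-- Allow host IP to pass through to guacamole.-->\n <Valve className="org.apache.catalina.valves.RemoteIpValve"\n internalProxies="127\.0\.0\.1|0:0:0:0:0:0:0:1"\n remoteIpHeader="x-forwarded-for"\n remoteIpProxiesHeader="x-forwarded-by"\n protocolHeader="x-forwarded-proto" />' /etc/$TOMCAT_VERSION/server.xml
+if [[ $? -ne 0 ]]; then
+ echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
+ exit 1
+else
+ echo -e "${LGREEN}OK${GREY}"
+ echo
+fi
+
+# Allow large file transfers through Nginx
+sed -i '/client_max_body_size/d' /etc/nginx/nginx.conf # remove this line if it already exists to prevent duplicates
+sed -i "/Basic Settings/a \ client_max_body_size 1000000000M;" /etc/nginx/nginx.conf # Add larger file transfer size, should be enough!
+echo -e "${GREY}Boosting Nginx's 'maximum body size' parameter to allow large file transfers...${GREY}"
+if [[ $? -ne 0 ]]; then
+ echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
+ exit 1
+else
+ echo -e "${LGREEN}OK${GREY}"
+ echo
+fi
+
+# Update general ufw rules so force traffic via reverse proxy. Only Nginx and SSH will be available over the network.
+echo -e "${GREY}Updating firewall rules to allow only SSH and tcp 80/443..."
+ufw default allow outgoing >/dev/null 2>&1
+ufw default deny incoming >/dev/null 2>&1
+ufw allow OpenSSH >/dev/null 2>&1
+ufw allow 80/tcp >/dev/null 2>&1
+ufw delete allow 8080/tcp >/dev/null 2>&1
+echo "y" | sudo ufw enable >/dev/null 2>&1
+if [[ $? -ne 0 ]]; then
+ echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
+ exit 1
+else
+ echo -e "${LGREEN}OK${GREY}"
+ echo
+fi
+
+# Reload everything
+echo -e "${GREY}Restaring Guacamole & Ngnix..."
+systemctl restart $TOMCAT_VERSION
+systemctl restart guacd
+systemctl restart nginx
+if [[ $? -ne 0 ]]; then
+ echo -e "${LRED}Failed. See ${INSTALL_LOG}${GREY}" 1>&2
+ exit 1
+else
+ echo -e "${LGREEN}OK${GREY}"
+fi
+
+# Done
+echo -e ${NC}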
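Review bot: The `$?` test that follows the "Boosting Nginx's 'maximum body size'" echo inspects that `echo -e`, not the two `sed -i` edits of `/etc/nginx/nginx.conf` just above it, so a failed edit is still reported as `OK`; the same pattern appears after the site heredoc, where `$?` is only `tee`'s status, and after the restarts, where only `systemctl restart nginx` is checked and the `$TOMCAT_VERSION` and `guacd` restarts are not. `PROXY_SITE`, `INSTALL_LOG` and `GUAC_URL` are empty unless the parent installer fills them in, and nothing verifies that before `tee /etc/nginx/sites-available/$PROXY_SITE`, `ln -s` and `&>>${INSTALL_LOG}` use them, so a standalone run with a blank value fails partway through without a clear message. Adding `: "${PROXY_SITE:?PROXY_SITE must be set}"` (and the same for the other two) directly after the three assignments would abort early instead. `client_max_body_size 1000000000M;` effectively removes nginx's request-body limit on a port reachable by unauthenticated clients; a bounded value sized to the transfers actually expected is the safer default. `TOMCAT_VERSION=$(ls /etc/ | grep tomcat)` can also match zero or several entries, which then breaks both `/etc/$TOMCAT_VERSION/server.xml` and `systemctl restart $TOMCAT_VERSION`.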