Install script for Guacamole 0.9.9 on Ubuntu 15.10 with Tomcat8, Mysql 5.1.38 and a script to notify when public IP changes

new_guac_builder_0.9.9.v2.sh

#!/bin/bash 

# define some variables

guac_version=0.9.9
mysql_version=5.1.38
mysql_root_password=<MYSQL_ROOT_PASSWORD>
mysql_user_password=<MYSQL_USER_PASSWD> #used by guacamole
server_name=<HOSTNAME> #host part of server's FQDN
server_domain=<DOMAIN> #domain part of server's FQDN      
admin_user=<USERNAME>  #user acct on server to setup IP alerts
mail_hub='<MAIL_HUB_AND_PORT>'
mail_userid='<MAIL_USERID>'
mail_password='<MAIL_PASSWORD>'
mail_address_for_alerts='<MAIL_ADDRESS_TO_SEND_ALERTS_TO>'

# Borrowed install procedure mostly from Chase Wright http://chasewright.com/guacamole-with-mysql-on-ubuntu/ 

# WORKING ON UBUNTU 15.10 WITH GUAC 0.9.9 AND TOMCAT8

#Update Everything
apt-get update && apt-get -y dist-upgrade

#Make sure that make is installed
apt-get install make

#Make sure openssh client and server are installed
apt-get -y install openssh-client openssh-server

# Provide mysql root password to automate installation
sudo debconf-set-selections <<< "mysql-server mysql-server/root_password password $mysql_root_password"
sudo debconf-set-selections <<< "mysql-server mysql-server/root_password_again password $mysql_root_password"

#Install Stuff
#You will be prompted for a mysql root password. Remember this for the configuration step; change MYSQLROOTPASSWORD to whatever you enter here.
apt-get -y install libcairo2-dev libpng12-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev libvorbis-dev libwebp-dev mysql-server mysql-client mysql-common mysql-utilities tomcat8

# Install libjpeg-turbo-dev
wget -O libjpeg-turbo-official_1.4.2_amd64.deb http://downloads.sourceforge.net/project/libjpeg-turbo/1.4.2/libjpeg-turbo-official_1.4.2_amd64.deb
dpkg -i libjpeg-turbo-official_1.4.2_amd64.deb

# Add GUACAMOLE_HOME to Tomcat8 ENV
echo "" >> /etc/default/tomcat8
echo "# GUACAMOLE EVN VARIABLE" >> /etc/default/tomcat8
echo "GUACAMOLE_HOME=/etc/guacamole" >> /etc/default/tomcat8

#Download Guacamole Files
wget -O guacamole-$guac_version.war http://downloads.sourceforge.net/project/guacamole/current/binary/guacamole-$guac_version.war
wget -O guacamole-server-$guac_version.tar.gz http://sourceforge.net/projects/guacamole/files/current/source/guacamole-server-$guac_version.tar.gz
wget -O guacamole-auth-jdbc-$guac_version.tar.gz http://sourceforge.net/projects/guacamole/files/current/extensions/guacamole-auth-jdbc-$guac_version.tar.gz
wget -O mysql-connector-java-$mysql_version.tar.gz http://dev.mysql.com/get/Downloads/Connector/j/mysql-connector-java-$mysql_version.tar.gz

#Extract Guac
tar -xzf guacamole-server-$guac_version.tar.gz
tar -xzf guacamole-auth-jdbc-$guac_version.tar.gz
tar -xzf mysql-connector-java-$mysql_version.tar.gz

# MAKE DIRECTORIES
mkdir /etc/guacamole
mkdir /etc/guacamole/lib
mkdir /etc/guacamole/extensions

# Install GUACD
cd guacamole-server-$guac_version
./configure --with-init-dir=/etc/init.d
make
make install
ldconfig
systemctl enable guacd
cd ..

# Move files to correct locations
mv guacamole-$guac_version.war /etc/guacamole/guacamole.war
ln -s /etc/guacamole/guacamole.war /var/lib/tomcat8/webapps/
cp mysql-connector-java-$mysql_version/mysql-connector-java-$mysql_version-bin.jar /etc/guacamole/lib/
cp guacamole-auth-jdbc-$guac_version/mysql/guacamole-auth-jdbc-mysql-$guac_version.jar /etc/guacamole/extensions/

# Fix the audio problem (over RDP) 

mkdir /usr/lib/x86_64-linux-gnu/freerdp
ln -sv /usr/local/lib/freerdp/guacdr-client.so /usr/lib/x86_64-linux-gnu/freerdp
ln -sv /usr/local/lib/freerdp/guacsnd-client.so /usr/lib/x86_64-linux-gnu/freerdp
service guacd restart

# Configure guacamole.properties 
echo "mysql-hostname: localhost" >> /etc/guacamole/guacamole.properties 
echo "mysql-port: 3306" >> /etc/guacamole/guacamole.properties 
echo "mysql-database: guacamole_db" >> /etc/guacamole/guacamole.properties 
echo "mysql-username: guacamole_user" >> /etc/guacamole/guacamole.properties
 
echo "mysql-password: $mysql_user_password" >> /etc/guacamole/guacamole.properties 
rm -rf /usr/share/tomcat8/.guacamole 
ln -s /etc/guacamole /usr/share/tomcat8/.guacamole 

# Restart Tomcat Service 
service tomcat8 restart

#Configure the MySQL database
# Lay down mysql configuration script
sudo cat <<EOF > guacamolemysql.sql
#MySQL Guacamole Script

CREATE DATABASE guacamole_db;

CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY '$mysql_user_password';

GRANT SELECT,INSERT,UPDATE,DELETE ON guacamole_db.* TO 'guacamole_user'@'localhost';

FLUSH PRIVILEGES;

quit
EOF

# Create Guacamole database and user
sudo mysql -u root -p$mysql_root_password < guacamolemysql.sql

#Populate the database
#Make sure you change tYSQLROOTPASSWORD
cat guacamole-auth-jdbc-$guac_version/mysql/schema/*.sql | mysql -u root -p$mysql_root_password guacamole_db

##########################################
# NGINX Installation and configuration #
##########################################

# Install Nginx
apt-get install -y nginx

# Create directory to store server key and certificate
mkdir /etc/nginx/ssl

# Create self-signed certificate (and "csr" in case a real SSL cert is to be purchased and installed)

openssl << EOF req -subj '/C=US/ST=VA/L=Sterling/O=NA/OU=NA/CN=$server_name.$server_domain' -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.self.key -out /etc/nginx/ssl/nginx.self.csr -extensions v3_ca
EOF

openssl req -x509 -days 365 -in /etc/nginx/ssl/nginx.self.csr -key /etc/nginx/ssl/nginx.self.key -out /etc/nginx/ssl/nginx.self.crt

cat << EOF > /etc/nginx/ssl/README.txt
In order to replace your self generated SSL certificate (nginx.self.crt) with a real (CA verified) cert:

1) Start with:

/etc/nginx/ssl/nginx.self.key
/etc/nginx/ssl/nginx.self.csr

2) Submit the "csr" to a CA authority (SSL certificate provider)

The CA provides you with new:

nginx.real.crt
ca-bundle.crt

3) Concatenate "real cert" with the "ca-bundle" to create a new "ssl-bundle.real.crt"

cat nginx.real.crt ca-bundle.crt /etc/nginx/ssl/ssl-bundle.real.crt

4) configure nginx to use the "real" certificates (bundle) and the original self generated key


    ssl_certificate      /etc/nginx/ssl/ssl-bundle.real.crt;
    ssl_certificate_key  /etc/nginx/ssl/nginx.self.key;

5) Regenerate CSR (and key) every year (when real cert expires) and re-submit to CA to get a new "real" key and up-to-date CA-Bundle

openssl req -subj '/C=US/ST=VA/L=Sterling/O=NA/OU=NA/CN=$server_name.$server_domain' -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.self.key -out /etc/nginx/ssl/nginx.self.csr -extensions v3_ca

6) Repeat steps #1 - #5

[the end]
EOF

# Add proxy settings to nginx config file (/etc/nginx/sites-enabled/default)
# Borrowed configuration from Eric Oud Ammerveled (http://sourceforge.net/p/guacamole/discussion/1110834/thread/6961d682/#aca9)

cat <<EOF > /etc/nginx/sites-enabled/default
# ANOTHER SERVER LISTENING ON PORT 443 (SSL) to secure the Guacamole traffic and proxy the requests to Tomcat7
server {
    listen 443 ssl;

    server_name $server_name.$server_domain;

EOF

cat << 'EOF' >> /etc/nginx/sites-enabled/default

# This part is for SSL config only
    ssl_certificate      /etc/nginx/ssl/nginx.self.crt;
    ssl_certificate_key  /etc/nginx/ssl/nginx.self.key;
    ssl_session_cache shared:SSL:10m;
    ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_prefer_server_ciphers on;
#    ssl_dhparam /etc/ssl/certs/dhparam.pem;

# Found below settings to be performing best but it will work with your own
    tcp_nodelay    on;
    tcp_nopush     off;
    sendfile       on;
    client_body_buffer_size 10K;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 2 1k;
    client_body_timeout 12;
    client_header_timeout 12;
    keepalive_timeout 15;
    send_timeout 10;

# HINT: You might want to enable access_log during the testing!
    access_log off;

# Don't turn ON proxy_buffering!; this will impact the line quality
    proxy_buffering off;
    proxy_redirect  off;

# Enabling websockets using the first 3 lines; Check /var/log/tomcat8/catalina.out while testing; guacamole will show you a fallback message if websockets fail to work.
    proxy_http_version 1.1;
    proxy_set_header host $http_host;
    proxy_set_header Connection "host";

# Just something that was advised by someone from the dev team; worked fine without it too.
    proxy_cookie_path /guacamole/ /;

    location / {
            # I am running the Tomcat8 and Guacamole on the local server
            proxy_pass http://localhost:8080;
            break;
    }
}
EOF

# Restart nginx service
service nginx restart

# Restart tomcat7
service tomcat8 restart

# Restart guacd
service guacd restart

################################################
#           Firewall Configuration             #
################################################

# Disable Firewall
ufw disable

# Allow HTTPS access
ufw allow https

# Allow SSH access
ufw allow ssh

# Enable Firewall
ufw --force enable

# Disable IPv6
cat <<EOF >> /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF

# Comment out the unused IPV6 lines in /etc/hosts so localhost is bound only to IPV4 127.0.0.1 in the logs
sed -i -e 's/^::1/#::1/g' -e 's/^ff02/#ff02/g' /etc/hosts

# Activate sysctl to pickup the changes to /etc/syscrl.conf
sysctl -p

echo "Setup of Guacamole complete, performing cleanup and final tuning"
echo "  "


# Cleanup Downloads
rm libjpeg-turbo-official_1.4.2_amd64.deb
rm guacamole-server-$guac_version.tar.gz
rm guacamole-auth-jdbc-$guac_version.tar.gz
rm mysql-connector-java-$mysql_version.tar.gz

#Remove tempfile
rm guacamolemysql.sql

# Cleanup Folders
rm -rf mysql-connector-java-$mysql_version/
rm -rf guacamole-auth-jdbc-$guac_version/
rm -rf guacamole-server-$guac_version/
rm -rf tomcat8-tomcat8-tmp

# Here are some customizations useful when installing Guacamole on a VMware ESXi as a 
# guest VM that has promiscuity enabled on the virtual network interface (aka CCIE lab) 

# In particular, don't log UFW (firewall) block messages when home router sends out IGMP multicast

ufw disable
ufw deny in to 224.0.0.1
ufw --force enable

# load the open-vm-tools

sudo apt-get -y install open-vm-tools

# Setup cron script to report changes to public IP address
apt-get -y install ssmtp

cat << EOF > /etc/ssmtp/ssmtp.conf
#
# Config file for sSMTP sendmail
#
root=
hostname=$server_name
AuthUser=$mail_userid
AuthPass=$mail_password
FromLineOverride=YES
mailhub=$mail_hub
UseSTARTTLS=YES
EOF

cat << EOF > /usr/local/bin/check_public_ip.sh
#!/bin/bash

# define some variables
mail_address_for_alerts=$mail_address_for_alerts
from_address=$mail_userid

EOF

cat << 'EOF' >> /usr/local/bin/check_public_ip.sh
new_public_ip=`dig +short myip.opendns.com @resolver1.opendns.com`

if [ -f "/tmp/saved_public_ip.txt" ]
   then
       saved_public_ip=`cat /tmp/saved_public_ip.txt`
   else
       touch /tmp/saved_public_ip.txt
       echo $new_public_ip  > /tmp/saved_public_ip.txt

       sudo cat << EOF2 > /tmp/mail_message.txt
From: $from_address
Subject: New home IP $new_public_ip
EOF2
       saved_public_ip=$new_public_ip
fi

if [[ "$saved_public_ip.txt" != "$new_public_ip" ]]
   then
       echo $new_public_ip  > /tmp/saved_public_ip.txt

       sudo cat << EOF2 > /tmp/mail_message.txt
From: $from_address
Subject: New home IP $new_public_ip
EOF2
       /usr/sbin/ssmtp $mail_address_for_alerts < /tmp/mail_message.txt
fi 
EOF

chmod +x /usr/local/bin/check_public_ip.sh

/usr/local/bin/check_public_ip.sh

# schedule root crontab run check_public_ip.sh script every six hours 
#
#write out current crontab
if [ -f "/var/spool/cron/crontabs/root" ]
   then
      crontab -l > /tmp/my_crontab
fi        
#echo new cron into cron file
echo "0 0,6,12,18 * * * /usr/local/bin/check_public_ip.sh" >> /tmp/my_crontab
#install new cron file
crontab /tmp/my_crontab
rm /tmp/my_crontab

cat << EOF > /home/$admin_user/README.how_to_setup_public_ip_email_alerts
In order to setup e-mail alerts when your public IP changes (forcing you to manually 
update the FQDN a-record with a DNS service provider (i.e. godaddy):

1) edit (as root) the /etc/ssmtp/ssmtp.conf and enter the info needed to use your email providers SMTP/IMAP/POP mailbub FQDN and listening port:

sudo vi /etc/ssmtp/ssmtp.conf

AuthUser=<MAIL_USERID>        (example:  [email protected])
AuthPass=<MAIL_PASSWORD>      (example:  pasSword!1!)
mailhub=<MAIL_HUB_AND_PORT>   (example:  smtp.gmail.com:587    )


2) Edit /usr/local/bin/check_public_ip.sh and change the mail address to send the alerts to:

sudi vi  /usr/local/bin/check_public_ip.sh

mail_address_for_alerts=<MAIL_ADDRESS_TO_SEND_ALERTS_TO>   (example:  [email protected] to send a text message to a Verizon cell phone)


3) You can change the time of day and frequency of the public IP check by editing the root crontab:

sudo crontab -e

0 0,6,12,18 * * * /usr/local/bin/check_public_ip.sh

4) Test to see if outgoing e-mail works

ssmtp [email protected] < /tmp/mail_message.txt    (use whatever e-mail destination you want)

(if you receive a text message showing your current IP address, then it works.


5) Test to see if you get an e-mail alert when your pub IP changes (force a change):

edit /tmp/saved_public_ip     (and change the IP address to be something different)

   sudo vi /tmp/saved_public_ip

(if you receive a text message showing your current IP address, then it works.

By default, the public IP will be checked every six hours at 0000h, 0600h, 1200h, 1800h

[The End]
EOF

#change the hostname using $server_name 
current_hostname=`hostname`
sed -i 's,'"$current_hostname"','"$server_name"',g' /etc/hosts
sed -i 's,'"$current_hostname.home"','"$server_name.$server_domain"',' /etc/hosts
hostname $server_name

echo "Installation complete"
echo "  "
echo "Test access to guacamole using:"

/sbin/ifconfig -a | grep 'inet addr:' | cut -d: -f2 | awk '{printf "\nhttps://%s:/guacamole/#/login\n", $1}'

# end