
Guacamole Install Script Features

Zer0CoolX edited this page Oct 21, 2019 · 6 revisions

The Apache Guacamole install script for RHEL 7 and CentOS 7, guac-install.sh, is a bash script that automates most of the installation process when setting up Apache Guacamole on a fresh RHEL 7 or CentOS 7 server. It provides an interactive, organized and intuitive set of menus to help an administrator configure Apache Guacamole. The goal is to make setting up an Apache Guacamole server as easy as possible while offering advanced options and configurations for additional features and security.

This wiki page will detail the features afforded by the Guacamole install script and what software gets installed by the script.

Features

Below is a list of some of the major features offered by using this Apache Guacamole install script.

General

  • Simplifies the process of installing Apache Guacamole and other software required for a complete implementation.
  • Guided, interactive menu system prompts for all the information required to properly configure Apache Guacamole.
  • Menu system allows for review and adjustment of parameters prior to execution, with options to abort and exit or abort and re-start the script.
  • Error handling covers the entire installation process. On error, the line number, the line that failed and the exit code are displayed and logged, and the script stops.
  • Generates a log of its activities to help with troubleshooting. More detail on the Logs wiki page.
  • Tomcat configured automatically for use with Guacamole and Nginx.
  • Firewalld ports opened automatically for HTTP (80), HTTPS (443), 8080 and 8443. Note that 8080 and 8443 are Tomcat's connector ports, so opening them lets clients reach Tomcat directly rather than only through Nginx.
  • Ability to change the URI path using Nginx. In other words, customize the portion of the URL after the public domain, hostname or IP used to access the Guacamole web client, e.g. https://mydomain.com/ vs https://mydomain.com/guacamole/ or https://mydomain.com/mycustomURI/
  • Option to install a custom Guacamole extension from a local .jar file, like my Apache Guacamole Login Branding extension template.
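As an added illustration, not code from guac-install.sh, here is the kind of bash ERR trap that delivers the error-handling feature listed above: it captures the exit code, line number and failing command at the moment of failure, prints and logs them, and stops the script. The log path, the function names and the simulated install steps are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not code from guac-install.sh: a bash ERR trap that does what
# the feature list above describes. On any failing command it prints and logs
# the line number, the command that failed and its exit code, then stops the
# script. LOGFILE, the function names and the simulated steps are assumptions.

set -o errexit -o errtrace -o pipefail   # errtrace: the ERR trap also fires inside functions

LOGFILE="${LOGFILE:-${TMPDIR:-/tmp}/guac-install-example.log}"   # assumed location

# Append a timestamped record to the log and echo it to stderr.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" | tee -a "$LOGFILE" >&2
}

# Build the one-line error record from the exit code, line number and command
# text that the trap captures at the moment of failure.
error_record() {
    local rc=$1 line=$2 cmd=$3
    printf 'ERROR: line %s: "%s" exited with code %s' "$line" "$cmd" "$rc"
}

# ERR handler: record the failure, then exit with the original code so a caller
# can still tell a failed download from a failed build by the code alone.
on_error() {
    local rc=$1 line=$2 cmd=$3
    log "$(error_record "$rc" "$line" "$cmd")"
    exit "$rc"
}

# "$?" must be the first thing the trap expands: any other command would reset it.
trap 'on_error "$?" "$LINENO" "$BASH_COMMAND"' ERR

# Exercise the trap in a child bash so that this script itself keeps running:
# one simulated install step that succeeds, then one that fails with code 3.
# Returns the child's combined output with its exit code appended as a last line.
demo_failing_install() {
    local out rc=0
    out=$(bash -c "$(declare -f log error_record on_error)
        set -o errexit -o errtrace -o pipefail
        LOGFILE=$(printf '%q' "$LOGFILE")
        trap 'on_error \"\$?\" \"\$LINENO\" \"\$BASH_COMMAND\"' ERR
        echo 'step 1: dependencies installed'
        sh -c 'exit 3'          # stand-in for a yum or make step that fails
        echo 'never reached'" 2>&1) || rc=$?
    printf '%s\nchild exit code: %s\n' "$out" "$rc"
}

demo_failing_install
```

Two details matter in practice: errtrace (set -E) is required or the trap will not fire for commands inside functions, and "$?" has to be the first expansion in the trap string, since any command run before it replaces the exit code you wanted to report.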

Security

  • SELinux properly configured with the correct booleans and context for Apache Guacamole and the accompanying software to operate.
  • Option to acquire a Let's Encrypt SSL certificate (with automated renewal).
  • Alternatively, generate and use a self-signed SSL certificate (or install no certificate, to configure SSL manually).
  • Nginx configured for a high level of security, with an option to restrict the cipher suites to 256-bit or stronger ciphers. Includes HSTS, forced redirection to HTTPS, OCSP Stapling (when using a Let's Encrypt cert), and more. See the Nginx wiki page for details.
  • Option to enable or disable a Content-Security-Policy (CSP) header in Nginx. Scores A+, 100/100 on the Mozilla Observatory test. See the CSP wiki page for details.

Authentication

  • MariaDB primary authentication by default, completely configured for use with Apache Guacamole. When using another method of primary authentication MariaDB is used to store user metadata.
  • MariaDB hardened using mysql_secure_installation command automatically.
  • LDAP as an optional primary authentication method, using existing AD/LDAP credentials for authentication without altering the existing (and separate) AD/LDAP server or directory.
  • When using LDAP, support for LDAPS (LDAP over SSL). More information on LDAP/LDAPS configuration can be found on the LDAP and LDAPS wiki page.
  • TOTP as an optional 2FA method for further security. Compatible with all available primary authentication methods. More information on the TOTP wiki page.

Anticipated Features & Requests

To get a glimpse at my plans for the future of the script see the To-Do wiki page. If you have an idea for a feature that would benefit the majority of users, see the How to Report Issues wiki page and if applicable fill out an issue using the "Feature Request" template.

Installed Software

This Guacamole installation script installs and configures all of the major Guacamole software along with all of its required dependencies and some "optional" software. The intent is to include all of the software needed to operate Guacamole along with the options/features selected when running the script. All efforts are taken to only include software required for the script, Guacamole and selected features to function.

Major software installed by the Apache Guacamole install script:

  • Guacamole Server - The core of Apache Guacamole. The script downloads the source code .tar.gz file directly from Apache's official site and compiles it locally on the server.
  • Guacamole Client - Web GUI portion of Apache Guacamole. The script downloads the .war binary file directly from Apache's official site.
  • MySQL Connector/J - The JDBC driver, in .jar file format, that connects the MariaDB back-end database to Guacamole. It is downloaded directly from the MySQL website.
  • Guacamole JDBC (mysql) Extension - An extension that facilitates communication between the MariaDB back-end database and Guacamole. It is downloaded directly from Apache's official site.
  • MariaDB - The database software used for base authentication by Guacamole. Downloaded and installed via yum from the available repos.
  • Nginx - A reverse proxy that provides a security layer between the internet and Tomcat/Guacamole and terminates HTTPS/SSL. Acquired by adding the official Nginx repo to yum and installing via yum.
  • Tomcat - A web server/servlet container used to serve the Guacamole web application. Downloaded and installed via yum from the available repos.
  • Java KeyStore (JKS) - Used as a repository to store security certificates safely.
  • libjpeg-turbo - libguac uses this package to provide JPEG support; Guacamole will not build without it. Installed via the official libjpeg-turbo repo.
  • ffmpeg-devel - The libavcodec, libavutil, and libswscale libraries provided by FFmpeg are used by guacenc to encode video streams when translating recordings of Guacamole sessions. Without FFmpeg, the guacenc utility will simply not be built. Installed via the RPMFusion repo.
  • EPEL repo - "Extra Packages for Enterprise Linux" is a repo that contains additional software not available in the official OS repos.
  • RPMFusion repo - Another repo that contains additional software not available in the official OS repos.

There are many other smaller/lesser known packages installed by the script not listed above. If you want to review all software installed with the script, I recommend reviewing the source code of the script itself.

Major Optional/Conditional software installed by the Apache Guacamole installation script:

  • git - Installed and used only if the source of install chosen is Git. This is downloaded and installed via yum from the available repos.
  • Apache Maven - Only installed and used if the source of install chosen is Git. This is used to build Guacamole Client from Git.
  • yum-versionlock - Installed on RHEL/CentOS 7.7 and higher. Prevents freerdp from being installed or updated past version 1.0.2 (7.7 introduced freerdp 2.x, which is not compatible with Guacamole 1.0.0).
  • Guacamole Auth LDAP Extension - An extension installed if LDAP(S) was selected as the primary method of authentication. This allows Guacamole to use an existing AD/LDAP directory for authentication. It is downloaded directly from Apache's official site.
  • Guacamole Auth TOTP Extension - An extension installed when selecting TOTP as the 2FA option for secondary authentication. This allows a TOTP app/generator to supply 6-digit one-time codes for 2FA. It is downloaded directly from Apache's official site.

Note on software versions: versions depend on where the software is acquired from. Software downloaded directly from an official site rather than a repo is typically the latest available stable release. Software that comes from a repo is whatever version the repo currently offers, which is often behind the latest upstream release.