Adapted for Almalinux 8.4 and it works

[aigors]

Hi, i adatped you script guac-install for Almalinux 8.4 and it works, i'm not able to use git,
`#!/bin/env bash
#Script to install guacamole RDP html5 gateway into Almalinux 8.4
#The script is working in progress is not all my work, i adapted a existent script to my distro

PRE-RUN CHECKS

if ! [ $(id -u) = 0 ]; then echo "This script must be run as sudo or root, try again..."; exit 1; fi
if ! [ $(getenforce) = "Enforcing" ]; then echo "This script requires SELinux to be active and in "Enforcing mode""; exit 1; fi
if ! [ $(uname -m) = "x86_64" ]; then echo "This script will only run on 64 bit versions of RHEL/CentOS"; exit 1; fi

Check that firewalld is installed

if ! rpm -q --quiet "firewalld"; then echo "This script requires firewalld to be installed on the system"; exit 1; fi

Allow trap to work in functions

set -E

######################################################################

VARIABLES

######################################################################

UNIVERSAL VARIABLES

USER CONFIGURABLE

Generic

SCRIPT_BUILD="2021_07_03" # Scripts Date for last modified as "yyyy_mm_dd"
ADM_POC="Local Admin, [email protected]" # Point of contact for the Guac server admin

Versions

GUAC_STBL_VER="1.3.0" # Latest stable version of Guac from https://guacamole.apache.org/releases/
MYSQL_CON_VER="8.0.25" # Working stable release of MySQL Connecter J
MAVEN_VER="3.8.1" # Latest stable version of Apache Maven
TOMCAT_VER="tomcat9" # Tomcat Version

Ports

GUAC_PORT="4822"
MYSQL_PORT="3306"

Key Sizes

JKSTORE_KEY_SIZE_DEF="4096" # Default Java Keystore key-size
LE_KEY_SIZE_DEF="4096" # Default Let's Encrypt key-size
SSL_KEY_SIZE_DEF="4096" # Default Self-signed SSL key-size

Default Credentials

MYSQL_PASSWD_DEF="guacamole" # Default MySQL/MariaDB root password
DB_NAME_DEF="guac_db" # Defualt database name
DB_USER_DEF="guac_adm" # Defualt database user name
DB_PASSWD_DEF="guacamole" # Defualt database password
JKS_GUAC_PASSWD_DEF="guacamole" # Default Java Keystore password
JKS_CACERT_PASSWD_DEF="guacamole" # Default CACert Java Keystore password, used with LDAPS

Misc

GUACD_USER="guacd" # The user name and group of the user running the guacd service
GUAC_URIPATH_DEF="/" # Default URI for Guacamole
DOMAIN_NAME_DEF="localhost" # Default domain name of server
H_ERR=false # Defualt value of if an error has been triggered, should be false
LIBJPEG_EXCLUDE="exclude=libjpeg-turbo-[0-9],libjpeg-turbo-..9[0-9]-"
DEL_TMP_VAR=true # Default behavior to delete the temp var file used by error handler on completion. Set to false to keep the file to review last values
NAME_SERVERS_DEF="1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001" # OCSP resolver DNS name servers defaults !!Only used if the host does not have name servers in resolv.conf!!

ONLY CHANGE IF NOT WORKING

URLS

MYSQL_CON_URL="https://dev.mysql.com/get/Downloads/Connector-J/" #Direct URL for download
LIBJPEG_REPO="https://libjpeg-turbo.org/pmwiki/uploads/Downloads/libjpeg-turbo.repo"

Dirs and File Names

LIB_DIR="/var/lib/guacamole/"
GUAC_CONF="guacamole.properties" # Guacamole configuration/properties file
MYSQL_CON="mysql-connector-java-${MYSQL_CON_VER}"
TMP_VAR_FILE="guac_tmp_vars" # Temp file name used to store varaibles for the error handler

Formats

Black=tput setaf 0 #${Black}
Red=tput setaf 1 #${Red}
Green=tput setaf 2 #${Green}
Yellow=tput setaf 3 #${Yellow}
Blue=tput setaf 4 #${Blue}
Magenta=tput setaf 5 #${Magenta}
Cyan=tput setaf 6 #${Cyan}
White=tput setaf 7 #${White}
Bold=tput bold #${Bold}
UndrLn=tput sgr 0 1 #${UndrLn}
Rev=tput smso #${Rev}
Reset=tput sgr0 #${Reset}

END UNIVERSAL VARIABLES

INITIALIZE COMMON VARIABLES

ONLY CHANGE IF NOT WORKING

init_vars () {

Get the release version of Guacamole from/for Git

GUAC_GIT_VER=curl -s https://raw.githubusercontent.com/apache/guacamole-server/master/configure.ac | grep 'AC_INIT([guacamole-server]*' | awk -F'[][]' -v n=2 '{ print $(2*n) }'
PWD=pwd # Current directory

Set full path/file name of file used to stored temp variables used by the error handler

VAR_FILE="${PWD}/${TMP_VAR_FILE}"
echo "-1" > "${VAR_FILE}" # create file with -1 to set not as background process

Determine if OS is RHEL, CentOS or something else

if grep -q "CentOS" /etc/redhat-release; then
OS_NAME="CentOS"
elif grep -q "Red Hat Enterprise" /etc/redhat-release; then
OS_NAME="RHEL"
elif grep -q "AlmaLinux release 8.4" /etc/redhat-release; then
OS_NAME="CentOS"
else
echo "Unable to verify OS from /etc/redhat-release as CentOS or RHEL, this script is intended only for those distro's, exiting."
exit 1
fi
OS_NAME_L="$(echo $OS_NAME | tr '[:upper:]' '[:lower:]')" # Set lower case rhel or centos for use in some URLs

Outputs the major.minor.release number of the OS, Ex: 7.6.1810 and splits the 3 parts.

MAJOR_VER=cat /etc/redhat-release | grep -oP "[0-9]+" | sed -n 1p # Return the leftmost digit representing major version
MINOR_VER=cat /etc/redhat-release | grep -oP "[0-9]+" | sed -n 2p # Returns the middle digit representing minor version

Placeholder in case this info is ever needed. RHEL does not have release number, only major.minor

RELEASE_VER=cat /etc/redhat-release | grep -oP "[0-9]+" | sed -n 3p # Returns the rightmost digits representing release number

#Set arch used in some paths
MACHINE_ARCH=uname -m
ARCH="64"

Set nginx url for RHEL or CentOS

NGINX_URL="https://nginx.org/packages/$OS_NAME_L/$MAJOR_VER/$MACHINE_ARCH/"
}

SOURCE VARIABLES

src_vars () {

Check if selected source is Git or stable release, set variables based on selection

if [ $GUAC_SOURCE == "Git" ]; then
GUAC_VER=${GUAC_GIT_VER}
GUAC_URL="git://github.com/apache/"
GUAC_SERVER="guacamole-server.git"
GUAC_CLIENT="guacamole-client.git"
MAVEN_MAJOR_VER=${MAVEN_VER:0:1}
MAVEN_URL="https://www-us.apache.org/dist/maven/maven-${MAVEN_MAJOR_VER}/${MAVEN_VER}/binaries/"
MAVEN_FN="apache-maven-${MAVEN_VER}"
MAVEN_BIN="${MAVEN_FN}-bin.tar.gz"
else # Stable release
GUAC_VER=${GUAC_STBL_VER}
GUAC_URL="https://apache.org/dyn/closer.cgi?action=download&filename=guacamole/${GUAC_VER}/"
GUAC_SERVER="guacamole-server-${GUAC_VER}"
GUAC_CLIENT="guacamole-${GUAC_VER}"
fi

JDBC Extension file name

GUAC_JDBC="guacamole-auth-jdbc-${GUAC_VER}"

LDAP extension file name

GUAC_LDAP="guacamole-auth-ldap-${GUAC_VER}"

TOTP extension file name

GUAC_TOTP="guacamole-auth-totp-${GUAC_VER}"

Dirs and file names

INSTALL_DIR="/usr/local/src/guacamole/${GUAC_VER}/" # Guacamole installation dir
FILENAME="${PWD}/guacamole-${GUAC_VER}_"$(date +"%d-%y-%b")"" # Script generated log filename
logfile="${FILENAME}.log" # Script generated log file full name
fwbkpfile="${FILENAME}.firewall.bkp" # Firewall backup file name
}

######################################################################

MENUS

######################################################################

SOURCE MENU

src_menu () {
clear

echo -e " ${Reset}${Bold}----====Gucamole Installation Script====----\n ${Reset}Guacamole Remote Desktop Gateway\n"
echo -e " ${Bold}*** Source Menu ***\n"
echo " OS: ${Yellow}${OS_NAME} ${MAJOR_VER}.${MINOR_VER} ${MACHINE_ARCH}${Reset}"
echo -e " ${Bold}Stable Version: ${Yellow}${GUAC_STBL_VER}${Reset} || ${Bold}Git Version: ${Yellow}${GUAC_GIT_VER}${Reset}\n"

while true; do
echo -n "${Green} Pick the desired source to install from (enter 'stable' or 'git', default is 'stable'): ${Yellow}"
read GUAC_SOURCE
case $GUAC_SOURCE in
[Ss]table|"" ) GUAC_SOURCE="Stable"; break;;
[Gg][Ii][Tt] ) GUAC_SOURCE="Git"; break;;
* ) echo "${Green} Please enter 'stable' or 'git' to select source/version (without quotes)";;
esac
done

tput sgr0
}

START EXECUTION

init_vars
src_menu
src_vars

MENU HEADERS

Called by each menu and summary menu to display the dynamic header

menu_header () {
tput sgr0
clear

echo -e " ${Reset}${Bold}----====Gucamole Installation Script====----\n ${Reset}Guacamole Remote Desktop Gateway\n"
echo -e " ${Bold}*** ${SUB_MENU_TITLE} ***\n"
echo " OS: ${Yellow}${OS_NAME} ${MAJOR_VER}.${MINOR_VER} ${MACHINE_ARCH}${Reset}"
echo -e " ${Bold}Source/Version: ${Yellow}${GUAC_SOURCE} ${GUAC_VER}${Reset}\n"
}

DATABASE AND JKS MENU

db_menu () {
SUB_MENU_TITLE="Database and JKS Menu"

menu_header

echo -n "${Green} Enter the Guacamole DB name (default ${DB_NAME_DEF}): ${Yellow}"
read DB_NAME
DB_NAME=${DB_NAME:-${DB_NAME_DEF}}
echo -n "${Green} Enter the Guacamole DB username (default ${DB_USER_DEF}): ${Yellow}"
read DB_USER
DB_USER=${DB_USER:-${DB_USER_DEF}}
echo -n "${Green} Enter the Java KeyStore key-size to use (default ${JKSTORE_KEY_SIZE_DEF}): ${Yellow}"
read JKSTORE_KEY_SIZE
JKSTORE_KEY_SIZE=${JKSTORE_KEY_SIZE:-${JKSTORE_KEY_SIZE_DEF}}
}

PASSWORDS MENU

pw_menu () {
SUB_MENU_TITLE="Passwords Menu"

menu_header

echo -n "${Green} Enter the root password for MariaDB: ${Yellow}"
read MYSQL_PASSWD
MYSQL_PASSWD=${MYSQL_PASSWD:-${MYSQL_PASSWD_DEF}}
echo -n "${Green} Enter the Guacamole DB password: ${Yellow}"
read DB_PASSWD
DB_PASSWD=${DB_PASSWD:-${DB_PASSWD_DEF}}
echo -n "${Green} Enter the Guacamole Java KeyStore password, must be 6 or more characters: ${Yellow}"
read JKS_GUAC_PASSWD
JKS_GUAC_PASSWD=${JKS_GUAC_PASSWD:-${JKS_GUAC_PASSWD_DEF}}
}

SSL CERTIFICATE TYPE MENU

ssl_cert_type_menu () {
SUB_MENU_TITLE="SSL Certificate Type Menu"

menu_header

echo "${Green} What kind of SSL certificate should be used (default 2)?${Yellow}"
PS3="${Green} Enter the number of the desired SSL certificate type: ${Yellow}"
options=("LetsEncrypt" "Self-signed" "None")
select opt in "${options[@]}"
do
case $opt in
"LetsEncrypt") SSL_CERT_TYPE="LetsEncrypt"; le_menu; break;;
"Self-signed"|"") SSL_CERT_TYPE="Self-signed"; ss_menu; break;;
"None")
SSL_CERT_TYPE="None"
OCSP_USE=false
echo -e "\n\n${Red} No SSL certificate selected. This can be configured manually at a later time."
sleep 3
break;;
* ) echo "${Green} ${REPLY} is not a valid option, enter the number representing your desired cert type.";;
esac
done
}

LETSENCRYPT MENU

le_menu () {
SUB_MENU_TITLE="LetsEncrypt Menu"

menu_header

echo -n "${Green} Enter a valid e-mail for let's encrypt certificate: ${Yellow}"
read EMAIL_NAME
echo -n "${Green} Enter the Let's Encrypt key-size to use (default ${LE_KEY_SIZE_DEF}): ${Yellow}"
read LE_KEY_SIZE
LE_KEY_SIZE=${LE_KEY_SIZE:-${LE_KEY_SIZE_DEF}}

while true; do
echo -n "${Green} Use OCSP Stapling (default yes): ${Yellow}"
read yn
case $yn in
[Yy]|"" ) OCSP_USE=true; break;;
[Nn] ) OCSP_USE=false; break;;
* ) echo "${Green} Please enter yes or no. ${Yellow}";;
esac
done
}

SELF-SIGNED SSL CERTIFICATE MENU

ss_menu () {
OCSP_USE=false
SUB_MENU_TITLE="Self-signed SSL Certificate Menu"

menu_header

echo -n "${Green} Enter the Self-Signed SSL key-size to use (default ${SSL_KEY_SIZE_DEF}): ${Yellow}"
read SSL_KEY_SIZE
SSL_KEY_SIZE=${SSL_KEY_SIZE:-${SSL_KEY_SIZE_DEF}}
}

NGINX OPTIONS MENU

nginx_menu () {
SUB_MENU_TITLE="Nginx Menu"

menu_header

Server LAN IP

GUAC_LAN_IP_DEF=$(hostname -I | sed 's/ .*//')

echo -n "${Green} Enter the LAN IP of this server (default ${GUAC_LAN_IP_DEF}): ${Yellow}"
read GUAC_LAN_IP
GUAC_LAN_IP=${GUAC_LAN_IP:-${GUAC_LAN_IP_DEF}}
echo -n "${Green} Enter a valid hostname or public domain such as mydomain.com (default ${DOMAIN_NAME_DEF}): ${Yellow}"
read DOMAIN_NAME
DOMAIN_NAME=${DOMAIN_NAME:-${DOMAIN_NAME_DEF}}
echo -n "${Green} Enter the URI path, starting and ending with / for example /guacamole/ (default ${GUAC_URIPATH_DEF}): ${Yellow}"
read GUAC_URIPATH
GUAC_URIPATH=${GUAC_URIPATH:-${GUAC_URIPATH_DEF}}

Only prompt if SSL will be used

if [ $SSL_CERT_TYPE != "None" ]; then
while true; do
echo -n "${Green} Use only >= 256-bit SSL ciphers (More secure, less compatible. default: yes)?: ${Yellow}"
read yn
case $yn in
[Yy]|"" ) NGINX_SEC=true; break;;
[Nn] ) NGINX_SEC=false; break;;
* ) echo "${Green} Please enter yes or no. ${Yellow}";;
esac
done

while true; do
	echo -n "${Green} Use Content-Security-Policy [CSP] (More secure, less compatible. default: yes)?: ${Yellow}"
	read yn
	case $yn in
		[Yy]*|"" ) USE_CSP=true; break;;
		[Nn]* ) USE_CSP=false; break;;
		* ) echo "${Green} Please enter yes or no. ${Yellow}";;
	esac
done

else
NGINX_SEC=false
USE_CSP=false
fi
}

PRIMARY AUTHORIZATION EXTENSIONS MENU

prime_auth_ext_menu () {
SUB_MENU_TITLE="Primary Authentication Extensions Menu"

menu_header

INSTALL_LDAP=false
SECURE_LDAP=false
INSTALL_RADIUS=false
INSTALL_CAS=false
INSTALL_OPENID=false

Allows selection of an authentication method in addition to MariaDB/Database or just MariaDB

which is used to store connection and user meta data for all other methods

echo "${Green} What Guacamole extension should be used as the primary user authentication method (default 1)?${Yellow}"
PS3="${Green} Enter the number of the desired authentication method: ${Yellow}"

Removing non-working options from the menu until they are ready

"RADIUS" "OpenID" "CAS"

options=("MariaDB Database" "LDAP(S)")
COLUMNS=1
select opt in "${options[@]}"
do
case $opt in
"MariaDB Database"|"") PRIME_AUTH_TYPE="MariaDB"; break;;
"LDAP(S)") PRIME_AUTH_TYPE="LDAP"; LDAP_ext_menu; break;;
# "RADIUS") PRIME_AUTH_TYPE="RADIUS"; Radius_ext_menu; break;;
# "OpenID") PRIME_AUTH_TYPE="OpenID"; OpenID_ext_menu; break;;
# "CAS") PRIME_AUTH_TYPE="CAS"; CAS_ext_menu; break;;
* ) echo "${Green} ${REPLY} is not a valid option, enter the number representing the desired primary authentication method.";;
esac
done

unset COLUMNS
}

2FA EXTENSIONS MENU

secondary_auth_ext_menu () {
SUB_MENU_TITLE="2FA Extensions Menu"

menu_header

INSTALL_TOTP=false
INSTALL_DUO=false

Allows optional selection of a Two Factor Authentication (2FA) method

echo "${Green} What Guacamole extension should be used as the 2FA authentication method (default 1)?${Yellow}"
PS3="${Green} Enter the number of the desired authentication method: ${Yellow}"

Removing non-working options from the menu until they are ready

"DUO"

options=("None" "TOTP")
COLUMNS=1
select opt in "${options[@]}"
do
case $opt in
"None"|"") TFA_TYPE="None"; break;;
"TOTP") TFA_TYPE="TOTP"; TOTP_ext_menu; break;;
# "DUO") TFA_TYPE="DUO"; Duo_ext_menu; break;;
* ) echo "${Green} ${REPLY} is not a valid option, enter the number representing the desired 2FA method.";;
esac
done

unset COLUMNS
}

LDAP MENU

LDAP_ext_menu () {
INSTALL_LDAP=true
SUB_MENU_TITLE="LDAP Extension Menu"

menu_header

Allow selection of LDAPS

while true; do
echo -n "${Green} Use LDAPS instead of LDAP (Requires having the cert from the server copied locally, default: no): ${Yellow}"
read SECURE_LDAP
case $SECURE_LDAP in
[Yy]* ) SECURE_LDAP=true; break;;
[Nn]*|"" ) SECURE_LDAP=false; break;;
* ) echo "${Green} Please enter yes or no. ${Yellow}";;
esac
done

Check if LDAPS was selected

if [ $SECURE_LDAP = true ]; then
echo -ne "\n${Green} Enter the LDAP Port (default 636): ${Yellow}"
read LDAP_PORT
LDAP_PORT=${LDAP_PORT:-636}

# LDAPS Certificate placeholder values
LDAPS_CERT_FN="mycert.cer"
LDAPS_CERT_FULL="xNULLx"

while [ ! -f ${LDAPS_CERT_FULL} ]; do
	echo -ne "\n${Green} Enter a valid filename of the .cer certificate file (Ex: mycert.cer): ${Yellow}"
		read LDAPS_CERT_FN
		LDAPS_CERT_FN=${LDAPS_CERT_FN:-${LDAPS_CERT_FN}}
	echo -n "${Green} Enter the full path of the dir containing the .cer certificate file (must end with / Ex: /home/me/): ${Yellow}"
		read LDAPS_CERT_DIR
		LDAPS_CERT_DIR=${LDAPS_CERT_DIR:-/home/}
		LDAPS_CERT_FULL=${LDAPS_CERT_DIR}${LDAPS_CERT_FN}
	if [ ! -f ${LDAPS_CERT_FULL} ]; then
		echo "${Red} The file/path: ${LDAPS_CERT_FULL} does not exist! Ensure the file is in the directory and try again..."
	fi
done

echo -ne "\n${Green} Set the password for the CACert Java Keystore, must be 6 or more characters (default ${JKS_CACERT_PASSWD_DEF}): ${Yellow}"
	read JKS_CACERT_PASSWD
	JKS_CACERT_PASSWD=${JKS_CACERT_PASSWD:-${JKS_CACERT_PASSWD_DEF}}

else # Use LDAP not LDAPS
echo -ne "\n${Green} Enter the LDAP Port (default 389): ${Yellow}"
read LDAP_PORT
LDAP_PORT=${LDAP_PORT:-389}
fi

echo -ne "\n${Green} Enter the LDAP Server Hostname (use the FQDN, Ex: ldaphost.domain.com): ${Yellow}"
read LDAP_HOSTNAME
LDAP_HOSTNAME=${LDAP_HOSTNAME:-ldaphost.domain.com}
echo -n "${Green} Enter the LDAP User-Base-DN (Ex: dc=domain,dc=com): ${Yellow}"
read LDAP_BASE_DN
LDAP_BASE_DN=${LDAP_BASE_DN:-dc=domain,dc=com}
echo -n "${Green} Enter the LDAP Search-Bind-DN (Ex: cn=user,ou=Admins,dc=domain,dc=com): ${Yellow}"
read LDAP_BIND_DN
LDAP_BIND_DN=${LDAP_BIND_DN:-cn=user,ou=Admins,dc=domain,dc=com}
echo -n "${Green} Enter the LDAP Search-Bind-Password: ${Yellow}"
read LDAP_BIND_PW
LDAP_BIND_PW=${LDAP_BIND_PW:-password}
echo -n "${Green} Enter the LDAP Username-Attribute (default sAMAccountName): ${Yellow}"
read LDAP_UNAME_ATTR
LDAP_UNAME_ATTR=${LDAP_UNAME_ATTR:-sAMAccountName}

LDAP_SEARCH_FILTER_DEF="(objectClass=*)"
echo -n "${Green} Enter a custom LDAP user search filter (default "${LDAP_SEARCH_FILTER_DEF}"): ${Yellow}"
read LDAP_SEARCH_FILTER
LDAP_SEARCH_FILTER=${LDAP_SEARCH_FILTER:-${LDAP_SEARCH_FILTER_DEF}}
}

TOTP MENU

TOTP_ext_menu () {
INSTALL_TOTP=true
SUB_MENU_TITLE="TOTP Extension Menu"

menu_header

echo -n "${Green} Enter the TOTP issuer (default Apache Guacamole): ${Yellow}"
read TOTP_ISSUER
TOTP_ISSUER=${TOTP_ISSUER:-Apache Guacamole}
echo -n "${Green} Enter the number of digits to use for TOTP (default 6): ${Yellow}"
read TOTP_DIGITS
TOTP_DIGITS=${TOTP_DIGITS:-6}
echo -n "${Green} Enter the TOTP period in seconds (default 30): ${Yellow}"
read TOTP_PER
TOTP_PER=${TOTP_PER:-30}
echo -n "${Green} Enter the TOTP mode (default sha1): ${Yellow}"
read TOTP_MODE
TOTP_MODE=${TOTP_MODE:-sha1}
}

DUO MENU

Duo_ext_menu () {
INSTALL_DUO=false
SUB_MENU_TITLE="DUO Extension Menu"

menu_header

echo "${Red} Duo extension not currently available via this script."
sleep 3
}

RADIUS MENU

Radius_ext_menu () {
INSTALL_RADIUS=false
SUB_MENU_TITLE="RADIUS Extension Menu"

menu_header

echo "${Red} RADIUS extension not currently available via this script."
sleep 3
}

CAS MENU

CAS_ext_menu () {
INSTALL_CAS=false
SUB_MENU_TITLE="CAS Extension Menu"

menu_header

echo "${Red} CAS extension not currently available via this script."
sleep 3
}

OPENID MENU

OpenID_ext_menu () {
INSTALL_OPENID=false
SUB_MENU_TITLE="OpenID Extension Menu"

menu_header

echo "${Red} OpenID extension not currently available via this script."
sleep 3
}

CUSTOM EXTENSION MENU

cust_ext_menu () {
SUB_MENU_TITLE="Custom Extension Menu"

menu_header

while true; do
echo -n "${Green} Would you like to install a custom Guacamole extensions from a local file (default no)? ${Yellow}"
read yn
case $yn in
[Yy]* )
INSTALL_CUST_EXT=true

		# Set placeholder values
		CUST_FN="myextension.jar"
		CUST_FULL="xNULLx"

		while [ ! -f ${CUST_FULL} ]; do
			echo -ne "\n${Green} Enter a valid filename of the .jar extension file (Ex: myextension.jar): ${Yellow}"
				read CUST_FN
				CUST_FN=${CUST_FN:-${CUST_FN}}
			echo -n "${Green} Enter the full path of the dir containing the .jar extension file (must end with / Ex: /home/me/): ${Yellow}"
				read CUST_DIR
				CUST_DIR=${CUST_DIR:-/home/}
				CUST_FULL=${CUST_DIR}${CUST_FN}
			if [ ! -f ${CUST_FULL} ]; then # Check that full path/name exists, otherwise prompt again
				echo "${Red} The file/path: ${CUST_FULL} does not exist! Ensure the file is in the directory and try again..."
			fi
		done
		break;;
	[Nn]*|"" ) INSTALL_CUST_EXT=false; break;;
	* ) echo "${Green} Please enter yes or no. ${Yellow}";;
esac

done
}

######################################################################

SUMMARY MENUS

######################################################################

MAIN SUMMARY MENU

sum_menu () {
SUB_MENU_TITLE="Summary Menu"

menu_header

RUN_INSTALL=false
RET_SUM=false

List categories/menus to review or change

echo "${Green} Select a category to review selections: ${Yellow}"
PS3="${Green} Enter the number of the category to review: ${Yellow}"
options=("Database" "Passwords" "SSL Cert Type" "Nginx" "Primary Authentication Extension" "2FA Extension" "Custom Extension" "Accept and Run Installation" "Cancel and Start Over" "Cancel and Exit Script")
select opt in "${options[@]}"
do
case $opt in
"Database") sum_db; break;;
"Passwords") sum_pw; break;;
"SSL Cert Type") sum_ssl; break;;
"Nginx") sum_nginx; break;;
"Primary Authentication Extension") sum_prime_auth_ext; break;;
"2FA Extension") sum_secondary_auth_ext; break;;
"Custom Extension") sum_cust_ext; break;;
"Accept and Run Installation") RUN_INSTALL=true; break;;
"Cancel and Start Over") ScriptLoc=$(readlink -f "$0"); exec "$ScriptLoc"; break;;
"Cancel and Exit Script") tput sgr0; exit 1; break;;
* ) echo "${Green} ${REPLY} is not a valid option, enter the number representing the category to review.";;
esac
done
}

DATABASE SUMMARY

sum_db () {
SUB_MENU_TITLE="Database Summary"

menu_header

echo "${Green} Guacamole DB name: ${Yellow}${DB_NAME}"
echo "${Green} Guacamole DB username: ${Yellow}${DB_USER}"
echo -e "${Green} Java KeyStore key-size: ${Yellow}${JKSTORE_KEY_SIZE}\n"

while true; do
echo -n "${Green} Would you like to change these selections (default no)? ${Yellow}"
read yn
case $yn in
[Yy]* ) db_menu; break;;
[Nn]*|"" ) break;;
* ) echo "${Green} Please enter yes or no. ${Yellow}";;
esac
done

sum_menu
}

PASSWORD SUMMARY

sum_pw () {
SUB_MENU_TITLE="Passwords Summary"

menu_header

echo "${Green} MariaDB root password: ${Yellow}${MYSQL_PASSWD}"
echo "${Green} Guacamole DB password: ${Yellow}${DB_PASSWD}"
echo -e "${Green} Guacamole Java KeyStore password: ${Yellow}${JKS_GUAC_PASSWD}\n"

while true; do
echo -n "${Green} Would you like to change these selections (default no)? ${Yellow}"
read yn
case $yn in
[Yy]* ) pw_menu; break;;
[Nn]*|"" ) break;;
* ) echo "${Green} Please enter yes or no. ${Yellow}";;
esac
done

sum_menu
}

SSL CERTIFICATE SUMMARY

sum_ssl () {
SUB_MENU_TITLE="SSL Certificate Summary"

menu_header

echo -e "${Green} Certficate Type: ${Yellow}${SSL_CERT_TYPE}\n"

Check the certificate selection to display proper information for selection

case $SSL_CERT_TYPE in
"LetsEncrypt")
echo "${Green} e-mail for LetsEncrypt certificate: ${Yellow}${EMAIL_NAME}"
echo "${Green} LetEncrypt key-size: ${Yellow}${LE_KEY_SIZE}"
echo -e "${Green} Use OCSP Stapling?: ${Yellow}${OCSP_USE}\n"
;;
"Self-signed")
echo -e "${Green} Self-Signed SSL key-size: ${Yellow}${SSL_KEY_SIZE}\n"
;;
"None")
echo -e "${Yellow} As no certificate type was selected, an SSL certificate can be configured manually at a later time.\n"
;;
esac

while true; do
echo -n "${Green} Would you like to change these selections (default no)? ${Yellow}"
read yn
case $yn in
[Yy]* ) ssl_cert_type_menu; break;;
[Nn]*|"" ) break;;
* ) echo "${Green} Please enter yes or no. ${Yellow}";;
esac
done

sum_menu
}

NGINX SUMMARY

sum_nginx () {
SUB_MENU_TITLE="Nginx Summary"

menu_header

echo "${Green} Guacamole Server LAN IP address: ${Yellow}${GUAC_LAN_IP}"
echo "${Green} Guacamole Server hostname or public domain: ${Yellow}${DOMAIN_NAME}"
echo "${Green} URI path: ${Yellow}${GUAC_URIPATH}"
echo "${Green} Using only 256-bit >= ciphers?: ${Yellow}${NGINX_SEC}"
echo -e "${Green} Content-Security-Policy [CSP] enabled?: ${Yellow}${USE_CSP}\n"

while true; do
echo -n "${Green} Would you like to change these selections (default no)? ${Yellow}"
read yn
case $yn in
[Yy]* ) nginx_menu; break;;
[Nn]*|"" ) break;;
* ) echo "${Green} Please enter yes or no. ${Yellow}";;
esac
done

sum_menu
}

STANDARD EXTENSIONS SUMMARY

sum_prime_auth_ext () {
SUB_MENU_TITLE="Primary Authentication Extension Summary"

menu_header

echo -e "${Green} Primary Authentication type: ${Yellow}${PRIME_AUTH_TYPE}\n"

echo "${Yellow}${Bold} -- MariaDB is used with all authentication implementations --${Reset}"
echo "${Green} Default Guacamole username: ${Yellow}guacadmin"
echo -e "${Green} Default Guacamole password: ${Yellow}guacadmin\n"

Check the authentication selection to display proper information for the selection

case $PRIME_AUTH_TYPE in
"LDAP")
echo -e "${Reset}${Bold} -- LDAP Specific Parameters --${Reset}\n"
echo "${Green} Use LDAPS instead of LDAP: ${Yellow}${SECURE_LDAP}"
echo -e "${Green} LDAP(S) port: ${Yellow}${LDAP_PORT}\n"

	if [ $SECURE_LDAP = true ]; then
		echo "${Green} LDAPS full filename and path: ${Yellow}${LDAPS_CERT_FULL}"
		echo -e "${Green} CACert Java Keystroe password: ${Yellow}${JKS_CACERT_PASSWD}\n"
	fi

	echo "${Green} LDAP Server Hostname (should be FQDN, Ex: ldaphost.domain.com): ${Yellow}${LDAP_HOSTNAME}"
	echo "${Green} LDAP User-Base-DN (Ex: dc=domain,dc=com): ${Yellow}${LDAP_BASE_DN}"
	echo "${Green} LDAP Search-Bind-DN (Ex: cn=user,ou=Admins,dc=domain,dc=com): ${Yellow}${LDAP_BIND_DN}"
	echo "${Green} LDAP Search-Bind-Password: ${Yellow}${LDAP_BIND_PW}"
	echo "${Green} LDAP Username-Attribute: ${Yellow}${LDAP_UNAME_ATTR}"
	echo -e "${Green} LDAP user search filter: ${Yellow}${LDAP_SEARCH_FILTER}\n"
	;;
"RADIUS")
	echo -e "${Red} RADIUS cannot currently be installed by this script.\n"
	;;
"OpenID")
	echo -e "${Red} OpenID cannot currently be installed by this script.\n"
	;;
"CAS")
	echo -e "${Red} CAS cannot currently be installed by this script.\n"
	;;

esac

while true; do
echo -n "${Green} Would you like to change the authentication method and properties (default no)? ${Yellow}"
read yn
case $yn in
[Yy]* ) prime_auth_ext_menu; break;;
[Nn]*|"" ) break;;
* ) echo "${Green} Please enter yes or no. ${Yellow}";;
esac
done

sum_menu
}

SELECTED EXTENSIONS SUMMARY

sum_secondary_auth_ext () {
SUB_MENU_TITLE="2FA Extension Summary"

menu_header

echo -e "${Green} 2FA selection: ${Yellow}${TFA_TYPE}\n"

Check the authentication selection to display proper information for the selection

case $TFA_TYPE in
"None")
echo -e "${Yellow}${Bold} -- No form of 2FA will be implemented by this script --${Reset}\n"
;;
"TOTP")
echo "${Green} TOTP issuer: ${Yellow}${TOTP_ISSUER}"
echo "${Green} Number of TOTP digits: ${Yellow}${TOTP_DIGITS}"
echo "${Green} TOTP period in seconds: ${Yellow}${TOTP_PER}"
echo -e "${Green} TOTP mode: ${Yellow}${TOTP_MODE}\n"
;;
"DUO")
echo -e "${Red} DUO cannot currently be installed by this script.\n"
;;
esac

while true; do
echo -n "${Green} Would you like to change the 2FA method and properties (default no)? ${Yellow}"
read yn
case $yn in
[Yy]* ) secondary_auth_ext_menu; break;;
[Nn]*|"" ) break;;
* ) echo "${Green} Please enter yes or no. ${Yellow}";;
esac
done

sum_menu
}

CUSTOM EXTENSION SUMMARY

sum_cust_ext () {
SUB_MENU_TITLE="Custom Extension Summary"

menu_header

echo -e "${Green} Install a custom Guacamole extension: ${Yellow}${INSTALL_CUST_EXT}\n"

if [ $INSTALL_CUST_EXT = true ]; then
echo "${Green} Filename of the .jar extension file: ${Yellow}${CUST_FN}"
echo "${Green} Full path of the dir containing the .jar extension file: ${Yellow}${CUST_DIR}"
echo -e "${Green} Full file path: ${Yellow}${CUST_FULL}\n"
fi

while true; do
echo -n "${Green} Would you like to change these selections (default no)? ${Yellow}"
read yn
case $yn in
[Yy]* ) cust_ext_menu; break;;
[Nn]*|"" ) break;;
* ) echo "${Green} Please enter yes or no. ${Yellow}";;
esac
done

sum_menu
}

MENU EXECUTION

db_menu
pw_menu
ssl_cert_type_menu
nginx_menu
prime_auth_ext_menu
secondary_auth_ext_menu
cust_ext_menu
sum_menu

Sets file descriptor to 3 for this special echo function and spinner

exec 3>&1

######################################################################

UTILITY FUNCTIONS

######################################################################

PROGRESS SPINNER FUNCTION

Used to show a process is making progress/running

spinner () {
pid=$!
#Store the background process id in a temp file to use in err_handler
echo $(jobs -p) > "${VAR_FILE}"

spin[0]="-"
spin[1]="\"
spin[2]="|"
spin[3]="/"

Loop while the process is still running

while kill -0 $pid 2>/dev/null
do
for i in "${spin[@]}"
do
if kill -0 $pid 2>/dev/null; then #Check that the process is running to prevent a full 4 character cycle on error
# Display the spinner in 1/4 states
echo -ne "\b\b\b${Bold}[${Green}$i${Reset}${Bold}]" >&3
sleep .5 # time between each state
else #process has ended, stop next loop from finishing iteration
break
fi
done
done

Check if background process failed once complete

if wait $pid; then # Exit 0
echo -ne "\b\b\b${Bold}[${Green}-done-${Reset}${Bold}]" >&3
else # Any other exit
false
fi

#Set background process id value to -1 representing no background process running to err_handler
echo "-1" > "${VAR_FILE}"

tput sgr0 >&3
}

SPECIAL ECHO FUNCTION

This allows echo to log and stdout (now fd3) while sending all else to log by default via exec

s_echo () {

Use first arg $1 to determine if echo skips a line (yes/no)

Second arg $2 is the message

case $1 in
# No preceeding blank line
[Nn])
echo -ne "\n${2}" | tee -a /dev/fd/3
echo # add new line after in log only
;;
# Preceeding blank line
[Yy]|*)
echo -ne "\n\n${2}" | tee -a /dev/fd/3
echo # add new line after in log only
;;
esac
}

Used to force all stdout and stderr to the log file

s_echo function will be used when echo needs to be displayed and logged

exec &> "${logfile}"

ERROR HANDLER FUNCTION

Called by trap to display/log error info and exit script

err_handler () {
EXITCODE=$?

#Read values from temp file used to store cross process values
F_BG=$(sed -n 1p "${VAR_FILE}")

Check if the temp variable file is greater than 1 line of text

if [ $(wc -l < "${VAR_FILE}") -gt 1 ]; then
# If so, set variable according to value of the 2nd line in the file.
H_ERR=$(sed -n 2p "${VAR_FILE}")
else # Otherwise, set to false, error was not triggered previously
H_ERR=false
fi

#Check this is the first time the err_handler has triggered
if [ $H_ERR = false ]; then
#Check if error occured with a background process running
if [ $F_BG -gt 0 ]; then
echo -ne "\b\b\b${Bold}[${Red}-FAILED-${Reset}${Bold}]" >&3
fi

FAILED_COMMAND=$(eval echo "$BASH_COMMAND") # Used to expand the variables in the command returned by BASH_COMMAND
s_echo "y" "${Reset}${Red}%%% ${Reset}${Bold}ERROR (Script Failed) | Line${Reset} ${BASH_LINENO[0]} ${Bold}| Command:${Reset} ${FAILED_COMMAND} ${Bold}| Exit code:${Reset} ${EXITCODE} ${Red}%%%${Reset}\n\n"

#Flag as trap having been run already skipping double error messages
echo "true" >> "${VAR_FILE}"

fi

Log cleanup to remove escape sequences caused by tput for formatting text

sed -i 's/\x1b[[0-9;]*m|\x1b[(]B\x1b[m//g' ${logfile}

tput sgr0 >&3
exit $EXITCODE
}

CHECK INSTALLED PACKAGE FUNCTION

Query rpm for package without triggering trap when not found

chk_installed () {
if rpm -q "$@"; then
RETVAL=$?
else
RETVAL=$?
fi
}

CHECK REPO ENABLED FUNCTION

Query repos files to view if repo is enabled trigger trap when not enabled

chk_repo_enabled () {
if grep -q "$@"; then
RETVAL=$?
else
RETVAL=$?
fi
}

ERROR TRAP

Trap to call error function to display and log error details

trap err_handler ERR SIGINT SIGQUIT

######################################################################

INSTALLATION

######################################################################

REPOS INSTALLATION

reposinstall () {
s_echo "n" "${Bold} ----==== INSTALLING GUACAMOLE ${GUAC_SOURCE} ${GUAC_VER} ====----"
s_echo "y" "Installing Repos and mandatory software"

Install wget

chk_installed "wget"

if [ $RETVAL -eq 0 ]; then
s_echo "n" "${Reset}-WGET is installed."
else
{ yum -y install wget; } &
s_echo "n" "${Reset}-WGET is missing. Installing... "; spinner
fi

Install make

chk_installed "make"

if [ $RETVAL -eq 0 ]; then
s_echo "n" "${Reset}-MAKE is installed."
else
{ yum -y install make; } &
s_echo "n" "${Reset}-MAKE is missing. Installing... "; spinner
fi

Install EPEL Repo

chk_installed "epel-release"
if [ $RETVAL -eq 0 ]; then
s_echo "n" "${Reset}-EPEL is installed."
else
{ rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-${MAJOR_VER}.noarch.rpm; } &
s_echo "n" "${Reset}-EPEL is missing. Installing... "; spinner
fi

Install RPMFusion Repo

chk_installed "rpmfusion-free-release"

if [ $RETVAL -eq 0 ]; then
s_echo "n" "-RPMFusion is installed."
else
{ rpm -Uvh https://download1.rpmfusion.org/free/el/rpmfusion-free-release-${MAJOR_VER}.noarch.rpm; } &
s_echo "n" "-RPMFusion is missing. Installing... "; spinner
fi

Install RPMFusion nonfree Repo

chk_installed "rpmfusion-nonfree-release"

if [ $RETVAL -eq 0 ]; then
s_echo "n" "-RPMFusion nonfree is installed."
else
{ rpm -Uvh https://download1.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-${MAJOR_VER}.noarch.rpm; } &
s_echo "n" "-RPMFusion is missing. Installing... "; spinner
fi

Install harbottle.gitlab Repo neede for tomcat9

chk_installed "harbottle-main-release"

if [ $RETVAL -eq 0 ]; then
s_echo "n" "-harbottle is installed."
else
{ rpm -Uvh https://harbottle.gitlab.io/harbottle-main/${MAJOR_VER}/x86_64/harbottle-main-release.rpm; } &
s_echo "n" "-harbottle is missing. Installing... "; spinner
fi

Check if powertool repo is enabled

chk_repo_enabled "enabled=1" /etc/yum.repos.d/almalinux-powertools.repo
if [ $RETVAL -eq 0 ]; then
s_echo "n" "-Powertools enabled."
else
{ dnf config-manager --enable powertools; } &
s_echo "n" "-PowerTools was not enabled, enabled "; spinner
fi

Install Nginx Repo

{ echo "[nginx-stable]
name=Nginx Stable Repo
baseurl=${NGINX_URL}
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true" > /etc/yum.repos.d/nginx.repo; } &
s_echo "n" "${Reset}-Installing Nginx repo... "; spinner

Install libjpeg-turbo Repo

{
yum install -y wget
wget ${LIBJPEG_REPO} -P /etc/yum.repos.d/

# Exclude beta releases
sed -i "s/exclude.*/${LIBJPEG_EXCLUDE}/g" /etc/yum.repos.d/libjpeg-turbo.repo

} &
s_echo "n" "-Installing libjpeg-turbo repo... "; spinner

Enable repos needed if using RHEL

if [ $OS_NAME == "RHEL" ] ; then
{ subscription-manager repos --enable "rhel--optional-rpms" --enable "rhel--extras-rpms"; } &
s_echo "n" "-Enabling ${OS_NAME} optional and extras repos... "; spinner
fi

yumupdate
}

YUM UPDATES

yumupdate () {

Update OS/packages

{ yum update -y; } &
s_echo "y" "${Bold}Updating ${OS_NAME}, please wait... "; spinner

baseinstall
}

INSTALL BASE PACKAGES

baseinstall () {
s_echo "y" "${Bold}Installing Required Dependencies"

Install Required Packages

{
yum install -y cairo-devel ffmpeg-devel freerdp-devel freerdp-plugins gcc gnu-free-mono-fonts make libjpeg-turbo-devel libjpeg-turbo-official libpng-devel libssh2-devel libtelnet-devel libvncserver-devel libvorbis-devel libwebp-devel libwebsockets-devel mariadb mariadb-server nginx openssl-devel pango-devel policycoreutils-python-utils pulseaudio-libs-devel setroubleshoot ${TOMCAT_VER} uuid-devel
} &
s_echo "n" "${Reset}-Installing required packages... "; spinner

Additional packages required by git

if [ $GUAC_SOURCE == "Git" ]; then
{ yum install -y git libtool java-1.8.0-openjdk-devel; } &
s_echo "n" "-Installing packages required for git... "; spinner

#Install Maven
cd /opt
{
	wget ${MAVEN_URL}${MAVEN_BIN}
	tar -xvzf ${MAVEN_BIN}
	ln -s ${MAVEN_FN} maven
	rm -rf /opt/${MAVEN_BIN}
} &
s_echo "n" "-Installing Apache Maven for git...    "; spinner
export PATH=/opt/maven/bin:${PATH}
cd ~

fi

createdirs
}

CREATE DIRECTORIES

createdirs () {
{
rm -fr ${INSTALL_DIR}
mkdir -vp /etc/guacamole
mkdir -vp ${INSTALL_DIR}{client,selinux}
mkdir -vp ${LIB_DIR}{extensions,lib}
mkdir -vp /usr/share/${TOMCAT_VER}/.guacamole/
} &
s_echo "y" "${Bold}Creating Required Directories... "; spinner

cd ${INSTALL_DIR}

downloadguac
}

DOWNLOAD GUACAMOLE

downloadguac () {
s_echo "y" "${Bold}Downloading Guacamole Packages"

# MySQL Connector
downloadmysqlconn () {
	{ wget ${MYSQL_CON_URL}${MYSQL_CON}.tar.gz; } &
	s_echo "n" "-Downloading MySQL Connector package for installation...    "; spinner
}

if [ $GUAC_SOURCE == "Git" ]; then
{ git clone ${GUAC_URL}${GUAC_SERVER}; } &
s_echo "n" "${Reset}-Cloning Guacamole Server package from git... "; spinner
{ git clone ${GUAC_URL}${GUAC_CLIENT}; } &
s_echo "n" "-Cloning Guacamole Client package from git... "; spinner
downloadmysqlconn
else # Stable release
{ wget "${GUAC_URL}source/${GUAC_SERVER}.tar.gz" -O ${GUAC_SERVER}.tar.gz; } &
s_echo "n" "${Reset}-Downloading Guacamole Server package for installation... "; spinner
{ wget "${GUAC_URL}binary/${GUAC_CLIENT}.war" -O ${INSTALL_DIR}client/guacamole.war; } &
s_echo "n" "-Downloading Guacamole Client package for installation... "; spinner
{ wget "${GUAC_URL}binary/${GUAC_JDBC}.tar.gz" -O ${GUAC_JDBC}.tar.gz; } &
s_echo "n" "-Downloading Guacamole JDBC Extension package for installation... "; spinner
downloadmysqlconn

# Decompress Guacamole Packages
s_echo "y" "${Bold}Decompressing Guacamole Packages"

{
	tar xzvf ${GUAC_SERVER}.tar.gz
	rm -f ${GUAC_SERVER}.tar.gz
	mv -v ${GUAC_SERVER} server
} &
s_echo "n" "${Reset}-Decompressing Guacamole Server source...    "; spinner

{
	tar xzvf ${GUAC_JDBC}.tar.gz
	rm -f ${GUAC_JDBC}.tar.gz
	mv -v ${GUAC_JDBC} extension
	mv -v extension/mysql/guacamole-auth-jdbc-mysql-${GUAC_VER}.jar ${LIB_DIR}extensions/
} &
s_echo "n" "-Decompressing Guacamole JDBC extension...    "; spinner

fi

{
tar xzvf ${MYSQL_CON}.tar.gz
rm -f ${MYSQL_CON}.tar.gz
mv -v ${MYSQL_CON}/${MYSQL_CON}.jar ${LIB_DIR}lib/
} &
s_echo "n" "-Decompressing MySQL Connector... "; spinner

installguacserver
}

INSTALL GUACAMOLE SERVER

installguacserver () {
s_echo "y" "${Bold}Install Guacamole Server"

if [ $GUAC_SOURCE == "Git" ]; then
cd guacamole-server/
{ autoreconf -fi; } &
s_echo "n" "${Reset}-Guacamole Server compile prep... "; spinner
else # Stable release
cd server
fi

Compile Guacamole Server

{ ./configure --with-systemd-dir=/usr/lib/systemd/system/; } &
s_echo "n" "${Reset}-Compiling Guacamole Server Stage 1 of 4... "; spinner
{ make; } &
s_echo "n" "-Compiling Guacamole Server Stage 2 of 4... "; spinner
{ make install; } &
s_echo "n" "-Compiling Guacamole Server Stage 3 of 4... "; spinner
{ ldconfig; } &
s_echo "n" "-Compiling Guacamole Server Stage 4 of 4... "; spinner
cd ..

installguacclient
}

INSTALL GUACAMOLE CLIENT

installguacclient () {
s_echo "y" "${Bold}Install Guacamole Client"

if [ $GUAC_SOURCE == "Git" ]; then
cd guacamole-client/
{ mvn package; } &
s_echo "n" "${Reset}-Compiling Guacamole Client... "; spinner

{ mv -v guacamole/target/guacamole-${GUAC_VER}.war ${LIB_DIR}guacamole.war; } &
s_echo "n" "-Moving Guacamole Client...    "; spinner
cd ..

else # Stable release
{ mv -v client/guacamole.war ${LIB_DIR}guacamole.war; } &
s_echo "n" "${Reset}-Moving Guacamole Client... "; spinner
fi

finishguac
}

FINALIZE GUACAMOLE INSTALLATION

finishguac () {
s_echo "y" "${Bold}Setup Guacamole"

Generate Guacamole Configuration File

{ echo "# Hostname and port of guacamole proxy
guacd-hostname: localhost
guacd-port: ${GUAC_PORT}

MySQL properties

mysql-hostname: localhost
mysql-port: ${MYSQL_PORT}
mysql-database: ${DB_NAME}
mysql-username: ${DB_USER}
mysql-password: ${DB_PASSWD}
mysql-default-max-connections-per-user: 0
mysql-default-max-group-connections-per-user: 0" > /etc/guacamole/${GUAC_CONF}; } &
s_echo "n" "${Reset}-Generating Guacamole configuration file... "; spinner

Create Required Symlinks for Guacamole

{
ln -vfs ${LIB_DIR}guacamole.war /var/lib/${TOMCAT_VER}/webapps
ln -vfs /etc/guacamole/${GUAC_CONF} /usr/share/${TOMCAT_VER}/.guacamole/
ln -vfs ${LIB_DIR}lib/ /usr/share/${TOMCAT_VER}/.guacamole/
ln -vfs ${LIB_DIR}extensions/ /usr/share/${TOMCAT_VER}/.guacamole/
ln -vfs /usr/local/lib/freerdp/guac* /usr/lib${ARCH}/freerdp
} &
s_echo "n" "-Making required symlinks... "; spinner

Copy JDBC if using git

if [ $GUAC_SOURCE == "Git" ]; then
# Get JDBC from compiled client
{ find ./guacamole-client/extensions -name "guacamole-auth-jdbc-mysql-${GUAC_VER}.jar" -exec mv -v {} ${LIB_DIR}extensions/ ;; } &
s_echo "n" "-Moving Guacamole JDBC extension to extensions dir... "; spinner
fi

Setup guacd user, group and permissions

{
# Create a user and group for guacd with a home folder but no login
groupadd ${GUACD_USER}
# The guacd user is created as a service account, no login but does get a home dir as needed by freerdp
useradd -r ${GUACD_USER} -m -s "/bin/nologin" -g ${GUACD_USER} -c ${GUACD_USER}

# Set the user that runs the guacd service
sed -i "s/User=daemon/User=${GUACD_USER}/g" /usr/lib/systemd/system/guacd.service

} &
s_echo "n" "-Setup guacd user... "; spinner

appconfigs
}

DATABASE/TOMCAT/JKS SETUP

appconfigs () {
s_echo "y" "${Bold}Configure MariaDB"

Enable/Start MariaDB/MySQL Service

{
systemctl enable mariadb.service
systemctl restart mariadb.service
} &
s_echo "n" "${Reset}-Enable & start MariaDB service... "; spinner

Set MariaDB/MySQL Root Password

{ mysqladmin -u root password ${MYSQL_PASSWD}; } &
s_echo "n" "-Setting root password for MariaDB... "; spinner

Run MariaDB/MySQL Secure Install

{
mysql_secure_installation <<EOF
${MYSQL_PASSWD}
n
y
y
y
y
EOF
} &
s_echo "n" "-Harden MariaDB... "; spinner

Create Database and user

{
mysql -u root -p${MYSQL_PASSWD} -e "CREATE DATABASE ${DB_NAME};"
mysql -u root -p${MYSQL_PASSWD} -e "GRANT SELECT,INSERT,UPDATE,DELETE ON ${DB_NAME}.* TO '${DB_USER}'@'localhost' IDENTIFIED BY '${DB_PASSWD}';"
mysql -u root -p${MYSQL_PASSWD} -e "FLUSH PRIVILEGES;"
} &
s_echo "n" "-Creating Database & User for Guacamole... "; spinner

Create Guacamole Table

{
if [ $GUAC_SOURCE == "Git" ]; then
cat guacamole-client/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/schema/.sql | mysql -u root -p${MYSQL_PASSWD} -D ${DB_NAME}
else # Stable release
cat extension/mysql/schema/.sql | mysql -u root -p${MYSQL_PASSWD} -D ${DB_NAME}
fi
} &
s_echo "n" "-Creating Guacamole Tables... "; spinner

Populate mysql database with time zones from system

Fixes timezone issues when using MySQLConnectorJ 8.x or geater

{
mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root mysql -p${MYSQL_PASSWD}
MY_CNF_LINE=grep -n "\[mysqld\]" /etc/my.cnf.d/mariadb-server.cnf | grep -o '^[0-9]*'
# MY_CNF_LINE=grep -n "\[mysqld\]" /etc/my.cnf | grep -o '^[0-9]*'
MY_CNF_LINE=$((MY_CNF_LINE + 1 ))
MY_TZ=readlink /etc/localtime | sed "s/.*\/usr\/share\/zoneinfo\///"
sed -i "${MY_CNF_LINE}i default-time-zone='${MY_TZ}'" /etc/my.cnf.d/mariadb-server.cnf
systemctl restart mariadb
} &
s_echo "n" "-Setting Time Zone Database & Config... "; spinner

Setup Tomcat

s_echo "y" "${Bold}Setup Tomcat Server"

{
sed -i '72i URIEncoding="UTF-8"' /etc/${TOMCAT_VER}/server.xml
sed -i '92i <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/var/lib/${TOMCAT_VER}/webapps/.keystore"
keystorePass="JKS_GUAC_PASSWD"
URIEncoding="UTF-8" />' /etc/${TOMCAT_VER}/server.xml
sed -i "s/JKS_GUAC_PASSWD/${JKS_GUAC_PASSWD}/g" /etc/${TOMCAT_VER}/server.xml
} &
s_echo "n" "${Reset}-Base Tomcat configuration... "; spinner

{

Tomcat RemoteIpValve (to pass remote host IP's from proxy to tomcat. Allows Guacamole to log remote host IPs)

sed -i '/<\/Host>/i\<Valve className="org.apache.catalina.valves.RemoteIpValve" \
						internalProxies="GUAC_SERVER_IP" \
						remoteIpHeader="x-forwarded-for" \
						remoteIpProxiesHeader="x-forwarded-by" \
						protocolHeader="x-forwarded-proto" />' /etc/${TOMCAT_VER}/server.xml

sed -i "s/GUAC_SERVER_IP/${GUAC_LAN_IP}/g" /etc/${TOMCAT_VER}/server.xml

} &
s_echo "n" "-Set RemoteIpValve in Tomcat configuration... "; spinner

{

Add ErrorReportingValve to prevent displaying tomcat info on error pages

sed -i '/<\/Host>/i\<Valve className="org.apache.catalina.valves.ErrorReportValve" \
						showReport="false" \
						showServerInfo="false"/>' /etc/${TOMCAT_VER}/server.xml

} &
s_echo "n" "-Set ErrorReportingVavle in ${TOMCAT_VER}n... "; spinner

Java KeyStore Setup

{ keytool -genkey -alias Guacamole -keyalg RSA -keysize ${JKSTORE_KEY_SIZE} -keystore /var/lib/${TOMCAT_VER}/webapps/.keystore -storepass ${JKS_GUAC_PASSWD} -keypass ${JKS_GUAC_PASSWD} -noprompt -dname "CN='', OU='', O='', L='', S='', C=''"; } &
s_echo "y" "${Bold}Configuring the Java KeyStore... "; spinner

Enable/Start Tomcat and Guacamole Services

{
systemctl enable ${TOMCAT_VER}
systemctl restart ${TOMCAT_VER}
systemctl enable guacd
systemctl restart guacd
} &
s_echo "y" "${Bold}Enable & Start Tomcat and Guacamole Services... "; spinner

nginxcfg
}

NGINX CONFIGURATION

nginxcfg () {
s_echo "y" "${Bold}Nginx Configuration"

Backup Nginx Configuration

{ mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.ori.bkp; } &
s_echo "n" "${Reset}-Making Nginx config backup... "; spinner

HTTP Nginx Conf

{ echo "server {
listen 80;
listen [::]:80;
server_name ${DOMAIN_NAME};
return 301 https://$host$request_uri;

location ${GUAC_URIPATH} {
proxy_pass http://${GUAC_LAN_IP}:8080/guacamole/;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection \$http_connection;
proxy_cookie_path /guacamole/ ${GUAC_URIPATH};
access_log off;
}

}" > /etc/nginx/conf.d/guacamole.conf
} &
s_echo "n" "${Reset}-Generate Nginx guacamole.config... "; spinner

HTTPS/SSL Nginx Conf

{
echo "server {
#listen 443 ssl http2 default_server;
#listen [::]:443 ssl http2 default_server;
server_name ${DOMAIN_NAME};
server_tokens off;
#ssl_certificate guacamole.crt;
#ssl_certificate_key guacamole.key; " > /etc/nginx/conf.d/guacamole_ssl.conf

# If OCSP Stapling was selected add lines
if [ $OCSP_USE = true ]; then
	if [[ -r /etc/resolv.conf ]]; then
            NAME_SERVERS=$(awk '/^nameserver/{print $2}' /etc/resolv.conf | xargs)
        fi
	    
	if [[ -z $NAME_SERVERS ]]; then
	    NAME_SERVERS=$NAME_SERVERS_DEF
	fi
	
	echo "	#ssl_trusted_certificate guacamole.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver ${NAME_SERVERS} valid=30s;
	resolver_timeout 30s;" >> /etc/nginx/conf.d/guacamole_ssl.conf
fi

# If using >= 256-bit ciphers
if [ $NGINX_SEC = true ]; then
	echo "	ssl_ciphers 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384';" >> /etc/nginx/conf.d/guacamole_ssl.conf
else
	echo "	ssl_ciphers 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256';" >> /etc/nginx/conf.d/guacamole_ssl.conf
fi

# Rest of HTTPS/SSL Nginx Conf
echo "	ssl_protocols TLSv1.3 TLSv1.2;
	ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 1d;
	ssl_session_tickets off;
	add_header Referrer-Policy \"no-referrer\";
	add_header Strict-Transport-Security \"max-age=15768000; includeSubDomains\" always;" >> /etc/nginx/conf.d/guacamole_ssl.conf
	
# If CSP was enabled, add line, otherwise add but comment out (to allow easily manual toggle of the feature)
if [ $USE_CSP = true ]; then
	echo "	add_header Content-Security-Policy \"default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src 'self' wss://${DOMAIN_NAME}; object-src 'self'; frame-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'self';\" always;" >> /etc/nginx/conf.d/guacamole_ssl.conf
else
	echo "	#add_header Content-Security-Policy \"default-src 'none'; script-src 'self' 'unsafe-eval'; connect-src 'self' wss://${DOMAIN_NAME}; object-src 'self'; frame-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'self';\" always;" >> /etc/nginx/conf.d/guacamole_ssl.conf
fi

echo "	add_header X-Frame-Options \"SAMEORIGIN\" always;
	add_header X-Content-Type-Options \"nosniff\" always;
	add_header X-XSS-Protection \"1; mode=block\" always;
	proxy_hide_header Server;
	proxy_hide_header X-Powered-By;
	client_body_timeout 10;
	client_header_timeout 10;

	location ${GUAC_URIPATH} {
	proxy_pass http://${GUAC_LAN_IP}:8080/guacamole/;
	proxy_buffering off;
	proxy_http_version 1.1;
	proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
	proxy_set_header Upgrade \$http_upgrade;
	proxy_set_header Connection \$http_connection;
	proxy_cookie_path /guacamole/ \"${GUAC_URIPATH}; HTTPOnly; Secure; SameSite\";
	access_log /var/log/nginx/guac_access.log;
	error_log /var/log/nginx/guac_error.log;
	}
}" >> /etc/nginx/conf.d/guacamole_ssl.conf

} &
s_echo "n" "-Generate Nginx guacamole_ssl.config... "; spinner

Nginx CIS hardening v1.0.0

{
# 2.3.2 Restrict access to Nginx files
find /etc/nginx -type d | xargs chmod 750
find /etc/nginx -type f | xargs chmod 640

# 2.4.3 & 2.4.4 set keepalive_timeout and send_timeout to 1-10 seconds, default 65/60.
sed -i '/keepalive_timeout/c\keepalive_timeout 10\;' /etc/nginx/nginx.conf
# sed -i '/send_timeout/c\send_timeout 10\;' /etc/nginx/nginx.conf

# 2.5.2 Reoving mentions of Nginx from index and error pages
! read -r -d '' BLANK_HTML <<"EOF"

EOF

echo "${BLANK_HTML}" > /usr/share/nginx/html/index.html
echo "${BLANK_HTML}" > /usr/share/nginx/html/50x.html

# 3.4 Ensure logs are rotated (may set this as a user defined parameter)
sed -i "s/daily/weekly/" /etc/logrotate.d/nginx
sed -i "s/rotate 52/rotate 13/" /etc/logrotate.d/nginx

} &
s_echo "n" "-Hardening Nginx config... "; spinner

Enable/Start Nginx Service

{
systemctl enable nginx
systemctl restart nginx
} &
s_echo "n" "-Enable & Start Nginx Service... "; spinner

Call each Guac extension function for those selected

if [ $INSTALL_LDAP = true ]; then ldapsetup; fi
if [ $INSTALL_TOTP = true ]; then totpsetup; fi
if [ $INSTALL_DUO = true ]; then duosetup; fi
if [ $INSTALL_RADIUS = true ]; then radiussetup; fi
if [ $INSTALL_CAS = true ]; then cassetup; fi
if [ $INSTALL_OPENID = true ]; then openidsetup; fi
if [ $INSTALL_CUST_EXT = true ]; then custsetup; fi

selinuxsettings
}

LDAP SETUP

ldapsetup () {
s_echo "y" "${Bold}Setup the LDAP Extension"

Append LDAP configuration lines to guacamole.properties

{ echo "

LDAP properties

ldap-hostname: ${LDAP_HOSTNAME}
ldap-port: ${LDAP_PORT}" >> /etc/guacamole/${GUAC_CONF}; } &
s_echo "n" "${Reset}-Updating guacamole.properties file for LDAP... "; spinner

LDAPS specific properties

if [ $SECURE_LDAP = true ]; then
{
KS_PATH=$(find "/usr/lib/jvm/" -name "cacerts")
keytool -storepasswd -new ${JKS_CACERT_PASSWD} -keystore ${KS_PATH} -storepass "changeit"
keytool -importcert -alias "ldaps" -keystore ${KS_PATH} -storepass ${JKS_CACERT_PASSWD} -file ${LDAPS_CERT_FULL} -noprompt

	echo "ldap-encryption-method: ssl" >> /etc/guacamole/${GUAC_CONF}
} &
s_echo "n" "-Updating guacamole.properties file for LDAPS...    "; spinner

fi

Finish appending general LDAP configuration lines to guacamole.properties

{ echo "ldap-user-base-dn: ${LDAP_BASE_DN}
ldap-search-bind-dn: ${LDAP_BIND_DN}
ldap-search-bind-password: ${LDAP_BIND_PW}
ldap-username-attribute: ${LDAP_UNAME_ATTR}
ldap-user-search-filter: ${LDAP_SEARCH_FILTER}
mysql-auto-create-accounts: true" >> /etc/guacamole/${GUAC_CONF}; } &
s_echo "n" "-Finishing updates to the guacamole.properties file for LDAP... "; spinner

if [ $GUAC_SOURCE == "Git" ]; then
# Copy LDAP Extension to Extensions Directory
{ find ./guacamole-client/extensions -name "${GUAC_LDAP}.jar" -exec mv -v {} ${LIB_DIR}extensions/ ;; } &
s_echo "n" "-Moving Guacamole LDAP extension to extensions dir... "; spinner
else # Stable release
# Download LDAP Extension
{ wget "${GUAC_URL}binary/${GUAC_LDAP}.tar.gz" -O ${GUAC_LDAP}.tar.gz; } &
s_echo "n" "-Downloading LDAP extension... "; spinner

# Decompress LDAP Extension
{
	tar xzvf ${GUAC_LDAP}.tar.gz 
	rm -f ${GUAC_LDAP}.tar.gz
	mv ${GUAC_LDAP} extension
} &
s_echo "n" "-Decompressing Guacamole LDAP Extension...    "; spinner

# Copy LDAP Extension to Extensions Directory
{ mv -v extension/${GUAC_LDAP}/${GUAC_LDAP}.jar ${LIB_DIR}extensions/; } &
s_echo "n" "-Moving Guacamole LDAP extension to extensions dir...    "; spinner

fi
}

TOTP SETUP

totpsetup () {
s_echo "y" "${Bold}Setup the TOTP Extension"

Append TOTP configuration lines to guacamole.properties

{ echo "

TOTP properties

totp-issuer: ${TOTP_ISSUER}
totp-digits: ${TOTP_DIGITS}
totp-period: ${TOTP_PER}
totp-mode: ${TOTP_MODE}" >> /etc/guacamole/${GUAC_CONF}; } &
s_echo "n" "${Reset}-Updating guacamole.properties file for TOTP... "; spinner

if [ $GUAC_SOURCE == "Git" ]; then

Copy TOTP Extension to Extensions Directory

{ find ./guacamole-client/extensions -name "${GUAC_TOTP}.jar" -exec mv -v {} ${LIB_DIR}extensions/ ;; } &
s_echo "n" "-Moving Guacamole TOTP extension to extensions dir... "; spinner
else # Stable release

Download TOTP Extension

{ wget "${GUAC_URL}binary/${GUAC_TOTP}.tar.gz" -O ${GUAC_TOTP}.tar.gz; } &
s_echo "n" "-Downloading TOTP extension... "; spinner

Decompress TOTP Extension

{
tar xzvf ${GUAC_TOTP}.tar.gz
rm -f ${GUAC_TOTP}.tar.gz
mv ${GUAC_TOTP} extension
} &
s_echo "n" "-Decompressing Guacamole TOTP Extension... "; spinner

Copy TOTP Extension to Extensions Directory

{ mv -v extension/${GUAC_TOTP}/${GUAC_TOTP}.jar ${LIB_DIR}extensions/; } &
s_echo "n" "-Moving Guacamole TOTP extension to extensions dir... "; spinner
fi
}

DUO SETUP

duosetup () {
# Placehold until extension is added
echo "duosetup"
}

RADIUS SETUP

radiussetup () {
# Placehold until extension is added
echo "radiussetup"
}

CAS SETUP

cassetup () {
# Placehold until extension is added
echo "cassetup"
}

OpenID SETUP

openidsetup () {
# Placehold until extension is added
echo "openidsetup"
}

CUSTOM EXTENSION SETUP

custsetup () {

Copy Custom Extension to Extensions Directory

{ mv -v ${CUST_FULL} ${LIB_DIR}extensions/; } &
s_echo "y" "${Bold}Copying Custom Guacamole Extension to Extensions Dir... "; spinner
}

SELINUX SETTINGS

selinuxsettings () {
{
# Set Booleans
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_relay 1
setsebool -P tomcat_can_network_connect_db 1

# Guacamole Client Context
semanage fcontext -a -t tomcat_exec_t "${LIB_DIR}guacamole.war"
restorecon -v "${LIB_DIR}guacamole.war"

# Guacamole JDBC Extension Context
semanage fcontext -a -t tomcat_exec_t "${LIB_DIR}extensions/guacamole-auth-jdbc-mysql-${GUAC_VER}.jar"
restorecon -v "${LIB_DIR}extensions/guacamole-auth-jdbc-mysql-${GUAC_VER}.jar"

# MySQL Connector Extension Context
semanage fcontext -a -t tomcat_exec_t "${LIB_DIR}lib/${MYSQL_CON}.jar"
restorecon -v "${LIB_DIR}lib/${MYSQL_CON}.jar"

# Guacamole LDAP Extension Context (If selected)
if [ $INSTALL_LDAP = true ]; then
	semanage fcontext -a -t tomcat_exec_t "${LIB_DIR}extensions/${GUAC_LDAP}.jar"
	restorecon -v "${LIB_DIR}extensions/${GUAC_LDAP}.jar"
fi

# Guacamole TOTP Extension Context (If selected)
if [ $INSTALL_TOTP = true ]; then
	# Placehold until extension is added
	# echo "totp true"
	semanage fcontext -a -t tomcat_exec_t "${LIB_DIR}extensions/${GUAC_TOTP}.jar"
	restorecon -v "${LIB_DIR}extensions/${GUAC_TOTP}.jar"
fi

# Guacamole Duo Extension Context (If selected)
if [ $INSTALL_DUO = true ]; then
	# Placehold until extension is added
	echo "duo true"
	#semanage fcontext -a -t tomcat_exec_t "${LIB_DIR}extensions/${GUAC_LDAP}.jar"
	#restorecon -v "${LIB_DIR}extensions/${GUAC_LDAP}.jar"
fi

# Guacamole RADIUS Extension Context (If selected)
if [ $INSTALL_RADIUS = true ]; then
	# Placehold until extension is added
	echo "radius true"
	#semanage fcontext -a -t tomcat_exec_t "${LIB_DIR}extensions/${GUAC_LDAP}.jar"
	#restorecon -v "${LIB_DIR}extensions/${GUAC_LDAP}.jar"
fi

# Guacamole CAS Extension Context (If selected)
if [ $INSTALL_CAS = true ]; then
	# Placehold until extension is added
	echo "cas true"
	#semanage fcontext -a -t tomcat_exec_t "${LIB_DIR}extensions/${GUAC_LDAP}.jar"
	#restorecon -v "${LIB_DIR}extensions/${GUAC_LDAP}.jar"
fi

# Guacamole OpenID Extension Context (If selected)
if [ $INSTALL_OPENID = true ]; then
	# Placehold until extension is added
	echo "openid true"
	#semanage fcontext -a -t tomcat_exec_t "${LIB_DIR}extensions/${GUAC_LDAP}.jar"
	#restorecon -v "${LIB_DIR}extensions/${GUAC_LDAP}.jar"
fi

# Guacamole Custom Extension Context (If selected)
if [ $INSTALL_CUST_EXT = true ]; then
	semanage fcontext -a -t tomcat_exec_t "${LIB_DIR}extensions/${CUST_FN}"
	restorecon -v "${LIB_DIR}extensions/${CUST_FN}"
fi

} &

s_echo "y" "${Bold}Setting SELinux Context... "; spinner

Log SEL status

sestatus

firewallsettings
}

FIREWALL SETTINGS

firewallsettings () {
s_echo "y" "${Bold}Firewall Configuration"

chk_installed "firewalld"

Ensure firewalld is enabled and started

{
if [ $RETVAL -eq 0 ]; then
systemctl enable firewalld
systemctl restart firewalld
fi
} &
s_echo "n" "${Reset}-firewalld is installed and started on the system... "; spinner

Backup firewall public zone config

{ cp /etc/firewalld/zones/public.xml $fwbkpfile; } &
s_echo "n" "-Backing up firewall public zone to: $fwbkpfile "; spinner

Open HTTP and HTTPS ports

{
echo -e "Add new rule...\nfirewall-cmd --permanent --zone=public --add-service=http"
firewall-cmd --permanent --zone=public --add-service=http
echo -e "Add new rule...\nfirewall-cmd --permanent --zone=public --add-service=https"
firewall-cmd --permanent --zone=public --add-service=https
} &
s_echo "n" "-Opening HTTP and HTTPS service ports... "; spinner

Open 8080 and 8443 ports. Need to review if this is required or not

{
echo -e "Add new rule...\nfirewall-cmd --permanent --zone=public --add-port=8080/tcp"
firewall-cmd --permanent --zone=public --add-port=8080/tcp
echo -e "Add new rule...\nfirewall-cmd --permanent --zone=public --add-port=8443/tcp"
firewall-cmd --permanent --zone=public --add-port=8443/tcp
} &
s_echo "n" "-Opening ports 8080 and 8443 on TCP... "; spinner

#echo -e "Reload firewall...\nfirewall-cmd --reload\n"
{ firewall-cmd --reload; } &
s_echo "n" "-Reloading firewall... "; spinner

sslcerts
}

SSL CERTIFICATE

sslcerts () {
s_echo "y" "${Bold}SSL Certificate Configuration"

if [ $SSL_CERT_TYPE != "None" ]; then
# Lets Encrypt Setup (If selected)
if [ $SSL_CERT_TYPE = "LetsEncrypt" ]; then
# Install certbot from repo
{ yum install -y certbot python2-certbot-nginx; } &
s_echo "n" "${Reset}-Downloading certboot tool... "; spinner

	# OCSP
	{
		if [ $OCSP_USE = true ]; then
			certbot certonly --nginx --must-staple -n --agree-tos --rsa-key-size ${LE_KEY_SIZE} -m "${EMAIL_NAME}" -d "${DOMAIN_NAME}"
		else # Generate without OCSP --must-staple
			certbot certonly --nginx -n --agree-tos --rsa-key-size ${LE_KEY_SIZE} -m "${EMAIL_NAME}" -d "${DOMAIN_NAME}"
		fi
	} &
	s_echo "n" "-Generating a ${SSL_CERT_TYPE} SSL Certificate...    "; spinner

	# Symlink Lets Encrypt certs so renewal does not break Nginx
	{
		ln -vs "/etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem" /etc/nginx/guacamole.crt
		ln -vs "/etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem" /etc/nginx/guacamole.key
		ln -vs "/etc/letsencrypt/live/${DOMAIN_NAME}/chain.pem" /etc/nginx/guacamole.pem
	} &
	s_echo "n" "-Creating symlinks to ${SSL_CERT_TYPE} SSL certificates...    "; spinner

	# Setup automatic cert renewal
	{
		systemctl enable certbot-renew.service
		systemctl enable certbot-renew.timer
		systemctl list-timers --all | grep certbot
	} &
	s_echo "n" "-Setup automatic ${SSL_CERT_TYPE} SSL certificate renewals...    "; spinner

else # Use a Self-Signed Cert
	{ openssl req -x509 -sha512 -nodes -days 365 -newkey rsa:${SSL_KEY_SIZE} -keyout /etc/nginx/guacamole.key -out /etc/nginx/guacamole.crt -subj "/C=''/ST=''/L=''/O=''/OU=''/CN=''"; } &
	s_echo "n" "${Reset}-Generating ${SSL_CERT_TYPE} SSL Certificate...    "; spinner
fi

# Nginx CIS v1.0.0 - 4.1.3 ensure private key permissions are restricted
{
	ls -l /etc/nginx/guacamole.key
	chmod 400 /etc/nginx/guacamole.key
} &
s_echo "n" "${Reset}-Changing permissions on SSL private key...    "; spinner

{
	# Uncomment listen lines from Nginx guacamole_ssl.conf (fixes issue introduced by Nginx 1.16.0)
	sed -i 's/#\(listen.*443.*\)/\1/' /etc/nginx/conf.d/guacamole_ssl.conf
	# Uncomment cert lines from Nginx guacamole_ssl.conf
	sed -i 's/#\(.*ssl_.*certificate.*\)/\1/' /etc/nginx/conf.d/guacamole_ssl.conf
} &
s_echo "n" "${Reset}-Enabling SSL certificate in guacamole_ssl.conf...    "; spinner

HTTPS_ENABLED=true

else # Cert is set to None
s_echo "n" "${Reset}-No SSL Cert selected..."

# Will not force/use HTTPS without a cert, comment out redirect
{ sed -i '/\(return 301 https\)/s/^/#/' /etc/nginx/conf.d/guacamole.conf; } &
s_echo "n" "${Reset}-Update guacamole.conf to allow HTTP connections...    "; spinner

HTTPS_ENABLED=false

fi

showmessages
}

COMPLETION MESSAGES

showmessages () {
s_echo "y" "${Bold}Services"

Restart all services and log status

{
systemctl restart ${TOMCAT_VER}
systemctl status ${TOMCAT_VER}
systemctl restart guacd
systemctl status guacd
systemctl restart mariadb
systemctl status mariadb
systemctl restart nginx
systemctl status nginx

# Verify that the guacd user is running guacd
ps aux | grep ${GUACD_USER}
ps -U ${GUACD_USER}

} &
s_echo "n" "${Reset}-Restarting all services... "; spinner

Completion messages

s_echo "y" "${Bold}${Green}##### Installation Complete! #####${Reset}"

s_echo "y" "${Bold}Log Files"
s_echo "n" "${Reset}-Log file: ${logfile}"
s_echo "n" "-firewall backup file: ${fwbkpfile}"

Determine Guac server URL for web GUI

if [ ${DOMAIN_NAME} = "localhost" ]; then
GUAC_URL=${GUAC_LAN_IP}${GUAC_URIPATH}
else # Not localhost
GUAC_URL=${DOMAIN_NAME}${GUAC_URIPATH}
fi

Determine if HTTPS is used or not

if [ ${HTTPS_ENABLED} = true ]; then
HTTPS_MSG="${Reset} or ${Bold}https://${GUAC_URL}${Reset}"
else # HTTPS not used
HTTPS_MSG="${Reset}. Without a cert, HTTPS is not forced/available."
fi

Manage Guac

s_echo "y" "${Bold}To manage Guacamole"
s_echo "n" "${Reset}-go to: ${Bold}http://${GUAC_URL}${HTTPS_MSG}"
s_echo "n" "-The default username and password are: ${Red}guacadmin"

Recommendations

s_echo "y" "Important Recommendations${Reset}"

if [ $INSTALL_LDAP = false ]; then
s_echo "n" "-It is highly recommended to create an admin account in Guacamole and delete/disable the default asap!"
else
s_echo "n" "-You should assign at least one AD/LDAP user to have full admin, see the directions on how-to at:"
s_echo "n" "${Green} https://github.com/Zer0CoolX/guacamole-install-rhel-7/wiki/LDAP-or-LDAPS-Authentication#important-manual-steps${Reset}"
s_echo "n" "-Afterwards, it is highly recommended to delete/disable the default admin account and/or create a uniquely named local admin account asap!"

if [ $SECURE_LDAP = true ]; then
	s_echo "n" "-Its highly recommended to remove the LDAPS certificate file from: ${LDAPS_CERT_FULL}"
fi

fi

s_echo "y" "${Green}While not technically required, you should consider a reboot after verifying installation${Reset}"
s_echo "y" "${Bold}Contact ${Reset}${ADM_POC}${Bold} with any questions or concerns regarding this script\n"

Log cleanup to remove escape sequences caused by tput for formatting text

sed -i 's/\x1b[[0-9;]*m|\x1b[(]B\x1b[m//g' ${logfile}

tput sgr0 >&3
}

INSTALLATION EXECUTION

Runs the install if the option was selected from the summary menu

if [ ${RUN_INSTALL} = true ]; then
tput sgr0 >&3
clear >&3
reposinstall
if [ $DEL_TMP_VAR = true ]; then
rm "$VAR_FILE"
fi
exit 0
fi
`

You can see parts where i added fwe things to allow running into AlmaLinux 8
Hope it helps
Bye!