How to Deploy a Proxy For Bare Metal / Virtual Machine

This article offers the option to choose either the install script, or to use the manual steps listed below. Before you begin, check the prerequisites.

Minimum required hardware is 1 CPU and 1024 MB of RAM. If the machine is used as a proxy, then depending on the number of requests you might need to increase those resources, and you should monitor for resource exhaustion and performance.

Minimum OS supported versions:

Requirement

Requires a valid CloudGen access proxy enrollment link. See step #4 of Add Proxy to get the link.

Choose Install Script or the Manual Steps for CentOS or Ubuntu to proceed. See Troubleshooting for help.

Install Script

  • The steps below will download and execute a script obtained externally. Barracuda Networks recommends that you inspect the contents before execution.

  • The script will install and enable a chrony service for time synchronization. This is required to ensure that tokens are validated properly.

  • Download and execute the installation script:

    sudo bash -c "$(curl -fsSL https://url.access.barracuda.com/proxy-linux)"
  • This script can also be used for unattended installations:

    curl -fsSLo install-proxy-linux.sh https://url.access.barracuda.com/proxy-linux
    chmod +x install-proxy-linux.sh
    ./install-proxy-linux.sh -h

Install CloudGen Access Proxy script

Available parameters:

    Parameter    Action
    -h           Show this help
    -l string    Loglevel (debug, info, warning, error, critical), defaults to info.
    -n           Do not start services after install
    -p int       Specify public port (1-65535), required for unattended installation
    -r string    Specify Redis host to use for token cache <only required for HA architecture>
    -s int       Specify Redis port <optional>
    -t token     Specify Barracuda CloudGen Access Proxy token
    -u           Unattended install, skip requesting input <optional>

Example for unattended installation with CloudGen Access Proxy token:

Specify the CloudGen Access Proxy token inside quotes:

./install-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u

Example for unattended installation with CloudGen Access Proxy token with Redis endpoint:

Specify the CloudGen Access Proxy token inside quotes:

./install-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u -r localhost -s 6379

Example for unattended installation, skipping services start, without CloudGen Access Proxy token:

  • The token can also be obtained automatically via AWS SSM/Secrets Manager.

  • For more information, see Access Proxy Parameters.

./install-proxy-linux.sh -n -p 443 -u

CentOS/RHEL - Manual Steps

  1. Install prerequisites.

    sudo yum -y install yum-utils chrony
  2. Ensure chrony daemon is enabled on system boot and started.

    sudo systemctl enable chronyd
    sudo systemctl start chronyd
  3. Ensure time synchronization is enabled.

    sudo timedatectl set-ntp on
  4. Add CloudGen Access repository.

    sudo yum-config-manager -y --add-repo https://downloads.access.barracuda.com/fyde.repo
  5. Install Envoy Proxy.

    sudo yum -y install envoy
    sudo systemctl enable envoy
  6. Add CAP_NET_BIND_SERVICE to Envoy using a service unit override. If you configure your proxy to listen on a port below 1024, you need to grant the CAP_NET_BIND_SERVICE capability to Envoy; this can be skipped for ports 1024 and above.

    sudo mkdir -p /etc/systemd/system/envoy.service.d
    sudo bash -c "cat > /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf <<EOF
[Service]
Capabilities=CAP_NET_BIND_SERVICE+ep
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
EOF"
    sudo chmod 600 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf
  7. Reload and start Envoy Proxy.

    sudo systemctl --system daemon-reload
    sudo systemctl start envoy
  8. Install CloudGen Access Proxy Orchestrator and authz system.

    sudo yum -y install fydeproxy
    sudo systemctl enable fydeproxy
  9. Configure environment using a service unit override.

    sudo mkdir -p /etc/systemd/system/fydeproxy.service.d
    sudo bash -c "cat > /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
[Service]
Environment='FYDE_ENROLLMENT_TOKEN=<paste here your CloudGen Access Proxy enrollment link>'
Environment='FYDE_ENVOY_LISTENER_PORT=<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>'
Environment='FYDE_LOGLEVEL=info'
EOF"
    sudo chmod 600 /etc/systemd/system/fydeproxy.service.d/10-environment.conf
  10. For high availability installations, access to a Redis server is required for communication between CloudGen Access Orchestrators.

    sudo bash -c "cat >> /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
Environment='FYDE_REDIS_HOST=<specify redis host ip or dns>'
Environment='FYDE_REDIS_PORT=<specify redis port, defaults to 6379 if not included>'
EOF"
  11. Reload and start CloudGen Access Proxy Orchestrator daemon.

    sudo systemctl --system daemon-reload
    sudo systemctl start fydeproxy
  12. Configure the firewall (if enabled).

    sudo firewall-cmd --zone=public --add-port="<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>/tcp" --permanent
    sudo firewall-cmd --reload
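The two service unit overrides from steps 6, 9 and 10 are the part of the manual procedure that is easiest to get subtly wrong (a port typed outside 1-65535, the capability drop-in forgotten for a port below 1024, a world-readable file holding the enrollment link). The script below is an added example, not Barracuda's install script or any file from the fydeproxy package: it validates the inputs, renders both drop-ins with the same keys the page uses, and writes them with mode 0600 (via umask rather than a separate chmod) under a prefix directory, which defaults to a temporary directory so it can be dry-run without root. The enrollment link it uses is a constructed placeholder, and the "https://" check on the token is an assumption based on the link format shown on this page. Package installation, daemon-reload, service start and the firewall step are not repeated here.

```shell
#!/usr/bin/env bash
# Added example, not Barracuda's own tooling: render and validate the systemd
# drop-ins from the manual steps above. Files go under a prefix (a temp dir by
# default) so this can be dry-run without root.
set -eu

# Return 0 when $1 is an integer in 1-65535, 1 otherwise.
validate_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Step 6 applies only to privileged ports: return 0 when $1 is below 1024.
needs_bind_cap() {
  [ "$1" -lt 1024 ]
}

# Assumption: the enrollment link is an https URL (as on this page); reject
# anything else so a stray value never lands in the unit file.
validate_token() {
  case "$1" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the Envoy capability drop-in from step 6.
render_envoy_cap_override() {
  cat <<'EOF'
[Service]
Capabilities=CAP_NET_BIND_SERVICE+ep
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
EOF
}

# Print the fydeproxy environment drop-in from steps 9 and 10.
# Usage: render_fydeproxy_env_override TOKEN PORT [REDIS_HOST] [REDIS_PORT]
render_fydeproxy_env_override() {
  token="$1"; port="$2"; redis_host="${3:-}"; redis_port="${4:-6379}"
  printf '[Service]\n'
  printf "Environment='FYDE_ENROLLMENT_TOKEN=%s'\n" "$token"
  printf "Environment='FYDE_ENVOY_LISTENER_PORT=%s'\n" "$port"
  printf "Environment='FYDE_LOGLEVEL=info'\n"
  # Redis settings are only emitted for the HA case, as in step 10.
  if [ -n "$redis_host" ]; then
    printf "Environment='FYDE_REDIS_HOST=%s'\n" "$redis_host"
    printf "Environment='FYDE_REDIS_PORT=%s'\n" "$redis_port"
  fi
}

# Write the drop-ins below PREFIX with mode 0600 (the page uses chmod 600).
# Usage: write_overrides PREFIX TOKEN PORT [REDIS_HOST] [REDIS_PORT]
write_overrides() {
  prefix="$1"; shift
  validate_token "$1" || { echo "invalid enrollment link" >&2; return 1; }
  validate_port "$2"  || { echo "invalid port: $2" >&2; return 1; }
  fdir="$prefix/etc/systemd/system/fydeproxy.service.d"
  edir="$prefix/etc/systemd/system/envoy.service.d"
  mkdir -p "$fdir"
  # umask 077 in a subshell creates the file as 0600 from the start.
  (umask 077; render_fydeproxy_env_override "$@" > "$fdir/10-environment.conf")
  if needs_bind_cap "$2"; then
    mkdir -p "$edir"
    (umask 077; render_envoy_cap_override > "$edir/10-add-cap-net-bind.conf")
  fi
}

# Dry run with a constructed placeholder link (not a real enrollment link).
demo_prefix="$(mktemp -d)"
write_overrides "$demo_prefix" "https://enroll.example.invalid/PLACEHOLDER" 443 localhost 6379
echo "rendered under $demo_prefix:"
cat "$demo_prefix/etc/systemd/system/fydeproxy.service.d/10-environment.conf"
cat "$demo_prefix/etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf"
```

To apply on a real host, run as root and call `write_overrides "" "<your enrollment link>" <port> [redis host] [redis port]` so the files land directly under /etc/systemd/system, then continue with the daemon-reload, service start and firewall commands from steps 7, 11 and 12 above.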