Barracuda CloudGen Access

How to Deploy a Proxy For Bare Metal / Virtual Machine

This article covers two ways to deploy the proxy: the install script, or the manual steps listed below. Before you begin, check the prerequisites.

Minimum required hardware is 1 CPU and 1024MB of RAM. If using this as a proxy, then depending on the number of requests, you might need to increase those resources, and monitor for resource exhaustion and performance.

Minimum OS supported versions:

Requirement

Requires a valid CloudGen Access Proxy enrollment link. See step #4 of Add Proxy to get the link.

Choose Install Script or the Manual Steps for CentOS or Ubuntu to proceed. See Troubleshooting for help.

Install Script

  • The steps below will download and execute a script obtained externally. Barracuda Networks recommends that you inspect the contents before execution.

  • The script will install and enable a chrony service for time synchronization. This is required to ensure that tokens are validated properly.

  • Download and execute the installation script:

    sudo bash -c "$(curl -fsSL https://url.access.barracuda.com/proxy-linux)"
  • This script can also be used for unattended installations:

    curl -fsSLo install-proxy-linux.sh https://url.access.barracuda.com/proxy-linux 
    chmod +x install-proxy-linux.sh 
    ./install-proxy-linux.sh -h 

Install CloudGen Access Proxy script

Available parameters:

| Parameter | Action |
|---|---|
| -h | Show this help |
| -l string | Loglevel (debug, info, warning, error, critical), defaults to info. |
| -n | Do not start services after install |
| -p int | Specify public port (1-65535), required for unattended installation |
| -r string | Specify Redis host to use for token cache <only required for HA architecture> |
| -s int | Specify Redis port <optional> |
| -t token | Specify Barracuda CloudGen Access Proxy token |
| -u | Unattended install, skip requesting input <optional> |

Example for unattended installation with CloudGen Access Proxy token:  

Specify the CloudGen Access Proxy token inside quotes:

    ./install-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u

Example for unattended installation with CloudGen Access Proxy token with Redis endpoint:

Specify the CloudGen Access Proxy token inside quotes:

    ./install-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u -r localhost -s 6379

Example for unattended installation, skipping services start, without CloudGen Access Proxy token:

  • The token can also be obtained automatically via AWS SSM/Secrets Manager.

  • For more information, see Access Proxy Parameters.

    ./install-proxy-linux.sh -n -p 443 -u
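
The Install Script section recommends inspecting the downloaded script before execution. The following added example (not part of Barracuda's script or documentation) runs a downloaded install-proxy-linux.sh only when its SHA-256 matches the digest recorded at review time; the function name run_if_reviewed and the stand-in installer are assumptions of this example.

```shell
#!/bin/sh
# Added example: execute an installer only if it is byte-identical to the
# copy that was reviewed. run_if_reviewed is a name chosen for this example.

# run_if_reviewed FILE PINNED_SHA256 [installer arguments...]
# Returns 1 on digest mismatch, 2 if FILE cannot be read, else the installer's status.
run_if_reviewed() {
    src="$1"; pinned="$2"; shift 2
    # Hash and run a private copy (mktemp creates it mode 600) so the file
    # cannot be swapped between the check and the execution.
    copy="$(mktemp)" || return 2
    if ! cat "$src" > "$copy" 2>/dev/null; then rm -f "$copy"; return 2; fi
    actual="$(sha256sum "$copy" | cut -d' ' -f1)"
    if [ "$actual" != "$pinned" ]; then
        echo "refusing to run $src: sha256 $actual is not the reviewed digest" >&2
        rm -f "$copy"; return 1
    fi
    bash "$copy" "$@"; status=$?
    rm -f "$copy"
    return "$status"
}

# Constructed stand-in for install-proxy-linux.sh so the example runs offline.
sample="$(mktemp)"
printf '%s\n' '#!/bin/bash' 'echo "installer stand-in called with: $*"' > "$sample"
reviewed="$(sha256sum "$sample" | cut -d' ' -f1)"   # recorded after reading the script

run_if_reviewed "$sample" "$reviewed" -n -p 443 -u   # digest matches: runs
echo 'echo "appended after review"' >> "$sample"
run_if_reviewed "$sample" "$reviewed" -n -p 443 -u || echo "modified copy rejected"
rm -f "$sample"
```

For a real deployment, download the script with the curl -fsSLo command shown above, read it, record its digest once, and distribute that digest alongside the unattended install command.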

CentOS/RHEL - Manual Steps

  1. Install prerequisites.

    sudo yum -y install yum-utils chrony
  2. Ensure chrony daemon is enabled on system boot and started.

    sudo systemctl enable chronyd
    sudo systemctl start chronyd
  3. Ensure time synchronization is enabled.

    sudo timedatectl set-ntp on
  4. Add CloudGen Access repository.

    sudo yum-config-manager -y --add-repo https://downloads.access.barracuda.com/fyde.repo
  5. Install Envoy Proxy.

    sudo yum -y install envoy
    sudo systemctl enable envoy
  6. Add CAP_NET_BIND_SERVICE to Envoy using a service unit override. If you choose to configure your proxy to run on a port below 1024, you will need to add the CAP_NET_BIND_SERVICE capability to Envoy.

    sudo mkdir -p /etc/systemd/system/envoy.service.d
    sudo bash -c "cat > /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf <<EOF
    [Service]
    Capabilities=CAP_NET_BIND_SERVICE+ep
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    SecureBits=keep-caps
    EOF"
    sudo chmod 600 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf
  7. Reload and start Envoy Proxy.

    sudo systemctl --system daemon-reload  
    sudo systemctl start envoy 
  8. Install CloudGen Access Proxy Orchestrator and authz system.

    sudo yum -y install fydeproxy
    sudo systemctl enable fydeproxy
  9. Configure environment using a service unit override.

    sudo mkdir -p /etc/systemd/system/fydeproxy.service.d
    sudo bash -c "cat > /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    [Service]
    Environment='FYDE_ENROLLMENT_TOKEN=<paste here your CloudGen Access Proxy enrollment link>'
    Environment='FYDE_ENVOY_LISTENER_PORT=<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>'
    Environment='FYDE_LOGLEVEL=info'
    EOF"
    sudo chmod 600 /etc/systemd/system/fydeproxy.service.d/10-environment.conf
  10. For high availability installations, access to a Redis server is required for communication between CloudGen Access Orchestrators.

    sudo bash -c "cat >> /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    Environment='FYDE_REDIS_HOST=<specify redis host ip or dns>'
    Environment='FYDE_REDIS_PORT=<specify redis port, defaults to 6379 if not included>'
    EOF"
  11. Reload and start CloudGen Access Proxy Orchestrator daemon.

    sudo systemctl --system daemon-reload
    sudo systemctl start fydeproxy
  12. Configure the firewall (if enabled).

    sudo firewall-cmd --zone=public --add-port="<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>/tcp" --permanent
    sudo firewall-cmd --reload

Upgrading CloudGen Access Proxy

To upgrade your CloudGen Access Proxy to the latest version, execute the following command:

    sudo yum upgrade fydeproxy envoy

Debian / Ubuntu - Manual Steps

  1. Ensure time synchronization is enabled.

    sudo timedatectl set-ntp on
  2. Add CloudGen Access repository.

    REPO_URL="downloads.access.barracuda.com"
    wget -q -O - "https://$REPO_URL/fyde-public-key.asc" | sudo apt-key add -
    sudo bash -c "cat > /etc/apt/sources.list.d/fyde.list <<EOF
    deb https://$REPO_URL/apt stable main
    EOF"
    sudo apt update
  3. Install Envoy Proxy.

    sudo apt -y install envoy
    sudo systemctl enable envoy
  4. Add CAP_NET_BIND_SERVICE to Envoy using a service unit override. If you choose to configure your proxy to run on a port below 1024, you will need to add the CAP_NET_BIND_SERVICE capability to Envoy.

    sudo mkdir -p /etc/systemd/system/envoy.service.d
    sudo bash -c "cat > /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf <<EOF
    [Service]
    Capabilities=CAP_NET_BIND_SERVICE+ep
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    SecureBits=keep-caps
    EOF"
    sudo chmod 600 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf
  5. Reload and start Envoy Proxy.

    sudo systemctl --system daemon-reload
    sudo systemctl start envoy
  6. Install CloudGen Access Proxy Orchestrator and authz system.

    sudo apt -y install fydeproxy
    sudo systemctl enable fydeproxy
  7. Configure environment using a service unit override.

    sudo mkdir -p /etc/systemd/system/fydeproxy.service.d
    sudo bash -c "cat > /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    [Service]
    Environment='FYDE_ENROLLMENT_TOKEN=<paste here your CloudGen Access Proxy enrollment link>'
    Environment='FYDE_ENVOY_LISTENER_PORT=<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>'
    Environment='FYDE_LOGLEVEL=info'
    EOF"
    sudo chmod 600 /etc/systemd/system/fydeproxy.service.d/10-environment.conf

    For highly available installations, access to a Redis server is required for communication between CloudGen Access Orchestrators.

    sudo bash -c "cat >> /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    Environment='FYDE_REDIS_HOST=<specify redis host ip or dns>'
    Environment='FYDE_REDIS_PORT=<specify redis port, defaults to 6379 if not included>'
    EOF"
  8. Reload and start CloudGen Access Proxy Orchestrator daemon.

    sudo systemctl --system daemon-reload
    sudo systemctl start fydeproxy
  9. Configure the firewall (if enabled).

    sudo firewall-cmd --zone=public --add-port="<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>/tcp" --permanent
    sudo firewall-cmd --reload
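
Both sets of manual steps write the same two drop-in files and set them to mode 600, since 10-environment.conf holds the enrollment link. The following added example (not Barracuda's code) audits that state: file mode, a token that is no longer the placeholder, a listener port in range, and the capability drop-in when the port is below 1024. The function names and the optional staged-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the two systemd drop-ins written by the manual steps.
# Function names and the staged-root argument are assumptions of this example.

# Print the value of the last Environment='KEY=value' line for KEY in FILE.
env_value() {
    sed -n "s/^[[:space:]]*Environment='$2=\(.*\)'\$/\1/p" "$1" 2>/dev/null | tail -n 1
}

# Succeed only if FILE exists with mode 600, matching the chmod in the steps.
mode_is_600() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

# Succeed if the argument is an integer in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# audit_proxy_dropins [ROOT]: one line per finding; returns 0 when clean, else 1.
audit_proxy_dropins() {
    env_conf="$1/etc/systemd/system/fydeproxy.service.d/10-environment.conf"
    cap_conf="$1/etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf"
    rc=0
    mode_is_600 "$env_conf" || { echo "FAIL: $env_conf missing or not mode 600"; rc=1; }
    case "$(env_value "$env_conf" FYDE_ENROLLMENT_TOKEN)" in
        ''|'<'*) echo "FAIL: FYDE_ENROLLMENT_TOKEN unset or still the placeholder"; rc=1 ;;
    esac
    port="$(env_value "$env_conf" FYDE_ENVOY_LISTENER_PORT)"
    if ! valid_port "$port"; then
        echo "FAIL: FYDE_ENVOY_LISTENER_PORT is not an integer in 1-65535"; rc=1
    elif [ "$port" -lt 1024 ] &&
         ! grep -q '^[[:space:]]*AmbientCapabilities=.*CAP_NET_BIND_SERVICE' "$cap_conf" 2>/dev/null; then
        echo "FAIL: port $port is below 1024 but $cap_conf does not grant CAP_NET_BIND_SERVICE"; rc=1
    fi
    return "$rc"
}

# Constructed demo: a staged tree with port 443 and no Envoy capability drop-in.
demo="$(mktemp -d)"
mkdir -p "$demo/etc/systemd/system/fydeproxy.service.d"
printf '%s\n' "[Service]" \
    "Environment='FYDE_ENROLLMENT_TOKEN=https://enroll.example.invalid/constructed'" \
    "Environment='FYDE_ENVOY_LISTENER_PORT=443'" \
    > "$demo/etc/systemd/system/fydeproxy.service.d/10-environment.conf"
chmod 600 "$demo/etc/systemd/system/fydeproxy.service.d/10-environment.conf"
audit_proxy_dropins "$demo" || echo "audit reported findings"
rm -rf "$demo"
```

On a deployed proxy, call audit_proxy_dropins with no argument as root so the mode-600 file can be read.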

Upgrading CloudGen Access Proxy

To upgrade your CloudGen Access Proxy to the latest version, execute the following command:

    sudo apt upgrade fydeproxy envoy

CentOS 7 System Updates

As Red Hat has discontinued support for CentOS 7 system updates, use the following instructions to continue to receive updates for system packages for CentOS.

  1. Copy this shell script to update_repos.sh in CentOS:

    #!/bin/bash
    
    # Check if the script is being run as root
    if [ "$EUID" -ne 0 ]; then
      exec sudo "$0" "$@"
    fi
    
    # Update CentOS repository URLs to use the vault
    sed -i 's/mirror.centos.org/vault.centos.org/g' /etc/yum.repos.d/*.repo
    sed -i 's/^#.*baseurl=http/baseurl=http/g' /etc/yum.repos.d/*.repo
    sed -i 's/^mirrorlist=http/#mirrorlist=http/g' /etc/yum.repos.d/*.repo
    
    # Remove outdated fyde repos
    sudo rm -rf /var/cache/dnf/fyde*
  2. Enter Shell under /System/Shell.

  3. Run chmod +x ./update_repos.sh to make it executable.

  4. Run ./update_repos.sh.

  5. Run sudo yum upgrade -y.

Troubleshooting

See Troubleshooting the CloudGen Access Proxy in Barracuda Campus.