Barracuda CloudGen Access

Install in Bare Metal / Virtual Machine

  • Last updated on

Before You Begin

Minimum OS supported versions:

  • CentOS 7
  • RHEL 8
  • Any modern Debian-based OS (Ubuntu)

A valid CloudGen Access Proxy enrollment link is required.

Choose Install Script or Manual Steps to proceed.

Install Script

The steps below will execute a script obtained externally. It is recommended that you inspect the content before execution.

The script will install and enable a chrony service for time synchronization. This is required to ensure tokens are validated properly.

  • Download and execute installation script

    sudo bash -c "$(curl -fsSL https://url.fyde.me/proxy-linux)"
  • This script can also be used for unattended installations.

    curl -fsSLo install-proxy-linux.sh https://url.fyde.me/proxy-linux
    chmod +x install-proxy-linux.sh
    ./install-proxy-linux.sh -h
  • Install CloudGen Access Proxy script
    Available parameters:
    • -h - Show this help
    • -l string - Loglevel (debug, info, warning, error, critical), defaults to info.
    • -n - Don't start services after install
    • -p int - Specify public port (1-65535), required for unattended installation
    • -r string - Specify Redis host to use for token cache <only required for HA architecture>
    • -s int - Specify Redis port <optional>
    • -t token - Specify CloudGen Access Proxy token
    • -u - Unattended install, skip requesting input <optional>

Example for unattended installation with CloudGen Access Proxy token:

  • Specify the CloudGen Access Proxy token inside quotes.

    ./install-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u

Example for unattended installation with CloudGen Access Proxy token with Redis endpoint:

  • Specify the CloudGen Access Proxy token inside quotes.

    ./install-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u -r localhost -s 6379

Example for unattended installation, skipping services start, without CloudGen Access Proxy token:

  • The token can also be obtained automatically via AWS SSM/Secrets Manager.
  • For more information, see Access Proxy Parameters.

    ./install-proxy-linux.sh -n -p 443 -u
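
The recommendation to inspect the script before execution can be enforced by pinning the SHA-256 of the copy that was reviewed, which also lets the same reviewed copy be reused for unattended installs on several hosts. This is an added example, not Barracuda's code; the function names `file_sha256`, `review_hotspots` and `run_reviewed` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: run a downloaded installer only if it still matches the
# digest recorded when it was reviewed. Function names are hypothetical.
#
# Workflow (from a root shell):
#   curl -fsSLo install-proxy-linux.sh https://url.fyde.me/proxy-linux
#   review_hotspots install-proxy-linux.sh     # then read the whole file
#   pinned=$(file_sha256 install-proxy-linux.sh)
#   run_reviewed install-proxy-linux.sh "$pinned" -p 443 -t "https://xxxxxxxxxxxx" -u

# Print the SHA-256 hex digest of a file.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Print (with line numbers) the lines to read first during review: remote
# fetches, repository and key changes, package installs, service changes.
review_hotspots() {
    grep -nE 'curl|wget|apt-key|add-repo|sources\.list|yum |apt(-get)? |systemctl|chmod|eval' "$1" || true
}

# usage: run_reviewed FILE EXPECTED_SHA256 [installer arguments...]
# Returns 2 if the file does not parse, 1 if the digest differs from the
# reviewed one, otherwise the installer's own exit status.
run_reviewed() {
    local file=$1 expected=$2 actual
    shift 2
    bash -n "$file" || { echo "syntax check failed: $file" >&2; return 2; }
    actual=$(file_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: reviewed $expected, got $actual" >&2
        return 1
    fi
    bash "$file" "$@"
}
```

Piping `curl` straight into `sudo bash` skips both the review and the digest check, because the content that runs is never stored anywhere it can be compared.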

CentOS/RHEL - Manual Steps

  1. Install prerequisites.

    sudo yum -y install yum-utils chrony
  2. Ensure chrony daemon is enabled on system boot and started.

    sudo systemctl enable chronyd
    sudo systemctl start chronyd
  3. Ensure time synchronization is enabled.

    sudo timedatectl set-ntp on
  4. Add CloudGen Access repository.

    sudo yum-config-manager -y --add-repo https://downloads.fyde.com/fyde.repo
  5. Install Envoy Proxy.

    sudo yum -y install envoy
    sudo systemctl enable envoy
  6. Add CAP_NET_BIND_SERVICE to Envoy using a service unit override.
    This is only needed if you configure your proxy to listen on a port below 1024; in that case, Envoy needs the CAP_NET_BIND_SERVICE capability.

    sudo mkdir -p /etc/systemd/system/envoy.service.d
    sudo bash -c "cat > /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf <<EOF
    [Service]
    Capabilities=CAP_NET_BIND_SERVICE+ep
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    SecureBits=keep-caps
    EOF"
    sudo chmod 600 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf
  7. Reload and start Envoy Proxy.

    sudo systemctl --system daemon-reload
    sudo systemctl start envoy
  8. Install CloudGen Access Proxy Orchestrator and authz system.

    sudo yum -y install fydeproxy
    sudo systemctl enable fydeproxy
  9. Configure environment using a service unit override.

    sudo mkdir -p /etc/systemd/system/fydeproxy.service.d
    sudo bash -c "cat > /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    [Service]
    Environment='FYDE_ENROLLMENT_TOKEN=<paste here your CloudGen Access Proxy enrollment link>'
    Environment='FYDE_ENVOY_LISTENER_PORT=<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>'
    Environment='FYDE_LOGLEVEL=info'
    EOF"
    sudo chmod 600 /etc/systemd/system/fydeproxy.service.d/10-environment.conf

    For highly available installations, access to a Redis server is required for communication between CloudGen Access Orchestrators.

    sudo bash -c "cat >> /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    Environment='FYDE_REDIS_HOST=<specify redis host ip or dns>'
    Environment='FYDE_REDIS_PORT=<specify redis port, defaults to 6379 if not included>'
    EOF"
  10. Reload and start CloudGen Access Proxy Orchestrator daemon.

    sudo systemctl --system daemon-reload
    sudo systemctl start fydeproxy
  11. Configure the firewall (if enabled).

    sudo firewall-cmd --zone=public --add-port="<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>/tcp" --permanent
    sudo firewall-cmd --reload

Debian / Ubuntu - Manual Steps

  1. Ensure time synchronization is enabled.

    sudo timedatectl set-ntp on
  2. Add CloudGen Access repository.

    REPO_URL="downloads.fyde.com"
    wget -q -O - "https://$REPO_URL/fyde-public-key.asc" | sudo apt-key add -
    sudo bash -c "cat > /etc/apt/sources.list.d/fyde.list <<EOF
    deb https://$REPO_URL/apt stable main
    EOF"
    sudo apt update
  3. Install Envoy Proxy.

    sudo apt -y install envoy
    sudo systemctl enable envoy
  4. Add CAP_NET_BIND_SERVICE to Envoy using a service unit override.
    This is only needed if you configure your proxy to listen on a port below 1024; in that case, Envoy needs the CAP_NET_BIND_SERVICE capability.

    sudo mkdir -p /etc/systemd/system/envoy.service.d
    sudo bash -c "cat > /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf <<EOF
    [Service]
    Capabilities=CAP_NET_BIND_SERVICE+ep
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    SecureBits=keep-caps
    EOF"
    sudo chmod 600 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf
  5. Reload and start Envoy Proxy.

    sudo systemctl --system daemon-reload
    sudo systemctl start envoy
  6. Install CloudGen Access Proxy Orchestrator and authz system.

    sudo apt -y install fydeproxy
    sudo systemctl enable fydeproxy
  7. Configure environment using a service unit override.

    sudo mkdir -p /etc/systemd/system/fydeproxy.service.d
    sudo bash -c "cat > /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    [Service]
    Environment='FYDE_ENROLLMENT_TOKEN=<paste here your CloudGen Access Proxy enrollment link>'
    Environment='FYDE_ENVOY_LISTENER_PORT=<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>'
    Environment='FYDE_LOGLEVEL=info'
    EOF"
    sudo chmod 600 /etc/systemd/system/fydeproxy.service.d/10-environment.conf

    For highly available installations, access to a Redis server is required for communication between CloudGen Access Orchestrators.

    sudo bash -c "cat >> /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    Environment='FYDE_REDIS_HOST=<specify redis host ip or dns>'
    Environment='FYDE_REDIS_PORT=<specify redis port, defaults to 6379 if not included>'
    EOF"
  8. Reload and start CloudGen Access Proxy Orchestrator daemon.

    sudo systemctl --system daemon-reload
    sudo systemctl start fydeproxy
  9. Configure the firewall (if enabled).

    sudo firewall-cmd --zone=public --add-port="<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>/tcp" --permanent
    sudo firewall-cmd --reload
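
After the manual steps on either OS family, the two service unit overrides can be checked for the mistakes that are easy to make by hand: a placeholder left in the enrollment token, a port outside 1-65535, a port below 1024 without the Envoy capability override, or a world-readable file holding the enrollment link. This is an added example, not part of the product; `dropin_value` and `audit_dropins` are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example: audit the systemd drop-ins written in the manual steps.
# Function names are hypothetical. Typical call (as root):
#   audit_dropins /etc/systemd/system/fydeproxy.service.d/10-environment.conf \
#                 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf

# Print the value of KEY from an Environment='KEY=value' line in a drop-in.
dropin_value() {   # usage: dropin_value FILE KEY
    sed -n "s/^[[:space:]]*Environment='$2=\(.*\)'[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Print one line per problem; the return status is the number of problems.
audit_dropins() {  # usage: audit_dropins FYDEPROXY_DROPIN ENVOY_DROPIN
    local env_file=$1 cap_file=$2 findings=0 mode token port
    # The file holds the enrollment link, so it must stay owner-only (chmod 600).
    mode=$(stat -c '%a' "$env_file")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $env_file has mode $mode, expected 600"
        findings=$((findings + 1))
    fi
    token=$(dropin_value "$env_file" FYDE_ENROLLMENT_TOKEN)
    case $token in
        '' | '<'*)
            echo "FAIL: FYDE_ENROLLMENT_TOKEN is missing or still a placeholder"
            findings=$((findings + 1)) ;;
    esac
    port=$(dropin_value "$env_file" FYDE_ENVOY_LISTENER_PORT)
    case $port in
        '' | *[!0-9]*)
            echo "FAIL: FYDE_ENVOY_LISTENER_PORT is not a number: '$port'"
            findings=$((findings + 1)) ;;
        *)
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "FAIL: port $port is outside 1-65535"
                findings=$((findings + 1))
            elif [ "$port" -lt 1024 ] && ! grep -Eq \
                '^[[:space:]]*AmbientCapabilities=.*CAP_NET_BIND_SERVICE' "$cap_file" 2>/dev/null; then
                echo "FAIL: port $port is below 1024 but $cap_file does not grant CAP_NET_BIND_SERVICE"
                findings=$((findings + 1))
            fi ;;
    esac
    return "$findings"
}
```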

Upgrading CloudGen Access Proxy

To upgrade your CloudGen Access Proxy to the latest version, execute the following command:

    sudo yum upgrade fydeproxy envoy

Troubleshoot

For troubleshooting, see Troubleshooting.
