Barracuda CloudGen Access

How to Deploy a Proxy For Bare Metal / Virtual Machine

You can deploy the proxy either with the install script or by following the manual steps listed below. Before you begin, check the prerequisites.

The minimum required hardware is 1 CPU and 1024MB of RAM. If using this as a proxy, then depending on the number of requests, you might need to increase those resources; monitor for resource exhaustion and performance.

Minimum OS supported versions:

  • CentOS 7
  • RHEL 8
  • Any modern Debian-based OS (Ubuntu 20.04)

 

A valid CloudGen Access Proxy enrollment link is required. See step #4 of Add Proxy to get the link.

Choose Install Script or Manual Steps to proceed.

Install Script

  • The steps below will download and execute a script obtained externally. Barracuda Networks recommends that you inspect the contents before execution.
  • The script will install and enable a chrony service for time synchronization. This is required to ensure that tokens are validated properly.
  • Download and execute the installation script:

    sudo bash -c "$(curl -fsSL https://url.access.barracuda.com/proxy-linux)"
  • This script can also be used for unattended installations:

    curl -fsSLo install-proxy-linux.sh https://url.access.barracuda.com/proxy-linux 
    chmod +x install-proxy-linux.sh 
    ./install-proxy-linux.sh -h 

Install CloudGen Access Proxy script

Available parameters:

    Parameter   Action
    -h          Show this help
    -l string   Loglevel (debug, info, warning, error, critical), defaults to info.
    -n          Do not start services after install
    -p int      Specify public port (1-65535), required for unattended installation
    -r string   Specify Redis host to use for token cache <only required for HA architecture>
    -s int      Specify Redis port <optional>
    -t token    Specify Barracuda CloudGen Access Proxy token
    -u          Unattended install, skip requesting input <optional>

 

Example for unattended installation with CloudGen Access Proxy token (specify the CloudGen Access Proxy token inside quotes):

    ./install-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u

Example for unattended installation with CloudGen Access Proxy token with Redis endpoint (specify the CloudGen Access Proxy token inside quotes):

    ./install-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u -r localhost -s 6379

Example for unattended installation, skipping services start, without CloudGen Access Proxy token:

  • The token can also be obtained automatically via AWS SSM/Secrets Manager.
  • For more information, see Access Proxy Parameters.

    ./install-proxy-linux.sh -n -p 443 -u
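
In an unattended install nobody reads the script at run time, so one way to keep the "inspect the contents before execution" recommendation meaningful is to pin the SHA-256 of the copy that was reviewed. This is an added example, not Barracuda's code: `sha256_of` and `run_if_pinned` are hypothetical helper names, and the digest is one you record yourself after review (the page does not publish one).

```bash
#!/usr/bin/env bash
# Added example: run a downloaded installer only if it still matches the
# SHA-256 recorded when the script was reviewed.
#
# Usage with the page's download command (the digest is a placeholder):
#   curl -fsSLo install-proxy-linux.sh https://url.access.barracuda.com/proxy-linux
#   sha256_of install-proxy-linux.sh     # record this after reviewing the script
#   run_if_pinned install-proxy-linux.sh "<sha256 recorded at review>" -n -p 443 -u

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE with ARGS and returns its exit status when the digest matches.
# Returns 2 if FILE is missing and 3 if the digest differs (FILE is not run).
run_if_pinned() {
    local file="$1" expected="$2" actual
    shift 2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual, expected $expected" >&2
        return 3
    fi
    bash "$file" "$@"
}
```

A mismatch means the published script changed since the review, which calls for a fresh review before the pinned digest is updated.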

CentOS/RHEL - Manual Steps

  1. Install prerequisites.

    sudo yum -y install yum-utils chrony
  2. Ensure chrony daemon is enabled on system boot and started.

    sudo systemctl enable chronyd
    sudo systemctl start chronyd
  3. Ensure time synchronization is enabled.

    sudo timedatectl set-ntp on
  4. Add CloudGen Access repository.

    sudo yum-config-manager -y --add-repo https://downloads.access.barracuda.com/fyde.repo

        

  5. Install Envoy Proxy.

    sudo yum -y install envoy
    sudo systemctl enable envoy
  6. Add CAP_NET_BIND_SERVICE to Envoy using a service unit override. If you choose to configure your proxy to run on a port below 1024, you will need to add the CAP_NET_BIND_SERVICE capability to Envoy.

    sudo mkdir -p /etc/systemd/system/envoy.service.d
    sudo bash -c "cat > /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf <<EOF
    [Service]
    Capabilities=CAP_NET_BIND_SERVICE+ep
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    SecureBits=keep-caps
    EOF"
    sudo chmod 600 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf
  7. Reload and start Envoy Proxy.

    sudo systemctl --system daemon-reload  
    sudo systemctl start envoy 
  8. Install CloudGen Access Proxy Orchestrator and authz system.

    sudo yum -y install fydeproxy
    sudo systemctl enable fydeproxy
  9. Configure environment using a service unit override.

    sudo mkdir -p /etc/systemd/system/fydeproxy.service.d
    sudo bash -c "cat > /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    [Service]
    Environment='FYDE_ENROLLMENT_TOKEN=<paste here your CloudGen Access Proxy enrollment link>'
    Environment='FYDE_ENVOY_LISTENER_PORT=<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>'
    Environment='FYDE_LOGLEVEL=info'
    EOF"
    sudo chmod 600 /etc/systemd/system/fydeproxy.service.d/10-environment.conf
  10. For highly available installations, access to a Redis server is required for communication between CloudGen Access Orchestrators.

    sudo bash -c "cat >> /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    Environment='FYDE_REDIS_HOST=<specify redis host ip or dns>'
    Environment='FYDE_REDIS_PORT=<specify redis port, defaults to 6379 if not included>'
    EOF"
  11. Reload and start CloudGen Access Proxy Orchestrator daemon.

    sudo systemctl --system daemon-reload
    sudo systemctl start fydeproxy
  12. Configure the firewall (if enabled).

    sudo firewall-cmd --zone=public --add-port="<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>/tcp" --permanent
    sudo firewall-cmd --reload

Debian / Ubuntu - Manual Steps

  1. Ensure time synchronization is enabled.

    sudo timedatectl set-ntp on
  2. Add CloudGen Access repository.

    REPO_URL="downloads.access.barracuda.com"
    wget -q -O - "https://$REPO_URL/fyde-public-key.asc" | sudo apt-key add -
    sudo bash -c "cat > /etc/apt/sources.list.d/fyde.list <<EOF
    deb https://$REPO_URL/apt stable main
    EOF"
    sudo apt update
  3. Install Envoy Proxy.

    sudo apt -y install envoy
    sudo systemctl enable envoy
  4. Add CAP_NET_BIND_SERVICE to Envoy using a service unit override. If you choose to configure your proxy to run on a port below 1024, you will need to add the CAP_NET_BIND_SERVICE capability to Envoy.

    sudo mkdir -p /etc/systemd/system/envoy.service.d
    sudo bash -c "cat > /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf <<EOF
    [Service]
    Capabilities=CAP_NET_BIND_SERVICE+ep
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    SecureBits=keep-caps
    EOF"
    sudo chmod 600 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf
  5. Reload and start Envoy Proxy.

    sudo systemctl --system daemon-reload
    sudo systemctl start envoy
  6. Install CloudGen Access Proxy Orchestrator and authz system.

    sudo apt -y install fydeproxy
    sudo systemctl enable fydeproxy
  7. Configure environment using a service unit override.

    sudo mkdir -p /etc/systemd/system/fydeproxy.service.d
    sudo bash -c "cat > /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    [Service]
    Environment='FYDE_ENROLLMENT_TOKEN=<paste here your CloudGen Access Proxy enrollment link>'
    Environment='FYDE_ENVOY_LISTENER_PORT=<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>'
    Environment='FYDE_LOGLEVEL=info'
    EOF"
    sudo chmod 600 /etc/systemd/system/fydeproxy.service.d/10-environment.conf
  8. For highly available installations, access to a Redis server is required for communication between CloudGen Access Orchestrators.

    sudo bash -c "cat >> /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
    Environment='FYDE_REDIS_HOST=<specify redis host ip or dns>'
    Environment='FYDE_REDIS_PORT=<specify redis port, defaults to 6379 if not included>'
    EOF"
  9. Reload and start CloudGen Access Proxy Orchestrator daemon.

    sudo systemctl --system daemon-reload
    sudo systemctl start fydeproxy
  10. Configure the firewall (if enabled).

    sudo firewall-cmd --zone=public --add-port="<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>/tcp" --permanent
    sudo firewall-cmd --reload
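
Both manual procedures (CentOS/RHEL and Debian/Ubuntu) end with the same two drop-in files, so one check covers either: the environment file must stay at mode 600 because it holds the enrollment link, its placeholders must be filled in, and a listener port below 1024 only works if the Envoy capability override exists. This is an added example, not Barracuda's code; `env_value` and `audit_proxy_dropins` are hypothetical names, and the optional directory argument is an assumption that lets the check run against a staged copy.

```bash
#!/usr/bin/env bash
# Added example: audit the systemd drop-ins created by the manual steps.

# env_value FILE NAME: print the value from a line Environment='NAME=value'.
env_value() {
    sed -n "s/^[[:space:]]*Environment='$2=\(.*\)'[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# audit_proxy_dropins [UNIT_DIR]: print findings, return how many were found.
# UNIT_DIR defaults to /etc/systemd/system; override it to check a staged copy.
audit_proxy_dropins() {
    local dir="${1:-/etc/systemd/system}" n=0 mode token port
    local envf="$dir/fydeproxy.service.d/10-environment.conf"
    local capf="$dir/envoy.service.d/10-add-cap-net-bind.conf"
    [ -f "$envf" ] || { echo "FAIL: $envf is missing"; return 1; }

    # The file holds the enrollment link, so only its owner should read it.
    mode=$(stat -c '%a' "$envf")
    [ "$mode" = "600" ] || { echo "FAIL: $envf mode is $mode, expected 600"; n=$((n + 1)); }

    # An empty value or a leftover <...> placeholder means the file was not filled in.
    token=$(env_value "$envf" FYDE_ENROLLMENT_TOKEN)
    case "$token" in
        ''|*'<'*) echo "FAIL: FYDE_ENROLLMENT_TOKEN is empty or a placeholder"; n=$((n + 1)) ;;
    esac

    port=$(env_value "$envf" FYDE_ENVOY_LISTENER_PORT)
    case "$port" in
        ''|*[!0-9]*) echo "FAIL: FYDE_ENVOY_LISTENER_PORT is not a number"; return $((n + 1)) ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "FAIL: port $port is outside 1-65535"; n=$((n + 1))
    elif [ "$port" -lt 1024 ] &&
         ! grep -Eqs '^[[:space:]]*AmbientCapabilities=.*CAP_NET_BIND_SERVICE' "$capf"; then
        # Ports below 1024 need the Envoy override from the capability step.
        echo "FAIL: port $port needs CAP_NET_BIND_SERVICE in $capf"; n=$((n + 1))
    fi
    return "$n"
}
```

Run `sudo bash -c '. ./audit.sh; audit_proxy_dropins'` (the file name is an assumption) after the last step; an exit status of 0 means no findings.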

Upgrading CloudGen Access Proxy

To upgrade your CloudGen Access Proxy to the latest version, execute one of the following.

For Debian/Ubuntu:

    sudo apt upgrade fydeproxy envoy

For CentOS/RHEL:

    sudo yum upgrade fydeproxy envoy

Troubleshooting

See Troubleshooting the CloudGen Access Proxy in Barracuda Campus.