All Collections
CloudGen Access Proxy
Install proxy in Bare Metal / Virtual Machine
Install proxy in Bare Metal / Virtual Machine
Barracuda Admin avatar
Written by Barracuda Admin
Updated over a week ago

Before You Begin

Minimum OS supported versions:

  • CentOS 7

  • RHEL 8

  • Any modern Debian-based OS (Ubuntu)

Requires a valid CloudGen Access Proxy enrollment link

Choose Install Script or Manual Steps to proceed.


Manual Steps

Install Script

The steps below will execute a script obtained externally. It is recommended that you inspect the content before execution.

The script will install and enable a chrony service for time synchronization. This is required to ensure tokens are validated properly.

  • Download and execute the installation script

sudo bash -c "$(curl -fsSL https://url.fyde.me/install-fyde-proxy-linux)"

  • This script can also be used for unattended installations.

curl -fsSLo install-fyde-proxy-linux.sh https://url.fyde.me/install-fyde-proxy-linux

chmod +x install-fyde-proxy-linux.sh ./install-fyde-proxy-linux.sh -h

Install CloudGen Access Proxy script
Available parameters:

  • -h - Show this help

  • -l string - Loglevel (debug, info, warning, error, critical), defaults to info.

  • -n - Don't start services after install

  • -p int - Specify public port (1-65535), required for unattended instalation

  • -r string - Specify Redis host to use for token cache <only required for HA architecture>

  • -s int - Specify Redis port <optional>

  • -t token - Specify CloudGen Access Proxy token

  • -u - Unattended install, skip requesting input <optional>

Example for unattended installation with CloudGen Access Proxy token:

  • Specify the CloudGen Access Proxy token inside quotes
    ./install-fyde-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u

Example for unattended installation with CloudGen Access Proxy token with Redis endpoint:

  • Specify the CloudGen Access Proxy token inside quotes
    ./install-fyde-proxy-linux.sh -p 443 -t "https://xxxxxxxxxxxx" -u -r localhost -s 6379

Example for unattended installation, skipping services start, without CloudGen Access Proxy token:

  • The token can also be obtained automatically via AWS SSM/Secrets Manager

  • For more information, see Access Proxy Parameters.
    ./install-fyde-proxy-linux.sh -n -p 443 -u

CentOS/RHEL - Manual Steps

1. Install prerequisites.

sudo yum -y install yum-utils chrony


2. Ensure chrony daemon is enabled on system boot and started.

sudo systemctl enable chronyd 
sudo systemctl start chronyd

3. Ensure time synchronization is enabled.

sudo timedatectl set-ntp on

4. Add CloudGen Access repository.

sudo yum-config-manager -y --add-repo https://downloads.fyde.com/fyde.repo


5. Install Envoy Proxy.

sudo yum -y install envoy 
sudo systemctl enable envoy

6. Add CAP_NET_BIND_SERVICE to Envoy using a service unit override.
If you choose to configure your proxy to run in a port below 1024, you will need to add the CAP_NET_BIND_SERVICE capability to Envoy.

sudo mkdir -p /etc/systemd/system/envoy.service.d 
sudo bash -c "cat > /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf <<EOF 
[Service]
Capabilities=CAP_NET_BIND_SERVICE+ep CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
EOF"
sudo chmod 600 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf

7. Reload and start Envoy Proxy.

sudo systemctl --system daemon-reload
sudo systemctl start envoy

8. Install CloudGen Access Proxy Orchestrator and authz system

sudo yum -y install fydeproxy
sudo systemctl enable fydeproxy

9.Configure the environment using a service unit override.

sudo mkdir -p /etc/systemd/system/fydeproxy.service.d
sudo bash -c "cat > /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
[Service]
Environment='FYDE_ENROLLMENT_TOKEN=<paste here your CloudGen Access Proxy enrollment link>'
Environment='FYDE_ENVOY_LISTENER_PORT=<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>'
Environment='FYDE_LOGLEVEL=info'
EOF"
sudo chmod 600 /etc/systemd/system/fydeproxy.service.d/10-environment.conf

For highly available installations, access to a redis server is required for communication between CloudGen Access Orchestrators.

sudo bash -c "cat >> /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
Environment='FYDE_REDIS_HOST=<specify redis host ip or dns>'
Environment='FYDE_REDIS_PORT=<specify redis port, defaults for 6379 if not included>'
EOF"

10. Reload and start CloudGen Access Proxy Orchestrator daemon.

sudo systemctl --system daemon-reload
sudo systemctl start fydeproxy

11. Configure the firewall (if enabled).

sudo firewall-cmd --zone=public --add-port="<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>/tcp" --permanent
sudo firewall-cmd --reload

Debian / Ubuntu - Manual Steps

1. Ensure time synchronization is enabled.

sudo timedatectl set-ntp on

2. Add CloudGen Access repository.

REPO_URL="downloads.fyde.com"
wget -q -O - "https://$REPO_URL/fyde-public-key.asc" | sudo apt-key add -
sudo bash -c "cat > /etc/apt/sources.list.d/fyde.list <<EOF
deb https://$REPO_URL/apt stable main
EOF"
sudo apt update

3. Install Envoy Proxy.

sudo apt -y install envoy
sudo systemctl enable envoy

4. Add CAP_NET_BIND_SERVICE to Envoy using a service unit override.
If you choose to configure your proxy to run in a port below 1024, you will need to add the CAP_NET_BIND_SERVICE capability to Envoy.

sudo mkdir -p /etc/systemd/system/envoy.service.d
sudo bash -c "cat > /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf <<EOF
[Service]
Capabilities=CAP_NET_BIND_SERVICE+ep
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
EOF"
sudo chmod 600 /etc/systemd/system/envoy.service.d/10-add-cap-net-bind.conf

5. Reload and start Envoy Proxy.

sudo systemctl --system daemon-reload
sudo systemctl start envoy

6. Install CloudGen Access Proxy Orchestrator and authz system

sudo apt -y install fydeproxy
sudo systemctl enable fydeproxy

7. Configure environment using a service unit override.

sudo mkdir -p /etc/systemd/system/fydeproxy.service.d
sudo bash -c "cat > /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
[Service]
Environment='FYDE_ENROLLMENT_TOKEN=<paste here your CloudGen Access Proxy enrollment link>'
Environment='FYDE_ENVOY_LISTENER_PORT=<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>'
Environment='FYDE_LOGLEVEL=info'
EOF"
sudo chmod 600 /etc/systemd/system/fydeproxy.service.d/10-environment.conf

For highly available installations, access to a redis server is required for communication between CloudGen Access Orchestrators.

sudo bash -c "cat >> /etc/systemd/system/fydeproxy.service.d/10-environment.conf <<EOF
Environment='FYDE_REDIS_HOST=<specify redis host ip or dns>'
Environment='FYDE_REDIS_PORT=<specify redis port, defaults for 6379 if not included>'
EOF"

8. Reload and start CloudGen Access Proxy Orchestrator daemon.

sudo systemctl --system daemon-reload
sudo systemctl start fydeproxy

9. Configure the firewall (if enabled).

sudo firewall-cmd --zone=public --add-port="<replace with the corresponding CloudGen Access Proxy port, as configured in CloudGen Access Enterprise Console>/tcp" --permanent
sudo firewall-cmd --reload


Did this answer your question?