Forward Proxy using StackScript

Create a StackScript

```shell
#!/bin/bash
set -euxo pipefail

# Variables
TIMEZONE="Asia/Kolkata"
PROXY_IP="10.0.2.2"      # VPC address the proxy listens on (assigned manually at launch, see below)
VPC_CIDR="10.0.0.0/24"   # client subnet allowed to use the proxy; several can be space-separated, e.g. "10.0.0.0/24 10.0.1.0/24"

# Set timezone
apt update -y && apt install -y locales-all
timedatectl set-timezone "$TIMEZONE"

# Create new user and grant sudo (TBD after server creation)
# Add SSH key (TBD after server creation)

# Disable root login and password auth in SSH, and listen on IPv4 only
sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i 's/^#\?AddressFamily.*/AddressFamily inet/' /etc/ssh/sshd_config
# Drop-ins under /etc/ssh/sshd_config.d/ are included before these lines and win
# (first match counts in sshd); verify the effective values with `sshd -T` after boot.
systemctl restart sshd

# Install Apache and enable proxy modules (proxy_connect is what allows HTTPS via CONNECT)
apt install -y apache2
a2enmod proxy proxy_http proxy_connect

# Create Apache proxy config.
# The heredoc is unquoted so that $PROXY_IP and $VPC_CIDR expand here; Apache's own
# ${APACHE_LOG_DIR} must be escaped, otherwise the shell expands it and aborts under set -u.
cat <<EOF > /etc/apache2/sites-available/fwd-proxy.conf
# Bind only to the VPC address so the proxy is never reachable on the public IPv4
Listen $PROXY_IP:8080
<VirtualHost *:8080>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog \${APACHE_LOG_DIR}/fwd-proxy-error.log
    CustomLog \${APACHE_LOG_DIR}/fwd-proxy-access.log combined
    ProxyRequests On
    ProxyVia On
    # Without this block anyone who can reach port 8080 has an open proxy
    <Proxy "*">
        Require ip $VPC_CIDR
    </Proxy>
</VirtualHost>
EOF
chown root:root /etc/apache2/sites-available/fwd-proxy.conf
chmod 0644 /etc/apache2/sites-available/fwd-proxy.conf

# Enable proxy config and restart Apache.
# Apache refuses to start if $PROXY_IP is not yet configured on the VPC interface, which is
# why the address is assigned statically at launch rather than auto-assigned.
# The default site still listens on port 80 on every address; the Cloud Firewall's
# inbound Drop policy keeps it closed (or run `a2dissite 000-default`).
a2ensite fwd-proxy
apache2ctl configtest
systemctl restart apache2

# Done
echo "Forward proxy setup complete."
echo "You can now route VPC traffic via http://$PROXY_IP:8080"
```

Launch Linode using StackScript
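The vhost above is generated from an unquoted heredoc, which is convenient but easy to get wrong: a shell-expanded `${APACHE_LOG_DIR}` breaks the script, and a `Listen` on `*` or `0.0.0.0` turns the proxy into a public open proxy. The following is an added example, not part of the original StackScript, that renders the same vhost from variables and checks those properties before the site is enabled. It assumes the site name `fwd-proxy` and the port 8080 from the script; the multi-subnet `Require ip` and the `AllowCONNECT 443` restriction go slightly beyond the page's single-subnet config.

```shell
#!/bin/sh
# Added example (not from the original StackScript): render the forward-proxy
# vhost from variables and sanity-check it before enabling it in Apache.
#  1. Apache's own ${APACHE_LOG_DIR} is escaped inside the unquoted heredoc so
#     the shell leaves it for Apache to expand.
#  2. `Require ip` accepts several CIDRs, so every client subnet can be listed.
#  3. CONNECT (used for HTTPS through the proxy) is limited to port 443.

# render_proxy_conf LISTEN_IP PORT "CIDR [CIDR ...]" -> prints the vhost on stdout
render_proxy_conf() {
  proxy_ip=$1; port=$2; client_cidrs=$3
  cat <<EOF
# Bind to the VPC address only; never to * or 0.0.0.0 on a host with a public IPv4
Listen ${proxy_ip}:${port}
<VirtualHost ${proxy_ip}:${port}>
    ErrorLog \${APACHE_LOG_DIR}/fwd-proxy-error.log
    CustomLog \${APACHE_LOG_DIR}/fwd-proxy-access.log combined
    ProxyRequests On
    ProxyVia On
    AllowCONNECT 443
    <Proxy "*">
        Require ip ${client_cidrs}
    </Proxy>
</VirtualHost>
EOF
}

# check_proxy_conf FILE -> 0 if the rendered vhost keeps the safety properties,
# 1 (with a reason on stderr) otherwise.
check_proxy_conf() {
  f=$1
  grep -q 'ProxyRequests On' "$f" \
    || { echo "ProxyRequests On missing: not a forward proxy" >&2; return 1; }
  grep -q '^ *Require ip ' "$f" \
    || { echo "no Require ip inside <Proxy>: this would be an open proxy" >&2; return 1; }
  grep -qF '${APACHE_LOG_DIR}' "$f" \
    || { echo "APACHE_LOG_DIR was expanded by the shell (missing backslash in heredoc)" >&2; return 1; }
  # A wildcard Listen exposes the proxy on the public interface as well
  ! grep -Eq '^Listen (\*|0\.0\.0\.0):' "$f" \
    || { echo "proxy bound to all interfaces" >&2; return 1; }
  return 0
}

# Usage on the proxy host (assumed paths match the StackScript):
#   render_proxy_conf 10.0.2.2 8080 "10.0.0.0/24 10.0.1.0/24" \
#     > /etc/apache2/sites-available/fwd-proxy.conf
#   check_proxy_conf /etc/apache2/sites-available/fwd-proxy.conf \
#     && apache2ctl configtest && a2ensite fwd-proxy && systemctl reload apache2
```

After enabling, a client Linode in an allowed subnet can verify the proxy with `curl -x http://10.0.2.2:8080 -I https://example.com`; the same command run from outside the VPC should fail to connect, because the proxy only listens on the VPC address, and a client inside the VPC but outside the listed subnets should receive a 403.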
| Parameter | Value |
|---|---|
| Region | in-maa (Chennai) |
| Plan | Nanode 1 GB (Shared CPU) |
| Label | Give your preferred label (Label can't have spaces) |
| Root Password | Create a Strong Password and store it in iCloud Passwords |
| SSH Keys | You can add an existing SSH key or add this later when you deploy a new server |
| Disk Encryption | Enable |
| VPC | Create and assign a VPC |
| Subnet | Select a subnet under the same VPC that is separate from the one your client Linodes use (here the proxy sits in 10.0.2.0/24 while the clients are in 10.0.0.0/24, the VPC_CIDR in the script) |
| Auto-assign a VPC IPv4 | Disable and enter 10.0.2.2 manually, so the address matches PROXY_IP in the StackScript and Apache can bind to it at first boot |
| Assign a public IPv4 | Enable |
| Firewall | Create and assign a Firewall (that allows all outbound and no inbound) |
| Backups | Disable |
| Private IP | Disable |
Configure Firewall

Add the following inbound rules to the Forward proxy Firewall. Leave the default inbound policy at Drop so that everything not listed here (including Apache's default site on port 80) stays closed:

- Allow ICMP (ping) traffic within the VPC:
  - Label: Choose a label
  - Protocol: ICMP
  - Ports: Leave this field blank
  - IP / Netmask: VPC CIDR block (10.0.0.0/24)
  - Action: Accept
- Allow proxy traffic from other Linode servers within the VPC:
  - Label: Choose a label
  - Protocol: TCP
  - Ports: Custom (8080)
  - IP / Netmask: All VPC Subnet CIDR blocks
  - Action: Accept
- Allow SSH connections from any administrative systems:
  - Label: Choose a label
  - Protocol: TCP
  - Ports: SSH (22)
  - IP / Netmask: Admin system's IP address (use a /32 address)
  - Action: Accept
Create Limited User Account

NOTE
Use the LISH Console to connect to the Linode server and log in as root (the StackScript has already disabled password and root logins over SSH, so LISH is the only way in until a key is installed).

- Create a limited user account using:

```shell
adduser piratedev
# You'll be prompted to provide a password
```

- Add the new user to the sudo group for administrative privileges:

```shell
adduser piratedev sudo
```

Configure SSH

NOTE
Use the LISH Console to connect to the Linode server and log in as piratedev.

- Add the SSH public key (of your administrative system, a Mac Mini in my case) to the authorized keys, keeping the directory and file private so sshd's StrictModes accepts them:

```shell
mkdir -p ~/.ssh && chmod 700 ~/.ssh
vi ~/.ssh/authorized_keys   # paste the public key, one key per line
chmod 600 ~/.ssh/authorized_keys
```

- Restart the SSH service:

```sh
sudo systemctl restart sshd
```
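The `sed` edits in the StackScript only touch `/etc/ssh/sshd_config`; on Debian and Ubuntu images that file includes `/etc/ssh/sshd_config.d/*.conf` first, and sshd keeps the first value it sees, so a drop-in (Ubuntu cloud images can carry a `50-cloud-init.conf` that sets `PasswordAuthentication yes`) silently undoes the hardening. What matters is the effective configuration printed by `sshd -T`. The following is an added example, not part of the original page, that checks it; the function names and the constructed `sshd -T` samples in the usage are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): verify the *effective* sshd
# settings after the StackScript's sed edits instead of trusting the edits.
# `sshd -T` prints the merged configuration with lowercased keywords, one
# "keyword value" pair per line, which is what this parser expects.

# check_sshd_hardening reads `sshd -T` output on stdin and returns 0 only if
# root login and password authentication are off and only IPv4 is served.
check_sshd_hardening() {
  cfg=$(cat)
  rc=0
  for want in "permitrootlogin no" "passwordauthentication no" "addressfamily inet"; do
    key=${want%% *}
    got=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ "$key $got" != "$want" ]; then
      echo "FAIL: $key is '${got:-unset}', expected '${want#* }'" >&2
      rc=1
    fi
  done
  return $rc
}

# find_overrides KEYWORD lists the drop-in files that set KEYWORD; this is where
# to look when the check above fails even though sshd_config was edited.
find_overrides() {
  grep -ril "^[[:space:]]*$1" /etc/ssh/sshd_config.d/ 2>/dev/null || true
}

# Live usage on the server (sshd -T needs root):
#   sudo sshd -T | check_sshd_hardening && echo "sshd hardened"
#   find_overrides passwordauthentication
```

If `find_overrides` names a drop-in, fix the value there (or add your own `00-hardening.conf`, which sorts first and therefore wins), then restart sshd and rerun the check.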