Forward Proxy on Debian 13 (Linode)
Referred from this official doc.
By default, a Linode server within a VPC cannot access other networks, or the internet. However, you'll need internet access to download and install software packages (for example, updating apt packages).
To achieve this, you need to either enable NAT or send traffic to a forward proxy, which acts as a gateway between the VPC and the public internet. NAT allows the server to present a public IP address to the wider network while using a VPC-based address inside the private network. A proxy, on the other hand, is a general term for any intermediate device or application lying between a client and the target server.
Using the forward proxy is recommended, as it greatly enhances security by hiding some or all of the original addressing information. To the destination server, the request appears to come directly from the forward proxy. All details about the originating VPC remain hidden.
NOTE
This setup uses a Public Subnet, so the proxy server can access the internet. The other servers in your VPC (like your database) will remain safely in a Private Subnet and route their outbound traffic through this proxy.
NOTE
You can follow the steps in this guide as written, but replace the following placeholders with your own names:
- <Forward Proxy Server IP Address>: Your Linode's Public IP Address
- non_root: Your non-root username
You should also update the IP addresses and VPC CIDR blocks, to match your VPC settings.
Launch a Linode (Debian) for Forward Proxy
| Parameter | Value |
|---|---|
| Region | in-maa (Chennai) |
| OS | Debian (Debian 13 as of 22-Feb-2026) |
| Plan | Nanode 1 GB (Shared CPU) |
| Label | Give your preferred label (Label can't have spaces) |
| Root Password | Create a Strong Password and store it somewhere safe |
| SSH Keys | You can add an existing SSH key or add this later when you deploy a new server |
| Disk Encryption | Enable |
| VPC | Create and assign a VPC |
| Subnet | Select a different subnet under the same VPC |
| Auto-assign a VPC IPv4 | Enable |
| Allow public IPv4 access | Enable |
| Network Interface Type | Linode Interfaces |
| VPC Interface Firewall | Create and assign a Firewall (that allows all outbound and no inbound - configured later in this guide) |
| Backups | Disable |
Upgrade Packages
TIP
Use the LISH Console to connect to the Linode server. If you added an SSH key above, you can log in from your local machine directly.
Upgrade the packages on the server:
```bash
sudo apt update && sudo apt upgrade -y
```
Set Timezone
Install all locales first to disable locale warnings:
```bash
sudo apt install locales-all
```
All new Linode servers are set to UTC time by default. To change it to IST, use:
```bash
timedatectl set-timezone 'Asia/Kolkata'
```
Confirm the change by running the `date` command in the terminal.
Disable Root Login
NOTE
The LISH Console doesn't rely on SSH, so you can still access the internals of your system using it, including root login.
First, create a limited user account:
```bash
adduser non_root
# You'll be prompted to provide a password
```
Add the new user to the sudo group for administrative privileges:
```bash
adduser non_root sudo
```
Exit the session and SSH back into the server as your new user:
```bash
exit
ssh non_root@<Forward Proxy Server IP Address>
```
Create an SSH directory and add the public key of your local Mac machine to the authorized keys file:
```bash
mkdir ~/.ssh && vi ~/.ssh/authorized_keys
```
Disable root login and password authentication:
```bash
sudo vi /etc/ssh/sshd_config
# Set `PasswordAuthentication` to `no`
# Set `PermitRootLogin` to `no`
# Set `AddressFamily` to `inet` (to disable IPv6 connections)
```
Finally, restart the SSH service to apply the changes:
```bash
sudo systemctl restart sshd
```
Configure Firewall
Add the following inbound rules to the Forward Proxy Firewall to explicitly allow the necessary internal and administrative connections:
| Rule Purpose | Label | Protocol | Ports | IP / Netmask | Action |
|---|---|---|---|---|---|
| Allow ICMP (ping) traffic within the VPC | Choose a label | ICMP | Leave blank | VPC CIDR block (Ex: 10.0.0.0/24) | Accept |
| Allow proxy traffic from other servers | Choose a label | TCP | Custom (8080) | All VPC Subnet CIDR blocks | Accept |
| Allow SSH connections from admin systems | Choose a label | TCP | SSH (22) | Admin system's IP address (use /32) | Accept |
Install and Configure Apache
Install Apache package:
```bash
sudo apt install apache2 -y
```
Enable the Apache modules that provide the forward proxy functionality:
```bash
sudo a2enmod proxy proxy_http proxy_connect
```
Create and edit an Apache configuration file to store the forward proxy settings:
```bash
sudo vi /etc/apache2/sites-available/fwd-proxy.conf
```
Use the following configuration. Be sure to change the IP addresses to match your VPC setup, where 10.0.2.2 represents the Proxy Server's Private IP and 10.0.0.0/24 represents your VPC IP range:
```apache
Listen 10.0.2.2:8080
<VirtualHost *:8080>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/fwd-proxy-error.log
    CustomLog ${APACHE_LOG_DIR}/fwd-proxy-access.log combined
    ProxyRequests On
    ProxyVia On
    <Proxy "*">
        Require ip 10.0.0.0/24
    </Proxy>
</VirtualHost>
```
Set the owner of the file to root:root and set the correct file permissions:
```bash
sudo chown root:root /etc/apache2/sites-available/fwd-proxy.conf
sudo chmod 0644 /etc/apache2/sites-available/fwd-proxy.conf
```
Enable the Apache configuration file that was created in a previous step:
```bash
sudo a2ensite fwd-proxy
```
Restart the Apache server to activate the new configuration:
```bash
sudo systemctl restart apache2
```
Test connectivity
Connect to another Linode, preferably a server in a private subnet, using the Launch LISH Console link.
Add the following line to the apt proxy configuration:
```bash
echo 'Acquire::http::proxy "http://10.0.2.2:8080";' | sudo tee /etc/apt/apt.conf.d/proxy.conf > /dev/null
```
Test connectivity through the forward proxy using:
```bash
sudo apt update && sudo apt upgrade -y
```
To send curl requests through the proxy, append the --proxy parameter to the request:
```bash
curl --proxy 10.0.2.2:8080 http://google.com
```
At this point, you have a working Forward Proxy server.
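Because `ProxyRequests On` turns Apache into a relay, the `Listen` address and the `Require ip` rule in `fwd-proxy.conf` are what keep it from becoming an open proxy. The script below is an added example, not part of the original guide, that statically checks those directives. The function name `audit_fwd_proxy` and both sample files are constructed for illustration, and it assumes "private" means RFC 1918 address space.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): static audit of a forward-proxy
# vhost file for open-proxy conditions. Returns the number of findings (0 = pass).
audit_fwd_proxy() {
  awk -v priv='^(10[.]|192[.]168[.]|172[.](1[6-9]|2[0-9]|3[01])[.])' '
    function fail(msg) { print "FAIL: " msg; n++ }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }      # trim the line
    /^#/ || /^$/ { next }                             # skip comments and blanks
    tolower($1) == "listen" && $2 !~ priv {
      fail("Listen " $2 " is not bound to an RFC 1918 address")
    }
    tolower($1) == "proxyrequests" && tolower($2) == "on" { fwd = 1 }
    tolower($0) ~ /^<proxy[ >]/  { inproxy = 1; next }
    tolower($0) ~ /^<\/proxy>/   { inproxy = 0; next }
    inproxy && tolower($1) == "require" {
      if (tolower($2) == "ip") {
        for (i = 3; i <= NF; i++) {
          acl++
          if ($i !~ priv) fail("Require ip " $i " is outside RFC 1918 space")
        }
      } else if (tolower($2) == "all" && tolower($3) == "granted") {
        fail("Require all granted lets any client use the proxy")
      }
    }
    END {
      if (fwd && !acl) fail("ProxyRequests On without a Require ip rule in <Proxy>")
      exit n + 0
    }' "$1"
}

# Constructed sample inputs: a trimmed copy of the guide's vhost, and an open variant.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/good.conf" <<'EOF'
Listen 10.0.2.2:8080
<VirtualHost *:8080>
    ProxyRequests On
    <Proxy "*">
        Require ip 10.0.0.0/24
    </Proxy>
</VirtualHost>
EOF
sed -e 's/^Listen .*/Listen 8080/' -e 's/Require ip .*/Require all granted/' \
    "$sample_dir/good.conf" > "$sample_dir/open.conf"

for f in good open; do
  audit_fwd_proxy "$sample_dir/$f.conf" && echo "$f.conf: PASS" \
    || echo "$f.conf: $? finding(s)"
done
```

On the proxy server, point the function at `/etc/apache2/sites-available/fwd-proxy.conf` after any edit and before restarting Apache.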
