Forward Proxy on Debian 12 Linode
NOTE
If you want a faster setup, see this guide.
Referred from this official doc.
By default, a Linode server within a VPC cannot access other networks or the internet. However, you'll need internet access to download and install software packages (for example, updating apt packages).
To achieve this, you need to either enable NAT or send traffic to a forward proxy, which acts as a gateway between the VPC and the public internet. NAT allows the server to present a public IP address to the wider network while using a VPC-based address inside the private network. A proxy, on the other hand, is a general term for any intermediate device or application lying between a client and the target server.
Using the forward proxy is recommended, as it greatly enhances security by hiding some or all of the original addressing information. To the destination server, the request appears to come from the forward proxy. All details about the originating VPC remain hidden.
This setup utilizes a Public (Proxy) Subnet, since the proxy server should be able to connect to the internet.
Launch Linode for Forward Proxy
| Parameter | Value |
|---|---|
| Region | in-maa (Chennai) |
| OS | Debian (Debian 12 as of 5-Jun-2025) |
| Plan | Nanode 1 GB (Shared CPU) |
| Label | Give your preferred label (Label can't have spaces) |
| Root Password | Create a Strong Password and store it in iCloud Passwords |
| SSH Keys | You can add an existing SSH key or add this later when you deploy a new server |
| Disk Encryption | Enable |
| VPC | Create and assign a VPC |
| Subnet | Select a different subnet under the same VPC |
| Auto-assign a VPC IPv4 | Enable |
| Assign a public IPv4 | Enable |
| Firewall | Create and assign a Firewall (that allows all outbound and no inbound) |
| Backups | Disable |
| Private IP | Disable |
TIP
Use LISH Console to connect to the Linode server.
Set timezone
Install all locales first to disable locale warnings:
```bash
sudo apt-get install locales-all
```
All new Linode servers are set to UTC time by default. To change it to IST, use:
```bash
timedatectl set-timezone 'Asia/Kolkata'
```
Confirm date by running `date` command in the terminal.
Disable Root Login
NOTE
LISH Console doesn't rely on SSH, so you can still access internals of your system using it, including root login.
- First create a limited user account using:
  ```bash
  adduser piratedev
  # You'll be prompted to provide password
  ```
- Add new user to the `sudo` group for administrative privileges:
  ```bash
  adduser piratedev sudo
  ```
- Exit and SSH as the new user using password:
  ```bash
  exit
  ssh piratedev@<Linode IP>
  ```
- Add SSH Public key (of your administrative system - Mac Mini in my case) to authorized keys:
  ```bash
  vi ~/.ssh/authorized_keys
  ```
- Disable Root login and Password Authentication:
  ```bash
  sudo vi /etc/ssh/sshd_config
  # Set `PasswordAuthentication` to `no`
  # Set `PermitRootLogin` to `no`
  # Set `AddressFamily` to `inet` (to disable IPv6 connections)
  ```
- Restart SSH service:
  ```bash
  sudo systemctl restart sshd
  ```
Configure Firewall
Add the following inbound rules to the Forward proxy Firewall:
- Allow ICMP (ping) traffic within the VPC:
  - Label: Choose a label
  - Protocol: `ICMP`
  - Ports: Leave this field blank
  - IP / Netmask: VPC CIDR block (`10.0.0.0/24`)
  - Action: `Accept`
- Allow proxy traffic from other Linode servers within the VPC:
  - Label: Choose a label
  - Protocol: `TCP`
  - Ports: `Custom (8080)`
  - IP / Netmask: All VPC Subnet CIDR blocks
  - Action: `Accept`
- Allow SSH connections from any administrative systems:
  - Label: Choose a label
  - Protocol: `TCP`
  - Ports: `SSH (22)`
  - IP / Netmask: Admin system's IP address (use /32 address)
  - Action: `Accept`
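Before relying on the SSH rule above, confirm that the three `sshd_config` settings from the Disable Root Login section are actually in effect: sshd uses the first value it reads for each keyword, so an earlier line or an included file can override the edit. The check below is an added example, not part of the original guide; `check_sshd_hardening` and `sample_effective_config` are hypothetical helper names, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: verify the hardening steps against sshd's effective config.
# On the server, run:  sudo sshd -T | check_sshd_hardening
# (`sshd -T` prints the effective configuration, one lowercase keyword per line.)
check_sshd_hardening() {
    awk '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["permitrootlogin"]        = "no"
            want["addressfamily"]          = "inet"
        }
        { key = tolower($1) }
        # Keep only the first value seen per keyword (sshd semantics).
        (key in want) && !(key in seen) { seen[key] = tolower($2) }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s\n", k; bad++
                } else if (seen[k] != want[k]) {
                    printf "FAIL %s=%s (want %s)\n", k, seen[k], want[k]; bad++
                }
            }
            exit (bad > 0)   # non-zero exit when any setting is wrong
        }
    '
}

# Constructed sample: password logins still enabled by an overriding file.
sample_effective_config() {
    cat <<'EOF'
port 22
addressfamily inet
permitrootlogin no
passwordauthentication yes
EOF
}

sample_effective_config | check_sshd_hardening || echo "sshd hardening incomplete"
```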
Install and Configure Apache
- Install Apache package using:
  ```bash
  sudo apt update -y && sudo apt install apache2 -y
  ```
- Enable the Apache modules that provide the forward proxy functionality:
  ```bash
  sudo a2enmod proxy proxy_http proxy_connect
  ```
- Create and edit an Apache configuration file to store the forward proxy settings:
  ```bash
  sudo nano /etc/apache2/sites-available/fwd-proxy.conf
  ```
- Use following config (change IP addresses if needed): `10.0.2.2` is Proxy Server Private IP. `10.0.0.0/24` is the VPC IP range.
  ```apache
  Listen 10.0.2.2:8080
  <VirtualHost *:8080>
      ServerAdmin webmaster@localhost
      DocumentRoot /var/www/html
      ErrorLog ${APACHE_LOG_DIR}/fwd-proxy-error.log
      CustomLog ${APACHE_LOG_DIR}/fwd-proxy-access.log combined
      ProxyRequests On
      ProxyVia On
      <Proxy "*">
          Require ip 10.0.0.0/24
      </Proxy>
  </VirtualHost>
  ```
- Set the owner of the file to root:root and set the correct file permissions:
  ```bash
  sudo chown root:root /etc/apache2/sites-available/fwd-proxy.conf
  sudo chmod 0644 /etc/apache2/sites-available/fwd-proxy.conf
  ```
- Enable the Apache configuration file that was created in a previous step:
  ```bash
  sudo a2ensite fwd-proxy
  ```
- Restart the Apache server to activate the new configuration:
  ```bash
  sudo systemctl restart apache2
  ```
Test connectivity from the other server
- SSH into another Linode using `Launch LISH Console` link.
- Add the following line to the apt proxy configuration:
  ```bash
  echo 'Acquire::http::proxy "http://10.0.2.2:8080";' > /etc/apt/apt.conf.d/proxy.conf
  ```
- Test connectivity through forward proxy using:
  ```bash
  sudo apt update && sudo apt upgrade -y
  ```
- To transmit `curl` requests, append the `--proxy` parameter to the request:
  ```bash
  curl --proxy 10.0.2.2:8080 http://google.com
  ```
🎉 Congrats! You should have a working Forward Proxy Server now.
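Once clients are using the proxy, `fwd-proxy-access.log` is the record of who used it and for what. The firewall rule above admits every VPC subnet on port 8080 while `Require ip` admits only `10.0.0.0/24`, so refused clients from other subnets show up there as 403s. The review script below is an added example, not part of the original guide; `review_proxy_log` and `sample_proxy_log` are hypothetical helper names, the log lines are constructed, and `/var/log/apache2` is assumed to be `APACHE_LOG_DIR` (the Debian default).

```shell
#!/bin/sh
# Added example: review the forward proxy's access log ("combined" format).
# On the proxy: review_proxy_log 10.0.0.0/24 < /var/log/apache2/fwd-proxy-access.log
review_proxy_log() {
    awk -v cidr="$1" '
        function ip2n(ip,   o) {            # dotted quad -> integer, -1 if not IPv4
            if (split(ip, o, ".") != 4) return -1
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN {
            split(cidr, c, "/")
            size = 2 ^ (32 - c[2])          # number of addresses in the block
            net  = int(ip2n(c[1]) / size)
        }
        {
            client = $1; method = substr($6, 2); target = $7; status = $9
            n = ip2n(client)
            if (n < 0 || int(n / size) != net)
                # Client is not covered by the Require ip range.
                printf "OUTSIDE_ACL client=%s status=%s target=%s\n", client, status, target
            else if (method == "CONNECT" && target !~ /:443$/)
                # Tunnel request to a port other than HTTPS.
                printf "ODD_CONNECT client=%s status=%s target=%s\n", client, status, target
        }
    '
}

# Constructed sample log lines, not real traffic.
sample_proxy_log() {
    cat <<'EOF'
10.0.0.5 - - [05/Jun/2025:10:00:01 +0530] "GET http://deb.debian.org/debian/dists/bookworm/InRelease HTTP/1.1" 200 151082 "-" "Debian APT-HTTP/1.3 (2.6.1)"
10.0.0.5 - - [05/Jun/2025:10:00:02 +0530] "CONNECT example.org:443 HTTP/1.1" 200 5120 "-" "curl/7.88.1"
10.0.0.7 - - [05/Jun/2025:10:00:03 +0530] "CONNECT example.net:8443 HTTP/1.1" 403 199 "-" "curl/7.88.1"
10.0.1.9 - - [05/Jun/2025:10:00:04 +0530] "GET http://example.com/ HTTP/1.1" 403 199 "-" "curl/7.88.1"
EOF
}

sample_proxy_log | review_proxy_log 10.0.0.0/24
```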
