
Configuring a Proxy Server

The following sections describe how to build and configure a proxy server.

A proxy server allows Lucidum connectors that run on your SaaS account to fetch data securely from your on-premises assets.

Deploy and Prep the Virtual Machine or Server

The proxy server must meet these requirements:

Example

• Server is AWS t2.micro (free tier)

• 1GB memory

• 16GB storage

• 64-bit (required for Docker)

• Ubuntu 22.04 (LTS preferred for support)

Validate Network Connectivity

Use the following sections to validate network connectivity on the proxy server.

Update Linux Packages

After configuring Linux on the proxy server, best practice is to update all packages. To do this:

  1. Either log in to the console of the proxy server or use SSH to access the server.

  2. On the proxy server, open a shell session.

  3. At the shell prompt, type:

sudo apt update

sudo apt upgrade -y

These commands not only update the packages on the new server but also test internet connectivity and DNS resolution.

Check NTP Connection

After configuring Linux on the proxy server, check the NTP connection. To do this:

  1. Either log in to the console of the proxy server or use SSH to access the server.

  2. On the proxy server, open a shell session.

  3. To check the NTP source, at the shell prompt, type:

    chronyc sources

  4. To check the health of the system clock, at the shell prompt, type:

    chronyc tracking

Check Lucidum Tunnel Connection

The proxy server must have network connectivity to the Lucidum appliance via outbound port 1194.

To test this connectivity:

  1. Either log in to the console of the proxy server or use SSH to access the server.

  2. On the proxy server, open a shell session.

  3. To check that the tunnel port is reachable, at the shell prompt, type:

    nmap -Pn -p 1194 tunnel.[fully qualified domain name]

    where:

    fully qualified domain name is the fully qualified domain name (FQDN) of the Lucidum SaaS instance. Usually the FQDN is <customer_name>.lucidum.cloud

To view the fully qualified domain name of the Lucidum SaaS instance, you can view the contents of the client.conf file that Lucidum sends you. To do so:

cat client.conf

The nmap command validates that the TCP port 1194 is open outbound from the proxy server and open inbound on the Lucidum SaaS instance.

Install and Configure Docker

The proxy server requires Docker. To install and configure Docker:

  1. Either log in to the console of the proxy server or use SSH to access the server.

  2. On the proxy server, open a shell session.

  3. Create a user called “lucidum”. To do this, at the shell prompt, type:

    sudo adduser lucidum

  4. Make note of the password you created for “lucidum”.

  5. Add the lucidum user to the admin group. This allows lucidum to use sudo commands. At the shell prompt, type:

    sudo usermod -a -G admin lucidum

  6. Install docker. For details on installing Docker on all Linux operating systems, see https://docs.docker.com/engine/install/

  7. In our example, we will install Docker on Ubuntu and install from repository. For details, see https://docs.docker.com/engine/install/ubuntu/

    • Set up the repository

    • Install the Docker engine

  8. Create a “docker” group. At the shell prompt, type:

    sudo groupadd docker

  9. Add the “lucidum” user to the “docker” group. This allows lucidum to run docker commands. At the shell prompt, type:

    sudo usermod -a -G docker lucidum

  10. To force the proxy server to read the group memberships, log out of the proxy server and log back in.

Copy client.conf to the Proxy Server

To create the proxy server, Lucidum supplies a file called client.conf.

  1. Contact Lucidum Customer Success and request a configuration file for the proxy server.

  2. Customer Success will generate a file called client.conf and send you that file.

  3. The client.conf file includes:

    • FQDN and port for the tunnel endpoint

    • Keys

    • TLS certs

  4. Either log in to the console of the proxy server or use SSH to access the server.

  5. Using a tool like WinSCP or FTP, copy client.conf to your home directory on the proxy server.

  6. On the proxy server, open a shell session.

  7. Create the directory /usr/lucidum/tunnel. To do this, at the shell prompt, type:

    sudo mkdir -p /usr/lucidum/tunnel

  8. Navigate to the directory where you stored client.conf.

  9. Copy client.conf to the directory /usr/lucidum/tunnel. To do this, at the shell prompt, type:

    sudo cp ./client.conf /usr/lucidum/tunnel

  10. Make the directory that contains client.conf read-only. To do this, at the shell prompt, type:

    sudo chmod a=r /usr/lucidum/tunnel
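
Because client.conf holds keys and TLS certs, it is worth confirming after step 10 that other local users cannot open it. The following check is an added example, not Lucidum's code; the function names are hypothetical and the demo runs in a constructed temporary directory. It only looks at the "other" permission bits.

```shell
#!/bin/sh
# Added example (not Lucidum's code): can other local users read client.conf?

# Print the last octal digit of a path's mode (permissions for "other").
other_bits() {
  mode=$(stat -c '%a' "$1") || return 2
  echo "${mode#"${mode%?}"}"
}

# Returns 0 if "other" users cannot open <dir>/client.conf, 1 if they can.
# Opening a file needs search (x) on its directory AND read (r) on the file,
# so a directory without x (as left by `chmod a=r`) hides the file.
conf_is_private() {
  dir=${1:-/usr/lucidum/tunnel}
  d=$(other_bits "$dir") || return 2
  case $d in
    1|3|5|7) ;;   # directory is searchable: the file's own mode decides
    *) echo "OK: $dir is not searchable by other users (o=$d)"; return 0 ;;
  esac
  f=$(other_bits "$dir/client.conf") || return 2
  case $f in
    4|5|6|7)
      echo "EXPOSED: $dir/client.conf is readable by any local user (dir o=$d, file o=$f)"
      return 1 ;;
  esac
  echo "OK: $dir/client.conf is not readable by other users (file o=$f)"
}

# Constructed demo in a temporary directory (does not touch /usr/lucidum).
demo=$(mktemp -d)
: > "$demo/client.conf"
chmod 644 "$demo/client.conf"
chmod 755 "$demo"; conf_is_private "$demo" || true   # reports EXPOSED
chmod a=r "$demo"; conf_is_private "$demo"           # reports OK, as after step 10
chmod 700 "$demo"; rm -rf "$demo"
```

On the proxy server, run `conf_is_private /usr/lucidum/tunnel` after step 10; a later change that restores the directory's execute bit would make a 644 client.conf readable again.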

Start Docker and Run the Docker Image

Next, you must start docker and run the docker image.

  1. On the proxy server, log in as user “lucidum”. Either log in to the console of the proxy server or use SSH to access the server.

  2. On the proxy server, open a shell session.

  3. See if Docker is running. To do this, at the shell prompt, type:

    docker ps

  4. If you see the message “Cannot connect to Docker daemon…”, you must start Docker.

  5. Start Docker. To do this, at the shell prompt, type:

    sudo systemctl start docker

  6. See if Docker is running. To do this, at the shell prompt, type:

    docker ps

  7. Start the new Docker container. To do this, at the shell prompt, type:

    docker run -d --cap-add=NET_ADMIN \
      --device=/dev/net/tun \
      --restart=unless-stopped \
      --network=bridge \
      -v /usr/lucidum/tunnel:/data \
      --name=lucidum-tunnel \
      public.ecr.aws/lucidum/tunnel-client:v1.1.0

  8. When you have completed configuration on your proxy server and on your Lucidum system, contact Lucidum Customer Success to test your connection and help you troubleshoot if necessary.
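
Once the container from step 7 is running, you can confirm that it holds only the privileges the documented docker run command grants: one added capability, one host device, one bind mount. This audit is an added example, not Lucidum's code; the function names are hypothetical and the sample summary lines are constructed.

```shell
#!/bin/sh
# Added example (not Lucidum's code): least-privilege audit of the tunnel container.
# Go template for `docker inspect`: privileged flag | added capabilities |
# host devices | bind mounts (source:destination).
FMT='{{.HostConfig.Privileged}}|{{range .HostConfig.CapAdd}}{{.}},{{end}}|'
FMT="$FMT"'{{range .HostConfig.Devices}}{{.PathOnHost}},{{end}}|'
FMT="$FMT"'{{range .Mounts}}{{if eq .Type "bind"}}{{.Source}}:{{.Destination}},{{end}}{{end}}'

# Fetch the summary line for a container (needs Docker on the proxy server).
tunnel_summary() {
  docker inspect --format "$FMT" "${1:-lucidum-tunnel}"
}

# Compare one summary line with the flags documented on this page.
# Prints each deviation and returns non-zero if any is found.
audit_tunnel() (
  rc=0
  IFS='|' read -r priv caps devs mounts <<EOF
$1
EOF
  caps=${caps%,}; devs=${devs%,}; mounts=${mounts%,}
  [ "$priv" = "false" ] || { echo "FAIL: --privileged is set"; rc=1; }
  # Docker may report the capability with or without the CAP_ prefix.
  [ "${caps#CAP_}" = "NET_ADMIN" ] ||
    { echo "FAIL: added capabilities are '$caps', expected only NET_ADMIN"; rc=1; }
  [ "$devs" = "/dev/net/tun" ] ||
    { echo "FAIL: host devices are '$devs', expected only /dev/net/tun"; rc=1; }
  [ "$mounts" = "/usr/lucidum/tunnel:/data" ] ||
    { echo "FAIL: bind mounts are '$mounts', expected only /usr/lucidum/tunnel:/data"; rc=1; }
  if [ "$rc" -eq 0 ]; then echo "OK: container matches the documented flags"; fi
  exit "$rc"
)

# Constructed sample lines standing in for `tunnel_summary` output.
GOOD='false|NET_ADMIN,|/dev/net/tun,|/usr/lucidum/tunnel:/data,'
BAD='true|NET_ADMIN,SYS_ADMIN,|/dev/net/tun,|/usr/lucidum/tunnel:/data,'
BAD="$BAD"'/var/run/docker.sock:/var/run/docker.sock,'

audit_tunnel "$GOOD"
audit_tunnel "$BAD" || true
```

On the proxy server, run `audit_tunnel "$(tunnel_summary)"` as the lucidum user.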

Verify Tunnel Connection

To view the logs for the tunnel connection between Lucidum and the proxy server:

  1. On the proxy server, log in as user “lucidum”. Either log in to the console of the proxy server or use SSH to access the server.

  2. On the proxy server, open a shell session.

  3. View the logs for the tunnel connection. To do this, at the shell prompt, type:

    docker logs lucidum-tunnel

  4. The log should look something like this:

Configuring Connectors to Use the Proxy Server

  1. Log on to your Lucidum system.

  2. In the left pane, click Connector.

    • If this is a new connector, in the Connector page, click Add Connector.

    • If this is an existing connector, scroll until you find the Connector you want to edit. Click Connect. The Settings page appears.

  3. If the connector supports a proxy, it will include the Proxy field.

  4. Enter the following in the Proxy field:

    • 192.168.255.6:3128

    This is the IP address and port number of the proxy service inside the docker container on the proxy server.

Note that this IP value appeared in the log file in the section above.
