Proxy Configuration

Forward Proxy

BindPlane OP and BindPlane Agent support the use of an HTTP forward proxy for (egress) connections. The Proxy is configured using the HTTP_PROXY and HTTPS_PROXY environment variables.

Configure BindPlane OP

You can configure the proxy environment variables by using a Systemd override. Run the following command:

bash
1sudo systemctl edit bindplane

Modify the unit file's override to look like this:

observIQ docs - Proxy Systemd Override - image 1

Note that this example is using http for both HTTP_PROXY and HTTPS_PROXY. This is because the proxy server is not configured to use TLS. Connections to https sites (such as github.com and Google Cloud API) are still encrypted with TLS. See the TLS for more details.

After saving the file, you can reload systemd and restart BindPlane.

bash
1sudo systemctl daemon-reload
2sudo systemctl restart bindplane

BindPlane will now proxy outgoing requests using the configured proxy.

Configure BindPlane Agent

The process for BindPlane Agent is identical to BindPlane OP.

Create a Systemd override.

bash
1sudo systemctl edit observiq-otel-collector

Configure the HTTP_PROXY and HTTPS_PROXY environment variables.

Reload systemd and restart the service.

bash
1sudo systemctl daemon-reload
2sudo systemctl restart observiq-otel-collector

Authentication

Username and password authentication is supported using the following form:

bash
1HTTP_PROXY=http://user:password@proxy.corp:3128

TLS

TLS is always used between the proxy and the destination when connecting to a TLS secured endpoint, such as https://logging.googleapis.com or https://otlp-gateway-prod-us-central-0.grafana.net/otlp.

This is often confusing because TLS is not required for the connection between BindPlane / BindPlane Agent and the proxy.

If your proxy has a TLS listener, you can use TLS for the connection between BindPlane / BindPlane Agent and the proxy like this:

bash
1HTTP_PROXY=https://proxy.corp.net:3128
2HTTPS_PROXY=https://proxy.corp.net:3128

This will proxy http and https requests using TLS between your proxy client and server.

Note that your BindPlane OP server and your BindPlane Agents must trust the certificate that is in use by the proxy.

You can read more about adding ca certificates to your servers by reviewing the following: