Configure a forward proxy
For security reasons, an Edge site may have to connect via a forward HTTP proxy. In that case, you have to update proxy.properties before installing the Edge site.
If the forward proxy server decrypts TLS traffic, you also have to use the proxy server's CA certificate during the installation.
Steps
- Download the Edge site installer:
  - Open an Edge site.
    - In the main menu, click , then Settings.
      The Collibra settings page opens.
    - Click Edge.
      The Edge sites overview appears.
    - In the Edge site overview, click the name of an Edge site.
      The Edge site page appears.
  - In the Installer and properties files section, click Download.
  - Depending on your operating system and browser, follow the regular steps for downloading files.
    The installer file is a TGZ archive that contains the files proxy.properties, properties.yaml and registries.yaml.
    Note: If you download an installer, all previously downloaded installers become invalid.
- Open the proxy.properties file.
- Uncomment and update the outbound-proxy properties by removing "#" at the beginning of the following lines:
  Proxy configuration K3S

    #noProxy=<host IP addresses>,<host DNS names>,<k8s-svc-ip-addresses>,<k8s-pod-ip-addresses>,<others>
    #proxyHost=<proxy domain name or IP address>
    #proxyPort=<proxy-port>
    #proxyUsername=<proxy username>
    #proxyPassword=<proxy password>

  Settings and their values:
  - noProxy: A comma-separated list of IP or DNS addresses that can bypass the proxy server.
    This list must include at least the Kubernetes cluster's internal IP addresses and the Kubernetes nodes' IP and DNS addresses.
    The list may not contain spaces.
    Tip: To get the values for this setting, you can use the edge-get-noproxy.sh script, which you can find in the extracted installer directory under /resources/tools. However, make sure that your network administrator reviews these values.
    where:
    - <host-ip-addresses>: for example 172.20.0.0/16.
    - <host-dns-names>: for example *.compute.internal.
    - <k8s-svc-ip-addresses>: by default 10.43.0.0/16, but this can differ for other k8s flavors or configurations.
    - <k8s-pod-ip-addresses>: by default 10.42.0.0/16, but this can differ for other k8s flavors or configurations.
    - <others>: other IP addresses that don't need to be proxied. Add at least 169.254.169.254 for AWS.
    Example: noProxy=172.20.0.0/16,*.compute.internal,10.43.0.0/16,10.42.0.0/16,169.254.169.254
  - proxyHost: The IP or DNS address of the proxy server.
    Example: proxyHost=site4-proxy.shared.edge.collibra.dev
  - proxyPort: The TCP port of the proxy server. This value must be a quoted string and not an integer value.
    Example: proxyPort="3128"
  - proxyUsername: The username to authenticate at the proxy server.
    Example: proxyUsername=edge
  - proxyPassword: The password to authenticate at the proxy server.
    Example: proxyPassword=la;fs90jpo4j3rR%

  Proxy configuration EKS

    #noProxy=<host IP addresses>,<host DNS names>,<k8s-svc-ip-addresses>,<k8s-pod-ip-addresses>,<others>
    #proxyHost=<proxy domain name or IP address>
    #proxyPort=<proxy-port>
    #proxyUsername=<proxy username>
    #proxyPassword=<proxy password>

  Settings and their values:
  - noProxy: A comma-separated list of IP or DNS addresses that can bypass the proxy server.
    This list must include at least the Kubernetes cluster's internal IP addresses and the Kubernetes nodes' IP and DNS addresses.
    The list may not contain spaces.
    Tip: To get the values for this setting, you can use the edge-get-noproxy.sh script. However, make sure that your network administrator reviews these values.
    where:
    - <host-ip-addresses>: for example 172.20.0.0/16.
    - <host-dns-names>: for example *.compute.internal.
    - <k8s-svc-ip-addresses>: depends on your EKS installation. Typically this is 10.100.0.0/16 or 172.20.0.0/16.
    - <k8s-pod-ip-addresses>: depends on your EKS installation. Typically they are the same subnets as in the VPC, for example 172.20.0.0/16.
    - <others>: other IP addresses that don't need to be proxied. For EKS, always add 169.254.169.254.
    Example: noProxy=172.20.0.0/16,*.compute.internal,10.100.0.0/16,169.254.169.254
  - proxyHost: The IP or DNS address of the proxy server.
    Example: proxyHost=site4-proxy.shared.edge.collibra.dev
  - proxyPort: The TCP port of the proxy server. This value must be a quoted string and not an integer value.
    Example: proxyPort="3128"
  - proxyUsername: The username to authenticate at the proxy server.
    Example: proxyUsername=edge
  - proxyPassword: The password to authenticate at the proxy server.
    Example: proxyPassword=la;fs90jpo4j3rR%

  Important: When you add a new node to a cluster, review and, if necessary, update the noProxy setting and, by implication, the forward proxy settings, unless the subnet used for nodes and their DNS suffix are already in noProxy.
- If you use a forward proxy that decrypts TLS traffic, a so-called man-in-the-middle (MITM) proxy, the TLS certificates that the MITM proxy generates on the fly must use the subjectAltName (SAN) extension. To enable Edge via a MITM proxy, also perform the following steps.
  If the proxy server does not decrypt the TLS traffic, you can skip the following steps.
  - Export your proxy server's CA certificate in PEM format.
  - Save this certificate as ca.pem in the same directory as the Edge site installer.
    Note: If you save the certificate in another directory, use the --ca argument in the Edge site installation command.
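The noProxy and proxyPort rules above can be checked before installation with a small script; this is an added example, not part of the Collibra installer or its documentation. The function names, the aws flag and the matching semantics (CIDR containment, "*.suffix" wildcards, exact names) are assumptions, and the sample file is constructed from this page's K3S example values.

```python
import ipaddress

# Constructed sample: the K3S example values from this page, uncommented.
SAMPLE = """\
noProxy=172.20.0.0/16,*.compute.internal,10.43.0.0/16,10.42.0.0/16,169.254.169.254
proxyHost=site4-proxy.shared.edge.collibra.dev
proxyPort="3128"
"""

def parse(text):
    """Return the active (uncommented) key=value pairs."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))
    return {k.strip(): v for k, v in pairs}

def covered(target, no_proxy):
    """True if target matches an entry (assumed: CIDR, '*.suffix', exact name)."""
    for entry in no_proxy.split(","):
        try:
            if ipaddress.ip_address(target) in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # target or entry is a DNS name, not an address
            name = target.lower()
            if name == entry.lower() or (entry.startswith("*.") and name.endswith(entry[1:].lower())):
                return True
    return False

def lint(text, nodes=(), aws=True):
    """Return findings; an empty list means the rules on this page are met."""
    props = parse(text)
    findings = [f"{k} is missing or still commented out"
                for k in ("noProxy", "proxyHost", "proxyPort") if k not in props]
    no_proxy, port = props.get("noProxy", ""), props.get("proxyPort")
    if " " in no_proxy:
        findings.append("noProxy contains spaces")
    if port is not None and not (port[:1] == port[-1:] == '"' and port[1:-1].isdigit()):
        findings.append('proxyPort must be a quoted string such as "3128"')
    # 169.254.169.254 is the address this page says to add on AWS/EKS.
    required = (["169.254.169.254"] if aws else []) + list(nodes)
    findings += [f"{r} is not covered by noProxy"
                 for r in required if no_proxy and not covered(r, no_proxy)]
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE, nodes=["172.20.3.7", "192.168.5.9"]))
```

Pass the IP addresses and DNS names of the cluster nodes as nodes each time a node is added, and have the network administrator review any entry the check reports.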
What's next?
Install the Edge site
If you want to update the forward proxy afterwards, you can use the update script.