Configure a forward proxy

You can configure a forward HTTP proxy when you install your Edge site. We support 2 kinds of forward proxy configuration:

Explicit proxy
Transparent Proxy

For more information, go to Supported forward proxy configurations for Edge.

Note

For direct forward proxy configurations, complete steps 1-3 to update proxy.properties before installing the Edge site.
For traffic intercepting configurations, such as a Man-in-the-Middle (MITM) proxy, complete all 4 steps to configure the forward proxy and enable the MITM proxy.

Steps

Download the Edge site installer:
1. Open a site.
  1. On the main toolbar, click → Settings.
    The Settings page opens.
  2. In the tab pane, click Edge.
    The Sites tab opens and shows a table with an overview of your sites.
  3. In the site overview, click the name of a site.
    The site page appears.
2. Click Download Installer.
3. Depending on your operating system and browser, follow the regular steps for downloading files.
  The installer file is a TGZ archive that contains the files proxy.properties and registries.yaml.
  Note If you download an installer, all previously downloaded installers become invalid.
Extract the TGZ archive on the server on which you want to install the Edge site.
Copy
```
tar -xf <edge-site-id>-installer.tgz
```
Note
- Keep the installer or the contents of the extracted installer in a secure location on your server. These contents contain various tools that you may need later, for example to troubleshoot issues.
- If you want to run a script or executable file from the extracted directory, ensure that the directory is not mounted as noexec. If a directory is mounted as noexec, scripts and executable files will be prevented from being run within the directory.
Open the proxy.properties file.

Remove the "#" symbol from the following lines to uncomment and update the outbound-proxy properties:

#noProxy=<host IP addresses>,<host DNS names>,<k8s-svc-ip-addresses>,<k8s-pod-ip-addresses,<others>
#proxyHost=<proxy domain name or IP address>
#proxyPort=<proxy-port>
#proxyUsername=<proxy username>
#proxyPassword=<proxy password>

Setting	Value
noProxy	A comma-separated list of IP or DNS addresses that can bypass the proxy server. This list must include at least the Kubernetes cluster's internal IP addresses and the Kubernetes nodes' IP and DNS addresses. The list may not contain spaces. Tip To get the values for this setting, you can use the edge-get-noproxy.sh script, which you can find in the extracted installer directory under /resources/tools. However, make sure that your network administrator reviews these values. where: <host-ip-addresses>: for example `172.20.0.0/16`. <host-dns-names>: for example `.compute.internal`. <k8s-svc-ip-addresses>: is by default `10.43.0.0/16`, but this can differ for other k8s flavors or configurations. <k8s-pod-ip-addresses>: is by default `10.42.0.0/16`, but this can differ for other k8s flavors or configurations. <others>: other IP addresses that don't need to be proxied. Add at least `169.254.169.254.` for AWS. Example `noProxy=172.20.0.0/16,.compute.internal,10.43.0.0/16,10.42.0.0/16,169.254.169.254`
proxyHost	The IP or DNS address of the proxy server. Example `proxyHost=site4-proxy.shared.edge.collibra.dev`
proxyPort	The TCP port of the proxy server. This value must be a quoted string and not an integer value. Example `"proxyPort=3128"`
proxyUsername	The username to authenticate at the proxy server. Example `proxyUsername=edge` Note Usernames with single quotations ', double quotations ", and backslashes \ need to be escaped using an additional backslash. For example, if the username is ge'smith\, it would need to be entered into proxy.properties as username: ge\'smith\\.
proxyPassword	The password to authenticate at the proxy server. Example `proxyPassword=la;fs90jpo4j3rR%` Note Passwords with single quotations ', double quotations ", and backslashes \ need to be escaped using an additional backslash. For example, if the password is te"st\1234', it would need to be entered into proxy.properties as password: te\"st\\1234\'.

Important If you are installing your Edge site on a managed Kubernetes cluster, and you add a new node to a cluster, you should review and update, if necessary, the noProxy and implicitly forward proxy settings, unless the subnet used for nodes and their DNS suffix are added to noProxy.

Optional, if you want to enable Edge via a MITM proxy (a forward proxy that decrypts TLS traffic), follow the steps below:
Note On-the-fly TLS certificates that are generated by the MITM proxy must use the subjectAltName (SAN) extension.
1. Export your proxy server's CA certificate in PEM format.
  - When using your own "ca.pem" file be sure to only include the certificate or certificate chain of the MITM proxy. A custom "ca.pem" file cannot exceed 100kb.
2. Save this certificate as "ca.pem" in the same directory as the Edge site installer.
  Note If you save the certificate in another directory, use the --ca argument in the Edge site installation command.
Run the install command for your Edge site, beginning from step 3.

What's next

If this is a new installation, install the Edge site.
If you use a MITM proxy and the "ca.pem" has changed or was not included in the initial Edge site installation, you must reinstall your Edge site.
If you want to update the forward proxy afterwards, you can use the update script.