Contact Us 1-800-596-4880

Configuring a Forward Proxy for Flex Gateway in Local Mode

A forward proxy, such as Squid, enables you to route external HTTP Flex Gateway connections through a proxy connection.

For both Connected Mode and Local Mode, you configure a forward proxy using YAML configuration files.

The following diagram demonstrates how an internal network communicates with an external network using a forward proxy.

This is an image of all connections to your Flex Gateway first traveling through a forward proxy

As in the diagram, when using a forward proxy, HTTP communication out of your internal network must travel through the forward proxy.

In this example, all HTTP API upstream communication must also pass through the forward proxy. For more information about how to enable some connections to communicate directly without the forward proxy, see noProxy Parameter.

Forward Proxy Connections

Only HTTP connections route through the forward proxy.

The following connections route through the forward proxy:

  • Connections to Anypoint Platform

  • Outbound policy connections

  • Connections to upstream services

  • HTTP (Fluent Bit) log connections

Using the noProxy parameter, you can configure HTTP and HTTPS connections to connect directly without using the forward proxy.

Configuring a forward proxy does not alter these connections:

  • Connections to shared storage

  • Lightweight Directory Access Protocol (LDAP) connections

  • Non-HTTP log connections

noProxy Parameter

Adding the noProxy parameter enables HTTP services you trust to communicate without using the forward proxy.

For example, when you enable noProxy, you can list HTTP log connections and connections to upstream services to have them connect directly to Flex Gateway.

When using the noProxy parameter in the YAML configuration file to communicate with HTTP logs, you must list the exact domain name. You cannot list the domain suffix, for example, .svc.cluster.local. You need to list full domain name, <logging-name>.svc.cluster.local, for all HTTP log connections.

The following diagram demonstrates the differences in communication using noProxy:

This is an image demonstrating the differences in internal connections when you do or do not enable noProxy

In the diagram, when you do not enable noProxy, Flex Gateway communicates with the internal API endpoint using the forward proxy. When you enable noProxy and list the API Upstream domain, Flex Gateway communicates directly with the internal API endpoint.

Configuring Forward Proxy Parameters

apiVersion: gateway.mulesoft.com/v1alpha1
kind: Configuration
metadata:
  name: forward-proxy
spec:
  forwardProxy:
    https:
      address: http://proxy:8888
      basicAuth:
        username: <string>
        password: <string>
    noProxy:
       - fluentd
       - .svc.cluster.local
Parameter Required or Optional Description

https.address

required

Proxy adddress

basicAuth

Optional

Supplies the authentication username and password

basicAuth.username

Required when basicAuth configured

Authentication username

basicAuth.Password

Required when basicAuth configured

Authentication password

noProxy

Optional

Array containing domain names to communicate to without using the forward proxy

File Configuration

  1. Create a configuration file with a .yaml file extension:

    1. Give the file a custom name, such as forward-proxy.

    2. Save the file in the Flex Gateway configuration directory /etc/mulesoft/flex-gateway/conf.d/forward-proxy.yaml. This directory can contain multiple configuration files.

  2. Copy and paste the following YAML snippet into the file, substituting your values:

    apiVersion: gateway.mulesoft.com/v1alpha1
    kind: Configuration
    metadata:
      name: forward-proxy
    spec:
      forwardProxy:
        https:
          address: http://proxy:8888
          basicAuth: // OPTIONAL
            username: username
            password: password
        noProxy: // OPTIONAL
          - fluentd
          - .svc.cluster.local

Forward Proxy Flex Gateway Registration

If registering your Flex Gateway forward proxy in an internal network without internet, you must add the --https-proxy when registering a Flex Gateway in Local Mode.

Add the --https-proxy flag with your proxy address parameter:

--https-proxy=http://proxy:8888

Provide your username and password parameters if you enable basicAuth:

--https-proxy=http://<username>:<password>@proxy:8888

The following sample registration command shows flag placement:

flexctl register \
--username=<your-username> \
--password=<your-password> \
--environment=<your-environment-id> \
--organization=<your-org-id> \
--output-directory=/usr/local/share/mulesoft/flex-gateway/conf.d \
--https-proxy=http://<username>:<password>@proxy:8888 \
--no-proxy=.svc.cluster.local \
my-gateway