apiVersion: gateway.mulesoft.com/v1alpha1
kind: Configuration
metadata:
name: forward-proxy
spec:
forwardProxy:
https:
address: http://proxy:8888
basicAuth:
username: <string>
password: <string>
noProxy:
- fluentd
- .svc.cluster.local
Configuring a Forward Proxy for Flex Gateway in Local Mode
A forward proxy, such as Squid, enables you to route external HTTP Flex Gateway connections through a proxy connection.
For both Connected Mode and Local Mode, you configure a forward proxy using YAML configuration files.
The following diagram demonstrates how an internal network communicates with an external network using a forward proxy.
As in the diagram, when using a forward proxy, HTTP communication out of your internal network must travel through the forward proxy.
In this example, all HTTP API upstream communication must also pass through the forward proxy. For more information about how to enable some connections to communicate directly without the forward proxy, see noProxy Parameter.
Forward Proxy Connections
Only HTTP connections route through the forward proxy.
The following connections route through the forward proxy:
-
Connections to Anypoint Platform
-
Outbound policy connections
-
Connections to upstream services
-
HTTP (Fluent Bit) log connections
Using the noProxy
parameter, you can configure HTTP and HTTPS connections to connect directly without using the forward proxy.
Configuring a forward proxy does not alter these connections:
-
Connections to shared storage
-
Lightweight Directory Access Protocol (LDAP) connections
-
Non-HTTP log connections
noProxy Parameter
Adding the noProxy
parameter enables HTTP services you trust to communicate without using the forward proxy.
For example, when you enable noProxy
, you can list HTTP log connections and connections to upstream services to have them connect directly to Flex Gateway.
When using the noProxy
parameter in the YAML configuration file to communicate with HTTP logs, you must list the exact domain name. You cannot list the domain suffix, for example, .svc.cluster.local
. You need to list full domain name, <logging-name>.svc.cluster.local
, for all HTTP log connections.
The following diagram demonstrates the differences in communication using noProxy:
In the diagram, when you do not enable noProxy
, Flex Gateway communicates with the internal API endpoint using the forward proxy. When you enable noProxy
and list the API Upstream domain, Flex Gateway communicates directly with the internal API endpoint.
Configuring Forward Proxy Parameters
Parameter | Required or Optional | Description |
---|---|---|
|
required |
Proxy adddress |
|
Optional |
Supplies the authentication username and password |
|
Required when |
Authentication username |
|
Required when |
Authentication password |
|
Optional |
Array containing domain names to communicate to without using the forward proxy |
File Configuration
-
Create a configuration file with a
.yaml
file extension:-
Give the file a custom name, such as
forward-proxy
. -
Save the file in the Flex Gateway configuration directory
/etc/mulesoft/flex-gateway/conf.d/forward-proxy.yaml
. This directory can contain multiple configuration files.
-
-
Copy and paste the following YAML snippet into the file, substituting your values:
apiVersion: gateway.mulesoft.com/v1alpha1 kind: Configuration metadata: name: forward-proxy spec: forwardProxy: https: address: http://proxy:8888 basicAuth: // OPTIONAL username: username password: password noProxy: // OPTIONAL - fluentd - .svc.cluster.local
Forward Proxy Flex Gateway Registration
If registering your Flex Gateway forward proxy in an internal network without internet, you must add the --https-proxy
when registering a Flex Gateway in Local Mode.
Add the --https-proxy
flag with your proxy address
parameter:
--https-proxy=http://proxy:8888
Provide your username
and password
parameters if you enable basicAuth
:
--https-proxy=http://<username>:<password>@proxy:8888
The following sample registration command shows flag placement:
flexctl register \
--username=<your-username> \
--password=<your-password> \
--environment=<your-environment-id> \
--organization=<your-org-id> \
--output-directory=/usr/local/share/mulesoft/flex-gateway/conf.d \
--https-proxy=http://<username>:<password>@proxy:8888 \
--no-proxy=.svc.cluster.local \
my-gateway