Proxy Configuration for Edge Delta

Overview

In environments with restricted internet access, Edge Delta agents can route their outbound traffic through an HTTP or HTTPS proxy server. This is commonly required in enterprise networks where direct internet access is blocked for security or compliance reasons.

Edge Delta agents communicate with the Edge Delta backend API (api.edgedelta.com) and may also upload data to cloud storage endpoints (such as Amazon S3). All of this traffic can be routed through a proxy.

How Proxy Configuration Works

Edge Delta agents use standard proxy environment variables to determine which proxy server to use:

• HTTP_PROXY or httpProxy: Routes HTTP traffic through the specified proxy
• HTTPS_PROXY or httpsProxy: Routes HTTPS traffic through the specified proxy
• NO_PROXY or noProxy: Comma-separated list of hosts, domains, or CIDR ranges that should bypass the proxy

These settings are applied to all Edge Delta agent types:

• Processing agents (DaemonSet or Deployment)
• Rollup agents (Deployment)
• Compactor agents (Deployment)

Kubernetes Proxy Configuration

Using Helm Values

When installing Edge Delta with Helm, use the httpProxy, httpsProxy, and noProxy values to configure proxy settings.

Basic Proxy Configuration

helm upgrade edgedelta edgedelta/edgedelta -i \
  --set secretApiKey.value=<your-pipeline-id> \
  --set httpProxy="http://proxy.example.com:8080" \
  --set httpsProxy="http://proxy.example.com:8080" \
  -n edgedelta --create-namespace

Proxy with Bypass List

To bypass the proxy for specific internal services or cluster-local traffic:

helm upgrade edgedelta edgedelta/edgedelta -i \
  --set secretApiKey.value=<your-pipeline-id> \
  --set httpProxy="http://proxy.example.com:8080" \
  --set httpsProxy="http://proxy.example.com:8080" \
  --set noProxy="169.254.169.254,10.0.0.0/8,.svc.cluster.local" \
  -n edgedelta --create-namespace

Common entries for noProxy:

• 169.254.169.254 - AWS EC2 metadata service
• 10.0.0.0/8 - Internal cluster network (adjust to match your cluster CIDR)
• .svc.cluster.local - Kubernetes cluster-local services
• localhost,127.0.0.1 - Local loopback addresses

Using a Values File

For complex configurations, create a values.yaml file:

secretApiKey:
  value: <your-pipeline-id>

httpProxy: "http://proxy.example.com:8080"
httpsProxy: "http://proxy.example.com:8080"
noProxy: "169.254.169.254,10.0.0.0/8,.svc.cluster.local,localhost,127.0.0.1"

# Optional: Additional configuration
edClusterName: "production-cluster"

Install with:

helm upgrade edgedelta edgedelta/edgedelta -i \
  --values values.yaml \
  -n edgedelta --create-namespace

Verification

After installation, verify that the proxy environment variables are set correctly on the Edge Delta pods:

kubectl get pods -n edgedelta -o yaml | grep -A 2 "HTTP_PROXY\|HTTPS_PROXY\|NO_PROXY"

Expected output:

- name: HTTP_PROXY
  value: http://proxy.example.com:8080
- name: HTTPS_PROXY
  value: http://proxy.example.com:8080
- name: NO_PROXY
  value: 169.254.169.254,10.0.0.0/8,.svc.cluster.local

Checking Proxy Connectivity

Monitor the Edge Delta agent logs to ensure successful connectivity through the proxy:

kubectl logs -n edgedelta -l app.kubernetes.io/name=edgedelta --tail=50

Look for successful configuration loading messages:

INFO    agent/agent_v1.go:850    Configuration loaded and running

If you have access to your proxy server logs, you should see CONNECT requests to Edge Delta endpoints:

CONNECT api.edgedelta.com:443 HTTP/1.1
CONNECT ed-data-hub.s3.us-west-2.amazonaws.com:443 HTTP/1.1

Other Deployment Environments

Linux and macOS

For Linux and macOS installations, configure proxy settings using environment variables.

During Installation

Pass proxy variables via ED_ENV_VARS during installation:

ED_API_KEY=<your-pipeline-id> \
ED_ENV_VARS="HTTP_PROXY=http://proxy.example.com:8080,HTTPS_PROXY=http://proxy.example.com:8080,NO_PROXY=localhost,127.0.0.1" \
bash -c "$(curl -L https://release.edgedelta.com/release/install.sh)"

Post-Installation (Linux systemd)

For agents running as systemd services, set environment variables in /etc/sysconfig/edgedelta:

sudo mkdir -p /etc/sysconfig/
sudo vi /etc/sysconfig/edgedelta

Add the proxy configuration:

HTTP_PROXY=http://proxy.example.com:8080
HTTPS_PROXY=http://proxy.example.com:8080
NO_PROXY=localhost,127.0.0.1

Restart the agent:

sudo systemctl daemon-reload
sudo systemctl restart edgedelta

See Environment Variables for detailed configuration instructions.

Windows

For Windows installations, proxy configuration must be set as MSI properties during installation, or configured post-installation through the Windows Registry or environment variables.

During Installation (PowerShell)

Add proxy properties to the MSI installation command:

# Download and install with proxy settings
Invoke-WebRequest https://release.edgedelta.com/release/edgedelta-64-bit.msi -o edgedelta-64-bit.msi
msiexec /qn /i edgedelta-64-bit.msi `
  APIKEY="<your-pipeline-id>" `
  HTTP_PROXY="http://proxy.example.com:8080" `
  HTTPS_PROXY="http://proxy.example.com:8080" `
  NO_PROXY="localhost,127.0.0.1"

Post-Installation (Environment Variables)

Alternatively, set system-level environment variables after installation:

[System.Environment]::SetEnvironmentVariable("HTTP_PROXY", "http://proxy.example.com:8080", [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable("HTTPS_PROXY", "http://proxy.example.com:8080", [System.EnvironmentVariableTarget]::Machine)
[System.Environment]::SetEnvironmentVariable("NO_PROXY", "localhost,127.0.0.1", [System.EnvironmentVariableTarget]::Machine)

Then restart the Edge Delta service:

Restart-Service edgedelta

See Windows Installation for detailed instructions.

Docker

Add proxy environment variables to the docker run command using the -e flag:

docker run --rm -d --name edgedelta \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -e "ED_API_KEY=<your-pipeline-id>" \
  -e "HTTP_PROXY=http://proxy.example.com:8080" \
  -e "HTTPS_PROXY=http://proxy.example.com:8080" \
  -e "NO_PROXY=localhost,127.0.0.1" \
  gcr.io/edgedelta/agent:latest

See Docker Installation for detailed instructions.

Amazon ECS

Add proxy environment variables to the ECS task definition’s container environment section:

{
  "containerDefinitions": [
    {
      "name": "edgedelta",
      "image": "gcr.io/edgedelta/agent:latest",
      "environment": [
        {
          "name": "ED_API_KEY",
          "value": "<your-pipeline-id>"
        },
        {
          "name": "HTTP_PROXY",
          "value": "http://proxy.example.com:8080"
        },
        {
          "name": "HTTPS_PROXY",
          "value": "http://proxy.example.com:8080"
        },
        {
          "name": "NO_PROXY",
          "value": "localhost,127.0.0.1,169.254.169.254"
        }
      ]
    }
  ]
}

See Amazon ECS Installation for detailed instructions.

Proxy Server Requirements

Supported Proxy Types

Edge Delta agents support standard HTTP/HTTPS forward proxies, including:

• Squid
• Corporate proxies (Zscaler, BlueCoat, etc.)
• Cloud provider proxies
• Any proxy supporting HTTP CONNECT tunneling

Required Proxy Configuration

Your proxy server must allow CONNECT tunneling for HTTPS traffic to the following endpoints:

• api.edgedelta.com:443 - Edge Delta API
• *.s3.us-west-2.amazonaws.com:443 - Data upload (if using S3 backend)
• *.s3.amazonaws.com:443 - Alternative S3 endpoints (region-dependent)

Authentication

Edge Delta currently supports unauthenticated proxies. If your proxy requires authentication, you can include credentials in the proxy URL:

--set httpProxy="http://username:password@proxy.example.com:8080"

Security Note: Avoid storing credentials in plain text. Use Kubernetes secrets or your organization’s secret management solution for production deployments.

Troubleshooting

Agents Not Connecting Through Proxy

Symptoms: Edge Delta agents fail to start or cannot connect to the backend.

Checks:

1. Verify proxy environment variables are set on the pods:

   kubectl describe pod -n edgedelta <pod-name> | grep -A 5 "Environment:"
   

2. Test proxy connectivity from within the cluster:

   kubectl run -it --rm debug --image=curlimages/curl --restart=Never -- \
     sh -c 'http_proxy=http://proxy.example.com:8080 curl -I https://api.edgedelta.com'
   

3. Check proxy server logs for connection attempts and any denied requests.

Cluster-Local Traffic Using Proxy

Symptoms: Internal Kubernetes traffic (e.g., rollup agents connecting to compactor) goes through the proxy unnecessarily.

Solution: Add cluster-local domains to NO_PROXY:

--set noProxy=".svc.cluster.local,.cluster.local,10.0.0.0/8"

Adjust the CIDR range to match your cluster’s pod and service network.

DNS Resolution Issues

Symptoms: Proxy works for IPs but not for hostnames, or vice versa.

Solution: Ensure your proxy server can resolve both internal Kubernetes DNS names and external internet hostnames. Configure NO_PROXY to include both hostnames and IP ranges:

--set noProxy="169.254.169.254,10.0.0.0/8,.svc.cluster.local,localhost,127.0.0.1"

SSL/TLS Certificate Issues

Symptoms: Connection failures with certificate errors when using HTTPS proxy.

Solution: If your proxy performs SSL inspection, you may need to:

1. Configure Edge Delta to trust your proxy’s CA certificate (contact support)
2. Use HTTP proxy for HTTPS traffic (CONNECT tunneling):

   --set httpsProxy="http://proxy.example.com:8080"
   

   Note: This uses HTTP to connect to the proxy, but the tunneled traffic to Edge Delta remains encrypted.

Example: Testing Proxy Configuration

Here’s a complete example to test proxy configuration in a Kubernetes environment:

1. Deploy a Test Proxy (Squid)

kubectl create namespace proxy-test
kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: squid-config
  namespace: proxy-test
data:
  squid.conf: |
    http_port 3128
    access_log /var/log/squid/access.log
    acl all src 0.0.0.0/0
    http_access allow all
    cache deny all
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: squid-proxy
  namespace: proxy-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: squid
  template:
    metadata:
      labels:
        app: squid
    spec:
      containers:
      - name: squid
        image: ubuntu/squid:latest
        ports:
        - containerPort: 3128
        volumeMounts:
        - name: config
          mountPath: /etc/squid/squid.conf
          subPath: squid.conf
      volumes:
      - name: config
        configMap:
          name: squid-config
---
apiVersion: v1
kind: Service
metadata:
  name: squid-proxy
  namespace: proxy-test
spec:
  selector:
    app: squid
  ports:
  - port: 3128
    targetPort: 3128
EOF

2. Install Edge Delta with Proxy

helm upgrade edgedelta edgedelta/edgedelta -i \
  --set secretApiKey.value=<your-pipeline-id> \
  --set httpProxy="http://squid-proxy.proxy-test.svc.cluster.local:3128" \
  --set httpsProxy="http://squid-proxy.proxy-test.svc.cluster.local:3128" \
  -n edgedelta --create-namespace

3. Verify Proxy Traffic

Check the Squid proxy logs to confirm Edge Delta traffic is flowing through it:

kubectl logs -n proxy-test -l app=squid --tail=50 | grep "api.edgedelta.com"

You should see CONNECT requests:

CONNECT api.edgedelta.com:443 HTTP/1.1" 200

See Also

• Environment Variables - Complete list of Edge Delta environment variables
• Helm Values - All available Helm chart configuration options
• Install with Helm - Kubernetes installation guide
• Docker Installation - Docker-specific proxy configuration
• Linux Installation - Linux proxy configuration details