Contact Us 1-800-596-4880
  1. Homepage
  2. Flex Gateway (1.5)
  3. Configuring Flex Gateway in Connected Mode

  4. Configure a Forward Proxy

Configuring a Forward Proxy for Flex Gateway in Connected Mode

A forward proxy, such as Squid, enables you to route external HTTP Flex Gateway connections through a proxy connection.

For both Connected Mode and Local Mode, you configure a forward proxy using YAML configuration files.

The following diagram demonstrates how an internal network communicates with an external network using a forward proxy.

This is an image of all connections to your Flex Gateway first traveling through a forward proxy

As in the diagram, when using a forward proxy, HTTP communication out of your internal network must travel through the forward proxy.

In this example, all HTTP API upstream communication must also pass through the forward proxy. For more information about how to enable some connections to communicate directly without the forward proxy, see noProxy Parameter.

20%

25%

20%

Configure a Forward Proxy for Flex Gateway as a Linux Service

Configure a Forward Proxy for Flex Gateway in a Docker Container

Configure a Forward Proxy for Flex Gateway in a Kubernetes Cluster

Forward Proxy Connections

Only HTTP connections route through the forward proxy.

The following connections route through the forward proxy:

  • Connections to Anypoint Platform

  • Outbound policy connections

  • Connections to upstream services

  • HTTP (Fluent Bit) log connections

Using the noProxy parameter, you can configure HTTP and HTTPS connections to connect directly without using the forward proxy.

Configuring a forward proxy does not alter these connections:

  • Connections to shared storage

  • Lightweight Directory Access Protocol (LDAP) connections

  • Non-HTTP log connections

noProxy Parameter

Adding the noProxy parameter enables HTTP services you trust to communicate without using the forward proxy.

For example, when you enable noProxy, you can list HTTP log connections and connections to upstream services to have them connect directly to Flex Gateway.

When using the noProxy parameter in the YAML configuration file to communicate with HTTP logs, you must list the exact domain name. You cannot list the domain suffix, for example, .svc.cluster.local. You need to list full domain name, <logging-name>.svc.cluster.local, for all HTTP log connections.

The following diagram demonstrates the differences in communication using noProxy:

This is an image demonstrating the differences in internal connections when you do or do not enable noProxy

In the diagram, when you do not enable noProxy, Flex Gateway communicates with the internal API endpoint using the forward proxy. When you enable noProxy and list the API Upstream domain, Flex Gateway communicates directly with the internal API endpoint.

Configuring Forward Proxy Parameters

apiVersion: gateway.mulesoft.com/v1alpha1
kind: Configuration
metadata:
  name: forward-proxy
spec:
  forwardProxy:
    https:
      address: http://proxy:8888
      basicAuth:
        username: <string>
        password: <string>
    noProxy:
       - fluentd
       - .svc.cluster.local
Parameter Required or Optional Description

https.address

required

Proxy adddress

basicAuth

Optional

Supplies the authentication username and password

basicAuth.username

Required when basicAuth configured

Authentication username

basicAuth.Password

Required when basicAuth configured

Authentication password

noProxy

Optional

Array containing domain names to communicate to without using the forward proxy

Configure a Forward Proxy for Flex Gateway as a Linux Service

  1. Create a YAML configuration file in the Flex Gateway configuration directory:

    sudo touch /usr/local/share/mulesoft/flex-gateway/conf.d/forward-config.yaml

  2. Update the file with your desired forward proxy configuration details.

  3. If your Flex Gateway does not have direct internet access, see Forward Proxy Flex Gateway Registration.

Configure a Forward Proxy for Flex Gateway in a Docker Container

If you have already added a volume for a folder with your Flex Gateway configuration files, skip to the create and save a YAML file step.

  1. Press Ctrl+C to stop your Flex Gateway and any replicas.

  2. Create a folder named app in the directory with your Flex Gateway configuration files.

  3. Restart your Flex Gateway with an additional volume for the new app directory:

    docker run --rm \
-v "$(pwd)":/usr/local/share/mulesoft/flex-gateway/conf.d \
-p 8080:8080 \
mulesoft/flex-gateway
    Specify an optional name you want to assign to your Flex Replica by including the following: -e FLEX_NAME=<name-for-flex-replica> \.

  4. Create and save a YAML file with your desired forward proxy configuration details.

  5. If your Flex Gateway does not have direct internet access, see Forward Proxy Flex Gateway Registration.

Configure a Forward Proxy for Flex Gateway in a Kubernetes Cluster

To configure a forward proxy for Flex Gateway, create a new YAML configuration resource with your forward proxy details.

If your Flex Gateway does not have direct internet access, see Forward Proxy Flex Gateway Registration.

Forward Proxy Flex Gateway Registration

If your Flex Gateway is in an internal network where all internet connections pass through the forward proxy, you must add the --https-proxy flag when registering a Flex Gateway.

Add the --https-proxy flag with your proxy address parameter:

--https-proxy=http://proxy:8888

Provide your username and password parameters if you enable basicAuth:

--https-proxy=http://<username>:<password>@proxy:8888

The following sample registration command shows flag placement:

flexctl register \
--username=<your-username> \
--password=<your-password> \
--environment=<your-environment-id> \
--organization=<your-org-id> \
--output-directory=/usr/local/share/mulesoft/flex-gateway/conf.d \
--https-proxy=http://<username>:<password>@proxy:8888 \
my-gateway
Use the relevant registration command for your Flex Gateway deployment.

See also