Proxy Example with HAProxy
Overview
Datadog discourages forwarding traffic using software like HAProxy or NGINX because it requires you to manually configure and maintain the list of specific Datadog endpoints the Agent needs to reach. This list can change, leading to potential data loss if not kept up-to-date. The only exception is if you need Deep Packet Inspection (DPI) capabilities, in which case you might consider using HAProxy or NGINX as they allow you to disable TLS or use your own TLS certificates and inspect the traffic.
While HAProxy is usually used as a load balancer to distribute incoming requests to pool servers, it also offers proxying for TCP and HTTP applications, so you can use it to proxy Agent traffic to Datadog from hosts that have no outside connectivity.
agent ---> haproxy ---> Datadog
This is another good option if you do not have a web proxy readily available in your network and you wish to proxy a large number of Agents. In some cases, a single HAProxy instance is sufficient to handle local Agent traffic in your network, because each proxy can accommodate upwards of 1000 Agents.
Note: This figure is a conservative estimate based on the performance of m3.xl instances specifically. Numerous network-related and host-related variables can influence throughput of HAProxy, so you should keep an eye on your proxy deployment both before and after putting it into service. See the HAProxy documentation for additional information.
The communication between HAProxy and Datadog is always encrypted with TLS. The communication between the Agent host and the HAProxy host is not encrypted by default, because the proxy and the Agent are assumed to be on the same host. However, it is recommended that you secure this communication with TLS encryption if the HAproxy host and Agent host are not located on the same isolated local network.
To encrypt data between the Agent and HAProxy, you need to create an x509 certificate with the Subject Alternative Name (SAN) extension for the HAProxy host. This certificate bundle (*.pem) should contain both the public certificate and private key. See this HAProxy blog post for more information.
Note: Download the Datadog certificate with one of the following commands:
sudo apt-get install ca-certificates # (Debian, Ubuntu)
yum install ca-certificates # (CentOS, Red Hat)
The path to the certificate is /etc/ssl/certs/ca-certificates.crt for Debian and Ubuntu, or /etc/ssl/certs/ca-bundle.crt for CentOS and Red Hat.
Proxy forwarding with HAProxy
HAProxy configuration
HAProxy should be installed on a host that has connectivity to Datadog. You can use one of the following configuration files if you do not already have it configured. The configuration is dependent on the Datadog service and site. To see configurations based on your Datadog site, use the DATADOG SITE selector on the right.
Note: It is recommended to use the HTTPS configuration file if the Agent and HAProxy are not part of the same isolated local network.
HTTP
# Basic configuration
global
log 127.0.0.1 local0
maxconn 4096
stats socket /tmp/haproxy
# Some sane defaults
defaults
log global
option dontlognull
retries 3
option redispatch
timeout client 5s
timeout server 5s
timeout connect 5s
# This declares a view into HAProxy statistics, on port 3833
# You do not need credentials to view this page and you can
# turn it off once you are done with setup.
listen stats
bind *:3833
mode http
stats enable
stats uri /
# This section is to reload DNS Records
# Replace <DNS_SERVER_IP> and <DNS_SECONDARY_SERVER_IP> with your DNS Server IP addresses.
# For HAProxy 1.8 and newer
resolvers my-dns
nameserver dns1 <DNS_SERVER_IP>:53
nameserver dns2 <DNS_SECONDARY_SERVER_IP>:53
resolve_retries 3
timeout resolve 2s
timeout retry 1s
accepted_payload_size 8192
hold valid 10s
hold obsolete 60s
# This declares the endpoint where your Agents connects for
# sending metrics (for example, the value of "dd_url").
frontend metrics-forwarder
bind *:3834
mode http
option tcplog
default_backend datadog-metrics
use_backend datadog-api if { path_beg -i /api/v1/validate }
use_backend datadog-flare if { path_beg -i /support/flare/ }
# This declares the endpoint where your Agents connects for
# sending traces (for example, the value of "endpoint" in the APM
# configuration section).
frontend traces-forwarder
bind *:3835
mode tcp
option tcplog
default_backend datadog-traces
# This declares the endpoint where your Agents connects for
# sending profiles (for example, the value of "apm_config.profiling_dd_url").
frontend profiles-forwarder
bind *:3836
mode tcp
option tcplog
default_backend datadog-profiles
# This declares the endpoint where your agents connects for
# sending processes (for example, the value of "url" in the process
# configuration section).
frontend processes-forwarder
bind *:3837
mode tcp
option tcplog
default_backend datadog-processes
# This declares the endpoint where your Agents connects for
# sending Logs (e.g the value of "logs.config.logs_dd_url")
# If sending logs with force_use_http: true
frontend logs_http_frontend
bind *:3838
mode http
option tcplog
default_backend datadog-logs-http
# If sending logs with force_use_tcp: true
# frontend logs_frontend
# bind *:10514
# mode tcp
# option tcplog
# default_backend datadog-logs
# This declares the endpoint where your Agents connects for
# sending database monitoring metrics and activity (e.g the value of "database_monitoring.metrics.dd_url" and "database_monitoring.activity.dd_url")
frontend database_monitoring_metrics_frontend
bind *:3839
mode http
option tcplog
default_backend datadog-database-monitoring-metrics
# This declares the endpoint where your Agents connects for
# sending database monitoring samples (e.g the value of "database_monitoring.samples.dd_url")
frontend database_monitoring_samples_frontend
bind *:3840
mode http
option tcplog
default_backend datadog-database-monitoring-samples
# This declares the endpoint where your Agents connects for
# sending Network Devices Monitoring metadata (e.g the value of "network_devices.metadata.dd_url")
frontend network_devices_metadata_frontend
bind *:3841
mode http
option tcplog
default_backend datadog-network-devices-metadata
# This declares the endpoint where your Agents connects for
# sending Network Devices SNMP Traps data (e.g the value of "network_devices.snmp_traps.forwarder.dd_url")
frontend network_devices_snmp_traps_frontend
bind *:3842
mode http
option tcplog
default_backend datadog-network-devices-snmp-traps
# This declares the endpoint where your Agents connect for
# sending Instrumentation Telemetry data (e.g. the value of "apm_config.telemetry.dd_url")
frontend instrumentation_telemetry_data_frontend
bind *:3843
mode tcp
option tcplog
default_backend datadog-instrumentations-telemetry
# This declares the endpoint where your Agents connect for
# sending Network Devices Monitoring NetFlow flows (for example, the value of "network_devices.netflow.forwarder.dd_url")
frontend network_devices_netflow_frontend
bind *:3845
mode http
option tcplog
default_backend datadog-network-devices-netflow
# This declares the endpoint where your Agents connects for
# receiving Remote Configurations (for example, the value of "remote_configuration.rc_dd_url")
frontend remote_configuration_frontend
bind *:3846
mode http
option tcplog
default_backend datadog-remote-configuration
# This declares the endpoint where your Agents connect for
# sending Network Path data (for example, the value of "network_path.forwarder.dd_url")
frontend network_path_frontend
bind *:3847
mode http
option tcplog
default_backend datadog-network-path
# This is the Datadog server. In effect, any TCP request coming
# to the forwarder frontends defined above are proxied to
# Datadog's public endpoints.
backend datadog-metrics
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 metrics.agent.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership metrics.agent.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-api
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 api.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership api.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-flare
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 flare.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership flare.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-traces
balance roundrobin
mode tcp
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 trace.agent.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership trace.agent.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-profiles
balance roundrobin
mode tcp
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 intake.profile.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership profile.agent.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-processes
balance roundrobin
mode tcp
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 process.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership process.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-logs-http
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 agent-http-intake.logs.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server datadog agent-http-intake.logs.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-database-monitoring-metrics
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 dbm-metrics-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server datadog agent-http-intake.logs.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-database-monitoring-samples
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 dbquery-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server datadog agent-http-intake.logs.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-network-devices-metadata
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 ndm-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership ndm-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-network-devices-snmp-traps
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 snmp-traps-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership snmp-traps-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-instrumentations-telemetry
balance roundrobin
mode tcp
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 instrumentation-telemetry-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership instrumentation-telemetry-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-network-devices-netflow
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 ndmflow-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership ndmflow-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-remote-configuration
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 config.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership config.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
backend datadog-network-path
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 netpath-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership netpath-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
HTTPS
This configuration adds SSL/TLS encryption on communication between the Agent and HAProxy. Replace the variable <PATH_TO_PROXY_CERTIFICATE_PEM> with the path to the proxy certificate bundle (*.pem).
# Basic configuration
global
log 127.0.0.1 local0
maxconn 4096
stats socket /tmp/haproxy
# Some sane defaults
defaults
log global
option dontlognull
retries 3
option redispatch
timeout client 5s
timeout server 5s
timeout connect 5s
# This declares a view into HAProxy statistics, on port 3833
# You do not need credentials to view this page and you can
# turn it off once you are done with setup.
listen stats
bind *:3833
mode http
stats enable
stats uri /
# This section is to reload DNS Records
# Replace <DNS_SERVER_IP> and <DNS_SECONDARY_SERVER_IP> with your DNS Server IP addresses.
# For HAProxy 1.8 and newer
resolvers my-dns
nameserver dns1 <DNS_SERVER_IP>:53
nameserver dns2 <DNS_SECONDARY_SERVER_IP>:53
resolve_retries 3
timeout resolve 2s
timeout retry 1s
accepted_payload_size 8192
hold valid 10s
hold obsolete 60s
# This declares the endpoint where your Agents connect for
# sending metrics (for example, the value of "dd_url").
frontend metrics-forwarder
bind *:3834 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode http
option tcplog
default_backend datadog-metrics
use_backend datadog-api if { path_beg -i /api/v1/validate }
use_backend datadog-flare if { path_beg -i /support/flare/ }
# This declares the endpoint where your Agents connect for
# sending traces (for example, the value of "endpoint" in the APM
# configuration section).
frontend traces-forwarder
bind *:3835 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode tcp
option tcplog
default_backend datadog-traces
# This declares the endpoint where your Agents connect for
# sending profiles (for example, the value of "apm_config.profiling_dd_url").
frontend profiles-forwarder
bind *:3836 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode tcp
option tcplog
default_backend datadog-profiles
# This declares the endpoint where your Agents connect for
# sending processes (for example, the value of "url" in the process
# configuration section).
frontend processes-forwarder
bind *:3837 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode tcp
option tcplog
default_backend datadog-processes
# This declares the endpoint where your Agents connect for
# sending Logs (e.g the value of "logs.config.logs_dd_url")
# If sending logs with force_use_http: true
frontend logs_http_frontend
bind *:3838 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode http
option tcplog
default_backend datadog-logs-http
# If sending logs with force_use_tcp: true
# frontend logs_frontend
# bind *:10514 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
# mode tcp
# option tcplog
# default_backend datadog-logs
# This declares the endpoint where your Agents connect for
# sending database monitoring metrics and activity (e.g the value of "database_monitoring.metrics.dd_url" and "database_monitoring.activity.dd_url")
frontend database_monitoring_metrics_frontend
bind *:3839 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode http
option tcplog
default_backend datadog-database-monitoring-metrics
# This declares the endpoint where your Agents connect for
# sending database monitoring samples (e.g the value of "database_monitoring.samples.dd_url")
frontend database_monitoring_samples_frontend
bind *:3840 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode http
option tcplog
default_backend datadog-database-monitoring-samples
# This declares the endpoint where your Agents connect for
# sending Network Devices Monitoring metadata (e.g the value of "network_devices.metadata.dd_url")
frontend network_devices_metadata_frontend
bind *:3841 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode http
option tcplog
default_backend datadog-network-devices-metadata
# This declares the endpoint where your Agents connect for
# sending Network Devices SNMP Traps data (e.g the value of "network_devices.snmp_traps.forwarder.dd_url")
frontend network_devices_snmp_traps_frontend
bind *:3842 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode http
option tcplog
default_backend datadog-network-devices-snmp-traps
# This declares the endpoint where your Agents connect for
# sending Instrumentation Telemetry data (e.g. the value of "apm_config.telemetry.dd_url")
frontend instrumentation_telemetry_data_frontend
bind *:3843 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode tcp
option tcplog
default_backend datadog-instrumentations-telemetry
# This declares the endpoint where your Agents connect for
# sending Network Devices Monitoring NetFlow flows (for example, the value of "network_devices.netflow.forwarder.dd_url")
frontend network_devices_netflow_frontend
bind *:3845 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode http
option tcplog
default_backend datadog-network-devices-netflow
# This declares the endpoint where your Agents connects for
# receiving Remote Configurations (for example, the value of "remote_configuration.rc_dd_url")
frontend remote_configuration_frontend
bind *:3846 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode http
option tcplog
default_backend datadog-remote-configuration
# This declares the endpoint where your Agents connect for
# sending Network Path data (for example, the value of "network_path.forwarder.dd_url")
frontend network_path_frontend
bind *:3847 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
mode http
option tcplog
default_backend datadog-network-path
# This is the Datadog server. In effect any TCP request coming
# to the forwarder frontends defined above are proxied to
# Datadog's public endpoints.
backend datadog-metrics
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 metrics.agent.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership metrics.agent.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-api
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 api.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership api.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-flare
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 flare.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership flare.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-traces
balance roundrobin
mode tcp
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 trace.agent.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership trace.agent.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-profiles
balance roundrobin
mode tcp
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 intake.profile.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership profile.agent.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-processes
balance roundrobin
mode tcp
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 process.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership process.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-logs-http
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 agent-http-intake.logs.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server datadog agent-http-intake.logs.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-database-monitoring-metrics
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 dbm-metrics-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server datadog agent-http-intake.logs.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-database-monitoring-samples
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 dbquery-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server datadog agent-http-intake.logs.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-network-devices-metadata
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 ndm-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership ndm-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-network-devices-snmp-traps
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 snmp-traps-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership snmp-traps-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-instrumentations-telemetry
balance roundrobin
mode tcp
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 instrumentation-telemetry-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership instrumentation-telemetry-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-network-devices-netflow
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 ndmflow-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership ndmflow-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-remote-configuration
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 config.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership config.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
backend datadog-network-path
balance roundrobin
mode http
# The following configuration is for HAProxy 1.8 and newer
server-template mothership 5 netpath-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
# Uncomment the following configuration for older HAProxy versions
# server mothership netpath-intake.:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
Note: You can use verify none instead of verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> if you are unable to get the certificates on the proxy host, but be aware that HAProxy will not be able to verify Datadog’s intake certificate in that case.
HAProxy 1.8 and newer allow DNS service discovery to detect server changes and automatically apply them to your configuration.
If you are using older version of HAProxy, you have to reload or restart HAProxy. It is recommended to have a cron job reload HAProxy every 10 minutes (such as service haproxy reload) to force a refresh of HAProxy’s DNS cache, in case
Datadog Agent configuration
Edit each Agent to point to HAProxy by setting its dd_url to the address of HAProxy, for example: haproxy.example.com.
This dd_url setting can be found in the datadog.yaml file.
dd_url: <SCHEME>://haproxy.example.com:3834
Replace <SCHEME> with https if you previously chose the HAProxy HTTPS configuration, or with http if you did not choose HTTPS.
To send traces, profiles, processes, and logs through the proxy, setup the following in the datadog.yaml file:
apm_config:
apm_dd_url: <SCHEME>://haproxy.example.com:3835
profiling_dd_url: <SCHEME>://haproxy.example.com:3836/api/v2/profile
telemetry:
dd_url: <SCHEME>://haproxy.example.com:3843
process_config:
process_dd_url: <SCHEME>://haproxy.example.com:3837
logs_config:
force_use_http: true
logs_dd_url: haproxy.example.com:3838
# Comment the line below to use encryption between the Agent and HAProxy
logs_no_ssl: true
database_monitoring:
metrics:
logs_dd_url: haproxy.example.com:3839
# Comment the line below to use encryption between the Agent and HAProxy
logs_no_ssl: true
activity:
logs_dd_url: haproxy.example.com:3839
# Comment the line below to use encryption between the Agent and HAProxy
logs_no_ssl: true
samples:
logs_dd_url: haproxy.example.com:3840
# Comment the line below to use encryption between the Agent and HAProxy
logs_no_ssl: true
network_devices:
metadata:
logs_dd_url: haproxy.example.com:3841
# Comment the line below to use encryption between the Agent and HAProxy
logs_no_ssl: true
snmp_traps:
forwarder:
logs_dd_url: haproxy.example.com:3842
# Comment the line below to use encryption between the Agent and HAProxy
logs_no_ssl: true
netflow:
forwarder:
logs_dd_url: haproxy.example.com:3845
# Comment the line below to use encryption between the Agent and HAProxy
logs_no_ssl: true
remote_configuration:
rc_dd_url: haproxy.example.com:3846
# Comment the line below to use encryption between the Agent and HAProxy
no_tls: true
When using encryption between the Agent and HAProxy, if the Agent does not have access to the proxy certificate, is unable to validate it, or the validation is not needed, you can edit the datadog.yaml Agent configuration file and set skip_ssl_validation to true.
With this option set to true, the Agent skips the certificate validation step and does not verify the identity of the proxy, but the communication is still encrypted with SSL/TLS.
skip_ssl_validation: true
Finally restart the Agent.
To verify that everything is working properly, review the HAProxy statistics at http://haproxy.example.com:3833 as well as the Infrastructure Overview.
Further Reading
Additional helpful documentation, links, and articles:
