If your network configuration restricts outbound traffic, proxy all Agent traffic through one or several hosts that have more permissive outbound policies.
A few options are available to send traffic to Datadog over SSL/TLS for hosts that are not directly connected to the Internet.
Using a web proxy, such as Squid or Microsoft Web Proxy, that is already deployed to your network
Using HAProxy (if you want to proxy more than 16-20 Agents through the same proxy)
For information on setting up the Datadog Agent FIPS Proxy with the Datadog Agent, see Datadog FIPS Compliance. The FIPS proxy is only available in the US1-FED region. The Datadog Agent FIPS Proxy cannot be used together with a regular proxy.
For specific information regarding Squid, see the Squid section of this page.
Traditional web proxies are supported natively by the Agent. If you need to connect to the Internet through a proxy, edit your Agent configuration file.
Set different proxy servers for https and http requests in your Agent datadog.yaml configuration file. The Agent uses https to send data to Datadog, but integrations might use http to gather metrics. Whichever requests you proxy, you can enable SSL on your proxy server. Below are some configuration examples for your datadog.yaml file.
If log collection is enabled, make sure that a specific transport is enforced.
The recommended setup is to use HTTPS. In that case, the <HOST>:<PORT> used to proxy metrics is used to proxy logs.
If you are using TCP transport, see TCP Proxy for Logs.
Note: When setting up an HTTP proxy for https requests, the actual communication between the Agent and Datadog is encrypted end-to-end with TLS and cannot be decrypted by the proxy. The only unencrypted communication is the HTTP CONNECT request that’s made between the Agent and the proxy to establish the initial TCP connection between the Agent and Datadog. As such, when using a proxy for https requests, there is no need to use an HTTPS proxy in order to have encrypted communication between the Agent and Datadog.
Setting an HTTPS proxy for both https and http requests:
Note: All integrations that make HTTP(S) requests fall back to the proxy settings defined in the datadog.yaml configuration file if none are specified at the integration level. If this is undesired, set skip_proxy to true or use_agent_proxy to false in every instance config or in the init_config fallback for your integration.
By default, no_proxy/NO_PROXY must match endpoints exactly for Agent HTTP(S) requests (except requests performed by Agent integrations). It is recommended to enable no_proxy_nonexact_match to make the Agent match NO_PROXY values with the same rules (below) used for Agent integrations.
no_proxy_nonexact_match: true
The following rules apply to Agent integrations (and the whole Agent when no_proxy_nonexact_match is enabled):
A domain name matches that name and all subdomains, for example:
datadoghq.com matches app.agent.datadoghq.com, www.datadoghq.com, datadoghq.com, but not www.notdatadoghq.com
datadoghq matches frontend.datadoghq, backend.datadoghq, but not www.datadoghq.com nor www.datadoghq.eu
A domain name with a leading “.” matches subdomains only, for example:
.datadoghq.com matches app.agent.datadoghq.com, www.datadoghq.com, but not datadoghq.com
A CIDR range matches an IP address within the subnet, for example:
192.168.1.0/24 matches IP range 192.168.1.1 through 192.168.1.254
Starting with Agent v6.4, you can set your proxy settings through environment variables:
DD_PROXY_HTTPS: Sets a proxy server for https requests.
DD_PROXY_HTTP: Sets a proxy server for http requests.
DD_PROXY_NO_PROXY: Sets a list of hosts that should bypass the proxy. The list is space-separated.
Environment variables have precedence over values in the datadog.yaml file. If the environment variables are present with an empty value, for example: DD_PROXY_HTTP="", the Agent uses the empty values instead of lower-precedence options.
On Unix hosts, a system-wide proxy might be specified using standard environment variables, such as HTTPS_PROXY, HTTP_PROXY, and NO_PROXY. The Agent uses these if present. Be careful, as such variables also affect every request made by integrations, including orchestrators like Docker, ECS, and Kubernetes.
The Agent uses the following values in order of precedence:
DD_PROXY_HTTPS, DD_PROXY_HTTP, and DD_PROXY_NO_PROXY environment variables
HTTPS_PROXY, HTTP_PROXY, and NO_PROXY environment variables
Values inside datadog.yaml
Do not forget to restart the Agent for the new settings to take effect.
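The precedence rules and the no_proxy matching rules above, combined into one checker as an added example (not Datadog's own code): given an environment, the datadog.yaml proxy values and a request URL, it reports which proxy the Agent would use, or none. It assumes `env` is a plain dict standing in for the process environment, `yaml_proxy` is a dict with the keys "https", "http" and "no_proxy" (a list) standing in for the proxy section of datadog.yaml, and that only hostnames (not ports) are compared in exact-match mode.

```python
# Added example, not Datadog's code: models the proxy-setting precedence and
# the no_proxy matching rules described on this page.
# Assumptions: `env` is a dict standing in for the process environment;
# `yaml_proxy` is a dict with keys "https", "http", "no_proxy" (a list)
# standing in for datadog.yaml; exact matching compares hostnames only.
import ipaddress
from urllib.parse import urlsplit


def resolve_proxy_settings(env, yaml_proxy):
    """Apply the precedence documented on the page:
      1. DD_PROXY_HTTPS / DD_PROXY_HTTP / DD_PROXY_NO_PROXY (space-separated)
      2. HTTPS_PROXY / HTTP_PROXY / NO_PROXY
      3. values inside datadog.yaml
    A variable that is present but empty (DD_PROXY_HTTP="") still wins: the
    empty value is used instead of any lower-precedence option.
    """
    def pick(dd_var, std_var, yaml_key):
        if dd_var in env:            # presence counts, even as ""
            return env[dd_var]
        if std_var in env:
            return env[std_var]
        return yaml_proxy.get(yaml_key)

    https = pick("DD_PROXY_HTTPS", "HTTPS_PROXY", "https")
    http = pick("DD_PROXY_HTTP", "HTTP_PROXY", "http")
    no_proxy = pick("DD_PROXY_NO_PROXY", "NO_PROXY", "no_proxy")
    if isinstance(no_proxy, str):    # env form is a space-separated string
        no_proxy = no_proxy.split()
    return {"https": https or None, "http": http or None,
            "no_proxy": list(no_proxy or [])}


def host_matches_entry(host, entry):
    """Non-exact rules: used by integrations, and by the whole Agent when
    no_proxy_nonexact_match is enabled."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:              # CIDR range: IP hosts inside the subnet
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False             # a domain name never matches a CIDR
    if entry.startswith("."):        # ".datadoghq.com": subdomains only
        return host.endswith(entry)
    # "datadoghq.com": the name itself and all subdomains, but not a
    # different name that merely ends with the same characters
    return host == entry or host.endswith("." + entry)


def bypasses_proxy(url, no_proxy, nonexact_match=False):
    """True when the request host should skip the proxy."""
    host = (urlsplit(url).hostname or "").lower()
    entries = [e.lower() for e in no_proxy]
    if nonexact_match:
        return any(host_matches_entry(host, e) for e in entries)
    return host in entries           # default: exact endpoint match only


def proxy_for(url, env, yaml_proxy, nonexact_match=False):
    """Proxy URL the Agent would use for `url`, or None for a direct connection."""
    settings = resolve_proxy_settings(env, yaml_proxy)
    if bypasses_proxy(url, settings["no_proxy"], nonexact_match):
        return None
    scheme = urlsplit(url).scheme.lower()
    return settings["https"] if scheme == "https" else settings["http"]


if __name__ == "__main__":
    # Constructed sample environment and datadog.yaml values
    env = {"DD_PROXY_HTTPS": "http://proxy.internal:3128",
           "DD_PROXY_NO_PROXY": "datadoghq.com 192.168.1.0/24",
           "HTTP_PROXY": "http://legacy-proxy:8080"}
    yaml_proxy = {"https": "http://yaml-proxy:3128", "http": None,
                  "no_proxy": ["internal.example"]}
    for url in ("https://app.agent.datadoghq.com/api/v1/validate",
                "http://192.168.1.42/metrics", "http://10.0.0.5/metrics"):
        print(url, "->", proxy_for(url, env, yaml_proxy, nonexact_match=True))
```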
Squid is a forward proxy for the web supporting HTTP, HTTPS, FTP, and more. It runs on most available operating systems, including Windows, and is licensed under the GNU GPL. Squid is a straightforward option if you do not already have a running web proxy in your network.
Install Squid on a host that has connectivity to both your internal Agents and Datadog. Use your operating system’s package manager, or install the software directly from Squid’s project page.
To configure Squid, edit the configuration file. This file is usually located at /etc/squid/squid.conf on Linux or C:\squid\etc\squid.conf in Windows.
Edit your squid.conf configuration file so that Squid is able to accept local traffic and forward it to the necessary Datadog intakes:
http_port 0.0.0.0:3128
acl local src 127.0.0.1/32
acl Datadog dstdomain .datadoghq.com
http_access allow Datadog
http_access allow local manager
If Squid is already running, restart Squid instead with the following command:
sudo systemctl restart squid
If you are configuring Squid on Windows, you must first configure Squid as a system service. You can then run the following in an Administrator command prompt:
net start squid
If Squid is already running, restart Squid instead with the following commands:
HAProxy is a free, fast, and reliable solution offering proxying for TCP and HTTP applications. While HAProxy is usually used as a load balancer to distribute incoming requests to a pool of servers, you can also use it to proxy Agent traffic to Datadog from hosts that have no outside connectivity:
agent ---> haproxy ---> Datadog
This is another good option if you do not have a web proxy readily available in your network and you wish to proxy a large number of Agents. In some cases, a single HAProxy instance is sufficient to handle local Agent traffic in your network, because each proxy can accommodate upwards of 1000 Agents.
Note: This figure is a conservative estimate based on the performance of m3.xl instances specifically. Numerous network-related and host-related variables can influence throughput of HAProxy, so you should keep an eye on your proxy deployment both before and after putting it into service. See the HAProxy documentation for additional information.
The communication between HAProxy and Datadog is always encrypted with TLS. The communication between the Agent host and the HAProxy host is not encrypted by default, because the proxy and the Agent are assumed to be on the same host. However, it is recommended that you secure this communication with TLS encryption if the HAProxy host and Agent host are not located on the same isolated local network.
To encrypt data between the Agent and HAProxy, you need to create an x509 certificate with the Subject Alternative Name (SAN) extension for the HAProxy host. This certificate bundle (*.pem) should contain both the public certificate and private key. See this HAProxy blog post for more information.
Note: Download the Datadog certificate with one of the following commands:
HAProxy should be installed on a host that has connectivity to Datadog. You can use one of the following configuration files if you do not already have it configured. The configuration depends on the Datadog service and site; the intake hostnames below are for the default (US1) site.
Note: It is recommended to use the HTTPS configuration file if the Agent and HAProxy are not part of the same isolated local network.
# Basic configuration
global
    log 127.0.0.1 local0
    maxconn 4096
    stats socket /tmp/haproxy

# Some sane defaults
defaults
    log global
    option dontlognull
    retries 3
    option redispatch
    timeout client 5s
    timeout server 5s
    timeout connect 5s

# This declares a view into HAProxy statistics, on port 3833
# You do not need credentials to view this page and you can
# turn it off once you are done with setup.
listen stats
    bind *:3833
    mode http
    stats enable
    stats uri /

# This section is to reload DNS Records
# Replace <DNS_SERVER_IP> and <DNS_SECONDARY_SERVER_IP> with your DNS Server IP addresses.
# For HAProxy 1.8 and newer
resolvers my-dns
    nameserver dns1 <DNS_SERVER_IP>:53
    nameserver dns2 <DNS_SECONDARY_SERVER_IP>:53
    resolve_retries 3
    timeout resolve 2s
    timeout retry 1s
    accepted_payload_size 8192
    hold valid 10s
    hold obsolete 60s

# This declares the endpoint where your Agents connect for
# sending metrics (for example, the value of "dd_url").
frontend metrics-forwarder
    bind *:3834
    mode http
    option tcplog
    default_backend datadog-metrics
    use_backend datadog-api if { path_beg -i /api/v1/validate }
    use_backend datadog-flare if { path_beg -i /support/flare/ }

# This declares the endpoint where your Agents connect for
# sending traces (for example, the value of "endpoint" in the APM
# configuration section).
frontend traces-forwarder
    bind *:3835
    mode tcp
    option tcplog
    default_backend datadog-traces

# This declares the endpoint where your Agents connect for
# sending profiles (for example, the value of "apm_config.profiling_dd_url").
frontend profiles-forwarder
    bind *:3836
    mode tcp
    option tcplog
    default_backend datadog-profiles

# This declares the endpoint where your Agents connect for
# sending processes (for example, the value of "url" in the process
# configuration section).
frontend processes-forwarder
    bind *:3837
    mode tcp
    option tcplog
    default_backend datadog-processes

# This declares the endpoint where your Agents connect for
# sending logs (for example, the value of "logs.config.logs_dd_url")
# If sending logs with force_use_http: true
frontend logs_http_frontend
    bind *:3838
    mode http
    option tcplog
    default_backend datadog-logs-http

# If sending logs with force_use_tcp: true
# frontend logs_frontend
#     bind *:10514
#     mode tcp
#     option tcplog
#     default_backend datadog-logs

# This declares the endpoint where your Agents connect for
# sending database monitoring metrics and activity (for example, the value of
# "database_monitoring.metrics.dd_url" and "database_monitoring.activity.dd_url")
frontend database_monitoring_metrics_frontend
    bind *:3839
    mode http
    option tcplog
    default_backend datadog-database-monitoring-metrics

# This declares the endpoint where your Agents connect for
# sending database monitoring samples (for example, the value of "database_monitoring.samples.dd_url")
frontend database_monitoring_samples_frontend
    bind *:3840
    mode http
    option tcplog
    default_backend datadog-database-monitoring-samples

# This declares the endpoint where your Agents connect for
# sending Network Devices Monitoring metadata (for example, the value of "network_devices.metadata.dd_url")
frontend network_devices_metadata_frontend
    bind *:3841
    mode http
    option tcplog
    default_backend datadog-network-devices-metadata

# This declares the endpoint where your Agents connect for
# sending Network Devices SNMP Traps data (for example, the value of "network_devices.snmp_traps.forwarder.dd_url")
frontend network_devices_snmp_traps_frontend
    bind *:3842
    mode http
    option tcplog
    default_backend datadog-network-devices-snmp-traps

# This declares the endpoint where your Agents connect for
# sending Instrumentation Telemetry data (for example, the value of "apm_config.telemetry.dd_url")
frontend instrumentation_telemetry_data_frontend
    bind *:3843
    mode tcp
    option tcplog
    default_backend datadog-instrumentations-telemetry

# This declares the endpoint where your Agents connect for
# sending Network Devices Monitoring NetFlow flows (for example, the value of "network_devices.netflow.forwarder.dd_url")
frontend network_devices_netflow_frontend
    bind *:3845
    mode http
    option tcplog
    default_backend datadog-network-devices-netflow

# This declares the endpoint where your Agents connect for
# receiving Remote Configurations (for example, the value of "remote_configuration.rc_dd_url")
frontend remote_configuration_frontend
    bind *:3846
    mode http
    option tcplog
    default_backend datadog-remote-configuration

# This declares the endpoint where your Agents connect for
# sending Network Path data (for example, the value of "network_path.forwarder.dd_url")
frontend network_path_frontend
    bind *:3847
    mode http
    option tcplog
    default_backend datadog-network-path

# This is the Datadog server. In effect, any TCP request coming
# to the forwarder frontends defined above is proxied to
# Datadog's public endpoints.
backend datadog-metrics
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 metrics.agent.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership metrics.agent.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-api
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 api.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership api.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-flare
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 flare.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership flare.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-traces
    balance roundrobin
    mode tcp
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 trace.agent.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership trace.agent.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-profiles
    balance roundrobin
    mode tcp
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 intake.profile.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership intake.profile.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-processes
    balance roundrobin
    mode tcp
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 process.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership process.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-logs-http
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 agent-http-intake.logs.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server datadog agent-http-intake.logs.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-database-monitoring-metrics
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 dbm-metrics-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server datadog dbm-metrics-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-database-monitoring-samples
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 dbquery-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server datadog dbquery-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-network-devices-metadata
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 ndm-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership ndm-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-network-devices-snmp-traps
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 snmp-traps-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership snmp-traps-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-instrumentations-telemetry
    balance roundrobin
    mode tcp
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 instrumentation-telemetry-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership instrumentation-telemetry-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-network-devices-netflow
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 ndmflow-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership ndmflow-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-remote-configuration
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 config.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership config.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>

backend datadog-network-path
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 netpath-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership netpath-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_CERTIFICATES>
This configuration adds SSL/TLS encryption on communication between the Agent and HAProxy. Replace the variable <PATH_TO_PROXY_CERTIFICATE_PEM> with the path to the proxy certificate bundle (*.pem).
# Basic configuration
global
    log 127.0.0.1 local0
    maxconn 4096
    stats socket /tmp/haproxy

# Some sane defaults
defaults
    log global
    option dontlognull
    retries 3
    option redispatch
    timeout client 5s
    timeout server 5s
    timeout connect 5s

# This declares a view into HAProxy statistics, on port 3833
# You do not need credentials to view this page and you can
# turn it off once you are done with setup.
listen stats
    bind *:3833
    mode http
    stats enable
    stats uri /

# This section is to reload DNS Records
# Replace <DNS_SERVER_IP> and <DNS_SECONDARY_SERVER_IP> with your DNS Server IP addresses.
# For HAProxy 1.8 and newer
resolvers my-dns
    nameserver dns1 <DNS_SERVER_IP>:53
    nameserver dns2 <DNS_SECONDARY_SERVER_IP>:53
    resolve_retries 3
    timeout resolve 2s
    timeout retry 1s
    accepted_payload_size 8192
    hold valid 10s
    hold obsolete 60s

# This declares the endpoint where your Agents connect for
# sending metrics (for example, the value of "dd_url").
frontend metrics-forwarder
    bind *:3834 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode http
    option tcplog
    default_backend datadog-metrics
    use_backend datadog-api if { path_beg -i /api/v1/validate }
    use_backend datadog-flare if { path_beg -i /support/flare/ }

# This declares the endpoint where your Agents connect for
# sending traces (for example, the value of "endpoint" in the APM
# configuration section).
frontend traces-forwarder
    bind *:3835 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode tcp
    option tcplog
    default_backend datadog-traces

# This declares the endpoint where your Agents connect for
# sending profiles (for example, the value of "apm_config.profiling_dd_url").
frontend profiles-forwarder
    bind *:3836 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode tcp
    option tcplog
    default_backend datadog-profiles

# This declares the endpoint where your Agents connect for
# sending processes (for example, the value of "url" in the process
# configuration section).
frontend processes-forwarder
    bind *:3837 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode tcp
    option tcplog
    default_backend datadog-processes

# This declares the endpoint where your Agents connect for
# sending logs (for example, the value of "logs.config.logs_dd_url")
# If sending logs with force_use_http: true
frontend logs_http_frontend
    bind *:3838 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode http
    option tcplog
    default_backend datadog-logs-http

# If sending logs with force_use_tcp: true
# frontend logs_frontend
#     bind *:10514 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
#     mode tcp
#     option tcplog
#     default_backend datadog-logs

# This declares the endpoint where your Agents connect for
# sending database monitoring metrics and activity (for example, the value of
# "database_monitoring.metrics.dd_url" and "database_monitoring.activity.dd_url")
frontend database_monitoring_metrics_frontend
    bind *:3839 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode http
    option tcplog
    default_backend datadog-database-monitoring-metrics

# This declares the endpoint where your Agents connect for
# sending database monitoring samples (for example, the value of "database_monitoring.samples.dd_url")
frontend database_monitoring_samples_frontend
    bind *:3840 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode http
    option tcplog
    default_backend datadog-database-monitoring-samples

# This declares the endpoint where your Agents connect for
# sending Network Devices Monitoring metadata (for example, the value of "network_devices.metadata.dd_url")
frontend network_devices_metadata_frontend
    bind *:3841 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode http
    option tcplog
    default_backend datadog-network-devices-metadata

# This declares the endpoint where your Agents connect for
# sending Network Devices SNMP Traps data (for example, the value of "network_devices.snmp_traps.forwarder.dd_url")
frontend network_devices_snmp_traps_frontend
    bind *:3842 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode http
    option tcplog
    default_backend datadog-network-devices-snmp-traps

# This declares the endpoint where your Agents connect for
# sending Instrumentation Telemetry data (for example, the value of "apm_config.telemetry.dd_url")
frontend instrumentation_telemetry_data_frontend
    bind *:3843 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode tcp
    option tcplog
    default_backend datadog-instrumentations-telemetry

# This declares the endpoint where your Agents connect for
# sending Network Devices Monitoring NetFlow flows (for example, the value of "network_devices.netflow.forwarder.dd_url")
frontend network_devices_netflow_frontend
    bind *:3845 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode http
    option tcplog
    default_backend datadog-network-devices-netflow

# This declares the endpoint where your Agents connect for
# receiving Remote Configurations (for example, the value of "remote_configuration.rc_dd_url")
frontend remote_configuration_frontend
    bind *:3846 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode http
    option tcplog
    default_backend datadog-remote-configuration

# This declares the endpoint where your Agents connect for
# sending Network Path data (for example, the value of "network_path.forwarder.dd_url")
frontend network_path_frontend
    bind *:3847 ssl crt <PATH_TO_PROXY_CERTIFICATE_PEM>
    mode http
    option tcplog
    default_backend datadog-network-path

# This is the Datadog server. In effect, any TCP request coming
# to the forwarder frontends defined above is proxied to
# Datadog's public endpoints.
backend datadog-metrics
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 metrics.agent.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership metrics.agent.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-api
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 api.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership api.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-flare
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 flare.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership flare.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-traces
    balance roundrobin
    mode tcp
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 trace.agent.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership trace.agent.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-profiles
    balance roundrobin
    mode tcp
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 intake.profile.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership intake.profile.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-processes
    balance roundrobin
    mode tcp
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 process.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership process.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-logs-http
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 agent-http-intake.logs.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server datadog agent-http-intake.logs.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-database-monitoring-metrics
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 dbm-metrics-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server datadog dbm-metrics-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-database-monitoring-samples
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 dbquery-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server datadog dbquery-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-network-devices-metadata
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 ndm-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership ndm-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-network-devices-snmp-traps
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 snmp-traps-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership snmp-traps-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-instrumentations-telemetry
    balance roundrobin
    mode tcp
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 instrumentation-telemetry-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership instrumentation-telemetry-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-network-devices-netflow
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 ndmflow-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership ndmflow-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-remote-configuration
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 config.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership config.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>

backend datadog-network-path
    balance roundrobin
    mode http
    # The following configuration is for HAProxy 1.8 and newer
    server-template mothership 5 netpath-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> check resolvers my-dns init-addr none resolve-prefer ipv4
    # Uncomment the following configuration for older HAProxy versions
    # server mothership netpath-intake.datadoghq.com:443 check port 443 ssl verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT>
Note: You can use verify none instead of verify required ca-file <PATH_TO_DATADOG_CERTIFICATES_CRT> if you are unable to get the certificates on the proxy host, but be aware that HAProxy will not be able to verify Datadog’s intake certificate in that case.
HAProxy 1.8 and newer allow DNS service discovery to detect server changes and automatically apply them to your configuration.
If you are using an older version of HAProxy, you have to reload or restart HAProxy to pick up DNS changes. It is recommended to have a cron job reload HAProxy every 10 minutes (for example, service haproxy reload) to force a refresh of HAProxy's DNS cache, in case app.datadoghq.com fails over to another IP.
Edit each Agent to point to HAProxy by setting its dd_url to the address of HAProxy, for example: haproxy.example.com.
This dd_url setting can be found in the datadog.yaml file.
dd_url: <SCHEME>://haproxy.example.com:3834
Replace <SCHEME> with https if you previously chose the HAProxy HTTPS configuration, or with http if you did not choose HTTPS.
To send traces, profiles, processes, and logs through the proxy, set up the following in the datadog.yaml file:
apm_config:
    apm_dd_url: <SCHEME>://haproxy.example.com:3835
    profiling_dd_url: <SCHEME>://haproxy.example.com:3836/api/v2/profile
    telemetry:
        dd_url: <SCHEME>://haproxy.example.com:3843

process_config:
    process_dd_url: <SCHEME>://haproxy.example.com:3837

logs_config:
    force_use_http: true
    logs_dd_url: haproxy.example.com:3838
    # Comment the line below to use encryption between the Agent and HAProxy
    logs_no_ssl: true

database_monitoring:
    metrics:
        logs_dd_url: haproxy.example.com:3839
        # Comment the line below to use encryption between the Agent and HAProxy
        logs_no_ssl: true
    activity:
        logs_dd_url: haproxy.example.com:3839
        # Comment the line below to use encryption between the Agent and HAProxy
        logs_no_ssl: true
    samples:
        logs_dd_url: haproxy.example.com:3840
        # Comment the line below to use encryption between the Agent and HAProxy
        logs_no_ssl: true

network_devices:
    metadata:
        logs_dd_url: haproxy.example.com:3841
        # Comment the line below to use encryption between the Agent and HAProxy
        logs_no_ssl: true
    snmp_traps:
        forwarder:
            logs_dd_url: haproxy.example.com:3842
            # Comment the line below to use encryption between the Agent and HAProxy
            logs_no_ssl: true
    netflow:
        forwarder:
            logs_dd_url: haproxy.example.com:3845
            # Comment the line below to use encryption between the Agent and HAProxy
            logs_no_ssl: true

remote_configuration:
    rc_dd_url: haproxy.example.com:3846
    # Comment the line below to use encryption between the Agent and HAProxy
    no_tls: true
When using encryption between the Agent and HAProxy, if the Agent does not have access to the proxy certificate, is unable to validate it, or the validation is not needed, you can edit the datadog.yaml Agent configuration file and set skip_ssl_validation to true.
With this option set to true, the Agent skips the certificate validation step and does not verify the identity of the proxy, but the communication is still encrypted with SSL/TLS.
To verify that everything is working properly, review the HAProxy statistics at http://haproxy.example.com:3833 as well as the Infrastructure Overview.
NGINX is a web server which can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. You can also use NGINX as a proxy for your Datadog Agents:
agent ---> nginx ---> Datadog
The communication between NGINX and Datadog is always encrypted with TLS. The communication between the Agent host and the NGINX host is not encrypted by default, because the proxy and the Agent are assumed to be on the same host. However, it is recommended that you secure this communication with TLS encryption if they are not located on the same isolated local network.
In order to encrypt data between the Agent and NGINX, you need to create an x509 certificate with the Subject Alternative Name (SAN) extension for the NGINX host.
Note: Download the Datadog certificate with one of the following commands:
NGINX should be installed on a host that has connectivity to Datadog. You can use one of the following configuration files if you do not already have it configured. The configuration is dependent on the Datadog service and site. To see configurations based on your Datadog site, use the DATADOG SITE selector on the right.
Note: It is recommended to use the HTTPS configuration file if the Agent and NGINX are not part of the same isolated local network.
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

# HTTP Proxy for Datadog Agent
http {
    proxy_ssl_trusted_certificate <PATH_TO_CERTIFICATES>;

    server {
        listen 3834; #listen for metrics
        access_log off;

        location /api/v1/validate {
            proxy_ssl_verify on;
            proxy_pass https://api.datadoghq.com:443/api/v1/validate;
        }

        location /support/flare/ {
            proxy_ssl_verify on;
            proxy_pass https://flare.datadoghq.com:443/support/flare/;
        }

        location / {
            proxy_ssl_verify on;
            proxy_pass https://metrics.agent.datadoghq.com:443/;
        }
    }
}

# TCP Proxy for Datadog Agent
stream {
    proxy_ssl_trusted_certificate <PATH_TO_CERTIFICATES>;

    server {
        listen 3835; #listen for traces
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass trace.agent.datadoghq.com:443;
    }

    server {
        listen 3836; #listen for profiles
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass intake.profile.datadoghq.com:443;
    }

    server {
        listen 3837; #listen for processes
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass process.datadoghq.com:443;
    }

    server {
        listen 3838; #listen for logs with force_use_http: true
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass agent-http-intake.logs.datadoghq.com:443;
    }

    server {
        listen 3839; #listen for database monitoring metrics
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass dbm-metrics-intake.datadoghq.com:443;
    }

    server {
        listen 3840; #listen for database monitoring samples
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass dbquery-intake.datadoghq.com:443;
    }

    server {
        listen 3841; #listen for network devices metadata
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass ndm-intake.datadoghq.com:443;
    }

    server {
        listen 3842; #listen for network devices traps
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass snmp-traps-intake.datadoghq.com:443;
    }

    server {
        listen 3843; #listen for instrumentations telemetry data
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass instrumentation-telemetry-intake.datadoghq.com:443;
    }

    server {
        listen 3845; #listen for network devices netflow
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass ndmflow-intake.datadoghq.com:443;
    }

    server {
        listen 3846; #listen for Remote Configuration requests
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass config.datadoghq.com:443;
    }

    server {
        listen 3847; #listen for network path
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass netpath-intake.datadoghq.com:443;
    }
}
This configuration adds SSL/TLS encryption on communication between the Agent and NGINX. Replace <PATH_TO_PROXY_CERTIFICATE> with the path to the proxy public certificate and <PATH_TO_PROXY_CERTIFICATE_KEY> with the path to the private key.
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

# HTTP Proxy for Datadog Agent
http {
    proxy_ssl_trusted_certificate <PATH_TO_CERTIFICATES>;
    ssl_certificate <PATH_TO_PROXY_CERTIFICATE>;
    ssl_certificate_key <PATH_TO_PROXY_CERTIFICATE_KEY>;

    server {
        listen 3834 ssl; #listen for metrics
        access_log off;

        location /api/v1/validate {
            proxy_ssl_verify on;
            proxy_pass https://api.datadoghq.com:443/api/v1/validate;
        }

        location /support/flare/ {
            proxy_ssl_verify on;
            proxy_pass https://flare.datadoghq.com:443/support/flare/;
        }

        location / {
            proxy_ssl_verify on;
            proxy_pass https://metrics.agent.datadoghq.com:443/;
        }
    }
}

# TCP Proxy for Datadog Agent
stream {
    proxy_ssl_trusted_certificate <PATH_TO_CERTIFICATES>;
    ssl_certificate <PATH_TO_PROXY_CERTIFICATE>;
    ssl_certificate_key <PATH_TO_PROXY_CERTIFICATE_KEY>;

    server {
        listen 3835 ssl; #listen for traces
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass trace.agent.datadoghq.com:443;
    }

    server {
        listen 3836 ssl; #listen for profiles
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass intake.profile.datadoghq.com:443;
    }

    server {
        listen 3837 ssl; #listen for processes
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass process.datadoghq.com:443;
    }

    server {
        listen 3838 ssl; #listen for logs with force_use_http: true
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass agent-http-intake.logs.datadoghq.com:443;
    }

    server {
        listen 3839 ssl; #listen for database monitoring metrics
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass dbm-metrics-intake.datadoghq.com:443;
    }

    server {
        listen 3840 ssl; #listen for database monitoring samples
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass dbquery-intake.datadoghq.com:443;
    }

    server {
        listen 3841 ssl; #listen for network devices metadata
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass ndm-intake.datadoghq.com:443;
    }

    server {
        listen 3842 ssl; #listen for network devices traps
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass snmp-traps-intake.datadoghq.com:443;
    }

    server {
        listen 3843 ssl; #listen for instrumentations telemetry data
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass instrumentation-telemetry-intake.datadoghq.com:443;
    }

    server {
        listen 3845 ssl; #listen for network devices netflow
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass ndmflow-intake.datadoghq.com:443;
    }

    server {
        listen 3846 ssl; #listen for Remote Configuration requests
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass config.datadoghq.com:443;
    }

    server {
        listen 3847 ssl; #listen for network path
        proxy_ssl_verify on;
        proxy_ssl on;
        proxy_pass netpath-intake.datadoghq.com:443;
    }
}
Note: You can remove proxy_ssl_verify on if you are unable to get the certificates on the proxy host, but be aware that NGINX will not be able to verify Datadog’s intake certificate in that case.
Edit each Agent configuration file to point to NGINX by setting its dd_url to the address of NGINX, for example: nginx.example.com.
This dd_url setting can be found in the datadog.yaml file.
dd_url: "<SCHEME>://nginx.example.com:3834"
Replace <SCHEME> with https if you previously chose the NGINX HTTPS configuration, or with http if you did not choose HTTPS.
To send traces, profiles, processes, and logs through the proxy, set up the following in the datadog.yaml file:
apm_config:
    apm_dd_url: <SCHEME>://nginx.example.com:3835
    profiling_dd_url: <SCHEME>://nginx.example.com:3836/api/v2/profile
    telemetry:
        dd_url: <SCHEME>://nginx.example.com:3843

process_config:
    process_dd_url: <SCHEME>://nginx.example.com:3837

logs_config:
    force_use_http: true
    logs_dd_url: nginx.example.com:3838
    # Comment the line below to use encryption between the Agent and NGINX
    logs_no_ssl: true

database_monitoring:
    metrics:
        logs_dd_url: nginx.example.com:3839
        # Comment the line below to use encryption between the Agent and NGINX
        logs_no_ssl: true
    activity:
        logs_dd_url: nginx.example.com:3839
        # Comment the line below to use encryption between the Agent and NGINX
        logs_no_ssl: true
    samples:
        logs_dd_url: nginx.example.com:3840
        # Comment the line below to use encryption between the Agent and NGINX
        logs_no_ssl: true

network_devices:
    metadata:
        logs_dd_url: nginx.example.com:3841
        # Comment the line below to use encryption between the Agent and NGINX
        logs_no_ssl: true
    snmp_traps:
        forwarder:
            logs_dd_url: nginx.example.com:3842
            # Comment the line below to use encryption between the Agent and NGINX
            logs_no_ssl: true
    netflow:
        forwarder:
            logs_dd_url: nginx.example.com:3845
            # Comment the line below to use encryption between the Agent and NGINX
            logs_no_ssl: true

remote_configuration:
    rc_dd_url: nginx.example.com:3846
    # Comment the line below to use encryption between the Agent and NGINX
    no_tls: true
When using encryption between the Agent and NGINX, if the Agent does not have access to the proxy certificate, is unable to validate it, or the validation is not needed, you can edit the datadog.yaml Agent configuration file and set skip_ssl_validation to true.
With this option set to true, the Agent skips the certificate validation step and does not verify the identity of the proxy, but the communication is still encrypted with SSL/TLS.
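As an added check that is not part of the Datadog documentation or the Agent, the following Python script walks a parsed datadog.yaml and flags the settings from the HAProxy and NGINX snippets above that leave the Agent-to-proxy hop unencrypted (logs_no_ssl, no_tls, an explicit http:// scheme) or encrypted but unverified (skip_ssl_validation). It assumes the file has already been loaded into a dict, for example with PyYAML; the sample configuration is constructed inline.

```python
"""Audit a parsed datadog.yaml for proxy settings that weaken the
Agent -> proxy hop. Added example, not Datadog's code. Assumes the YAML
has already been loaded into nested dicts (for example with PyYAML)."""

PLAINTEXT_FLAGS = {"logs_no_ssl", "no_tls"}   # TLS disabled on that hop
UNVERIFIED_FLAGS = {"skip_ssl_validation"}    # TLS on, proxy identity unchecked


def _truthy(value):
    """YAML loaders may yield bool or str; treat both forms alike."""
    return value is True or str(value).strip().lower() in {"true", "yes", "on"}


def audit_proxy_config(cfg, path=""):
    """Return sorted (dotted_key, severity, message) findings for cfg."""
    findings = []
    for key, value in cfg.items():
        dotted = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            findings.extend(audit_proxy_config(value, dotted))
        elif key in PLAINTEXT_FLAGS and _truthy(value):
            findings.append((dotted, "high", "stream sent to the proxy without TLS"))
        elif key in UNVERIFIED_FLAGS and _truthy(value):
            findings.append((dotted, "medium", "TLS used but proxy certificate not verified"))
        elif key.endswith("dd_url") and str(value).lower().startswith("http://"):
            findings.append((dotted, "high", "explicit http:// scheme: no TLS to the proxy"))
    # force_use_http only selects the HTTP transport for logs; TLS on that
    # transport is governed by logs_no_ssl, so it is not flagged on its own.
    return sorted(findings)


# Constructed sample mirroring the HAProxy snippet, with a few weak settings.
SAMPLE_CONFIG = {
    "dd_url": "https://haproxy.example.com:3834",
    "skip_ssl_validation": True,
    "apm_config": {"apm_dd_url": "http://haproxy.example.com:3835"},
    "logs_config": {"force_use_http": True,
                    "logs_dd_url": "haproxy.example.com:3838",
                    "logs_no_ssl": True},
    "remote_configuration": {"rc_dd_url": "haproxy.example.com:3846",
                             "no_tls": False},
}

if __name__ == "__main__":
    for dotted, severity, message in audit_proxy_config(SAMPLE_CONFIG):
        print(f"[{severity}] {dotted}: {message}")
```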