diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 2e79bda9a8bb6..043ce238669c4 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -469,6 +469,11 @@ menu: url: agent/configuration/proxy/ parent: agent_configuration weight: 606 + - name: Squid proxy configuration + identifier: proxy_squid + url: agent/configuration/proxy_squid + parent: agent_configuration_proxy + weight: 6001 - name: FIPS Compliance identifier: agent_configuration_fips_compliance url: agent/configuration/fips-compliance/ diff --git a/content/en/agent/configuration/proxy.md b/content/en/agent/configuration/proxy.md index 6abb4d64184c6..88594f56bbab2 100644 --- a/content/en/agent/configuration/proxy.md +++ b/content/en/agent/configuration/proxy.md @@ -1,5 +1,5 @@ --- -title: Agent Proxy Configuration +title: Datadog Agent Proxy Configuration aliases: - /account_management/faq/can-i-use-a-proxy-to-connect-my-servers-to-datadog/ - /agent/proxy @@ -20,1209 +20,88 @@ algolia: tags: ['agent proxy'] --- -## Overview +You can configure the Datadog Agent to send traffic through an HTTP/HTTPS proxy. A proxy is typically used to send traffic from a host that is not directly connected to the public internet. -If your network configuration restricted outbound traffic, proxy all Agent traffic through one or several hosts that have more permissive outbound policies. +## Configure the Datadog Agent -A few options are available to send traffic to Datadog over SSL/TLS for hosts that are not directly connected to the Internet. +There are two options for configuring the Datadog Agent to use a proxy. +- You can use the Agent configuration file. +- You can use environment variables. Environment variables override configuration file settings. -1. Using a web proxy, such as Squid or Microsoft Web Proxy, that is already deployed to your network -2. Using HAProxy (if you want to proxy **more than 16-20 Agents** through the same proxy) - -## FIPS compliance - -For information on setting up the Datadog Agent FIPS Proxy with the Datadog Agent, see [Datadog FIPS Compliance][1]. The FIPS proxy is only available in the US1-FED region. The Datadog Agent FIPS Proxy cannot be used together with a regular proxy. - -## Web proxy - -For specific information regarding Squid, see the [Squid](#squid) section of this page. - -Traditional web proxies are supported natively by the Agent. If you need to connect to the Internet through a proxy, edit your Agent configuration file. - -Set different proxy servers for `https` and `http` requests in your Agent `datadog.yaml` configuration file. The Agent uses `https` to send data to Datadog, but integrations might use `http` to gather metrics. No matter the proxied requests, you can activate SSL on your proxy server. Below are some configuration examples for your `datadog.yaml` file. - -
-If log collection is enabled, make sure that a specific transport is enforced. -The recommended setup is to use HTTPS. In that case, the <HOST>:<PORT> used to proxy metrics is used to proxy logs. -If you are using TCP transport, see TCP Proxy for Logs. -
- -Setting an HTTP proxy for all `https` requests: +### Configuration file +To configure a proxy using a configuration file, edit or add the `proxy` section to the main Agent configuration file (`datadog.yaml`) and then [restart the Datadog Agent][1]. ```yaml proxy: - https: "http://:" -``` - -Note: When setting up an HTTP proxy for `https` requests, the actual communication between the Agent and Datadog is encrypted end-to-end with TLS and cannot be decrypted by the proxy. The only unencrypted communication is the `HTTP CONNECT` request that's made between the Agent and the proxy to establish the initial TCP connection between the Agent and Datadog. As such, when using a proxy for `https` requests, there is no need to use an HTTPS proxy in order to have encrypted communication between the Agent and Datadog. - -Setting an HTTPS proxy for both `https` and `http` requests: - -```yaml -proxy: - https: "https://:" - http: "https://:" -``` - -Setting a `` and `` to contact the proxy server for both `https` and `http` requests: - -```yaml -proxy: - https: "http://:@:" - http: "http://:@:" -``` - -Using the `no_proxy` list to specify hosts that must bypass the proxy: - -```yaml -proxy: - https: "http://:@:" - http: "http://:@:" - no_proxy: - - host1 - - host2 -``` - -**Note**: All integrations that make HTTP(S) requests default back to proxy settings defined in `datadog.yaml` configuration file if none are specified at the integration level. If this is undesired, set `skip_proxy` to true or `use_agent_proxy` to false in every instance config or in the `init_config` fallback for your integration. - -##### NO_PROXY accepted values - -By default, `no_proxy`/`NO_PROXY` must match endpoints exactly for Agent HTTP(S) requests (except requests performed by Agent integrations). It is recommended to enable `no_proxy_nonexact_match` to make the Agent match `NO_PROXY` values with the same rules (below) used for Agent integrations. - -```yaml -no_proxy_nonexact_match: true -``` - -The following rules apply to Agent integrations (and the whole Agent when `no_proxy_nonexact_match` is enabled): -* A domain name matches that name and all subdomains, for example: - - `datadoghq.com` matches `app.agent.datadoghq.com`, `www.datadoghq.com`, `datadoghq.com`, but **not** `www.notdatadoghq.com` - - `datadoghq` matches `frontend.datadoghq`, `backend.datadoghq`, but **not** `www.datadoghq.com` nor `www.datadoghq.eu` -* A domain name with a leading "." matches subdomains only, for example: - - `.datadoghq.com` matches `app.agent.datadoghq.com`, `www.datadoghq.com`, but **not** `datadoghq.com` -* A CIDR range matches an IP address within the subnet, for example: - - `192.168.1.0/24` matches IP range `192.168.1.1` through `192.168.1.254` -* An exact IP address, for example: - - `169.254.169.254` -* A hostname, for example: - - `webserver1` - -#### Environment variables - -Starting with Agent v6.4, you can set your proxy settings through environment variables: - -* `DD_PROXY_HTTPS`: Sets a proxy server for `https` requests. -* `DD_PROXY_HTTP`: Sets a proxy server for `http` requests. -* `DD_PROXY_NO_PROXY`: Sets a list of hosts that should bypass the proxy. The list is space-separated. - -Environment variables have precedence over values in the `datadog.yaml` file. If the environment variables are present with an empty value, for example: ``DD_PROXY_HTTP=""``, the Agent uses the empty values instead of lower-precedence options. - -On Unix hosts, a system-wide proxy might be specified using standard environment variables, such as `HTTPS_PROXY`, `HTTP_PROXY`, and `NO_PROXY`. The Agent uses these if present. Be careful, as such variables also impact every requests from integrations, including orchestrators like Docker, ECS, and Kubernetes. - -The Agent uses the following values in order of precedence: - -1. `DD_PROXY_HTTPS`, `DD_PROXY_HTTP`, and `DD_PROXY_NO_PROXY` environment variables -2. `HTTPS_PROXY`, `HTTP_PROXY`, and `NO_PROXY` environment variables -3. Values inside `datadog.yaml` - -Do not forget to [restart the Agent][2] for the new settings to take effect. - -### Squid - -[Squid][3] is a forward proxy for the web supporting HTTP, HTTPS, FTP, and more. It runs on most available operating systems, including Windows, and is licensed under the GNU GPL license. Squid is a straightforward option if you do not already have a running web proxy in your network. - -#### Proxy forwarding with Squid - -##### Configure Squid to only send traffic to Datadog - -Install Squid on a host that has connectivity to both your internal Agents and Datadog. Use your operating system's package manager, or install the software directly from [Squid's project page][3]. - -To configure Squid, edit the configuration file. This file is usually located at `/etc/squid/squid.conf` on Linux or `C:\squid\etc\squid.conf` in Windows. - -Edit your `squid.conf` configuration file so that Squid is able to accept local traffic and forward it to the necessary Datadog intakes: - -```conf -http_port 0.0.0.0:3128 - -acl local src 127.0.0.1/32 - -acl Datadog dstdomain .{{< region-param key="dd_site" >}} - -http_access allow Datadog -http_access allow local manager -``` - -##### Start Squid - -Start (or restart) Squid so that your new configurations can be applied. - -{{< tabs >}} -{{% tab "Linux" %}} - -```bash -sudo systemctl start squid -``` - -If Squid is already running, restart Squid instead with the following command: - -```bash -sudo systemctl restart squid -``` - -{{% /tab %}} -{{% tab "Windows" %}} - -If you are configuring Squid on Windows, you must first [configure Squid as a system service][1]. You can then run the following in an Administrator command prompt: - -```bash -net start squid -``` - -If Squid is already running, restart Squid instead with the following commands: - -```bash -net stop squid -net start squid -``` - -[1]: https://wiki.squid-cache.org/KnowledgeBase/Windows -{{% /tab %}} -{{< /tabs >}} - -##### Datadog Agent configuration - -Modify the Agent's configuration file (`datadog.yaml`) to include the following: - -```yaml -proxy: - http: http://127.0.0.1:3128 - https: http://127.0.0.1:3128 -``` - -After saving these changes, [restart the Agent][2]. - -Verify that Datadog is able to receive the data from your Agent(s) by checking your [Infrastructure Overview][4]. - -## HAProxy - -[HAProxy][5] is a free, fast, and reliable solution offering proxying for TCP and HTTP applications. While HAProxy is usually used as a load balancer to distribute incoming requests to pool servers, you can also use it to proxy Agent traffic to Datadog from hosts that have no outside connectivity: - -`agent ---> haproxy ---> Datadog` - -This is another good option if you do not have a web proxy readily available in your network and you wish to proxy a large number of Agents. In some cases, a single HAProxy instance is sufficient to handle local Agent traffic in your network, because each proxy can accommodate upwards of 1000 Agents. - -**Note**: This figure is a conservative estimate based on the performance of `m3.xl` instances specifically. Numerous network-related and host-related variables can influence throughput of HAProxy, so you should keep an eye on your proxy deployment both before and after putting it into service. See the [HAProxy documentation][5] for additional information. - -The communication between HAProxy and Datadog is always encrypted with TLS. The communication between the Agent host and the HAProxy host is not encrypted by default, because the proxy and the Agent are assumed to be on the same host. However, it is recommended that you secure this communication with TLS encryption if the HAproxy host and Agent host are not located on the same isolated local network. -To encrypt data between the Agent and HAProxy, you need to create an x509 certificate with the Subject Alternative Name (SAN) extension for the HAProxy host. This certificate bundle (*.pem) should contain both the public certificate and private key. See this [HAProxy blog post][6] for more information. - - -**Note**: Download the Datadog certificate with one of the following commands: - -```shell -sudo apt-get install ca-certificates # (Debian, Ubuntu) -yum install ca-certificates # (CentOS, Red Hat) -``` - -The path to the certificate is `/etc/ssl/certs/ca-certificates.crt` for Debian and Ubuntu, or `/etc/ssl/certs/ca-bundle.crt` for CentOS and Red Hat. - -### Proxy forwarding with HAProxy - -#### HAProxy configuration - -HAProxy should be installed on a host that has connectivity to Datadog. You can use one of the following configuration files if you do not already have it configured. The configuration is dependent on the Datadog service and site. To see configurations based on your [Datadog site][7], use the `DATADOG SITE` selector on the right. - -**Note**: It is recommended to use the `HTTPS` configuration file if the Agent and HAProxy are not part of the same isolated local network. - -##### HTTP - -```conf -# Basic configuration -global - log 127.0.0.1 local0 - maxconn 4096 - stats socket /tmp/haproxy - -# Some sane defaults -defaults - log global - option dontlognull - retries 3 - option redispatch - timeout client 5s - timeout server 5s - timeout connect 5s - -# This declares a view into HAProxy statistics, on port 3833 -# You do not need credentials to view this page and you can -# turn it off once you are done with setup. -listen stats - bind *:3833 - mode http - stats enable - stats uri / - -# This section is to reload DNS Records -# Replace and with your DNS Server IP addresses. -# For HAProxy 1.8 and newer -resolvers my-dns - nameserver dns1 :53 - nameserver dns2 :53 - resolve_retries 3 - timeout resolve 2s - timeout retry 1s - accepted_payload_size 8192 - hold valid 10s - hold obsolete 60s - -# This declares the endpoint where your Agents connects for -# sending metrics (for example, the value of "dd_url"). -frontend metrics-forwarder - bind *:3834 - mode http - option tcplog - default_backend datadog-metrics - - use_backend datadog-api if { path_beg -i /api/v1/validate } - use_backend datadog-flare if { path_beg -i /support/flare/ } - -# This declares the endpoint where your Agents connects for -# sending traces (for example, the value of "endpoint" in the APM -# configuration section). -frontend traces-forwarder - bind *:3835 - mode tcp - option tcplog - default_backend datadog-traces - -# This declares the endpoint where your Agents connects for -# sending profiles (for example, the value of "apm_config.profiling_dd_url"). -frontend profiles-forwarder - bind *:3836 - mode tcp - option tcplog - default_backend datadog-profiles - -# This declares the endpoint where your agents connects for -# sending processes (for example, the value of "url" in the process -# configuration section). -frontend processes-forwarder - bind *:3837 - mode tcp - option tcplog - default_backend datadog-processes - -# This declares the endpoint where your Agents connects for -# sending Logs (e.g the value of "logs.config.logs_dd_url") -# If sending logs with force_use_http: true -frontend logs_http_frontend - bind *:3838 - mode http - option tcplog - default_backend datadog-logs-http - -# If sending logs with force_use_tcp: true -# frontend logs_frontend -# bind *:10514 -# mode tcp -# option tcplog -# default_backend datadog-logs - -# This declares the endpoint where your Agents connects for -# sending database monitoring metrics and activity (e.g the value of "database_monitoring.metrics.dd_url" and "database_monitoring.activity.dd_url") -frontend database_monitoring_metrics_frontend - bind *:3839 - mode http - option tcplog - default_backend datadog-database-monitoring-metrics - -# This declares the endpoint where your Agents connects for -# sending database monitoring samples (e.g the value of "database_monitoring.samples.dd_url") -frontend database_monitoring_samples_frontend - bind *:3840 - mode http - option tcplog - default_backend datadog-database-monitoring-samples - -# This declares the endpoint where your Agents connects for -# sending Network Devices Monitoring metadata (e.g the value of "network_devices.metadata.dd_url") -frontend network_devices_metadata_frontend - bind *:3841 - mode http - option tcplog - default_backend datadog-network-devices-metadata - -# This declares the endpoint where your Agents connects for -# sending Network Devices SNMP Traps data (e.g the value of "network_devices.snmp_traps.forwarder.dd_url") -frontend network_devices_snmp_traps_frontend - bind *:3842 - mode http - option tcplog - default_backend datadog-network-devices-snmp-traps - -# This declares the endpoint where your Agents connect for -# sending Instrumentation Telemetry data (e.g. the value of "apm_config.telemetry.dd_url") -frontend instrumentation_telemetry_data_frontend - bind *:3843 - mode tcp - option tcplog - default_backend datadog-instrumentations-telemetry - -# This declares the endpoint where your Agents connect for -# sending Network Devices Monitoring NetFlow flows (for example, the value of "network_devices.netflow.forwarder.dd_url") -frontend network_devices_netflow_frontend - bind *:3845 - mode http - option tcplog - default_backend datadog-network-devices-netflow - -# This declares the endpoint where your Agents connects for -# receiving Remote Configurations (for example, the value of "remote_configuration.rc_dd_url") -frontend remote_configuration_frontend - bind *:3846 - mode http - option tcplog - default_backend datadog-remote-configuration - -# This declares the endpoint where your Agents connect for -# sending Network Path data (for example, the value of "network_path.forwarder.dd_url") -frontend network_path_frontend - bind *:3847 - mode http - option tcplog - default_backend datadog-network-path - -# This is the Datadog server. In effect, any TCP request coming -# to the forwarder frontends defined above are proxied to -# Datadog's public endpoints. -backend datadog-metrics - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 metrics.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership metrics.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-api - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 api.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership api.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-flare - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 flare.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership flare.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-traces - balance roundrobin - mode tcp - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 trace.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership trace.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-profiles - balance roundrobin - mode tcp - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 intake.profile.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership profile.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-processes - balance roundrobin - mode tcp - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 process.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership process.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-logs-http - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-database-monitoring-metrics - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 dbm-metrics-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-database-monitoring-samples - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 dbquery-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-network-devices-metadata - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 ndm-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership ndm-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-network-devices-snmp-traps - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 snmp-traps-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership snmp-traps-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-instrumentations-telemetry - balance roundrobin - mode tcp - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-network-devices-netflow - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 ndmflow-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership ndmflow-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-remote-configuration - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 config.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership config.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-network-path - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 netpath-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership netpath-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file -``` - -##### HTTPS - -This configuration adds SSL/TLS encryption on communication between the Agent and HAProxy. Replace the variable `` with the path to the proxy certificate bundle (*.pem). - -```conf -# Basic configuration -global - log 127.0.0.1 local0 - maxconn 4096 - stats socket /tmp/haproxy - -# Some sane defaults -defaults - log global - option dontlognull - retries 3 - option redispatch - timeout client 5s - timeout server 5s - timeout connect 5s - -# This declares a view into HAProxy statistics, on port 3833 -# You do not need credentials to view this page and you can -# turn it off once you are done with setup. -listen stats - bind *:3833 - mode http - stats enable - stats uri / - -# This section is to reload DNS Records -# Replace and with your DNS Server IP addresses. -# For HAProxy 1.8 and newer -resolvers my-dns - nameserver dns1 :53 - nameserver dns2 :53 - resolve_retries 3 - timeout resolve 2s - timeout retry 1s - accepted_payload_size 8192 - hold valid 10s - hold obsolete 60s - -# This declares the endpoint where your Agents connect for -# sending metrics (for example, the value of "dd_url"). -frontend metrics-forwarder - bind *:3834 ssl crt - mode http - option tcplog - default_backend datadog-metrics - - use_backend datadog-api if { path_beg -i /api/v1/validate } - use_backend datadog-flare if { path_beg -i /support/flare/ } - -# This declares the endpoint where your Agents connect for -# sending traces (for example, the value of "endpoint" in the APM -# configuration section). -frontend traces-forwarder - bind *:3835 ssl crt - mode tcp - option tcplog - default_backend datadog-traces - -# This declares the endpoint where your Agents connect for -# sending profiles (for example, the value of "apm_config.profiling_dd_url"). -frontend profiles-forwarder - bind *:3836 ssl crt - mode tcp - option tcplog - default_backend datadog-profiles - -# This declares the endpoint where your Agents connect for -# sending processes (for example, the value of "url" in the process -# configuration section). -frontend processes-forwarder - bind *:3837 ssl crt - mode tcp - option tcplog - default_backend datadog-processes - -# This declares the endpoint where your Agents connect for -# sending Logs (e.g the value of "logs.config.logs_dd_url") -# If sending logs with force_use_http: true -frontend logs_http_frontend - bind *:3838 ssl crt - mode http - option tcplog - default_backend datadog-logs-http - -# If sending logs with force_use_tcp: true -# frontend logs_frontend -# bind *:10514 ssl crt -# mode tcp -# option tcplog -# default_backend datadog-logs - -# This declares the endpoint where your Agents connect for -# sending database monitoring metrics and activity (e.g the value of "database_monitoring.metrics.dd_url" and "database_monitoring.activity.dd_url") -frontend database_monitoring_metrics_frontend - bind *:3839 ssl crt - mode http - option tcplog - default_backend datadog-database-monitoring-metrics - -# This declares the endpoint where your Agents connect for -# sending database monitoring samples (e.g the value of "database_monitoring.samples.dd_url") -frontend database_monitoring_samples_frontend - bind *:3840 ssl crt - mode http - option tcplog - default_backend datadog-database-monitoring-samples - -# This declares the endpoint where your Agents connect for -# sending Network Devices Monitoring metadata (e.g the value of "network_devices.metadata.dd_url") -frontend network_devices_metadata_frontend - bind *:3841 ssl crt - mode http - option tcplog - default_backend datadog-network-devices-metadata - -# This declares the endpoint where your Agents connect for -# sending Network Devices SNMP Traps data (e.g the value of "network_devices.snmp_traps.forwarder.dd_url") -frontend network_devices_snmp_traps_frontend - bind *:3842 ssl crt - mode http - option tcplog - default_backend datadog-network-devices-snmp-traps - - -# This declares the endpoint where your Agents connect for -# sending Instrumentation Telemetry data (e.g. the value of "apm_config.telemetry.dd_url") -frontend instrumentation_telemetry_data_frontend - bind *:3843 ssl crt - mode tcp - option tcplog - default_backend datadog-instrumentations-telemetry - -# This declares the endpoint where your Agents connect for -# sending Network Devices Monitoring NetFlow flows (for example, the value of "network_devices.netflow.forwarder.dd_url") -frontend network_devices_netflow_frontend - bind *:3845 ssl crt - mode http - option tcplog - default_backend datadog-network-devices-netflow - -# This declares the endpoint where your Agents connects for -# receiving Remote Configurations (for example, the value of "remote_configuration.rc_dd_url") -frontend remote_configuration_frontend - bind *:3846 ssl crt - mode http - option tcplog - default_backend datadog-remote-configuration - -# This declares the endpoint where your Agents connect for -# sending Network Path data (for example, the value of "network_path.forwarder.dd_url") -frontend network_path_frontend - bind *:3847 ssl crt - mode http - option tcplog - default_backend datadog-network-path - -# This is the Datadog server. In effect any TCP request coming -# to the forwarder frontends defined above are proxied to -# Datadog's public endpoints. -backend datadog-metrics - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 metrics.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership metrics.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-api - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 api.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership api.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-flare - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 flare.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership flare.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-traces - balance roundrobin - mode tcp - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 trace.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership trace.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-profiles - balance roundrobin - mode tcp - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 intake.profile.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership profile.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-processes - balance roundrobin - mode tcp - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 process.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership process.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-logs-http - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-database-monitoring-metrics - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 dbm-metrics-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-database-monitoring-samples - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 dbquery-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-network-devices-metadata - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 ndm-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership ndm-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-network-devices-snmp-traps - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 snmp-traps-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership snmp-traps-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-instrumentations-telemetry - balance roundrobin - mode tcp - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-network-devices-netflow - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 ndmflow-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership ndmflow-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-remote-configuration - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 config.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership config.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file - -backend datadog-network-path - balance roundrobin - mode http - # The following configuration is for HAProxy 1.8 and newer - server-template mothership 5 netpath-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 - # Uncomment the following configuration for older HAProxy versions - # server mothership netpath-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file -``` - -**Note**: You can use `verify none` instead of `verify required ca-file ` if you are unable to get the certificates on the proxy host, but be aware that HAProxy will not be able to verify Datadog's intake certificate in that case. - -HAProxy 1.8 and newer allow DNS service discovery to detect server changes and automatically apply them to your configuration. -If you are using older version of HAProxy, you have to reload or restart HAProxy. **It is recommended to have a `cron` job reload HAProxy every 10 minutes** (such as `service haproxy reload`) to force a refresh of HAProxy's DNS cache, in case {{< region-param key="dd_full_site" code="true" >}} fails over to another IP. - -#### Datadog Agent configuration - -Edit each Agent to point to HAProxy by setting its `dd_url` to the address of HAProxy, for example: `haproxy.example.com`. -This `dd_url` setting can be found in the `datadog.yaml` file. - -`dd_url: ://haproxy.example.com:3834` - -Replace `` with `https` if you previously chose the HAProxy HTTPS configuration, or with `http` if you did not choose HTTPS. - -To send traces, profiles, processes, and logs through the proxy, setup the following in the `datadog.yaml` file: - -```yaml -apm_config: - apm_dd_url: ://haproxy.example.com:3835 - profiling_dd_url: ://haproxy.example.com:3836/api/v2/profile - telemetry: - dd_url: ://haproxy.example.com:3843 - -process_config: - process_dd_url: ://haproxy.example.com:3837 - -logs_config: + # Required: Proxy endpoint for HTTP connections + http: http://:@: + # Required: Proxy endpoint for HTTPS connections (most Datadog traffic) + https: http://:@: + + # Optional: List of hosts or CIDR ranges to bypass the proxy + # Example: + # no_proxy: + # - 192.168.0.0/24 + # - localhost + # - .myinternaldomain.com + no_proxy: + - + - + # Recommended: Set to true to ensure no_proxy behaves in a standard way + no_proxy_nonexact_match: true + + # Recommended: Force the Agent to use HTTP to send logs (if logs is enabled) + logs_config: force_use_http: true - logs_dd_url: haproxy.example.com:3838 - # Comment the line below to use encryption between the Agent and HAProxy - logs_no_ssl: true - -database_monitoring: - metrics: - logs_dd_url: haproxy.example.com:3839 - # Comment the line below to use encryption between the Agent and HAProxy - logs_no_ssl: true - activity: - logs_dd_url: haproxy.example.com:3839 - # Comment the line below to use encryption between the Agent and HAProxy - logs_no_ssl: true - samples: - logs_dd_url: haproxy.example.com:3840 - # Comment the line below to use encryption between the Agent and HAProxy - logs_no_ssl: true - -network_devices: - metadata: - logs_dd_url: haproxy.example.com:3841 - # Comment the line below to use encryption between the Agent and HAProxy - logs_no_ssl: true - snmp_traps: - forwarder: - logs_dd_url: haproxy.example.com:3842 - # Comment the line below to use encryption between the Agent and HAProxy - logs_no_ssl: true - netflow: - forwarder: - logs_dd_url: haproxy.example.com:3845 - # Comment the line below to use encryption between the Agent and HAProxy - logs_no_ssl: true - -remote_configuration: - rc_dd_url: haproxy.example.com:3846 - # Comment the line below to use encryption between the Agent and HAProxy - no_tls: true -``` - -When using encryption between the Agent and HAProxy, if the Agent does not have access to the proxy certificate, is unable to validate it, or the validation is not needed, you can edit the `datadog.yaml` Agent configuration file and set `skip_ssl_validation` to `true`. -With this option set to `true`, the Agent skips the certificate validation step and does not verify the identity of the proxy, but the communication is still encrypted with SSL/TLS. - -```yaml -skip_ssl_validation: true ``` -Finally [restart the Agent][2]. - -To verify that everything is working properly, review the HAProxy statistics at `http://haproxy.example.com:3833` as well as the [Infrastructure Overview][4]. - -## NGINX - -[NGINX][8] is a web server which can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. You can also use NGINX as a proxy for your Datadog Agents: - -`agent ---> nginx ---> Datadog` - -The communication between NGINX and Datadog is always encrypted with TLS. The communication between the Agent host and the NGINX host is not encrypted by default, because the proxy and the Agent are assumed to be on the same host. However, it is recommended that you secure this communication with TLS encryption if they are not located on the same isolated local network. -In order to encrypt data between the Agent and NGINX, you need to create an x509 certificate with the Subject Alternative Name (SAN) extension for the NGINX host. - -**Note**: Download the Datadog certificate with one of the following commands: - -```shell -sudo apt-get install ca-certificates # (Debian, Ubuntu) -yum install ca-certificates # (CentOS, Red Hat) -``` - -The path to the certificate is `/etc/ssl/certs/ca-certificates.crt` for Debian and Ubuntu or `/etc/ssl/certs/ca-bundle.crt` for CentOS and Red Hat. - -### Proxy forwarding with NGINX - -#### NGINX configuration - -NGINX should be installed on a host that has connectivity to Datadog. You can use one of the following configuration files if you do not already have it configured. The configuration is dependent on the Datadog service and site. To see configurations based on your [Datadog site][7], use the `DATADOG SITE` selector on the right. - -**Note**: It is recommended to use the `HTTPS` configuration file if the Agent and NGINX are not part of the same isolated local network. - -##### HTTP +* Replace ``, ``, ``, and `` with your proxy credentials and address. +* A username and password are optional. +* Specify `http`, `https`, or both, depending on your proxy setup and needs. Most Datadog traffic uses HTTPS. +* Use `no_proxy` to specify hosts the Agent should connect to directly, bypassing the proxy. +* **[Restart the Datadog Agent][1]** for changes to take effect. -```conf -user nginx; -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; +For more information on locating the configuration file on your operating system, see [Agent Configuration Files][2]. -events { - worker_connections 1024; -} -# HTTP Proxy for Datadog Agent -http { +### Environment variables - proxy_ssl_trusted_certificate ; +Alternatively, you can configure a proxy by setting the following environment variables. When you're done, [restart the Datadog Agent][1]. - server { - listen 3834; #listen for metrics - access_log off; - - location /api/v1/validate { - proxy_ssl_verify on; - proxy_pass https://api.{{< region-param key="dd_site" >}}:443/api/v1/validate; - } - location /support/flare/ { - proxy_ssl_verify on; - proxy_pass https://flare.{{< region-param key="dd_site" >}}:443/support/flare/; - } - location / { - proxy_ssl_verify on; - proxy_pass https://metrics.agent.{{< region-param key="dd_site" >}}:443/; - } - } -} -# TCP Proxy for Datadog Agent -stream { - - proxy_ssl_trusted_certificate ; - - server { - listen 3835; #listen for traces - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass trace.agent.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3836; #listen for profiles - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass intake.profile.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3837; #listen for processes - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass process.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3838; #listen for logs with force_use_http: true - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass agent-http-intake.logs.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3839; #listen for database monitoring metrics - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass dbm-metrics-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3840; #listen for database monitoring samples - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass dbquery-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3841; #listen for network devices metadata - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass ndm-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3842; #listen for network devices traps - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass snmp-traps-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3843; #listen for instrumentations telemetry data - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3845; #listen for network devices netflow - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass ndmflow-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3846; #listen for Remote Configuration requests - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass config.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3847; #listen for network path - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass netpath-intake.{{< region-param key="dd_site" >}}:443; - } -} -``` - -##### HTTPS - - -This configuration adds SSL/TLS encryption on communication between the Agent and NGINX. Replace `` with the path to the proxy public certificate and `` with the path to the private key. - -```conf -user nginx; -worker_processes auto; -error_log /var/log/nginx/error.log; -pid /run/nginx.pid; - -events { - worker_connections 1024; -} -# HTTP Proxy for Datadog Agent -http { - - proxy_ssl_trusted_certificate ; - - ssl_certificate ; - ssl_certificate_key ; - - server { - listen 3834 ssl; #listen for metrics - access_log off; - - location /api/v1/validate { - proxy_ssl_verify on; - proxy_pass https://api.{{< region-param key="dd_site" >}}:443/api/v1/validate; - } - location /support/flare/ { - proxy_ssl_verify on; - proxy_pass https://flare.{{< region-param key="dd_site" >}}:443/support/flare/; - } - location / { - proxy_ssl_verify on; - proxy_pass https://metrics.agent.{{< region-param key="dd_site" >}}:443/; - } - } -} -# TCP Proxy for Datadog Agent -stream { - - proxy_ssl_trusted_certificate ; +```bash +DD_PROXY_HTTP="http://:@:" +DD_PROXY_HTTPS="http://:@:" - ssl_certificate ; - ssl_certificate_key ; +DD_PROXY_NO_PROXY="," +DD_PROXY_NO_PROXY_NONE_EXACT_MATCH=true - server { - listen 3835 ssl; #listen for traces - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass trace.agent.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3836 ssl; #listen for profiles - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass intake.profile.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3837 ssl; #listen for processes - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass process.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3838 ssl; #listen for logs with force_use_http: true - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass agent-http-intake.logs.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3839 ssl; #listen for database monitoring metrics - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass dbm-metrics-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3840 ssl; #listen for database monitoring samples - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass dbquery-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3841 ssl; #listen for network devices metadata - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass ndm-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3842 ssl; #listen for network devices traps - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass snmp-traps-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3843 ssl; #listen for instrumentations telemetry data - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3845 ssl; #listen for network devices netflow - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass ndmflow-intake.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3846 ssl; #listen for Remote Configuration requests - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass config.{{< region-param key="dd_site" >}}:443; - } - server { - listen 3847 ssl; #listen for network path - proxy_ssl_verify on; - proxy_ssl on; - proxy_pass netpath-intake.{{< region-param key="dd_site" >}}:443; - } -} +DD_LOGS_CONFIG_FORCE_USE_HTTP=true ``` -**Note**: You can remove `proxy_ssl_verify on` if you are unable to get the certificates on the proxy host, but be aware that NGINX will not be able to verify Datadog's intake certificate in that case. - -#### Datadog Agent configuration - -Edit each Agent configuration file to point to Nginx by setting its `dd_url` to the address of Nginx, for example: `nginx.example.com`. -This `dd_url` setting can be found in the `datadog.yaml` file. - -`dd_url: "://nginx.example.com:3834"` - -Replace `` with `https` if you previously chose the HAProxy HTTPS configuration, or with `http` if you did not choose HTTPS. - -To send traces, profiles, processes, and logs through the proxy, setup the following in the `datadog.yaml` file: - -```yaml -apm_config: - apm_dd_url: ://nginx.example.com:3835 - profiling_dd_url: ://nginx.example.com:3836/api/v2/profile - telemetry: - dd_url: ://nginx.example.com:3843 - -process_config: - process_dd_url: ://nginx.example.com:3837 +## Proxy Server Setup Examples -logs_config: - force_use_http: true - logs_dd_url: nginx.example.com:3838 - # Comment the line below to use encryption between the Agent and NGINX - logs_no_ssl: true +If you don't have an existing proxy server, Datadog recommends using an HTTP proxy like **Squid**. -database_monitoring: - metrics: - logs_dd_url: nginx.example.com:3839 - # Comment the line below to use encryption between the Agent and NGINX - logs_no_ssl: true - activity: - logs_dd_url: nginx.example.com:3839 - # Comment the line below to use encryption between the Agent and NGINX - logs_no_ssl: true - samples: - logs_dd_url: nginx.example.com:3840 - # Comment the line below to use encryption between the Agent and NGINX - logs_no_ssl: true +1. **Squid (Recommended)**: A robust HTTP/HTTPS proxy that simplifies configuration by transparently proxying all outbound HTTP/HTTPS Agent traffic. [Using a Squid proxy][3]. +2. **HAProxy (Not Recommended)**: Can forward traffic to Datadog, but this requires maintaining an up-to-date list of Datadog domains and is more complex to manage. [See HAProxy Example Setup][4]. +3. **NGINX (Not Recommended)**: Similar to HAProxy, using NGINX to forward traffic to Datadog is discouraged due to the maintenance overhead of keeping domain lists current. [See NGINX Example Setup][5]. -network_devices: - metadata: - logs_dd_url: nginx.example.com:3841 - # Comment the line below to use encryption between the Agent and NGINX - logs_no_ssl: true - snmp_traps: - forwarder: - logs_dd_url: nginx.example.com:3842 - # Comment the line below to use encryption between the Agent and NGINX - logs_no_ssl: true - netflow: - forwarder: - logs_dd_url: nginx.example.com:3845 - # Comment the line below to use encryption between the Agent and NGINX - logs_no_ssl: true +Datadog discourages forwarding traffic using software like HAProxy or NGINX because it requires you to manually configure and maintain the list of specific Datadog endpoints the Agent needs to reach. This list can change, leading to potential data loss if not kept up-to-date. The only exception is if you need Deep Packet Inspection (DPI) capabilities, in which case you might consider using HAProxy or NGINX as they allow you to disable TLS or use your own TLS certificates and inspect the traffic. -remote_configuration: - rc_dd_url: nginx.example.com:3846 - # Comment the line below to use encryption between the Agent and NGINX - no_tls: true -``` +## Verification +Check the Agent status command and review the Agent logs (`agent.log`, `trace-agent.log`, etc.) for any connection errors after restarting. -When using encryption between the Agent and NGINX, if the Agent does not have access to the proxy certificate, is unable to validate it, or the validation is not needed, you can edit the `datadog.yaml` Agent configuration file and set `skip_ssl_validation` to `true`. -With this option set to `true`, the Agent skips the certificate validation step and does not verify the identity of the proxy, but the communication is still encrypted with SSL/TLS. - -```yaml -skip_ssl_validation: true -``` +## FIPS Proxy (US1-FED) -When sending logs over TCP, see [TCP Proxy for Logs][9]. +For information on setting up the Datadog Agent FIPS Proxy with the Datadog Agent, see [Datadog FIPS Compliance][6]. The FIPS proxy is only available in the US1-FED region. The Datadog Agent FIPS Proxy cannot be used together with a regular proxy. -## Further Reading +## Further reading {{< partial name="whats-next/whats-next.html" >}} -[1]: /agent/configuration/fips-compliance -[2]: /agent/configuration/agent-commands/ -[3]: http://www.squid-cache.org/ -[4]: https://app.datadoghq.com/infrastructure -[5]: http://haproxy.1wt.eu -[6]: https://www.haproxy.com/blog/haproxy-ssl-termination/ -[7]: /getting_started/site/ -[8]: https://www.nginx.com -[9]: /agent/logs/proxy +[1]: /agent/configuration/agent-commands/#restart-the-agent +[2]: /agent/configuration/agent-configuration-files/#main-configuration-file +[3]: /agent/configuration/proxy_squid/ +[4]: /agent/faq/proxy_example_haproxy/ +[5]: /agent/faq/proxy_example_nginx/ +[6]: /agent/configuration/fips-compliance/ diff --git a/content/en/agent/configuration/proxy_squid.md b/content/en/agent/configuration/proxy_squid.md new file mode 100644 index 0000000000000..70146116e9ae9 --- /dev/null +++ b/content/en/agent/configuration/proxy_squid.md @@ -0,0 +1,95 @@ +--- +title: Using a Squid proxy +further_reading: +- link: "/agent/configuration/proxy/" + tag: "Documentation" + text: "Agent Proxy Configuration" +algolia: + tags: ['agent proxy'] +--- + +[Squid][2] is a forward proxy for the web supporting HTTP, HTTPS, FTP, and more. It runs on most available operating systems, including Windows, and is licensed under the GNU GPL license. Squid is a straightforward option if you do not already have a running web proxy in your network. **If you already have an existing proxy server, you do not need to use Squid.** Instead, follow the instructions in [Agent Proxy Configuration][5]. + +## Proxy forwarding with Squid + +To configure Squid to send traffic to Datadog, follow the instructions below to configure Squid, start the squid service, and then configure and restart the Datadog Agent. + +### Configure Squid to only send traffic to Datadog + +Install Squid on a host that has connectivity to both your internal Agents and Datadog. Use your operating system's package manager, or install the software directly from [Squid's project page][2]. + +To configure Squid, edit the configuration file. This file is usually located at `/etc/squid/squid.conf` on Linux or `C:\squid\etc\squid.conf` in Windows. For other operating systems, see [Agent configuration directory][6]. + +Edit your `squid.conf` configuration file so that Squid is able to accept local traffic and forward it to the necessary Datadog intakes: + +```conf +http_port 0.0.0.0:3128 + +acl local src 127.0.0.1/32 + +acl Datadog dstdomain .{{< region-param key="dd_site" >}} + +http_access allow Datadog +http_access allow local manager +``` + +### Start Squid + +Start (or restart) Squid so that your new configurations can be applied. + +{{< tabs >}} +{{% tab "Linux" %}} + +```bash +sudo systemctl start squid +``` + +If Squid is already running, restart Squid instead with the following command: + +```bash +sudo systemctl restart squid +``` + +{{% /tab %}} +{{% tab "Windows" %}} + +If you are configuring Squid on Windows, you must first [configure Squid as a system service][4]. You can then run the following in an Administrator command prompt: + +```bash +net start squid +``` + +If Squid is already running, restart Squid instead with the following commands: + +```bash +net stop squid +net start squid +``` + +{{% /tab %}} +{{< /tabs >}} + +### Configure the Datadog Agent + +Modify the Agent's configuration file (`datadog.yaml`) to include the following: + +```yaml +proxy: + http: http://127.0.0.1:3128 + https: http://127.0.0.1:3128 +``` + +After saving these changes, [restart the Agent][1]. + +Verify that Datadog is able to receive the data from your Agent(s) by checking your [Infrastructure Overview][3]. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /agent/configuration/agent-commands/ +[2]: http://www.squid-cache.org/ +[3]: https://app.datadoghq.com/infrastructure +[4]: https://wiki.squid-cache.org/KnowledgeBase/Windows +[5]: /agent/configuration/proxy/ +[6]: /agent/configuration/agent-configuration-files#agent-configuration-directory diff --git a/content/en/agent/faq/_index.md b/content/en/agent/faq/_index.md index 5afa9296b6a77..015fe68638221 100644 --- a/content/en/agent/faq/_index.md +++ b/content/en/agent/faq/_index.md @@ -25,4 +25,6 @@ aliases: {{< nextlink href="agent/guide/template_variables" >}}Template variables used for Autodiscovery{{< /nextlink >}} {{< nextlink href="logs/guide/commonly-used-log-processing-rules" >}}Commonly Used Log Processing Rules{{< /nextlink >}} {{< nextlink href="agent/faq/docker-hub" >}}Docker Hub{{< /nextlink >}} + {{< nextlink href="agent/faq/proxy_example_haproxy" >}}Send traffix to Datadog using HAProxy{{< /nextlink >}} + {{< nextlink href="agent/faq/proxy_example_nginx" >}}Send traffix to Datadog using NGINX{{< /nextlink >}} {{< /whatsnext >}} diff --git a/content/en/agent/faq/proxy_example_haproxy.md b/content/en/agent/faq/proxy_example_haproxy.md new file mode 100644 index 0000000000000..d1ef1947fda5d --- /dev/null +++ b/content/en/agent/faq/proxy_example_haproxy.md @@ -0,0 +1,696 @@ +--- +title: Proxy Example with HAProxy +further_reading: +- link: "/agent/configuration/proxy/" + tag: "Documentation" + text: "Agent Proxy Configuration" +algolia: + tags: ['agent proxy'] +private: true +--- + +## Overview + +
+Datadog discourages forwarding traffic using software like HAProxy or NGINX because it requires you to manually configure and maintain the list of specific Datadog endpoints the Agent needs to reach. This list can change, leading to potential data loss if not kept up-to-date. The only exception is if you need Deep Packet Inspection (DPI) capabilities, in which case you might consider using HAProxy or NGINX as they allow you to disable TLS or use your own TLS certificates and inspect the traffic. +
+ +While [HAProxy][3] is usually used as a load balancer to distribute incoming requests to pool servers, it also offers proxying for TCP and HTTP applications, so you can use it to proxy Agent traffic to Datadog from hosts that have no outside connectivity. + +`agent ---> haproxy ---> Datadog` + +This is another good option if you do not have a web proxy readily available in your network and you wish to proxy a large number of Agents. In some cases, a single HAProxy instance is sufficient to handle local Agent traffic in your network, because each proxy can accommodate upwards of 1000 Agents. + +**Note**: This figure is a conservative estimate based on the performance of `m3.xl` instances specifically. Numerous network-related and host-related variables can influence throughput of HAProxy, so you should keep an eye on your proxy deployment both before and after putting it into service. See the [HAProxy documentation][3] for additional information. + +The communication between HAProxy and Datadog is always encrypted with TLS. The communication between the Agent host and the HAProxy host is not encrypted by default, because the proxy and the Agent are assumed to be on the same host. However, it is recommended that you secure this communication with TLS encryption if the HAproxy host and Agent host are not located on the same isolated local network. +To encrypt data between the Agent and HAProxy, you need to create an x509 certificate with the Subject Alternative Name (SAN) extension for the HAProxy host. This certificate bundle (*.pem) should contain both the public certificate and private key. See this [HAProxy blog post][4] for more information. + +**Note**: Download the Datadog certificate with one of the following commands: + +```shell +sudo apt-get install ca-certificates # (Debian, Ubuntu) +yum install ca-certificates # (CentOS, Red Hat) +``` + +The path to the certificate is `/etc/ssl/certs/ca-certificates.crt` for Debian and Ubuntu, or `/etc/ssl/certs/ca-bundle.crt` for CentOS and Red Hat. + +### Proxy forwarding with HAProxy + +#### HAProxy configuration + +HAProxy should be installed on a host that has connectivity to Datadog. You can use one of the following configuration files if you do not already have it configured. The configuration is dependent on the Datadog service and site. To see configurations based on your [Datadog site][5], use the `DATADOG SITE` selector on the right. + +**Note**: It is recommended to use the `HTTPS` configuration file if the Agent and HAProxy are not part of the same isolated local network. + +##### HTTP + +```conf +# Basic configuration +global + log 127.0.0.1 local0 + maxconn 4096 + stats socket /tmp/haproxy + +# Some sane defaults +defaults + log global + option dontlognull + retries 3 + option redispatch + timeout client 5s + timeout server 5s + timeout connect 5s + +# This declares a view into HAProxy statistics, on port 3833 +# You do not need credentials to view this page and you can +# turn it off once you are done with setup. +listen stats + bind *:3833 + mode http + stats enable + stats uri / + +# This section is to reload DNS Records +# Replace and with your DNS Server IP addresses. +# For HAProxy 1.8 and newer +resolvers my-dns + nameserver dns1 :53 + nameserver dns2 :53 + resolve_retries 3 + timeout resolve 2s + timeout retry 1s + accepted_payload_size 8192 + hold valid 10s + hold obsolete 60s + +# This declares the endpoint where your Agents connects for +# sending metrics (for example, the value of "dd_url"). +frontend metrics-forwarder + bind *:3834 + mode http + option tcplog + default_backend datadog-metrics + + use_backend datadog-api if { path_beg -i /api/v1/validate } + use_backend datadog-flare if { path_beg -i /support/flare/ } + +# This declares the endpoint where your Agents connects for +# sending traces (for example, the value of "endpoint" in the APM +# configuration section). +frontend traces-forwarder + bind *:3835 + mode tcp + option tcplog + default_backend datadog-traces + +# This declares the endpoint where your Agents connects for +# sending profiles (for example, the value of "apm_config.profiling_dd_url"). +frontend profiles-forwarder + bind *:3836 + mode tcp + option tcplog + default_backend datadog-profiles + +# This declares the endpoint where your agents connects for +# sending processes (for example, the value of "url" in the process +# configuration section). +frontend processes-forwarder + bind *:3837 + mode tcp + option tcplog + default_backend datadog-processes + +# This declares the endpoint where your Agents connects for +# sending Logs (e.g the value of "logs.config.logs_dd_url") +# If sending logs with force_use_http: true +frontend logs_http_frontend + bind *:3838 + mode http + option tcplog + default_backend datadog-logs-http + +# If sending logs with force_use_tcp: true +# frontend logs_frontend +# bind *:10514 +# mode tcp +# option tcplog +# default_backend datadog-logs + +# This declares the endpoint where your Agents connects for +# sending database monitoring metrics and activity (e.g the value of "database_monitoring.metrics.dd_url" and "database_monitoring.activity.dd_url") +frontend database_monitoring_metrics_frontend + bind *:3839 + mode http + option tcplog + default_backend datadog-database-monitoring-metrics + +# This declares the endpoint where your Agents connects for +# sending database monitoring samples (e.g the value of "database_monitoring.samples.dd_url") +frontend database_monitoring_samples_frontend + bind *:3840 + mode http + option tcplog + default_backend datadog-database-monitoring-samples + +# This declares the endpoint where your Agents connects for +# sending Network Devices Monitoring metadata (e.g the value of "network_devices.metadata.dd_url") +frontend network_devices_metadata_frontend + bind *:3841 + mode http + option tcplog + default_backend datadog-network-devices-metadata + +# This declares the endpoint where your Agents connects for +# sending Network Devices SNMP Traps data (e.g the value of "network_devices.snmp_traps.forwarder.dd_url") +frontend network_devices_snmp_traps_frontend + bind *:3842 + mode http + option tcplog + default_backend datadog-network-devices-snmp-traps + +# This declares the endpoint where your Agents connect for +# sending Instrumentation Telemetry data (e.g. the value of "apm_config.telemetry.dd_url") +frontend instrumentation_telemetry_data_frontend + bind *:3843 + mode tcp + option tcplog + default_backend datadog-instrumentations-telemetry + +# This declares the endpoint where your Agents connect for +# sending Network Devices Monitoring NetFlow flows (for example, the value of "network_devices.netflow.forwarder.dd_url") +frontend network_devices_netflow_frontend + bind *:3845 + mode http + option tcplog + default_backend datadog-network-devices-netflow + +# This declares the endpoint where your Agents connects for +# receiving Remote Configurations (for example, the value of "remote_configuration.rc_dd_url") +frontend remote_configuration_frontend + bind *:3846 + mode http + option tcplog + default_backend datadog-remote-configuration + +# This declares the endpoint where your Agents connect for +# sending Network Path data (for example, the value of "network_path.forwarder.dd_url") +frontend network_path_frontend + bind *:3847 + mode http + option tcplog + default_backend datadog-network-path + +# This is the Datadog server. In effect, any TCP request coming +# to the forwarder frontends defined above are proxied to +# Datadog's public endpoints. +backend datadog-metrics + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 metrics.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership metrics.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-api + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 api.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership api.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-flare + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 flare.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership flare.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-traces + balance roundrobin + mode tcp + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 trace.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership trace.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-profiles + balance roundrobin + mode tcp + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 intake.profile.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership profile.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-processes + balance roundrobin + mode tcp + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 process.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership process.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-logs-http + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-database-monitoring-metrics + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 dbm-metrics-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-database-monitoring-samples + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 dbquery-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-network-devices-metadata + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 ndm-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership ndm-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-network-devices-snmp-traps + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 snmp-traps-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership snmp-traps-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-instrumentations-telemetry + balance roundrobin + mode tcp + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-network-devices-netflow + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 ndmflow-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership ndmflow-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-remote-configuration + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 config.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership config.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-network-path + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 netpath-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership netpath-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file +``` + +##### HTTPS + +This configuration adds SSL/TLS encryption on communication between the Agent and HAProxy. Replace the variable `` with the path to the proxy certificate bundle (*.pem). + +```conf +# Basic configuration +global + log 127.0.0.1 local0 + maxconn 4096 + stats socket /tmp/haproxy + +# Some sane defaults +defaults + log global + option dontlognull + retries 3 + option redispatch + timeout client 5s + timeout server 5s + timeout connect 5s + +# This declares a view into HAProxy statistics, on port 3833 +# You do not need credentials to view this page and you can +# turn it off once you are done with setup. +listen stats + bind *:3833 + mode http + stats enable + stats uri / + +# This section is to reload DNS Records +# Replace and with your DNS Server IP addresses. +# For HAProxy 1.8 and newer +resolvers my-dns + nameserver dns1 :53 + nameserver dns2 :53 + resolve_retries 3 + timeout resolve 2s + timeout retry 1s + accepted_payload_size 8192 + hold valid 10s + hold obsolete 60s + +# This declares the endpoint where your Agents connect for +# sending metrics (for example, the value of "dd_url"). +frontend metrics-forwarder + bind *:3834 ssl crt + mode http + option tcplog + default_backend datadog-metrics + + use_backend datadog-api if { path_beg -i /api/v1/validate } + use_backend datadog-flare if { path_beg -i /support/flare/ } + +# This declares the endpoint where your Agents connect for +# sending traces (for example, the value of "endpoint" in the APM +# configuration section). +frontend traces-forwarder + bind *:3835 ssl crt + mode tcp + option tcplog + default_backend datadog-traces + +# This declares the endpoint where your Agents connect for +# sending profiles (for example, the value of "apm_config.profiling_dd_url"). +frontend profiles-forwarder + bind *:3836 ssl crt + mode tcp + option tcplog + default_backend datadog-profiles + +# This declares the endpoint where your Agents connect for +# sending processes (for example, the value of "url" in the process +# configuration section). +frontend processes-forwarder + bind *:3837 ssl crt + mode tcp + option tcplog + default_backend datadog-processes + +# This declares the endpoint where your Agents connect for +# sending Logs (e.g the value of "logs.config.logs_dd_url") +# If sending logs with force_use_http: true +frontend logs_http_frontend + bind *:3838 ssl crt + mode http + option tcplog + default_backend datadog-logs-http + +# If sending logs with force_use_tcp: true +# frontend logs_frontend +# bind *:10514 ssl crt +# mode tcp +# option tcplog +# default_backend datadog-logs + +# This declares the endpoint where your Agents connect for +# sending database monitoring metrics and activity (e.g the value of "database_monitoring.metrics.dd_url" and "database_monitoring.activity.dd_url") +frontend database_monitoring_metrics_frontend + bind *:3839 ssl crt + mode http + option tcplog + default_backend datadog-database-monitoring-metrics + +# This declares the endpoint where your Agents connect for +# sending database monitoring samples (e.g the value of "database_monitoring.samples.dd_url") +frontend database_monitoring_samples_frontend + bind *:3840 ssl crt + mode http + option tcplog + default_backend datadog-database-monitoring-samples + +# This declares the endpoint where your Agents connect for +# sending Network Devices Monitoring metadata (e.g the value of "network_devices.metadata.dd_url") +frontend network_devices_metadata_frontend + bind *:3841 ssl crt + mode http + option tcplog + default_backend datadog-network-devices-metadata + +# This declares the endpoint where your Agents connect for +# sending Network Devices SNMP Traps data (e.g the value of "network_devices.snmp_traps.forwarder.dd_url") +frontend network_devices_snmp_traps_frontend + bind *:3842 ssl crt + mode http + option tcplog + default_backend datadog-network-devices-snmp-traps + + +# This declares the endpoint where your Agents connect for +# sending Instrumentation Telemetry data (e.g. the value of "apm_config.telemetry.dd_url") +frontend instrumentation_telemetry_data_frontend + bind *:3843 ssl crt + mode tcp + option tcplog + default_backend datadog-instrumentations-telemetry + +# This declares the endpoint where your Agents connect for +# sending Network Devices Monitoring NetFlow flows (for example, the value of "network_devices.netflow.forwarder.dd_url") +frontend network_devices_netflow_frontend + bind *:3845 ssl crt + mode http + option tcplog + default_backend datadog-network-devices-netflow + +# This declares the endpoint where your Agents connects for +# receiving Remote Configurations (for example, the value of "remote_configuration.rc_dd_url") +frontend remote_configuration_frontend + bind *:3846 ssl crt + mode http + option tcplog + default_backend datadog-remote-configuration + +# This declares the endpoint where your Agents connect for +# sending Network Path data (for example, the value of "network_path.forwarder.dd_url") +frontend network_path_frontend + bind *:3847 ssl crt + mode http + option tcplog + default_backend datadog-network-path + +# This is the Datadog server. In effect any TCP request coming +# to the forwarder frontends defined above are proxied to +# Datadog's public endpoints. +backend datadog-metrics + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 metrics.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership metrics.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-api + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 api.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership api.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-flare + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 flare.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership flare.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-traces + balance roundrobin + mode tcp + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 trace.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership trace.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-profiles + balance roundrobin + mode tcp + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 intake.profile.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership profile.agent.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-processes + balance roundrobin + mode tcp + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 process.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership process.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-logs-http + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-database-monitoring-metrics + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 dbm-metrics-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-database-monitoring-samples + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 dbquery-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server datadog agent-http-intake.logs.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-network-devices-metadata + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 ndm-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership ndm-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-network-devices-snmp-traps + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 snmp-traps-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership snmp-traps-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-instrumentations-telemetry + balance roundrobin + mode tcp + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-network-devices-netflow + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 ndmflow-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership ndmflow-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-remote-configuration + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 config.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership config.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file + +backend datadog-network-path + balance roundrobin + mode http + # The following configuration is for HAProxy 1.8 and newer + server-template mothership 5 netpath-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file check resolvers my-dns init-addr none resolve-prefer ipv4 + # Uncomment the following configuration for older HAProxy versions + # server mothership netpath-intake.{{< region-param key="dd_site" >}}:443 check port 443 ssl verify required ca-file +``` + +**Note**: You can use `verify none` instead of `verify required ca-file ` if you are unable to get the certificates on the proxy host, but be aware that HAProxy will not be able to verify Datadog's intake certificate in that case. + +HAProxy 1.8 and newer allow DNS service discovery to detect server changes and automatically apply them to your configuration. +If you are using older version of HAProxy, you have to reload or restart HAProxy. **It is recommended to have a `cron` job reload HAProxy every 10 minutes** (such as `service haproxy reload`) to force a refresh of HAProxy's DNS cache, in case {{< region-param key="dd_full_site" code="true" >}} fails over to another IP. + +#### Datadog Agent configuration + +Edit each Agent to point to HAProxy by setting its `dd_url` to the address of HAProxy, for example: `haproxy.example.com`. +This `dd_url` setting can be found in the `datadog.yaml` file. + +`dd_url: ://haproxy.example.com:3834` + +Replace `` with `https` if you previously chose the HAProxy HTTPS configuration, or with `http` if you did not choose HTTPS. + +To send traces, profiles, processes, and logs through the proxy, setup the following in the `datadog.yaml` file: + +```yaml +apm_config: + apm_dd_url: ://haproxy.example.com:3835 + profiling_dd_url: ://haproxy.example.com:3836/api/v2/profile + telemetry: + dd_url: ://haproxy.example.com:3843 + +process_config: + process_dd_url: ://haproxy.example.com:3837 + +logs_config: + force_use_http: true + logs_dd_url: haproxy.example.com:3838 + # Comment the line below to use encryption between the Agent and HAProxy + logs_no_ssl: true + +database_monitoring: + metrics: + logs_dd_url: haproxy.example.com:3839 + # Comment the line below to use encryption between the Agent and HAProxy + logs_no_ssl: true + activity: + logs_dd_url: haproxy.example.com:3839 + # Comment the line below to use encryption between the Agent and HAProxy + logs_no_ssl: true + samples: + logs_dd_url: haproxy.example.com:3840 + # Comment the line below to use encryption between the Agent and HAProxy + logs_no_ssl: true + +network_devices: + metadata: + logs_dd_url: haproxy.example.com:3841 + # Comment the line below to use encryption between the Agent and HAProxy + logs_no_ssl: true + snmp_traps: + forwarder: + logs_dd_url: haproxy.example.com:3842 + # Comment the line below to use encryption between the Agent and HAProxy + logs_no_ssl: true + netflow: + forwarder: + logs_dd_url: haproxy.example.com:3845 + # Comment the line below to use encryption between the Agent and HAProxy + logs_no_ssl: true + +remote_configuration: + rc_dd_url: haproxy.example.com:3846 + # Comment the line below to use encryption between the Agent and HAProxy + no_tls: true +``` + +When using encryption between the Agent and HAProxy, if the Agent does not have access to the proxy certificate, is unable to validate it, or the validation is not needed, you can edit the `datadog.yaml` Agent configuration file and set `skip_ssl_validation` to `true`. +With this option set to `true`, the Agent skips the certificate validation step and does not verify the identity of the proxy, but the communication is still encrypted with SSL/TLS. + +```yaml +skip_ssl_validation: true +``` + +Finally [restart the Agent][1]. + +To verify that everything is working properly, review the HAProxy statistics at `http://haproxy.example.com:3833` as well as the [Infrastructure Overview][2]. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /agent/configuration/agent-commands/ +[2]: https://app.datadoghq.com/infrastructure +[3]: http://haproxy.1wt.eu +[4]: https://www.haproxy.com/blog/haproxy-ssl-termination/ +[5]: /getting_started/site/ diff --git a/content/en/agent/faq/proxy_example_nginx.md b/content/en/agent/faq/proxy_example_nginx.md new file mode 100644 index 0000000000000..93415ca250560 --- /dev/null +++ b/content/en/agent/faq/proxy_example_nginx.md @@ -0,0 +1,356 @@ +--- +title: Proxy Example with NGINX +further_reading: +- link: "/agent/configuration/proxy/" + tag: "Documentation" + text: "Agent Proxy Configuration" +private: true +--- + +## Overview + +
+Datadog discourages forwarding traffic using software like HAProxy or NGINX because it requires you to manually configure and maintain the list of specific Datadog endpoints the Agent needs to reach. This list can change, leading to potential data loss if not kept up-to-date. The only exception is if you need Deep Packet Inspection (DPI) capabilities, in which case you might consider using HAProxy or NGINX as they allow you to disable TLS or use your own TLS certificates and inspect the traffic. +
+ +[NGINX][2] is a web server which can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. You can also use NGINX as a proxy for your Datadog Agents: + +`agent ---> nginx ---> Datadog` + +The communication between NGINX and Datadog is always encrypted with TLS. The communication between the Agent host and the NGINX host is not encrypted by default, because the proxy and the Agent are assumed to be on the same host. However, it is recommended that you secure this communication with TLS encryption if they are not located on the same isolated local network. +In order to encrypt data between the Agent and NGINX, you need to create an x509 certificate with the Subject Alternative Name (SAN) extension for the NGINX host. + +**Note**: Download the Datadog certificate with one of the following commands: + +```shell +sudo apt-get install ca-certificates # (Debian, Ubuntu) +yum install ca-certificates # (CentOS, Red Hat) +``` + +The path to the certificate is `/etc/ssl/certs/ca-certificates.crt` for Debian and Ubuntu or `/etc/ssl/certs/ca-bundle.crt` for CentOS and Red Hat. + +### Proxy forwarding with NGINX + +#### NGINX configuration + +NGINX should be installed on a host that has connectivity to Datadog. You can use one of the following configuration files if you do not already have it configured. The configuration is dependent on the Datadog service and site. To see configurations based on your [Datadog site][1], use the `DATADOG SITE` selector on the right. + +**Note**: It is recommended to use the `HTTPS` configuration file if the Agent and NGINX are not part of the same isolated local network. + +##### HTTP + +```conf +user nginx; +worker_processes auto; +error_log /var/log/nginx/error.log; +pid /run/nginx.pid; + +events { + worker_connections 1024; +} +# HTTP Proxy for Datadog Agent +http { + + proxy_ssl_trusted_certificate ; + + server { + listen 3834; #listen for metrics + access_log off; + + location /api/v1/validate { + proxy_ssl_verify on; + proxy_pass https://api.{{< region-param key="dd_site" >}}:443/api/v1/validate; + } + location /support/flare/ { + proxy_ssl_verify on; + proxy_pass https://flare.{{< region-param key="dd_site" >}}:443/support/flare/; + } + location / { + proxy_ssl_verify on; + proxy_pass https://metrics.agent.{{< region-param key="dd_site" >}}:443/; + } + } +} +# TCP Proxy for Datadog Agent +stream { + + proxy_ssl_trusted_certificate ; + + server { + listen 3835; #listen for traces + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass trace.agent.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3836; #listen for profiles + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass intake.profile.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3837; #listen for processes + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass process.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3838; #listen for logs with force_use_http: true + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass agent-http-intake.logs.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3839; #listen for database monitoring metrics + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass dbm-metrics-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3840; #listen for database monitoring samples + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass dbquery-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3841; #listen for network devices metadata + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass ndm-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3842; #listen for network devices traps + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass snmp-traps-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3843; #listen for instrumentations telemetry data + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3845; #listen for network devices netflow + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass ndmflow-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3846; #listen for Remote Configuration requests + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass config.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3847; #listen for network path + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass netpath-intake.{{< region-param key="dd_site" >}}:443; + } +} +``` + +##### HTTPS + +This configuration adds SSL/TLS encryption on communication between the Agent and NGINX. Replace `` with the path to the proxy public certificate and `` with the path to the private key. + +```conf +user nginx; +worker_processes auto; +error_log /var/log/nginx/error.log; +pid /run/nginx.pid; + +events { + worker_connections 1024; +} +# HTTP Proxy for Datadog Agent +http { + + proxy_ssl_trusted_certificate ; + + ssl_certificate ; + ssl_certificate_key ; + + server { + listen 3834 ssl; #listen for metrics + access_log off; + + location /api/v1/validate { + proxy_ssl_verify on; + proxy_pass https://api.{{< region-param key="dd_site" >}}:443/api/v1/validate; + } + location /support/flare/ { + proxy_ssl_verify on; + proxy_pass https://flare.{{< region-param key="dd_site" >}}:443/support/flare/; + } + location / { + proxy_ssl_verify on; + proxy_pass https://metrics.agent.{{< region-param key="dd_site" >}}:443/; + } + } +} +# TCP Proxy for Datadog Agent +stream { + + proxy_ssl_trusted_certificate ; + + ssl_certificate ; + ssl_certificate_key ; + + server { + listen 3835 ssl; #listen for traces + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass trace.agent.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3836 ssl; #listen for profiles + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass intake.profile.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3837 ssl; #listen for processes + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass process.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3838 ssl; #listen for logs with force_use_http: true + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass agent-http-intake.logs.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3839 ssl; #listen for database monitoring metrics + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass dbm-metrics-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3840 ssl; #listen for database monitoring samples + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass dbquery-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3841 ssl; #listen for network devices metadata + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass ndm-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3842 ssl; #listen for network devices traps + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass snmp-traps-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3843 ssl; #listen for instrumentations telemetry data + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass instrumentation-telemetry-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3845 ssl; #listen for network devices netflow + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass ndmflow-intake.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3846 ssl; #listen for Remote Configuration requests + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass config.{{< region-param key="dd_site" >}}:443; + } + server { + listen 3847 ssl; #listen for network path + proxy_ssl_verify on; + proxy_ssl on; + proxy_pass netpath-intake.{{< region-param key="dd_site" >}}:443; + } +} +``` + +**Note**: You can remove `proxy_ssl_verify on` if you are unable to get the certificates on the proxy host, but be aware that NGINX will not be able to verify Datadog's intake certificate in that case. + +#### Datadog Agent configuration + +Edit each Agent configuration file to point to NGINX by setting its `dd_url` to the address of NGINX, for example: `nginx.example.com`. +This `dd_url` setting can be found in the `datadog.yaml` file. + +`dd_url: "://nginx.example.com:3834"` + +Replace `` with `https` if you previously chose the HAProxy HTTPS configuration, or with `http` if you did not choose HTTPS. + +To send traces, profiles, processes, and logs through the proxy, setup the following in the `datadog.yaml` file: + +```yaml +apm_config: + apm_dd_url: ://nginx.example.com:3835 + profiling_dd_url: ://nginx.example.com:3836/api/v2/profile + telemetry: + dd_url: ://nginx.example.com:3843 + +process_config: + process_dd_url: ://nginx.example.com:3837 + +logs_config: + force_use_http: true + logs_dd_url: nginx.example.com:3838 + # Comment the line below to use encryption between the Agent and NGINX + logs_no_ssl: true + +database_monitoring: + metrics: + logs_dd_url: nginx.example.com:3839 + # Comment the line below to use encryption between the Agent and NGINX + logs_no_ssl: true + activity: + logs_dd_url: nginx.example.com:3839 + # Comment the line below to use encryption between the Agent and NGINX + logs_no_ssl: true + samples: + logs_dd_url: nginx.example.com:3840 + # Comment the line below to use encryption between the Agent and NGINX + logs_no_ssl: true + +network_devices: + metadata: + logs_dd_url: nginx.example.com:3841 + # Comment the line below to use encryption between the Agent and NGINX + logs_no_ssl: true + snmp_traps: + forwarder: + logs_dd_url: nginx.example.com:3842 + # Comment the line below to use encryption between the Agent and NGINX + logs_no_ssl: true + netflow: + forwarder: + logs_dd_url: nginx.example.com:3845 + # Comment the line below to use encryption between the Agent and NGINX + logs_no_ssl: true + +remote_configuration: + rc_dd_url: nginx.example.com:3846 + # Comment the line below to use encryption between the Agent and NGINX + no_tls: true +``` + +When using encryption between the Agent and NGINX, if the Agent does not have access to the proxy certificate, is unable to validate it, or the validation is not needed, you can edit the `datadog.yaml` Agent configuration file and set `skip_ssl_validation` to `true`. +With this option set to `true`, the Agent skips the certificate validation step and does not verify the identity of the proxy, but the communication is still encrypted with SSL/TLS. + +```yaml +skip_ssl_validation: true +``` + +When sending logs over TCP, see [TCP Proxy for Logs][3]. + +## Further Reading + +{{< partial name="whats-next/whats-next.html" >}} + +[1]: /getting_started/site/ +[2]: https://www.nginx.com +[3]: /agent/logs/proxy diff --git a/layouts/partials/nav/left-nav.html b/layouts/partials/nav/left-nav.html index a10cf40fd31c0..e33cf3426ca26 100644 --- a/layouts/partials/nav/left-nav.html +++ b/layouts/partials/nav/left-nav.html @@ -69,7 +69,7 @@
    + "application_security_code_security_setup" "appsec_threats_management_setup" "observability_pipelines_log_volume_control" "observability_pipelines_dual_ship_logs" "observability_pipelines_archive_logs" "observability_pipelines_split_logs" "observability_pipelines_sensitive_data_redaction" "observability_pipelines_log_enrichment" "csm_setup_agentless_scanning" "observability_pipelines_generate_metrics" "log_explorer_calculated_fields" "test_impact_analysis_setup" "dbm_setup_postgres_rds" "sca_setup_runtime" "ndm_setup" "otel-setup-collector-exporter" "otel-setup-intake-endpoint" "otel_guides_migration" "otel-api-dd-sdk" "csm_setup_iac_scanning" "agent_configuration_proxy" "ide_plugins_idea") .Identifier) }}d-none{{ end }}"> {{/* LEVEL 4 */}} {{ range .Children }}