HTTPS proxy configuration not working

Problem

The Infrastructure agent's HTTP/HTTPS proxy configuration is not working.

For best proxy results, we recommend using the most recent Infrastructure agent.

Solution

If the proxy configuration for your New Relic Infrastructure agent isn't working, the problem may be due to proxy precedence.

Review the section below for your New Relic Infrastructure agent version:

New Relic Infrastructure agent versions 1.3.1 or higher uses the following proxy precedence:

Configuration Precedence Windows Linux
NRIA_PROXY 1 HTTP/HTTPS HTTP/HTTPS
proxy (in newrelic-infra.yml) 2 HTTP/HTTPS HTTP/HTTPS
HTTPS_PROXY 3 HTTPS HTTPS
HTTP_PROXY 4 HTTP HTTP

The following options affect TLS certificate configuration:

  • If you use an HTTPS proxy, you probably need to set one of these:
    • The configuration option proxy_validate_certificates: true
    • The environment variable NRIA_PROXY_VALIDATE_CERTIFICATES=true
  • If you use your own self-signed certificates for the HTTPS proxy, keep the default value proxy_validate_certificates: false

Here are some additional factors that affect proxy configuration:

  • The NRIA_PROXY and proxy configuration options enable HTTP or HTTPS depending on the URL scheme.
  • The HTTP_PROXY and HTTPS_PROXY environment variables are ignored if either of the these configuration options is set:
    • NRIA_IGNORE_SYSTEM_PROXY=true
    • ignore_system_proxy: true
  • The certificate validation won't work in Centos 5 systems.

For New Relic Infrastructure agent versions 1.0.1002 to 1.2.25, review the section below based on your configuration:

Ignore proxy is false

If NRIA_IGNORE_SYSTEM_PROXY=FALSE or ignore_system_proxy=FALSE:

Configuration Precedence Windows Linux
HTTPS_PROXY 1 HTTP 1 HTTP 1
NRIA_PROXY 2 HTTP 1 HTTP 1
proxy (in newrelic-infra.yml) 3 HTTP 1 HTTP 1
HTTP_PROXY 4 HTTP HTTP

1 HTTPS proxy not supported (redirected to HTTP)

Ignore proxy is true

If NRIA_IGNORE_SYSTEM_PROXY=TRUE or ignore_system_proxy=TRUE:

Configuration Precedence Windows Linux
NRIA_PROXY 1 HTTP 1 HTTP 1
proxy (in newrelic-infra.yml) 2 HTTP 1 HTTP 1

1 HTTPS proxy not supported (redirected to HTTP)

New Relic Infrastructure agent versions 1.0.956 to 1.0.989 uses the following proxy precedence:

Configuration Precedence Windows Linux
HTTPS_PROXY 1 HTTPS HTTP 1
NRIA_PROXY 2 HTTP/HTTPS 2 HTTP 1
proxy (in newrelic-infra.yml) 3 HTTP/HTTPS HTTP 1
HTTP_PROXY 4 HTTP/HTTPS TTP

1 HTTPS proxy not supported (redirected to HTTP)

2 When using a HTTPS proxy with a custom TLS/SSL or self-signed certificate, provide either:

  • The certificate file location in ca_bundle_file
  • The certificates directory path in ca_bundle_dir

New Relic Infrastructure agent versions 1.0.944 or lower uses the following proxy precedence:

Configuration Precedence Windows Linux
HTTPS_PROXY 1 HTTP 1 HTTP 1
NRIA_PROXY 2 HTTP 1 HTTP 1
proxy (in newrelic-infra.yml) 3 HTTP 1 HTTP 1
HTTP_PROXY 4 HTTP HTTP

1 HTTPS proxy not supported (redirected to HTTP)

2 When using a HTTPS proxy with a custom TLS/SSL or self-signed certificate, provide either:

  • The certificate file location in ca_bundle_file
  • The certificates directory path in ca_bundle_dir

For more help

Recommendations for learning more: