If your environment routes outbound traffic through a corporate proxy, you can configure the New Relic eBPF agent to send OTLP telemetry through that proxy. This page explains how to configure proxy support on Linux hosts and Kubernetes clusters, the proxy server requirements, and how to troubleshoot common issues.
重要
The eBPF agent supports HTTP CONNECT proxies using the http:// scheme only. Due to gRPC limitations, the agent doesn't support the https:// scheme (a TLS-encrypted connection directly to the proxy). However, your telemetry data is always TLS-encrypted end-to-end between the agent and the New Relic OTLP endpoint. The http:// prefix dictates only how the agent talks to the proxy to establish the tunnel. The proxy itself only sees encrypted traffic and never has access to your data.
How proxy support works
The eBPF agent uses gRPC's built-in HTTP proxy support. When you configure a proxy, the agent:
- Connects to the proxy server.
- Sends an
HTTP CONNECTrequest to open a tunnel to the New Relic OTLP endpoint. - Performs a TLS handshake with the OTLP endpoint through that tunnel.
- Adds a
Proxy-Authorization: Basic <base64>header if you provided credentials.
Proxy server requirements
Your proxy server must support:
- The HTTP
CONNECTmethod (required for TLS tunneling to the OTLP endpoint). - Tunneling to port
443(the OTLP endpoint uses HTTPS). - HTTP Basic Authentication, if you use authenticated proxy access.
Supported proxy servers
Proxy | Supported? | Notes |
|---|---|---|
Squid | Yes | Recommended. Supports |
Apache | Yes | Requires |
nginx | With module | Requires the |
HAProxy | No | HAProxy is a reverse proxy/load balancer and doesn't support the forward-proxy |
Most corporate proxies | Usually yes | Check with your IT or networking team. |
Credential character limitations
注意
If your proxy username contains uppercase letters, or your username or password contains special characters, proxy authentication fails silently. The eBPF agent catches these cases at startup and logs an error so you aren't left debugging a silent failure.
When you configure proxy credentials, only use the following characters:
- Username: Lowercase letters (
a–z), digits (0–9), hyphen (-), underscore (_), period (.), and tilde (~). Uppercase letters aren't allowed. - Password: Letters (
a–z,A–Z), digits (0–9), hyphen (-), underscore (_), period (.), and tilde (~).
The following characters are not allowed in either the username or the password: @, :, /, ?, #, [, ], !, $, &, ', (, ), *, +, ,, ;, =, %, spaces, and other special characters.
If your existing proxy credentials use disallowed characters, ask your proxy administrator to create a dedicated proxy account for the eBPF agent that uses a lowercase alphanumeric username and a simple password.
Configuration precedence
When more than one source defines a proxy, the agent applies them in this order:
otlpProxy.url— Complete proxy URL.otlpProxy.*— Individual proxy settings (host,port,scheme,user,password).
This precedence applies to both Linux host and Kubernetes deployments.
Configure a proxy
For Kubernetes clusters, configure the proxy in your Helm values.yaml file.
Add an otlpProxy: block to your values.yaml:
otlpProxy: host: "proxy.corporate.com" port: 8080 scheme: "http" user: "myuser" password: "mypassword" url: "" existingSecret: ""Alternatively, set url: to http://[user:pass@]host:port to provide a complete proxy URL. The agent supports only the http scheme.
For production deployments, store credentials in a Kubernetes secret instead of setting user: and password: inline. Create the secret with proxy-user and proxy-password keys, and reference it through existingSecret::
$kubectl create secret generic ebpf-proxy-creds \> --namespace newrelic \> --from-literal=proxy-user=myuser \> --from-literal=proxy-password=mypasswordThen apply the change:
$helm upgrade --install nr-ebpf-agent newrelic/nr-ebpf-agent -n newrelic --values values.yamlFor the full list of otlpProxy.* parameters, see K8s configuration parameters on the Kubernetes installation page.
For Linux hosts, configure the proxy in the newrelic-ebpf-agent.yaml configuration file.
Add an otlpProxy: block to /etc/newrelic-ebpf-agent/newrelic-ebpf-agent.yaml:
otlpProxy: host: "proxy.corporate.com" port: 8080 scheme: "http" user: "myuser" password: "mypassword" url: ""Alternatively, set url: to http://[user:pass@]host:port to provide a complete proxy URL. The agent supports only the http scheme.
After saving the file, restrict its permissions and restart the agent:
$sudo chmod 600 /etc/newrelic-ebpf-agent/newrelic-ebpf-agent.yaml$sudo systemctl restart newrelic-ebpf-agentFor the full list of otlpProxy.* parameters, see Configuration parameters on the Linux installation page.
Verify your proxy configuration
After you configure the proxy, validate that the agent is using it as expected.
Check the agent log
Check the agent log for proxy-related messages:
$journalctl -u newrelic-ebpf-agent | grep -i proxyLook for one of these messages:
Using proxy for OTLP endpoint: <endpoint> via http://<host>:<port>— Proxy is enabled.Proxy authentication enabled (username: <user>)— Basic Authentication is configured.Direct connection to OTLP endpoint (no proxy configured)— No proxy is in use.
Test proxy connectivity
Use curl to confirm that your proxy supports the HTTP CONNECT method and can reach the New Relic OTLP endpoint:
$# Unauthenticated proxy$curl -v -x http://proxy.example.com:8080 https://otlp.nr-data.net$
$# Authenticated proxy$curl -v -x http://user:pass@proxy.example.com:8080 https://otlp.nr-data.netA successful response includes:
< HTTP/1.1 200 Connection established* Proxy replied 200 to CONNECT request* CONNECT phase completed!If the agent isn't routing through the proxy or you encounter errors, see Troubleshoot the eBPF proxy.
Security considerations
When you route the agent through a proxy, keep the following in mind:
- Telemetry data stays TLS-encrypted end-to-end. The proxy only sees an encrypted tunnel to the OTLP endpoint. It never has access to your data.
- Proxy credentials are sent in plaintext to the proxy because the agent doesn't support the
https://proxy scheme. Only use proxy authentication on a trusted network between the agent and the proxy. If you need encrypted transport between the agent and the proxy, run the proxy onlocalhostor use a VPN. - The agent never writes passwords to its logs. The username may appear in log lines such as
Proxy authentication enabled (username: <user>)for debugging. - Kubernetes deployments should use
existingSecretinstead of inline credentials to keep proxy passwords out of yourvalues.yamlfile and source control.