Proxy Configuration

Configure Keeper Gateway to route traffic through corporate HTTP/HTTPS proxy servers for air-gapped or restricted network environments.

Overview

In enterprise environments, network security policies may require internet traffic to flow through a corporate proxy server. Keeper Gateway supports standard HTTP/HTTPS proxy configuration through environment variables and command-line parameters, ensuring compatibility with corporate network architectures.

When proxy support is enabled, the Gateway routes all outbound connections through the specified proxy server, including:

  • WebSocket connections to Keeper servers

  • HTTP/HTTPS API calls

  • Health check endpoints

  • Version verification requests

  • TURN credential requests

Proxy support is currently available for Discovery and Rotation operations. PAM connection sessions (SSH, RDP, VNC, database connections) are not supported through proxies at this time due to the complexity of WebRTC media traffic routing. WebRTC connections require direct network access or TURN server configuration.

Supported Proxy Types

Keeper Gateway supports the following proxy configurations:

  • HTTP Proxy - Standard HTTP proxy servers (e.g., Squid, Apache Traffic Server)

  • HTTPS Proxy - Secure proxy connections with TLS

  • Authenticated Proxies - Proxies requiring username/password authentication

  • Bypass Lists - Exclude specific domains or IP addresses from proxy routing

Configuration Methods

You can configure proxy settings using either environment variables or command-line parameters. Command-line parameters take precedence over environment variables.

Option 1: Environment Variables

Environment variables provide a standard way to configure proxy settings across all network-aware applications. These variables are recognized by most networking tools and libraries.

Supported Environment Variables

Keeper Gateway recognizes the following environment variables (in order of precedence):

  1. HTTPS_PROXY or https_proxy - Primary proxy configuration (recommended)

  2. HTTP_PROXY or http_proxy - Fallback proxy configuration

  3. NO_PROXY or no_proxy - Bypass list for excluded hosts

These are standard environment variable names used across many applications and programming languages. The Keeper Gateway follows this industry convention for seamless integration with existing infrastructure.

Setting Environment Variables

Linux/macOS:

Windows (Command Prompt):

Windows (PowerShell):

With Authentication

Include credentials in the proxy URL:

Special characters in passwords must be URL-encoded. For example, p@ssw0rd becomes p%40ssw0rd.

Option 2: Command-Line Parameters

Command-line parameters provide additional flexibility and override environment variables when both are present.

Available Parameters

| Parameter | Description | Example |
| --- | --- | --- |
| --proxy-url | Complete proxy URL with optional credentials | http://proxy.company.com:8080 |
| --proxy-host | Proxy server hostname or IP address | proxy.company.com |
| --proxy-port | Proxy server port number | 8080 |
| --proxy-username | Authentication username (if required) | myuser |
| --proxy-password | Authentication password (if required) | mypassword |
| --no-proxy | Comma-separated list of hosts to bypass | localhost,127.0.0.1,.internal |

Docker Deployment with Proxy

When deploying Keeper Gateway in Docker, configure proxy settings in your docker-compose.yml file.

Docker Compose Configuration

Add proxy environment variables to your Gateway service:

The proxy server must be accessible from the Gateway container. If using an external proxy, ensure network connectivity. If deploying a proxy container in the same Docker Compose stack, include it in the depends_on section.

Air-Gapped Docker Environment Example

For complete network isolation, deploy the Gateway with a dedicated proxy container:

In this configuration:

  • The Gateway container has no direct internet access (it is attached only to the internal: true network)

  • All internet traffic must flow through the proxy container

  • Proxy container bridges the air-gapped and public networks

  • Internal services (databases, application servers) bypass the proxy
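A way to check a compose file against the layout described above, as an added example (not Keeper's code). It takes the dict a YAML parser would return for docker-compose.yml; the service names `gateway` and `proxy`, the network names, the port, and the image placeholders are assumptions.

```python
def _env(service):
    """Normalize a compose 'environment' block (mapping or KEY=VALUE list) to a dict."""
    env = service.get("environment") or {}
    if isinstance(env, list):
        env = dict(item.split("=", 1) if "=" in item else (item, "") for item in env)
    return env


def audit_compose(compose, gateway="gateway", proxy="proxy"):
    """Return findings for an air-gapped Gateway layout; an empty list means none."""
    services = compose.get("services") or {}
    networks = compose.get("networks") or {}
    gw, px = services.get(gateway) or {}, services.get(proxy) or {}
    gw_nets, px_nets = list(gw.get("networks") or []), list(px.get("networks") or [])
    internal = {n for n, cfg in networks.items() if (cfg or {}).get("internal") is True}
    findings = []

    if not gw_nets:
        findings.append(f"{gateway}: no networks listed, so it joins the default network")
    for net in gw_nets:
        if net not in internal:
            findings.append(f"{gateway}: attached to '{net}', which is not internal: true")
    if not set(gw_nets) & set(px_nets) & internal:
        findings.append(f"{proxy}: shares no internal network with {gateway}")
    if px_nets and all(net in internal for net in px_nets):
        findings.append(f"{proxy}: has no non-internal network to reach the internet")
    env = _env(gw)
    if not any(env.get(k) for k in ("HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy")):
        findings.append(f"{gateway}: no proxy environment variable set")
    if proxy not in list(gw.get("depends_on") or []):
        findings.append(f"{gateway}: depends_on does not include {proxy}")
    return findings


# Constructed sample (names, port and images are placeholders, not from the page)
SAMPLE_COMPOSE = {
    "services": {
        "gateway": {
            "image": "<gateway-image>",
            "environment": ["HTTPS_PROXY=http://proxy:3128", "NO_PROXY=localhost,127.0.0.1,db"],
            "networks": ["airgapped"],
            "depends_on": ["proxy"],
        },
        "proxy": {"image": "<proxy-image>", "networks": ["airgapped", "public"]},
    },
    "networks": {"airgapped": {"internal": True}, "public": None},
}
```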

Configuration Priority

When multiple configuration sources are present, Keeper Gateway applies settings in the following priority order (highest to lowest):

  1. Individual command-line parameters (--proxy-host, --proxy-port, etc.)

  2. --proxy-url command-line parameter

  3. HTTPS_PROXY environment variable

  4. https_proxy environment variable

  5. HTTP_PROXY environment variable

  6. http_proxy environment variable

For bypass lists:

  1. --no-proxy command-line parameter

  2. NO_PROXY environment variable

  3. no_proxy environment variable
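The two priority lists above, applied to a set of inputs so that lower-priority settings that are set but silently ignored become visible. This is an added example, not Keeper's code; the `cli` dict keyed by flag name without dashes, the `host:port` rendering of the individual flags, and the sample values are assumptions.

```python
PROXY_ENV_ORDER = ("HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy")
NO_PROXY_ENV_ORDER = ("NO_PROXY", "no_proxy")


def first_set(candidates):
    """Return ((source, value), [ignored sources]) for the first non-empty value."""
    present = [(source, value) for source, value in candidates if value]
    if not present:
        return None, []
    return present[0], [source for source, _ in present[1:]]


def resolve_proxy_settings(cli, env):
    """Pick the winning proxy and bypass list and name the sources that lose."""
    host, port = cli.get("proxy-host"), cli.get("proxy-port")
    # Credentials are left out of the rendered value on purpose
    individual = f"{host}:{port}" if host and port else host
    proxy_candidates = [("--proxy-host/--proxy-port", individual),
                        ("--proxy-url", cli.get("proxy-url"))]
    proxy_candidates += [(name, env.get(name)) for name in PROXY_ENV_ORDER]
    bypass_candidates = [("--no-proxy", cli.get("no-proxy"))]
    bypass_candidates += [(name, env.get(name)) for name in NO_PROXY_ENV_ORDER]
    proxy, proxy_ignored = first_set(proxy_candidates)
    bypass, bypass_ignored = first_set(bypass_candidates)
    return {"proxy": proxy, "proxy_ignored": proxy_ignored,
            "no_proxy": bypass, "no_proxy_ignored": bypass_ignored}


# Constructed scenario: a stale environment variable alongside a newer flag
SAMPLE_CLI = {"proxy-url": "http://proxy.company.com:8080"}
SAMPLE_ENV = {"HTTPS_PROXY": "http://old-proxy.company.com:3128",
              "http_proxy": "http://old-proxy.company.com:3128",
              "no_proxy": "localhost,127.0.0.1"}

if __name__ == "__main__":
    for key, value in resolve_proxy_settings(SAMPLE_CLI, SAMPLE_ENV).items():
        print(f"{key}: {value}")
```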

Proxy URL Format

Proxy URLs follow standard URI syntax:

Examples

Basic HTTP proxy:

HTTPS proxy:

Authenticated proxy:

Proxy with special characters in password:

Note: URL-encode special characters in usernames and passwords using percent-encoding (e.g., @ becomes %40, ! becomes %21).
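The percent-encoding rule from this note and from the "With Authentication" section, as an added example (not Keeper's code): it builds a proxy URL with encoded credentials, parses it back, and produces a redacted form suitable for logs. The function names are hypothetical; the host, port and credentials reuse the page's illustrative values.

```python
from urllib.parse import quote, unquote, urlsplit


def build_proxy_url(host, port, username=None, password=None, scheme="http"):
    """Return scheme://[user[:password]@]host:port with credentials percent-encoded."""
    userinfo = ""
    if username is not None:
        # safe="" forces reserved characters such as @ : / # ! to be encoded
        userinfo = quote(username, safe="")
        if password is not None:
            userinfo += ":" + quote(password, safe="")
        userinfo += "@"
    return f"{scheme}://{userinfo}{host}:{port}"


def parse_proxy_url(url):
    """Split a proxy URL and decode the credentials back to their raw form."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port,
        "username": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
    }


def redact_proxy_url(url):
    """Replace the password with *** so the URL can be written to logs."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    user = parts.username or ""
    return url.replace(f"{user}:{parts.password}@", f"{user}:***@", 1)


if __name__ == "__main__":
    url = build_proxy_url("proxy.company.com", 8080, "myuser", "p@ssw0rd")
    print(url)
    print(parse_proxy_url(url))
    print(redact_proxy_url(url))
```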

NO_PROXY Bypass List

The NO_PROXY setting allows you to exclude specific hosts from proxy routing. This is useful for:

  • Internal services on the same network

  • Local resources that don't require proxy access

  • Services that cannot work through a proxy

Bypass List Format

The bypass list is a comma-separated list of:

  • Exact hostnames: localhost, internal-server

  • IP addresses: 127.0.0.1, 192.168.1.100

  • Domain suffixes: .internal.com, .local (matches all subdomains)

Examples

Basic bypass list:

With domain suffixes:

Docker internal services:

Spaces are automatically trimmed. Both localhost, 127.0.0.1 and localhost,127.0.0.1 work identically.
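The matching rules listed above (exact hostnames, IP addresses, leading-dot domain suffixes, trimmed spaces), as an added example for reviewing which destinations a bypass list would send direct instead of through the proxy. It is not Keeper's matcher: case-insensitive comparison and the suffix form not matching the bare domain are assumptions, and the sample hosts are constructed.

```python
def parse_no_proxy(value):
    """Split the comma-separated list; spaces are trimmed, empty items dropped."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def bypass_entry(host, no_proxy):
    """Return the bypass-list entry that matches host, or None if it is proxied."""
    host = host.strip().lower()  # assumption: comparison is case-insensitive
    for entry in parse_no_proxy(no_proxy):
        if entry.startswith("."):
            # Domain suffix: matches subdomains (assumption: not the bare
            # domain). The leading dot keeps "notinternal.com" from matching.
            if host.endswith(entry):
                return entry
        elif host == entry:
            # Exact hostname or IP address; "127.0.0.1" does not cover "127.0.0.10"
            return entry
    return None


def audit_destinations(hosts, no_proxy):
    """Map each destination to how it would be routed under this bypass list."""
    routes = {}
    for host in hosts:
        entry = bypass_entry(host, no_proxy)
        routes[host] = f"direct ({entry})" if entry else "proxy"
    return routes


# Constructed sample values for illustration
SAMPLE_NO_PROXY = "localhost, 127.0.0.1 , .internal.com"
SAMPLE_HOSTS = ["db.internal.com", "internal.com", "notinternal.com",
                "127.0.0.10", "vendor-api.example.com"]

if __name__ == "__main__":
    for host, route in audit_destinations(SAMPLE_HOSTS, SAMPLE_NO_PROXY).items():
        print(f"{host:28} {route}")
```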

Verification and Testing

Step 1: Verify Configuration

After starting the Gateway with proxy configuration, check the logs for confirmation:

Step 2: Test Proxy Connectivity

Before starting the Gateway, verify proxy accessibility:

Linux/macOS:

Windows (PowerShell):

If the proxy requires authentication:
