Proxy Configuration

Configure Keeper Gateway to route traffic through corporate HTTP/HTTPS proxy servers for air-gapped or restricted network environments.

Overview

In enterprise environments, network security policies may require internet traffic to flow through a corporate proxy server. Keeper Gateway supports standard HTTP/HTTPS proxy configuration through environment variables and command-line parameters, ensuring compatibility with corporate network architectures.

When proxy support is enabled, the Gateway routes all outbound connections through the specified proxy server, including:

  • WebSocket connections to Keeper servers

  • HTTP/HTTPS API calls

  • Health check endpoints

  • Version verification requests

  • TURN credential requests

Proxy support is currently available for Discovery and Rotation operations. PAM connection sessions (SSH, RDP, VNC, database connections) are not supported through proxies at this time due to the complexity of WebRTC media traffic routing. WebRTC connections require direct network access or TURN server configuration.

Supported Proxy Types

Keeper Gateway supports the following proxy configurations:

  • HTTP Proxy - Standard HTTP proxy servers (e.g., Squid, Apache Traffic Server)

  • HTTPS Proxy - Secure proxy connections with TLS

  • Authenticated Proxies - Proxies requiring username/password authentication

  • Bypass Lists - Exclude specific domains or IP addresses from proxy routing

Configuration Methods

You can configure proxy settings using either environment variables or command-line parameters. Command-line parameters take precedence over environment variables.

Option 1: Environment Variables

Environment variables provide a standard way to configure proxy settings across all network-aware applications. These variables are recognized by most networking tools and libraries.

Supported Environment Variables

Keeper Gateway recognizes the following environment variables (in order of precedence):

  1. HTTPS_PROXY or https_proxy - Primary proxy configuration (recommended)

  2. HTTP_PROXY or http_proxy - Fallback proxy configuration

  3. NO_PROXY or no_proxy - Bypass list for excluded hosts

These are standard environment variable names used across many applications and programming languages. The Keeper Gateway follows this industry convention for seamless integration with existing infrastructure.

Setting Environment Variables

Linux/macOS:

export HTTPS_PROXY="http://proxy.company.com:8080"
export NO_PROXY="localhost,127.0.0.1,.local"

Windows (Command Prompt):

set HTTPS_PROXY=http://proxy.company.com:8080
set NO_PROXY=localhost,127.0.0.1,.local

Windows (PowerShell):

$env:HTTPS_PROXY="http://proxy.company.com:8080"
$env:NO_PROXY="localhost,127.0.0.1,.local"

With Authentication

Include credentials in the proxy URL:

export HTTPS_PROXY="http://username:password@proxy.company.com:8080"

Special characters in passwords must be URL-encoded. For example, p@ssw0rd becomes p%40ssw0rd.

Option 2: Command-Line Parameters

Command-line parameters provide additional flexibility and override environment variables when both are present.

Available Parameters

| Parameter | Description | Example |
| --- | --- | --- |
| --proxy-url | Complete proxy URL with optional credentials | http://proxy.company.com:8080 |
| --proxy-host | Proxy server hostname or IP address | proxy.company.com |
| --proxy-port | Proxy server port number | 8080 |
| --proxy-username | Authentication username (if required) | myuser |
| --proxy-password | Authentication password (if required) | mypassword |
| --no-proxy | Comma-separated list of hosts to bypass | localhost,127.0.0.1,.internal |

Docker Deployment with Proxy

When deploying Keeper Gateway in Docker, configure proxy settings in your docker-compose.yml file.

Docker Compose Configuration

Add proxy environment variables to your Gateway service:

services:
  keeper-gateway:
    platform: linux/amd64
    image: keepersecurityinc/gateway:latest
    environment:
      GATEWAY_CONFIG: <your-gateway-config>

      # Proxy Configuration
      HTTP_PROXY: http://proxy:3128
      HTTPS_PROXY: http://proxy:3128
      NO_PROXY: localhost,127.0.0.1,db-mysql,server-ssh,server-rdp

    networks:
      - internal-network
    depends_on:
      - proxy

The proxy server must be accessible from the Gateway container. If using an external proxy, ensure network connectivity. If deploying a proxy container in the same Docker Compose stack, include it in the depends_on section.

Air-Gapped Docker Environment Example

For complete network isolation, deploy the Gateway with a dedicated proxy container:

networks:
  # Internal network with NO internet access
  airgapped-internal-network:
    internal: true
    ipam:
      config:
        - subnet: 10.99.0.0/24

  # Public network (proxy only)
  public-internet-network:
    driver: bridge

services:
  # HTTP Proxy (bridges networks)
  proxy:
    platform: linux/amd64
    image: ubuntu/squid:latest
    networks:
      - airgapped-internal-network
      - public-internet-network
    ports:
      - "3128:3128"
    volumes:
      - ./squid.conf:/etc/squid/squid.conf:ro

  # Keeper Gateway (air-gapped)
  keeper-gateway:
    platform: linux/amd64
    image: keepersecurityinc/gateway:latest
    environment:
      GATEWAY_CONFIG: <your-gateway-config>
      HTTP_PROXY: http://proxy:3128
      HTTPS_PROXY: http://proxy:3128
      NO_PROXY: localhost,127.0.0.1,internal-service
    networks:
      - airgapped-internal-network  # NO public-internet-network
    depends_on:
      - proxy

In this configuration:

  • The Gateway container has no direct internet access (it is attached only to the internal: true network)

  • All internet traffic must flow through the proxy container

  • Proxy container bridges the air-gapped and public networks

  • Internal services (databases, application servers) bypass the proxy

Configuration Priority

When multiple configuration sources are present, Keeper Gateway applies settings in the following priority order (highest to lowest):

  1. Individual command-line parameters (--proxy-host, --proxy-port, etc.)

  2. --proxy-url command-line parameter

  3. HTTPS_PROXY environment variable

  4. https_proxy environment variable

  5. HTTP_PROXY environment variable

  6. http_proxy environment variable

For bypass lists:

  1. --no-proxy command-line parameter

  2. NO_PROXY environment variable

  3. no_proxy environment variable

Proxy URL Format

Proxy URLs follow standard URI syntax:

[scheme://][username:password@]hostname:port

Examples

Basic HTTP proxy:

http://proxy.company.com:8080

HTTPS proxy:

https://proxy.company.com:8080

Authenticated proxy:

http://username:password@proxy.company.com:8080

Proxy with special characters in password:

http://user:p%40ssw0rd%21@proxy.company.com:8080

Note: URL-encode special characters in usernames and passwords using percent-encoding (e.g., @ becomes %40, ! becomes %21).
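The priority order and the percent-encoding rule above can be checked before deployment with a small script. This is an added example, not Keeper Gateway code: it models only the documented order, assumes --proxy-host and --proxy-port are supplied together (the page does not say how partial parameters are merged), and the function names and sample values are constructed for illustration.

```python
from urllib.parse import quote, urlsplit

# Environment variables in the documented priority order, highest first.
ENV_ORDER = ("HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy")


def build_proxy_url(host, port, username=None, password=None, scheme="http"):
    """Assemble scheme://user:pass@host:port with percent-encoded credentials."""
    auth = ""
    if username is not None:
        auth = quote(username, safe="")
        if password is not None:
            auth += ":" + quote(password, safe="")
        auth += "@"
    return f"{scheme}://{auth}{host}:{port}"


def resolve_proxy(cli, env):
    """Return (source, url) for the highest-priority source that is set."""
    # Assumption: --proxy-host and --proxy-port are supplied together.
    if cli.get("proxy-host"):
        url = build_proxy_url(cli["proxy-host"], cli["proxy-port"],
                              cli.get("proxy-username"), cli.get("proxy-password"))
        return "individual parameters", url
    if cli.get("proxy-url"):
        return "--proxy-url", cli["proxy-url"]
    for name in ENV_ORDER:
        if env.get(name):
            return name, env[name]
    return None, None


def redact(url):
    """Mask the password so the URL can be written to logs or tickets."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.username}:***@{parts.hostname}{port}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    cli = {"proxy-host": "proxy.company.com", "proxy-port": 8080,
           "proxy-username": "user", "proxy-password": "p@ssw0rd!"}
    env = {"HTTPS_PROXY": "http://other-proxy.example:3128"}
    source, url = resolve_proxy(cli, env)
    print(source, redact(url))
```

Running it prints the winning source and the proxy URL with the password masked, which is the form to paste into tickets or change records.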

NO_PROXY Bypass List

The NO_PROXY setting allows you to exclude specific hosts from proxy routing. This is useful for:

  • Internal services on the same network

  • Local resources that don't require proxy access

  • Services that cannot work through a proxy

Bypass List Format

The bypass list is a comma-separated list of:

  • Exact hostnames: localhost, internal-server

  • IP addresses: 127.0.0.1, 192.168.1.100

  • Domain suffixes: .internal.com, .local (matches all subdomains)

Examples

Basic bypass list:

NO_PROXY=localhost,127.0.0.1

With domain suffixes:

NO_PROXY=localhost,127.0.0.1,.corp.internal,.local

Docker internal services:

NO_PROXY=localhost,127.0.0.1,db-mysql,server-ssh,server-rdp,server-vnc

Spaces are automatically trimmed. Both localhost, 127.0.0.1 and localhost,127.0.0.1 work identically.
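Every host matched by the bypass list leaves the Gateway without passing the proxy's egress controls, so it is worth checking what a given list actually exempts. The sketch below is an added example, not Keeper Gateway code: it models only the three documented entry types, and it assumes case-insensitive comparison and that a suffix entry does not match the bare domain itself (the page says only that suffixes match all subdomains). Hostnames in the sample are constructed.

```python
def parse_no_proxy(value):
    """Split the comma-separated list; surrounding spaces are trimmed."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def bypasses_proxy(host, no_proxy):
    """True if host matches an exact hostname/IP entry or a domain suffix."""
    host = host.strip().lower().rstrip(".")
    for entry in parse_no_proxy(no_proxy):
        if entry.startswith("."):
            # Domain suffix: ".corp.internal" matches subdomains only.
            # Assumption: the bare domain "corp.internal" is not matched.
            if host.endswith(entry):
                return True
        elif host == entry:
            # Exact hostname or IP address; no partial or prefix matching.
            return True
    return False


def audit(no_proxy, destinations):
    """Split destinations into those sent direct and those sent via the proxy."""
    direct = [d for d in destinations if bypasses_proxy(d, no_proxy)]
    proxied = [d for d in destinations if d not in direct]
    return direct, proxied


# Constructed sample input: a bypass list with stray spaces and a set of
# destinations, including look-alike names that must NOT bypass the proxy.
SAMPLE_NO_PROXY = "localhost, 127.0.0.1, db-mysql, .corp.internal"
SAMPLE_DESTINATIONS = [
    "db-mysql",               # exact hostname entry
    "api.corp.internal",      # subdomain of a suffix entry
    "127.0.0.1",              # exact IP entry
    "corp.internal",          # bare domain, not a subdomain
    "evilcorp.internal",      # shares trailing text but not the label boundary
    "db-mysql.example.com",   # exact entries do not match longer names
    "keepersecurity.com",     # public destination, must use the proxy
]

if __name__ == "__main__":
    direct, proxied = audit(SAMPLE_NO_PROXY, SAMPLE_DESTINATIONS)
    print("direct :", direct)
    print("proxied:", proxied)
```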

Verification and Testing

Step 1: Verify Configuration

After starting the Gateway with proxy configuration, check the logs for confirmation:

INFO - Applying proxy configuration: proxy.company.com:8080
INFO - Using proxy for WebSocket: proxy.company.com:8080

Step 2: Test Proxy Connectivity

Before starting the Gateway, verify proxy accessibility:

Linux/macOS:

curl -x http://proxy.company.com:8080 https://keepersecurity.com

Windows (PowerShell):

Invoke-WebRequest -Uri https://keepersecurity.com -Proxy http://proxy.company.com:8080

If the proxy requires authentication:

curl -x http://username:password@proxy.company.com:8080 https://keepersecurity.com
