Configure an external proxy

PreviousEnable the CARTO Data Warehouse NextEnable BigQuery OAuth connections

Last updated 3 months ago

Was this helpful?

Configure an external proxy

This documentation is for the CARTO Self-Hosted Legacy Version. Use only if you've installed this specific version. Explore our latest documentation for updated features.

CARTO Self-hosted supports operating behind an HTTP or HTTPS proxy. The proxy acts as a gateway, enabling CARTO Self-hosted components to establish connections with essential external services like CARTO licensing system, or auth.carto.com. You can find detailed information about these components and services in the section.

CARTO Self-hosted does not provide or install any proxy component; It's built to connect to an existing proxy software deployed on your side.

HTTP

In order to configure an external HTTP proxy on your CARTO Self-hosted installation, you'll have to:

Set the following environment variables (both in uppercase and lowercase) in your .env file:

HTTP_PROXY="http://my-proxy:3128"
http_proxy="http://my-proxy:3128"
HTTPS_PROXY="http://my-proxy:3128"
https_proxy="http://my-proxy:3128"
GRPC_PROXY="http://my-proxy:3128"
grpc_proxy="http://my-proxy:3128"
NO_PROXY="localhost,mega.io,dropbox.com,filestack.com"
no_proxy="localhost,mega.io,dropbox.com,filestack.com"

HTTP_PROXY (mandatory): Proxy connection string, consisting of http://<hostname>:<port>.
HTTPS_PROXY (mandatory): Same as HTTP_PROXY.
GRPC_PROXY (mandatory): Same as HTTP_PROXY.
NO_PROXY (optional): Comma-separated list of domains to exclude from proxying.

HTTPS

To configure an HTTPS proxy on CARTO Self-hosted, you'll have to change the following configuration:

Set the following environment variables (both in uppercase and lowercase) in your .env file:

HTTP_PROXY="https://my-proxy:3129"
http_proxy="https://my-proxy:3129"
HTTPS_PROXY="https://my-proxy:3129"
https_proxy="https://my-proxy:3129"
NO_PROXY="mega.io,dropbox.com,filestack.com"
no_proxy="mega.io,dropbox.com,filestack.com"
NODE_EXTRA_CA_CERTS=/opt/carto/certs/proxy-ca.crt
NODE_TLS_REJECT_UNAUTHORIZED=0

HTTP_PROXY (mandatory): Proxy connection string, consisting of https://<hostname>:<port>.
HTTPS_PROXY (mandatory): Same as HTTP_PROXY.
NO_PROXY (optional): Comma-separated list of domains to exclude from proxying.
NODE_TLS_REJECT_UNAUTHORIZED (optional): Specify if CARTO Self-hosted should check if the proxy certificate is valid (1) or not (0). For instance, self signed certificates validation must be skipped.

Support for data warehouses

While certain data warehouses can be configured to work with a proxy, there are some providers that will inherently bypass it. This means that the connection to these data warehouses won't be created through the proxy, so CARTO Self-hosted services will try to directly perform requests to the providers.

BigQuery: It supports both HTTP and HTTPs proxy.
PostgreSQL and Redshift: They use a TCP connection instead of HTTP(S), so the proxy is bypassed.
Databricks: Proxy is not supported, so the HTTPS connection will be bypassed.
Snowflake: It supports HTTP proxy, but HTTPS is not supported and will have to be bypassed. In order to bypass it, you'll have to add snowflakecomputing.com to the list of excluded domains.

When the proxy is bypassed, and you have a restrictive network policy in place, you will need to explicitly allow this egress of non-proxied traffic.

Limitations

Password authentication is not supported for the proxy connection.

PreviousEnable the CARTO Data Warehouse NextEnable BigQuery OAuth connections

Last updated 3 months ago

Was this helpful?

This documentation is for the CARTO Self-Hosted Legacy Version. Use only if you've installed this specific version. Explore our latest documentation for updated features.

CARTO Self-hosted does not provide or install any proxy component; It's built to connect to an existing proxy software deployed on your side.

A comprehensive list of domains that must be whitelisted by the proxy for the proper operation of CARTO Self-hosted can be found . Such list includes domains for the core services of CARTO Self-hosted, as well as some optional domains that should be enabled to access specific features.

HTTP

In order to configure an external HTTP proxy on your CARTO Self-hosted installation, you'll have to:

Set the following environment variables (both in uppercase and lowercase) in your .env file:

HTTP_PROXY="http://my-proxy:3128"
http_proxy="http://my-proxy:3128"
HTTPS_PROXY="http://my-proxy:3128"
https_proxy="http://my-proxy:3128"
GRPC_PROXY="http://my-proxy:3128"
grpc_proxy="http://my-proxy:3128"
NO_PROXY="localhost,mega.io,dropbox.com,filestack.com"
no_proxy="localhost,mega.io,dropbox.com,filestack.com"

HTTP_PROXY (mandatory): Proxy connection string, consisting of http://<hostname>:<port>.
HTTPS_PROXY (mandatory): Same as HTTP_PROXY.
GRPC_PROXY (mandatory): Same as HTTP_PROXY.
NO_PROXY (optional): Comma-separated list of domains to exclude from proxying.

HTTPS

To configure an HTTPS proxy on CARTO Self-hosted, you'll have to change the following configuration:

Set the following environment variables (both in uppercase and lowercase) in your .env file:

HTTP_PROXY="https://my-proxy:3129"
http_proxy="https://my-proxy:3129"
HTTPS_PROXY="https://my-proxy:3129"
https_proxy="https://my-proxy:3129"
NO_PROXY="mega.io,dropbox.com,filestack.com"
no_proxy="mega.io,dropbox.com,filestack.com"
NODE_EXTRA_CA_CERTS=/opt/carto/certs/proxy-ca.crt
NODE_TLS_REJECT_UNAUTHORIZED=0

HTTP_PROXY (mandatory): Proxy connection string, consisting of https://<hostname>:<port>.
HTTPS_PROXY (mandatory): Same as HTTP_PROXY.
NO_PROXY (optional): Comma-separated list of domains to exclude from proxying.
NODE_EXTRA_CA_CERTS (optional): Path to the proxy CA certificate. If the proxy certificate is signed by a custom CA, such CA must be included here. If the proxy certificate is signed by a well known CA, there is no need to add it here. Well known CAs are usually part of the
NODE_TLS_REJECT_UNAUTHORIZED (optional): Specify if CARTO Self-hosted should check if the proxy certificate is valid (1) or not (0). For instance, self signed certificates validation must be skipped.

Support for data warehouses

BigQuery: It supports both HTTP and HTTPs proxy.
PostgreSQL and Redshift: They use a TCP connection instead of HTTP(S), so the proxy is bypassed.
Databricks: Proxy is not supported, so the HTTPS connection will be bypassed.
Snowflake: It supports HTTP proxy, but HTTPS is not supported and will have to be bypassed. In order to bypass it, you'll have to add snowflakecomputing.com to the list of excluded domains.

When the proxy is bypassed, and you have a restrictive network policy in place, you will need to explicitly allow this egress of non-proxied traffic.

Limitations

Password authentication is not supported for the proxy connection.

using an HTTPS Proxy configured with a certificate signed by a Custom CA is not supported.