58 changes: 57 additions & 1 deletion content/en/agent/configuration/proxy_squid.md
Expand Up @@ -21,7 +21,9 @@ Install Squid on a host that has connectivity to both your internal Agents and D

To configure Squid, edit the configuration file. This file is usually located at `/etc/squid/squid.conf` on Linux or `C:\squid\etc\squid.conf` in Windows. For other operating systems, see [Agent configuration directory][6].

Edit your `squid.conf` configuration file so that Squid is able to accept local traffic and forward it to the necessary Datadog intakes:
Edit your `squid.conf` configuration file so that Squid is able to accept local traffic and forward it to the necessary Datadog intakes.

The simplest approach uses a wildcard to allow all subdomains of your Datadog site:

```conf
http_port 0.0.0.0:3128
Expand All @@ -34,6 +36,26 @@ http_access allow Datadog
http_access allow local manager
```

Alternatively, if you require more granular control, you can explicitly list each Datadog endpoint instead of using a wildcard. For the full list of domains and IP ranges the Agent needs to reach, see [Network Traffic][7]. For example:

Contributor

Issue: The list agent, process, logs, api is a non-exhaustive sample (the Network Traffic page lists many more intake subdomains: trace., dbm-metrics-intake., instrumentation-telemetry-intake., orchestrator., ndm-intake., and so on). Without that caveat, a reader who copies this block to gain "more granular control" will silently lose telemetry from any product whose intake isn't in the four lines below. Consider explicitly noting this is a minimal example and that the user must add the subdomains for every Datadog product they use, per the Network Traffic link.


{{< warning >}}
The example below only includes a subset of Datadog endpoints. Make sure to include all domains required by the Datadog features you use. See [Network Traffic][7] for the complete list.
{{< /warning >}}
Comment on lines +41 to +43

Contributor

There is no warning shortcode, so we should use the alert classes. Also, in case you are curious, our styling is backwards, so danger will render as a yellow callout.

Suggested change
{{< warning >}}
The example below only includes a subset of Datadog endpoints. Make sure to include all domains required by the Datadog features you use. See [Network Traffic][7] for the complete list.
{{< /warning >}}
<div class="alert alert-danger">
The example below only includes a subset of Datadog endpoints. Make sure to include all domains required by the Datadog features you use. See [Network Traffic][7] for the complete list.
</div>


```conf
http_port 0.0.0.0:3128

acl local src 127.0.0.1/32

acl Datadog dstdomain agent.{{< region-param key="dd_site" >}}
acl Datadog dstdomain process.{{< region-param key="dd_site" >}}
acl Datadog dstdomain logs.{{< region-param key="dd_site" >}}
acl Datadog dstdomain api.{{< region-param key="dd_site" >}}

Contributor

Suggestion: Squid does merge multiple acl directives that share a name, but listing every domain on its own line obscures that intent and is unusual in published Squid examples. Combining them into a single acl definition is clearer and matches the wildcard example above (which uses one line):

Suggested change
acl Datadog dstdomain api.{{< region-param key="dd_site" >}}
acl Datadog dstdomain agent.{{< region-param key="dd_site" >}} process.{{< region-param key="dd_site" >}} logs.{{< region-param key="dd_site" >}} api.{{< region-param key="dd_site" >}}

Contributor

Suggestion: This example only covers four endpoints, but the Agent reaches many more (process, trace, profiling, DBM, telemetry, NDM, and others depending on enabled products). The intro text already points to [Network Traffic][7] for the full list, but consider making it explicit that this snippet is a pattern to extend — not a complete allowlist — so copy-paste users don't end up with a broken proxy after enabling additional products.


http_access allow Datadog
http_access allow local manager
```

### Start Squid

Start (or restart) Squid so that your new configurations can be applied.
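
Review bot: In the granular example, the four `acl Datadog dstdomain` entries (`agent.`, `process.`, `logs.` and `api.` followed by the site) have no leading dot, so Squid matches each one as an exact hostname only; a leading dot is what makes `dstdomain` cover subdomains. Any Agent request to a host beneath one of these names would match neither `http_access allow` rule and be denied. Please check the hostnames against the Network Traffic page linked as [7] and either list the exact hosts or write the entries in the form `.agent.{{< region-param key="dd_site" >}}`. Since `http_port 0.0.0.0:3128` listens on every interface and `http_access allow Datadog` matches on destination alone, it would also help to end the block with an explicit `http_access deny all` so the intended default is visible to readers who copy it.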
Expand Down Expand Up @@ -72,6 +94,9 @@ net start squid

### Configure the Datadog Agent

{{< tabs >}}
{{% tab "Host" %}}

Modify the Agent's configuration file (`datadog.yaml`) to include the following:

```yaml
Expand All @@ -82,6 +107,36 @@ proxy:

After saving these changes, [restart the Agent][1].

Contributor

Suggestion: Only the Host tab tells users to restart the Agent for changes to take effect. For parity, consider adding a one-liner to the Operator and Helm tabs noting how the change is applied (Operator reconciles automatically once the CR is updated; Helm requires helm upgrade to roll out the new pods).


{{% /tab %}}
{{% tab "Operator" %}}

Modify the DatadogAgent CR to include the following:

```yaml
spec:
global:
proxy:
http: http://squid-proxy.proxy-namespace.svc.cluster.local:3128
https: http://squid-proxy.proxy-namespace.svc.cluster.local:3128
```

{{% /tab %}}
{{% tab "Helm" %}}

Modify your `values.yaml` to include the following:

```yaml
datadog:
env:
- name: DD_PROXY_HTTP
value: http://squid-proxy.proxy-namespace.svc.cluster.local:3128
- name: DD_PROXY_HTTPS
value: http://squid-proxy.proxy-namespace.svc.cluster.local:3128
```

{{% /tab %}}
{{< /tabs >}}

Verify that Datadog is able to receive the data from your Agent(s) by checking your [Infrastructure Overview][3].

## Further Reading
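
Review bot: In the Operator and Helm tabs, `squid-proxy.proxy-namespace.svc.cluster.local:3128` is given as a literal value with no sentence saying it is a placeholder. Suggest adding a line under each snippet telling the reader to substitute the Service name and namespace of their own Squid deployment. It would also be worth stating that the `https` / `DD_PROXY_HTTPS` value intentionally keeps the `http://` scheme, because it names the proxy listener on port 3128 rather than the destination, so readers do not "correct" it to `https://`.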
Expand All @@ -94,3 +149,4 @@ Verify that Datadog is able to receive the data from your Agent(s) by checking y
[4]: https://wiki.squid-cache.org/KnowledgeBase/Windows
[5]: /agent/configuration/proxy/
[6]: /agent/configuration/agent-configuration-files#agent-configuration-directory
[7]: /agent/configuration/network/#overview