Skip to content

Add proxy configuration instructions for Operator and Helm #37798

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
beommoyang wants to merge 10 commits into
base: master
Choose a base branch
from
Open

Add proxy configuration instructions for Operator and Helm #37798

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
dcd0e7f
Add Squid proxy configuration for Datadog Agent
beommoyang Jun 26, 2026
ef9c8a2
Apply suggestion from @github-actions[bot]
beommoyang Jun 26, 2026
4becc78
Update proxy configuration to include env section
beommoyang Jun 26, 2026
7d2daa6
Revise Squid proxy configuration instructions
beommoyang Jun 26, 2026
2956d0a
Update content/en/agent/configuration/proxy_squid.md
beommoyang Jun 26, 2026
9a95254
Update content/en/agent/configuration/proxy_squid.md
beommoyang Jun 26, 2026
71d9f05
Update content/en/agent/configuration/proxy_squid.md
beommoyang Jun 26, 2026
35e222b
Merge branch 'master' into beommo.yang/add-proxy-operator-helm
beommoyang Jun 26, 2026
b20506c
Refine wording in proxy_squid.md for clarity
beommoyang Jun 26, 2026
25edc4c
Merge branch 'master' into beommo.yang/add-proxy-operator-helm
beommoyang Jun 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 57 additions & 1 deletion content/en/agent/configuration/proxy_squid.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,9 @@ Install Squid on a host that has connectivity to both your internal Agents and D

To configure Squid, edit the configuration file. This file is usually located at `/etc/squid/squid.conf` on Linux or `C:\squid\etc\squid.conf` in Windows. For other operating systems, see [Agent configuration directory][6].

Edit your `squid.conf` configuration file so that Squid is able to accept local traffic and forward it to the necessary Datadog intakes:
Edit your `squid.conf` configuration file so that Squid is able to accept local traffic and forward it to the necessary Datadog intakes.

The simplest approach uses a wildcard to allow all subdomains of your Datadog site:

```conf
http_port 0.0.0.0:3128
Expand All @@ -34,6 +36,26 @@ http_access allow Datadog
http_access allow local manager
```

Alternatively, if you require more granular control, you can explicitly list each Datadog endpoint instead of using a wildcard. For the full list of domains and IP ranges the Agent needs to reach, see [Network Traffic][7]. For example:

@github-actions github-actions Bot Jun 26, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue: The list agent, process, logs, api is a non-exhaustive sample (the Network Traffic page lists many more intake subdomains: trace., dbm-metrics-intake., instrumentation-telemetry-intake., orchestrator., ndm-intake., and so on). Without that caveat, a reader who copies this block to gain "more granular control" will silently lose telemetry from any product whose intake isn't in the four lines below. Consider explicitly noting this is a minimal example and that the user must add the subdomains for every Datadog product they use, per the Network Traffic link.


{{< warning >}}
The example below only includes a subset of Datadog endpoints. Make sure to include all domains required by the Datadog features you use. See [Network Traffic][7] for the complete list.
{{< /warning >}}
Comment on lines +41 to +43

@brett0000FF brett0000FF Jun 26, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no warning shortcode, so we should use the alert classes. Also, in case you are curious, our styling is backwards, so danger will render as a yellow callout.

Suggested change
{{< warning >}}
The example below only includes a subset of Datadog endpoints. Make sure to include all domains required by the Datadog features you use. See [Network Traffic][7] for the complete list.
{{< /warning >}}
<div class="alert alert-danger">
The example below only includes a subset of Datadog endpoints. Make sure to include all domains required by the Datadog features you use. See [Network Traffic][7] for the complete list.
</div>


```conf
http_port 0.0.0.0:3128

acl local src 127.0.0.1/32

acl Datadog dstdomain agent.{{< region-param key="dd_site" >}}
acl Datadog dstdomain process.{{< region-param key="dd_site" >}}
acl Datadog dstdomain logs.{{< region-param key="dd_site" >}}
acl Datadog dstdomain api.{{< region-param key="dd_site" >}}

@github-actions github-actions Bot Jun 26, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: Squid does merge multiple acl directives that share a name, but listing every domain on its own line obscures that intent and is unusual in published Squid examples. Combining them into a single acl definition is clearer and matches the wildcard example above (which uses one line):

Suggested change
acl Datadog dstdomain api.{{< region-param key="dd_site" >}}
acl Datadog dstdomain agent.{{< region-param key="dd_site" >}} process.{{< region-param key="dd_site" >}} logs.{{< region-param key="dd_site" >}} api.{{< region-param key="dd_site" >}}

@github-actions github-actions Bot Jun 26, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: This example only covers four endpoints, but the Agent reaches many more (process, trace, profiling, DBM, telemetry, NDM, and others depending on enabled products). The intro text already points to [Network Traffic][7] for the full list, but consider making it explicit that this snippet is a pattern to extend — not a complete allowlist — so copy-paste users don't end up with a broken proxy after enabling additional products.


http_access allow Datadog
http_access allow local manager
```

### Start Squid

Start (or restart) Squid so that your new configurations can be applied.
Expand Down Expand Up @@ -72,6 +94,9 @@ net start squid

### Configure the Datadog Agent

{{< tabs >}}
{{% tab "Host" %}}

Modify the Agent's configuration file (`datadog.yaml`) to include the following:

```yaml
Expand All @@ -82,6 +107,36 @@ proxy:

After saving these changes, [restart the Agent][1].

@github-actions github-actions Bot Jun 26, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggestion: Only the Host tab tells users to restart the Agent for changes to take effect. For parity, consider adding a one-liner to the Operator and Helm tabs noting how the change is applied (Operator reconciles automatically once the CR is updated; Helm requires helm upgrade to roll out the new pods).


{{% /tab %}}
{{% tab "Operator" %}}
Comment thread
beommoyang marked this conversation as resolved.

Modify the DatadogAgent CR to include the following:

```yaml
spec:
global:
proxy:
http: http://squid-proxy.proxy-namespace.svc.cluster.local:3128
https: http://squid-proxy.proxy-namespace.svc.cluster.local:3128
```
Comment thread
beommoyang marked this conversation as resolved.

{{% /tab %}}
{{% tab "Helm" %}}

Modify your `values.yaml` to include the following:

```yaml
datadog:
env:
- name: DD_PROXY_HTTP
value: http://squid-proxy.proxy-namespace.svc.cluster.local:3128
- name: DD_PROXY_HTTPS
value: http://squid-proxy.proxy-namespace.svc.cluster.local:3128
```
Comment thread
beommoyang marked this conversation as resolved.

{{% /tab %}}
{{< /tabs >}}

Verify that Datadog is able to receive the data from your Agent(s) by checking your [Infrastructure Overview][3].

## Further Reading
Expand All @@ -94,3 +149,4 @@ Verify that Datadog is able to receive the data from your Agent(s) by checking y
[4]: https://wiki.squid-cache.org/KnowledgeBase/Windows
[5]: /agent/configuration/proxy/
[6]: /agent/configuration/agent-configuration-files#agent-configuration-directory
[7]: /agent/configuration/network/#overview
Loading