proxy_configuration.md
---
title: Proxy Configuration
sidebar_position: 550
---

# Proxy Configuration

When deploying Agent Mesh in environments with restricted network access, you may need to configure proxy settings to enable communication with external services. This guide explains how to configure HTTPS proxy settings for Agent Mesh.

## Environment Variables for Proxy Configuration

Agent Mesh respects standard proxy environment variables that are commonly used across many applications:

| Environment Variable | Description | Format | Example |
|---------------------|-------------|--------|---------|
| `HTTPS_PROXY` | Specifies the proxy server for HTTPS requests | `protocol://[username:password@]host[:port]` | `http://proxy.example.com:8080` or `https://proxy.example.com:443` |
| `REQUESTS_CA_BUNDLE` | Path to a custom CA certificate file or bundle used by requests and a number of other libraries. Use alongside `SSL_CERT_FILE` to maximize compatibility. | `Path to certificate` | `/path/to/certificate.crt` |
| `SSL_CERT_FILE` | Path to a custom CA certificate file or bundle used by requests and a number of other libraries. Use alongside `REQUESTS_CA_BUNDLE` to maximize compatibility. | `Path to certificate` | `/path/to/certificate.crt` |
| `DISABLE_SSL_VERIFY` | When set to a true value, disables SSL certificate validation for outgoing LLM requests. | boolean | `true` |

These environment variables can be set at the system level or specifically for the Agent Mesh process.

## Proxy Configuration Details

TLS verification settings are resolved in the following order:

1. If `DISABLE_SSL_VERIFY` is true, TLS verification is disabled (applies globally).
2. Otherwise, if `REQUESTS_CA_BUNDLE` or `SSL_CERT_FILE` is set, the provided file is used as the trusted CA bundle for TLS validation.
3. Otherwise, the system's default trusted CA bundle is used.

Recommendation: set both `REQUESTS_CA_BUNDLE` and `SSL_CERT_FILE` to the same path to maximize compatibility, because different components and libraries may read one or the other.

## Setting Proxy Environment Variables

### Linux/macOS

For temporary settings (current terminal session only):

```bash
export HTTPS_PROXY="http://proxy.example.com:8080"
export REQUESTS_CA_BUNDLE="/path/to/certificate.pem"
export SSL_CERT_FILE="$REQUESTS_CA_BUNDLE"
```

For persistent settings, add these lines to your `~/.bashrc`, `~/.bash_profile`, or `~/.zshrc` file.

### Windows

For temporary settings (current command prompt session only):

```cmd
rem cmd.exe stores quotes as part of the value, so the paths are left unquoted
set HTTPS_PROXY=http://proxy.example.com:8080
set REQUESTS_CA_BUNDLE=C:\path\to\certificate.pem
set SSL_CERT_FILE=C:\path\to\certificate.pem
```

### Docker

When running Agent Mesh in Docker, you can set environment variables in your `docker run` command:

```bash
docker run --rm \
  -e HTTPS_PROXY="http://proxy.example.com:8080" \
  -e REQUESTS_CA_BUNDLE="/etc/ssl/certs/custom-ca.pem" \
  -e SSL_CERT_FILE="/etc/ssl/certs/custom-ca.pem" \
  -v "$HOME/.mitmproxy/mitmproxy-ca.pem:/etc/ssl/certs/custom-ca.pem:ro" \
  solace/agent-mesh:latest
```

Or in your Docker Compose file:

```yaml
services:
  agent-mesh:
    image: solace/agent-mesh:latest
    environment:
      - HTTPS_PROXY=http://proxy.example.com:8080
      - REQUESTS_CA_BUNDLE=/etc/ssl/certs/custom-ca.pem
      - SSL_CERT_FILE=/etc/ssl/certs/custom-ca.pem
    volumes:
      - ./certs/mitmproxy-ca.pem:/etc/ssl/certs/custom-ca.pem:ro
    # ....
```

### Kubernetes

For Kubernetes deployments, first create a ConfigMap that holds the CA certificate:

```shell
kubectl create configmap mitm-ca \
  --from-file=mitmproxy-ca.pem=./certs/mitmproxy-ca.pem \
  -n my-namespace
```

Then reference it in the deployment manifest:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: agent-mesh
  namespace: my-namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: agent-mesh
  template:
    metadata:
      labels:
        app: agent-mesh
    spec:
      containers:
        - name: agent-mesh
          image: solace/agent-mesh:latest
          env:
            - name: HTTPS_PROXY
              value: "http://my-proxy.example.com:8080"
            - name: REQUESTS_CA_BUNDLE
              value: "/etc/ssl/certs/mitmproxy-ca.pem"
            - name: SSL_CERT_FILE
              value: "/etc/ssl/certs/mitmproxy-ca.pem"
          volumeMounts:
            - name: mitm-ca
              mountPath: /etc/ssl/certs/mitmproxy-ca.pem
              subPath: mitmproxy-ca.pem
              readOnly: true
      volumes:
        - name: mitm-ca
          configMap:
            name: mitm-ca
            items:
              - key: mitmproxy-ca.pem
                path: mitmproxy-ca.pem
```

## Certificate Bundle Merging

In some environments, especially when using forward or corporate proxies, you may need to add your internal CA to the default certifi trust bundle used by Python.
This ensures both public and internal certificates are trusted without disabling SSL verification.

```bash
# Path to your custom CA certificate
CUSTOM_CA=/path/to/custom-ca.pem

# Locate the default certifi bundle
CERTIFI_BUNDLE=$(python -m certifi)

# Choose output path for the merged bundle
MERGED_BUNDLE=/tmp/combined-ca.pem

# Merge the two bundles
cat "$CERTIFI_BUNDLE" "$CUSTOM_CA" > "$MERGED_BUNDLE"

# Point Python SSL libraries to the merged file
export REQUESTS_CA_BUNDLE="$MERGED_BUNDLE"
export SSL_CERT_FILE="$MERGED_BUNDLE"

# (Optional) verify
python -c "import requests; print(requests.get('https://example.com').status_code)"
```

This augments the existing certifi CA bundle with your custom certificate while keeping the original file intact.
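
A stricter form of the merge step above, as an added example (not Agent Mesh code): it appends only `CERTIFICATE` blocks from the custom file, skips ones already in the bundle, and refuses a file that also carries a private key, which is the case for mitmproxy's combined `mitmproxy-ca.pem` (the certificate-only file is `mitmproxy-ca-cert.pem`). The function names and sample data are assumptions made for illustration, and the check covers PEM framing only, not X.509 validity.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, base64_body) for every PEM block found in text."""
    return [(label, "".join(body.split())) for label, body in PEM_BLOCK.findall(text)]


def merge_ca_bundle(base_pem, custom_pem):
    """Append certificates from custom_pem to base_pem; return (bundle, added).

    Raises ValueError if custom_pem carries anything but certificates, such
    as the private key stored next to the certificate in a combined PEM file.
    """
    custom = pem_blocks(custom_pem)
    extra = sorted({label for label, _ in custom if label != "CERTIFICATE"})
    if extra:
        raise ValueError("refusing non-certificate PEM blocks: " + ", ".join(extra))
    if not custom:
        raise ValueError("no PEM certificate found in custom CA file")
    seen = {hashlib.sha256(base64.b64decode(body)).digest()
            for label, body in pem_blocks(base_pem) if label == "CERTIFICATE"}
    merged, added = base_pem.rstrip("\n") + "\n", 0
    for _, body in custom:
        der = base64.b64decode(body, validate=True)
        digest = hashlib.sha256(der).digest()
        if digest not in seen:  # skip CAs already trusted, so reruns are idempotent
            seen.add(digest)
            merged += ssl.DER_cert_to_PEM_cert(der)
            added += 1
    return merged, added


# Constructed sample data: placeholder bytes in PEM framing, not real certificates.
SAMPLE_PUBLIC = ssl.DER_cert_to_PEM_cert(b"0\x82constructed public root")
SAMPLE_INTERNAL = ssl.DER_cert_to_PEM_cert(b"0\x82constructed internal CA")
SAMPLE_WITH_KEY = ("-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQ=\n"
                   "-----END PRIVATE KEY-----\n" + SAMPLE_INTERNAL)

if __name__ == "__main__":
    bundle, added = merge_ca_bundle(SAMPLE_PUBLIC, SAMPLE_INTERNAL)
    print(added, len(pem_blocks(bundle)))
```

In practice, pass it the contents of the file printed by `python -m certifi` and of your CA file, and write the result to a directory that only the service user can modify, since the merged bundle is a trust anchor.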