Some environments restrict access to the Internet by requiring traffic to pass through an HTTP or HTTPS proxy. Operations Manager operators can use the Cloud Foundry Command Line Interface (cf CLI) to provide the proxy settings to all apps, including system apps and service brokers.
Configuring proxy settings incorrectly can prevent apps from connecting to the Internet or accessing required resources. Incorrect settings can also cause errands to fail and can break system apps and service brokers. Although errands, system apps, and service brokers do not need to connect to the Internet, they often need to access other resources in Operations Manager. Incorrect proxy settings can break these connections.
Set environment variables
To globally configure proxy settings for Operations Manager apps, you must set three environment variables for both the staging environment variable group and the running environment variable group.
For more information about variable groups, see Environment Variable Groups in TAS for VMs Environment Variables.
This procedure explains how to set proxy information for both staging and running apps. However, you can also set proxy settings for only staging or only running apps.
To globally configure proxy settings for Operations Manager apps:
- Target your Cloud Controller with the cf CLI. If you have not installed the cf CLI, see Installing the cf CLI. Run:
  cf api api.SYSTEM-DOMAIN
  Where SYSTEM-DOMAIN is your system domain.
- Log in with your UAA administrator credentials.
  - To retrieve these credentials:
    - Navigate to the Tanzu Operations Manager Installation Dashboard.
    - Click the VMware Tanzu Application Service for VMs (TAS for VMs) tile.
    - Select the Credentials tab.
    - Under UAA, next to Admin Credentials, click Link to Credential.
    - Record the password.
  - Run:
    cf login
- To configure proxy access for apps that are staging, run:
  cf set-staging-environment-variable-group '{"http_proxy": "http://PROXY:8080/", "https_proxy": "http://PROXY:8080/", "no_proxy": "DNS-SUFFIX-OR-IP-ADDRESS,DNS-SUFFIX-OR-IP-ADDRESS"}'
  Where:
  - http_proxy is the proxy to use for HTTP requests.
  - https_proxy is the proxy to use for HTTPS requests. In most cases, this is the same as http_proxy.
  - PROXY is your proxy.
  - no_proxy is a comma-separated list of DNS suffixes or IP addresses that can be accessed without passing through the proxy. VMware recommends this value contains the domain .cf.internal, which is used by the platform to communicate with CredHub.
  - DNS-SUFFIX-OR-IP-ADDRESS is a DNS suffix or IP address that can be accessed without passing through the proxy.
  From now on, the proxy settings are applied to apps during staging.
- To configure proxy access for apps that are running:
  - For non-Java-based apps, run:
    cf set-running-environment-variable-group '{"http_proxy": "http://PROXY:8080/", "https_proxy": "http://PROXY:8080/", "no_proxy": "DNS-SUFFIX-OR-IP-ADDRESS,DNS-SUFFIX-OR-IP-ADDRESS"}'
    Where:
    - http_proxy is the proxy to use for HTTP requests.
    - https_proxy is the proxy to use for HTTPS requests. In most cases, this is the same as http_proxy.
    - PROXY is your proxy.
    - no_proxy is a comma-separated list of DNS suffixes or IP addresses that can be accessed without passing through the proxy. VMware recommends this value contains the domain .cf.internal, which is used by the platform to communicate with CredHub.
    - DNS-SUFFIX-OR-IP-ADDRESS is a DNS suffix or IP address that can be accessed without passing through the proxy.
  - For Java-based apps, run:
    cf set-running-environment-variable-group '{"JAVA_OPTS": "-Dhttp.proxyHost=PROXY -Dhttp.proxyPort=8080 -Dhttp.nonProxyHosts=DNS-SUFFIX-OR-IP-ADDRESS|DNS-SUFFIX-OR-IP-ADDRESS"}'
    Where:
    - -Dhttp.proxyHost is the proxy to use for HTTP requests.
    - PROXY is your proxy.
    - -Dhttp.proxyPort is the port your proxy uses.
    - -Dhttp.nonProxyHosts is a pipe-separated list of DNS suffixes or IP addresses that can be accessed without passing through the proxy. VMware recommends this value contains the domain .cf.internal, which is used by the platform to communicate with CredHub.
    - DNS-SUFFIX-OR-IP-ADDRESS is a DNS suffix or IP address that can be accessed without passing through the proxy.
    For more information about these Java proxy settings, see Java Networking and Proxies in the Oracle documentation.
- To apply the proxy configuration for the running environment variable group, restart each app that you want to use the new configuration.
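The following is an added example, not part of the original procedure or of VMware's tooling. It builds both payloads from a single bypass list, so the comma-separated no_proxy value and the pipe-separated http.nonProxyHosts value stay identical, and it rejects a list that omits .cf.internal. The function names and the example.com hosts are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helpers that build the variable-group payloads
# shown above from one bypass list. Proxy host and port are not validated.

# check_bypass_list LIST: reject empty entries and unexpected characters,
# and require the .cf.internal entry recommended above.
check_bypass_list() (
    case "$1" in
        ''|,*|*,|*,,*) echo "empty entry in bypass list" >&2; exit 1 ;;
        *[!A-Za-z0-9.,:*_-]*) echo "unexpected character in bypass list" >&2; exit 1 ;;
    esac
    case ",$1," in
        *,.cf.internal,*) exit 0 ;;
        *) echo ".cf.internal missing from bypass list" >&2; exit 1 ;;
    esac
)

# proxy_group_json HOST PORT LIST: JSON for the staging or running group.
proxy_group_json() {
    check_bypass_list "$3" || return 1
    printf '{"http_proxy": "http://%s:%s/", "https_proxy": "http://%s:%s/", "no_proxy": "%s"}\n' \
        "$1" "$2" "$1" "$2" "$3"
}

# java_group_json HOST PORT LIST: JAVA_OPTS JSON with the list pipe-separated.
java_group_json() {
    check_bypass_list "$3" || return 1
    printf '{"JAVA_OPTS": "-Dhttp.proxyHost=%s -Dhttp.proxyPort=%s -Dhttp.nonProxyHosts=%s"}\n' \
        "$1" "$2" "$(printf '%s' "$3" | tr ',' '|')"
}

# Constructed sample values. The cf commands are printed for review, not run.
bypass='.cf.internal,sys.example.com,apps.example.com'
json=$(proxy_group_json proxy.example.com 8080 "$bypass") &&
    printf "cf set-staging-environment-variable-group '%s'\ncf set-running-environment-variable-group '%s'\n" \
        "$json" "$json"
```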
Troubleshooting
This section describes solutions to try if an app fails after you apply the global proxy settings.
Exclude an app from global proxy settings
If your app fails, try instructing the app to ignore the global proxy settings.
To manually unset the proxy environment variables for the failing app:
- Set the proxy environment variables for http_proxy to an empty value by running:
  cf set-env APP-NAME http_proxy ''
  Where APP-NAME is the name of your app.
- Set the proxy environment variables for https_proxy to an empty value by running:
  cf set-env APP-NAME https_proxy ''
  Where APP-NAME is the name of your app.
- Set the proxy environment variables for no_proxy to an empty value by running:
  cf set-env APP-NAME no_proxy ''
  Where APP-NAME is the name of your app.
Change case of HTTP environment variables
Your app and language runtime might be case-sensitive. Try following the steps in Set environment variables with uppercase HTTP_PROXY, HTTPS_PROXY, and NO_PROXY instead of lowercase, as in the following example:
cf set-staging-environment-variable-group '{"HTTP_PROXY": "http://PROXY:8080/", "HTTPS_PROXY": "http://PROXY:8080/", "NO_PROXY": "DNS-SUFFIX-OR-IP-ADDRESS,DNS-SUFFIX-OR-IP-ADDRESS"}'
Where:
- PROXY is your proxy.
- DNS-SUFFIX-OR-IP-ADDRESS is a DNS suffix or IP address that can be accessed without passing through the proxy.
Check proxy settings
If you have set up your proxy so that it can only send traffic to the Internet, a request to an internal resource like Operations Manager fails. You must set no_proxy so that traffic destined for Operations Manager and other internal resources is sent directly and does not go through the proxy. For instance, setting no_proxy to include your system and app domains ensures that requests destined for those domains are sent directly.
Verify interpretation
The interpretation of no_proxy depends on the app and the language runtime. Most support no_proxy, but the specific implementation may vary. For example, some match DNS names that end with the value set in no_proxy: example.com would match test.example.com. Others support the use of the asterisk as a wildcard to provide basic pattern matching in DNS names: *.example.com would match test.example.com. Most apps and language runtimes do not support pattern matching and wildcards for IP addresses.
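The following is an added example, not code from the original page or from any particular runtime. It models the two behaviours described above as simplified matchers and reports the hosts that one model sends directly and the other sends through the proxy. The function names, the sample list, and the sample hosts are assumptions, and real runtimes differ in detail.

```shell
#!/bin/sh
# Added example: two simplified no_proxy matchers (hypothetical helpers).

# bypass_suffix LIST HOST: true if HOST ends with any entry; entries are literal.
bypass_suffix() (
    set -f; IFS=,
    for entry in $1; do
        [ -n "$entry" ] || continue
        case "$2" in *"$entry") exit 0 ;; esac
    done
    exit 1
)

# bypass_wildcard LIST HOST: true if HOST equals an entry, where * is a wildcard.
bypass_wildcard() (
    set -f; IFS=,
    for entry in $1; do
        [ -n "$entry" ] || continue
        case "$2" in $entry) exit 0 ;; esac
    done
    exit 1
)

# disagreements LIST HOST...: print each host the two models route differently.
disagreements() {
    list=$1; shift
    for host in "$@"; do
        s=proxy; w=proxy
        bypass_suffix "$list" "$host" && s=direct
        bypass_wildcard "$list" "$host" && w=direct
        [ "$s" = "$w" ] || printf '%s suffix=%s wildcard=%s\n' "$host" "$s" "$w"
    done
    return 0
}

# Constructed sample list and hosts. A plain ends-with match on the entry
# 10.0.0.5 also matches 110.0.0.5, so that address shows up as a difference.
disagreements '.cf.internal,*.apps.example.com,10.0.0.5' \
    credhub.service.cf.internal api.apps.example.com 10.0.0.5 110.0.0.5
```

In this model, listing both .apps.example.com and *.apps.example.com makes the two matchers agree for hosts under that domain.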