Skip to content

Network Proxy Configuration

Katalogue has two distinct proxy-related configuration areas that are easy to confuse because they solve opposite problems:

Reverse proxyEgress proxy
DirectionInbound — traffic coming in to KatalogueOutbound — traffic going out from Katalogue
What it isA load balancer or reverse proxy in front of Katalogue (e.g. nginx, Traefik)A corporate HTTP proxy that all outbound internet traffic must pass through
What breaks without itClient IPs appear as the proxy IP; req.secure is wrong; rate limiting and cookie security behave incorrectlyCalls to Microsoft Graph, Azure token endpoints, OIDC discovery, and remote file fetches fail
Config parameter(s)TRUST_PROXYHTTPS_PROXY, HTTP_PROXY, NO_PROXY

When Katalogue is hosted behind a reverse proxy or load balancer, the proxy forwards requests on behalf of clients and attaches the original client IP in an X-Forwarded-For header. Set TRUST_PROXY to tell Katalogue to trust these forwarded headers.

{
"config": {
"TRUST_PROXY": "10.0.0.1"
}
}

See TRUST_PROXY in the Config Parameter Reference for accepted values.

The api service exposes its endpoints under a few distinct path families. A reverse proxy in front of Katalogue must forward each of them to the api backend. The paths are configurable, so route them by the config value (defaults shown in parentheses):

Path prefixConfig parameterDefaultPurpose
<API_ENDPOINT_PATH>/*API_ENDPOINT_PATH/api/*REST API and GUI resource endpoints
<REST_API_OIDC_PATH>/*REST_API_OIDC_PATH/oidc/*OIDC provider (token, JWKS, discovery)
<REST_API_DOCS_PATH>/*REST_API_DOCS_PATH/docs/*Interactive API documentation (Redoc + OpenAPI spec)
/health/healthHealth check (fixed, not configurable)

All four forward to the same api service origin. With the default configuration, that is four routing rules: /api/*, /oidc/*, /docs/*, and /health.


In corporate environments, outbound internet traffic is often required to pass through a central HTTP proxy. Katalogue makes several outbound HTTPS calls that need to be routed through this proxy:

  • Microsoft Graph API (user and group synchronisation, email via Graph)
  • Azure Active Directory token and JWKS endpoints (OIDC authentication)
  • Azure Key Vault (connection password retrieval)
  • Remote file fetches (e.g. dbt manifest URLs)

Set HTTPS_PROXY (and optionally HTTP_PROXY) to the URL of your corporate proxy server.

{
"config": {
"proxy": {
"HTTPS_PROXY": "http://proxy.corp.example.com:8080",
"HTTP_PROXY": "http://proxy.corp.example.com:8080",
"NO_PROXY": "internal.corp.example.com,10.0.0.0/8"
}
}
}
  • SMTP email — SMTP connections are TCP-level and are not affected by HTTPS_PROXY. If your SMTP server requires proxy access, configure network routing at the infrastructure level.
  • Database connections — PostgreSQL connections bypass the proxy regardless of these settings.