Skip to main content

Configure Rundeck behind an Egress Proxy

Configure Rundeck behind an Egress Proxy


Though these instructions reference Rundeck, they can also be applied to environments running the Enterprise versions of the product, PagerDuty Runbook Automationopen in new window or Process Automationopen in new window.


In most organizations, all network infrastructure (including servers) stays isolated from the Internet by default for security reasons.

In this specific scenario, the only way for Rundeck to reach the Internet is by using a proxy server. While in most situations Rundeck does not need internet access to operate, there are cases where job steps need to be able to reach out to SaaS tools such as AWS, ServiceNow, or Jira.

This guide demonstrates how to add the correct parameters to reach a proxy server.

Set proxy server parameters

Linux based Rundeck instance

If your Rundeck instance needs a proxy server to access the internet add the following line in the rundeckd file, located at/etc/sysconfig/rundeckdin RedHat/CentOS/Rocky based Linux distributions or /etc/default/rundeckd on Debian/Ubuntu based Linux distributions. If the file isn't present, you can create it.

RDECK_JVM_OPTS="-Dhttp.proxySet=true -Dhttp.proxyHost=proxy_server_hostname -Dhttp.proxyPort=8888 -Dhttps.proxySet=true -Dhttps.proxyHost=proxy_server_hostname -Dhttps.proxyPort=8888 -Dhttp.nonProxyHosts=any_direct_host"

Windows based Rundeck instance

On Windows based instances, the process is quite different. Just add these parameters to the RDECK_CLI_OPTS variable in the profile.bat file:

set RDECK_CLI_OPTS=-Xms2048m -Xmx4096m -Dhttp.proxySet=true -Dhttp.proxyHost=proxy_server_hostname -Dhttp.proxyPort=8888 -Dhttps.proxySet=true -Dhttps.proxyHost=proxy_server_hostname -Dhttps.proxyPort=8888 -Dhttp.nonProxyHosts=any_direct_host

Then save the file and restart the server.

Parameters explained

  • http.proxySet & https.proxySet: Enables the proxy config on the java app.
  • http.proxyHost & https.proxyHost: The host name of the proxy server.
  • http.proxyPort & https.proxyPort: The port number, (default value is 80, 8888 in the example).
  • http.nonProxyHosts: A list of hosts to be reached directly, bypassing the proxy.

Config testing environment

To test these concepts quickly, a Docker environment is useful. Docker is a container system that provides a computer network abstraction, providing a using a virtual network.

Each container is a computer in a virtual network. The easiest way to use Docker is to install Docker Desktop, instructionsopen in new window depending on your main Operating System. Hereopen in new window is a basic guide to understand how it works.

This Docker environment contains two containers (nodes): the official Rundeck container (extended to add the custom JVM parameters explained above) and the reiz/nginx_proxy container as a preconfigured Egress Proxy. You can find the full nginx_proxy project hereopen in new window.

  1. Create a directory called "egress_test" and then create a docker-compose.yml file with the following content:
    version: '3'
      	context: .
        	IMAGE: rundeck/rundeck:4.8.0
    	command: "-Dhttp.proxySet=true -Dhttp.proxyHost=proxysrv -Dhttp.proxyPort=8888 -Dhttps.proxySet=true -Dhttps.proxySet=true -Dhttps.proxyHost=proxysrv -Dhttps.proxyPort=8888 -Dhttp.nonProxyHosts=proxysrv"
      	- 4440:4440
      	RUNDECK_GRAILS_URL: http://localhost:4440
      	- int
    	image: reiz/nginx_proxy:0.0.3
      	- ./conf/nginx_denylist.conf:/usr/local/nginx/conf/nginx.conf
      	- 8888:8888
      	- ext
      	- int
    	internal: true
    	external: true
  2. Now create a new file called Dockerfile with the following content:
    FROM rundeck/rundeck:4.8.0
    USER root
    # base network tools
    RUN apt-get update && apt-get -y install iputils-ping curl nmap mc
    # rd cli to interact with rundeck instance
    RUN curl -s | os=any dist=any bash && apt-get update && apt-get install rundeck-cli
    USER rundeck
    # rd cli env vars
    ENV RD_URL http://localhost:4440
    ENV RD_USER admin
    This file allows you to build a custom container, adding the RD CLI tool to the Rundeck base container.
  3. Create a new directory called "conf" and create a new file called "nginx_denylist.conf" with the following content:
    user www-data;
    worker_processes auto;
    daemon off; # Don't run Nginx as a daemon, as we run it in Docker we need a foreground process.
    events { }
    http {
    	server_names_hash_bucket_size 128;
    	access_log /var/log/nginx_access.log;
    	error_log /var/log/nginx_errors.log;
    	# Denylist Google
    	server {
        	listen   	8888;
        	server_name  *;
        	return 404;
    	# Everything else is allowed
    	server {
        	  listen   	8888;
        	  server_name ~.+;
        	  proxy_max_temp_file_size 0;
        	  location / {
           	  proxy_pass http://$http_host;
           	  proxy_set_header Host $http_host;
    This is just the proxy configuration for the NGINX web server (check thisopen in new window basic example). It blocks any connection from the google domain. In this environment, if any system needs to get "outside" to the Internet, it needs to pass through this proxy server. It's based on thisopen in new window project.

Running and testing

  1. Create the network, this is needed by the whole environment and allows you to create the basic external network to reach the Internet using your current network device.
    docker network create --driver bridge ext
  2. Build the environment:
    docker compose build
  3. Run the Docker environment:
    docker compose up
  4. Now, enter to the rundeck container using:
    docker exec -it rundeck_container bash
  5. Execute the following command to test that the Rundeck instance container can't access the internet:
  6. Now, test the Proxy connection:
    curl -x srvproxy:8888
  7. List all available plugins from the official repository (using Rundeck you can see all plugins available from the external Rundeck repository via Egress Proxy):
    rd plugins list
  8. And finally, download a plugin using RD CLI:
    rd plugins install -r official -i <plugin_id>

This command downloads and installs the plugin from the official plugin repository via proxy server configured at the JVM level.