# Configure Rundeck behind an Egress Proxy


Though these instructions reference Rundeck, they can also be applied to environments running the Enterprise versions of the product, PagerDuty Runbook Automation (opens new window) or Process Automation (opens new window).

# Overview

In most organizations, all network infrastructure (including servers) stays isolated from the Internet by default for security reasons.

In this specific scenario, the only way for Rundeck to reach the Internet is by using a proxy server. While in most situations Rundeck does not need internet access to operate, there are cases where job steps need to be able to reach out to SaaS tools such as AWS, ServiceNow, or Jira.

This guide demonstrates how to add the correct parameters to reach a proxy server.

# Set proxy server parameters

# Linux based Rundeck instance

If your Rundeck instance needs a proxy server to access the internet add the following line in the rundeckd file (opens new window), located at/etc/sysconfig/rundeckdin RedHat/CentOS/Rocky based Linux distributions or /etc/default/rundeckdon Debian/Ubuntu based Linux distributions. If the file isn't present, you can create it.

RDECK_JVM_OPTS="-Dhttp.proxySet=true -Dhttp.proxyHost=proxy_server_hostname -Dhttp.proxyPort=8888 -Dhttps.proxySet=true -Dhttps.proxyHost=proxy_server_hostname -Dhttps.proxyPort=8888 -Dhttp.nonProxyHosts=any_direct_host"

# Windows based Rundeck instance

On Windows (opens new window) based instances, the process is quite different. Just add these parameters to the RDECK_CLI_OPTS variable in the profile.bat file:

set RDECK_CLI_OPTS=-Xms2048m -Xmx4096m -Dhttp.proxySet=true -Dhttp.proxyHost=proxy_server_hostname -Dhttp.proxyPort=8888 -Dhttps.proxySet=true -Dhttps.proxyHost=proxy_server_hostname -Dhttps.proxyPort=8888 -Dhttp.nonProxyHosts=any_direct_host

Then save the file and restart the server.

# Parameters explained

  • http.proxySet & https.proxySet: Enables the proxy config on the java app.
  • http.proxyHost & https.proxyHost: The host name of the proxy server.
  • http.proxyPort & https.proxyPort: The port number, (default value is 80, 8888 in the example).
  • http.nonProxyHosts: A list of hosts to be reached directly, bypassing the proxy.

# Config testing environment

To test these concepts quickly, a Docker environment is useful. Docker is a container system that provides a computer network abstraction, providing a using a virtual network.

Each container is a computer in a virtual network. The easiest way to use Docker is to install Docker Desktop, instructions (opens new window) depending on your main Operating System. Here (opens new window) is a basic guide to understand how it works.

This Docker environment contains two containers (nodes): the official Rundeck container (extended to add the custom JVM parameters explained above) and the reiz/nginx_proxycontainer as a preconfigured Egress Proxy. You can find the full nginx_proxy project here (opens new window).

  1. Create a directory called "egress_test" and then create a docker-compose.yml file with the following content:
    version: '3'
      	context: .
        	IMAGE: rundeck/rundeck:4.8.0
    	command: "-Dhttp.proxySet=true -Dhttp.proxyHost=proxysrv -Dhttp.proxyPort=8888 -Dhttps.proxySet=true -Dhttps.proxySet=true -Dhttps.proxyHost=proxysrv -Dhttps.proxyPort=8888 -Dhttp.nonProxyHosts=proxysrv"
      	- 4440:4440
      	RUNDECK_GRAILS_URL: http://localhost:4440
      	- int
    	image: reiz/nginx_proxy:0.0.3
      	- ./conf/nginx_denylist.conf:/usr/local/nginx/conf/nginx.conf
      	- 8888:8888
      	- ext
      	- int
    	internal: true
    	external: true
  2. Now create a new file called Dockerfile with the following content:
    FROM rundeck/rundeck:4.8.0
    USER root
    # base network tools
    RUN apt-get update && apt-get -y install iputils-ping curl nmap mc
    # rd cli to interact with rundeck instance
    RUN curl -s https://packagecloud.io/install/repositories/pagerduty/rundeck/script.deb.sh | os=any dist=any bash && apt-get update && apt-get install rundeck-cli
    USER rundeck
    # rd cli env vars
    ENV RD_URL http://localhost:4440
    ENV RD_USER admin
    This file allows you to build a custom container, adding the RD CLI tool to the Rundeck base container.
  3. Create a new directory called "conf" and create a new file called "nginx_denylist.conf" with the following content:
    user www-data;
    worker_processes auto;
    daemon off; # Don't run Nginx as a daemon, as we run it in Docker we need a foreground process.
    events { }
    http {
    	server_names_hash_bucket_size 128;
    	access_log /var/log/nginx_access.log;
    	error_log /var/log/nginx_errors.log;
    	# Denylist Google
    	server {
        	listen   	8888;
        	server_name  google.com;
        	server_name  *.google.com;
        	return 404;
    	# Everything else is allowed
    	server {
        	  listen   	8888;
        	  server_name ~.+;
        	  proxy_max_temp_file_size 0;
        	  location / {
           	  proxy_pass http://$http_host;
           	  proxy_set_header Host $http_host;
    This is just the proxy configuration for the NGINX web server (check this (opens new window) basic example). It blocks any connection from the google domain. In this environment, if any system needs to get "outside" to the Internet, it needs to pass through this proxy server. It's based on this (opens new window) project.

# Running and testing

  1. Create the network, this is needed by the whole environment and allows you to create the basic external network to reach the Internet using your current network device.
    docker network create --driver bridge ex
  2. Build the environment:
    docker compose build
  3. Run the Docker environment:
    docker compose up
  4. Now, enter to the rundeck container using:
    docker exec -it rundeck_container bash
  5. Execute the following command to test that the Rundeck instance container can't access the internet:
    curl https://kernel.org
  6. Now, test the Proxy connection:
    curl https://kernerl.org -x srvproxy:8888
  7. List all available plugins from the official repository (using Rundeck you can see all plugins available from the external Rundeck repository via Egress Proxy):
    rd plugins list
  8. And finally, download a plugin using RD CLI:
    rd plugins install -r official -i <plugin_id>

This command downloads and installs the plugin from the official plugin repository via proxy server configured at the JVM level.

# Resources