This document is for developers who want to route all server-side tagging traffic through a proxy server.
Before you begin
Before you can set up proxy server routing, make sure you have:
A server container deployed on Cloud Run or via manual setup.
A proxy server deployed that supports
HTTP CONNECT
requests.The ability to allowlist specific outbound traffic from the proxy server, for example, using VPC, Firewall, or Proxy access control lists (ACLs).
Configure proxy server routing
Cloud Run
To forward traffic to a proxy for Cloud Run deployments:
- Open Cloud Run
- Choose your server-side tagging Cloud Run instance.
- Click EDIT & DEPLOY NEW REVISION. The deploy revision screen opens.
- Under Container(s), choose your server container. A new screen with the container setting opens.
To expand the service configuration, select the Variables & Secrets tab. Click the Add Variable button and add the following environment variable:
- Name:
HTTP_PROXY
- Value: URI of the proxy server (e.g.
https://proxy.example.com:3333
orhttp://32.12.83.10
)
- Name:
Click Done.
Confirm your revisions and click Deploy.
Manual deployment
To forward traffic to a proxy for manual deployments:
Define an environment variable accessible to the Docker image:
- Name:
HTTP_PROXY
- Value: URI of the proxy server (e.g.
https://proxy.example.com
orhttp://32.12.83.10:1234
)
- Name:
Run your Docker image with the new environment variable.
docker run -p 8080:8080 \ -e CONTAINER_CONFIG=CONTAINER_CONFIG \ -e HTTP_PROXY=PROXY_URL \ gcr.io/cloud-tagging-10302018/gtm-cloud-image:stable
Result: Your server-side tagging deployment sends all outbound traffic to the proxy endpoint you specified in the environment variable.
Verify the proxy server setup
To verify your proxy requests setup, check both Google Tag Manager and your proxy server configuration.
To verify your server container proxies requests:
Open your server container.
Open Preview mode. In the Requests tab:
- Ensure your client claims the incoming request.
- Ensure that your tags and variables successfully send outgoing HTTP requests.
- To check whether a request was sent through a proxy server, click a HTTP request to view the HTTP Request Details.
To verify your proxy setup:
- Check your network and proxy server logs. At a minimum you should see successful requests to the following endpoints:
- Check if there are requests to other endpoints.
- Depending on the server-side tagging features you use, you may also see requests made to other endpoints, such as www.google-analytics.com, bigquery.googleapis.com, or third-party endpoints. Allow-list any other endpoints that are needed for your tagging setup.
Optional: Allow-list outbound traffic from your proxy server
If you block outbound traffic from your network or from your proxy server, you must allowlist Google Tag Manager domains for your tagging server instance to work. How you allowlist outbound traffic depends on your network environment and proxy software. Before you begin allowlisting endpoints, make sure that you understand your network topology.
The following domains are used to fetch, preview, and debug your Google Tag Manager container:
https://www.googletagmanager.com
https://tagmanager.google.com
${Preview server URL}
If you host your Preview server on a different network than your proxy server or have restrictive network rules, allowlist outbound traffic from the proxy to the Preview server. The Preview server URL is defined when you deploy your server container.
Optional: Use BASIC Authentication with your proxy server
If your organization requires authentication, you can use BASIC authentication with all server types.
To use BASIC authentication, include the credentials (username/password) as part of the proxy server URL in the following format:
HTTP_PROXY=http(s)://USER_NAME:PASSWORD@PROXY_URL
Each request to the proxy sets the username and password in the Proxy-Authorization header as Base64 values.
If you use Cloud Run, store the proxy endpoint credentials in Secret Manager. Secret Manager gives Cloud Run access to the secret at startup time and resolves the value. Learn how to configure secrets in Cloud Run.
Optional: Disable the proxy for specific hosts
The NO_PROXY
environment variable lets you define a comma delimited list
of hostnames that can't be sent through the proxy server.
For example, given:
NO_PROXY=example.com,169.254.169.254,diagnostics.example2.com:3131
The sGTM container doesn't proxy any of the following requests:
http://example.com
,https://sub.example.com
,https://other.example.com:123
http://169.254.169.254
,https://169.254.169.254
,http://169.254.169.254:123
http://diagonstics.example2.com:3131
,https://diagonstics.example2.com:3131