Using Kubernetes Ingress Controller to proxy PostHog Cloud

Warning
  1. The following self-hosted proxy isn't provided by PostHog, so we can't take responsibility for it! If unsure, we recommend using our managed reverse proxy.

  2. If you are using the EU cloud then use eu instead of us in all domains (e.g. us.i.posthog.com -> eu.i.posthog.com).

  3. Avoid using generic or common path names like /analytics, /tracking, /ingest, or /posthog for your reverse proxy. They will most likely be blocked. Instead, use a non-obvious path name or something random and unique to your application that's unlikely to appear in a filter list.

If your team is already using Kubernetes, you may prefer to use Kubernetes resources to setup a proxy to PostHog Cloud rather than deploying a new tool. This method requires one ingress resource for the proxy and one service resource to direct traffic externally to PostHog Cloud.

Different Ingress controllers support different annotations for configuration. The example below uses ingress-nginx.

YAML
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: posthog-proxy
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/upstream-vhost: us.i.posthog.com # Change to eu.i.posthog.com if needed.
nginx.ingress.kubernetes.io/backend-protocol: https
# Why configuration-snippet: https://github.com/kubernetes/ingress-nginx/issues/6728
# Change to eu.i.posthog.com if needed.
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_ssl_name "us.i.posthog.com";
proxy_ssl_server_name "on";
spec:
tls:
- hosts:
- example.com # Change to the host you will proxy posthog traffic through.
secretName: example-tls # Change to the secret containing your certificate.
rules:
- http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: posthog-proxy
port:
name: https
- pathType: Prefix
path: /static
backend:
service:
name: posthog-assets-proxy
port:
name: https
---
apiVersion: v1
kind: Service
metadata:
name: posthog-proxy
spec:
type: ExternalName
externalName: us.i.posthog.com # Change to eu.i.posthog.com if needed.
ports:
- name: https
protocol: TCP
port: 443
---
apiVersion: v1
kind: Service
metadata:
name: posthog-assets-proxy
spec:
type: ExternalName
externalName: us-assets.i.posthog.com # Change to eu-assets.i.posthog.com if needed.
ports:
- name: https
protocol: TCP
port: 443

Community questions

Was this page useful?

Questions about this page? or post a community question.