Using Kubernetes Ingress Controller to proxy PostHog Cloud

Last updated:

|
Warning

  1. The following self-hosted proxy isn't provided by PostHog, so we can't take responsibility for it! If unsure, we recommend using our managed reverse proxy.

  2. If you are using the EU cloud then use eu instead of us in all domains (e.g. us.i.posthog.com -> eu.i.posthog.com).

  3. Avoid using generic or common path names like /analytics, /tracking, /ingest, or /posthog for your reverse proxy. They will most likely be blocked. Instead, use a non-obvious path name or something random and unique to your application that's unlikely to appear in a filter list.

If your team is already using Kubernetes, you may prefer to use Kubernetes resources to setup a proxy to PostHog Cloud rather than deploying a new tool. This method requires one ingress resource for the proxy and one service resource to direct traffic externally to PostHog Cloud.

Different Ingress controllers support different annotations for configuration. The example below uses ingress-nginx.

YAML
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: posthog-proxy
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/upstream-vhost: us.i.posthog.com # Change to eu.i.posthog.com if needed.
    nginx.ingress.kubernetes.io/backend-protocol: https
    # Why configuration-snippet: https://github.com/kubernetes/ingress-nginx/issues/6728
    # Change to eu.i.posthog.com if needed.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_ssl_name "us.i.posthog.com";
      proxy_ssl_server_name "on";
spec:
  tls:
  - hosts:
    - example.com # Change to the host you will proxy posthog traffic through.
    secretName: example-tls # Change to the secret containing your certificate.
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: posthog-proxy
            port:
              name: https
      - pathType: Prefix
        path: /static
        backend:
          service:
            name: posthog-assets-proxy
            port:
              name: https


---
apiVersion: v1
kind: Service
metadata:
  name: posthog-proxy
spec:
  type: ExternalName
  externalName: us.i.posthog.com # Change to eu.i.posthog.com if needed.
  ports:
  - name: https
    protocol: TCP
    port: 443


---
apiVersion: v1
kind: Service
metadata:
  name: posthog-assets-proxy
spec:
  type: ExternalName
  externalName: us-assets.i.posthog.com # Change to eu-assets.i.posthog.com if needed.
  ports:
  - name: https
    protocol: TCP
    port: 443

Questions? Ask Max AI.

It's easier than reading through 799 pages of documentation

Community questions

Was this page useful?

Next article

Using Netlify redirects as a reverse proxy

Netlify supports redirects and rewrites which we can use as a reverse proxy from a custom route. In your netlify.toml file, add a redirect like this: Note: If deploying SvelteKit on Netlify use _redirects file and place it in the project root, as redirects in netlify.toml configuration are not supported . Note: This proxy configuration works with custom domains but may not work correctly with the default .netlify.app domain. If you're experiencing issues with PostHog requests being…

Read next article