Using Kubernetes Ingress Controller to proxy PostHog Cloud

Warning

  1. The following self-hosted proxy isn't provided by PostHog, so we can't take responsibility for it! If unsure, we recommend using our managed reverse proxy.

  2. If you are using the EU cloud then use eu instead of us in all domains (e.g. us.i.posthog.com -> eu.i.posthog.com).

  3. Avoid using generic or common path names like /analytics, /tracking, /ingest, or /posthog for your reverse proxy. They will most likely be blocked. Instead, use a non-obvious path name or something random and unique to your application that's unlikely to appear in a filter list.

If your team is already using Kubernetes, you may prefer to use Kubernetes resources to setup a proxy to PostHog Cloud rather than deploying a new tool. This method requires one ingress resource for the proxy and one service resource to direct traffic externally to PostHog Cloud.

Different Ingress controllers support different annotations for configuration. The example below uses ingress-nginx.

YAML
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: posthog-proxy
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/upstream-vhost: us.i.posthog.com # Change to eu.i.posthog.com if needed.
    nginx.ingress.kubernetes.io/backend-protocol: https
    # Why configuration-snippet: https://github.com/kubernetes/ingress-nginx/issues/6728
    # Change to eu.i.posthog.com if needed.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_ssl_name "us.i.posthog.com";
      proxy_ssl_server_name "on";
spec:
  tls:
  - hosts:
    - example.com # Change to the host you will proxy posthog traffic through.
    secretName: example-tls # Change to the secret containing your certificate.
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: posthog-proxy
            port:
              name: https
      - pathType: Prefix
        path: /static
        backend:
          service:
            name: posthog-assets-proxy
            port:
              name: https


---
apiVersion: v1
kind: Service
metadata:
  name: posthog-proxy
spec:
  type: ExternalName
  externalName: us.i.posthog.com # Change to eu.i.posthog.com if needed.
  ports:
  - name: https
    protocol: TCP
    port: 443


---
apiVersion: v1
kind: Service
metadata:
  name: posthog-assets-proxy
spec:
  type: ExternalName
  externalName: us-assets.i.posthog.com # Change to eu-assets.i.posthog.com if needed.
  ports:
  - name: https
    protocol: TCP
    port: 443

Community questions

Was this page useful?

Questions about this page? or post a community question.