IP allowlist
When building a Fintech, you need to provide a list of IPs that will consume the Bank as a Service API. This is great from the security perspective, but it creates a bad DX for developers who need to test the APIs.
To overcome this restriction we deployed a forward proxy in our Kubernetes to enable developers to use these APIs from their computers.
Forward HTTP Proxy
A forward HTTP proxy is a server that sits between a client (such as a web browser or an application) and the internet. Its primary function is to forward requests from the client to the internet and then return the responses from the Internet to the client.
This lets us send requests to IP-restricted APIs through the forward proxy, which is the host on the allowlist, and so gives developers a better experience.
Squid Proxy
Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages. Squid has extensive access controls and makes a great server accelerator.
We used Squid Proxy as it is a very popular forward proxy solution, and it was simple to set up.
To deploy it to Kubernetes you need a Deployment, a Service, and a ConfigMap:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: proxy-dev
  name: squid-dev-proxy
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
  selector:
    matchLabels:
      app: squid-dev-proxy
  template:
    metadata:
      labels:
        app: squid-dev-proxy
    spec:
      volumes:
        - name: config
          configMap:
            name: squid-dev-config
      containers:
        - name: squid-dev-proxy
          image: sameersbn/squid:latest
          ports:
            - containerPort: 3128
          volumeMounts:
            # Mounting the whole directory replaces every file under /etc/squid
            # with the ConfigMap's keys (here only squid.conf).
            - name: config
              mountPath: /etc/squid/
```
```yaml
apiVersion: v1
kind: Service
metadata:
  namespace: proxy-dev
  name: squid-dev-proxy
spec:
  ports:
    - protocol: TCP
      port: 3128
      targetPort: 3128
  selector:
    app: squid-dev-proxy
```
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: squid-dev-config
  namespace: proxy-dev
data:
  squid.conf: |
    http_port 3128
    acl all src all
    cache_log /dev/null
    cache deny all
    http_access allow all
```
We deployed it on port 3128.
Forward Proxy on Node
We use fetch to make HTTP requests in our backend. To route them through the forward proxy, we use the package https-proxy-agent:
```javascript
import { HttpsProxyAgent } from 'https-proxy-agent';

// Returns fetch options that send the request through the in-cluster Squid
// proxy, but only when the K8S_DEV_PROXY feature flag is on. The `agent`
// option is honoured by node-fetch; Node's built-in fetch ignores it.
export const devProxyAgent = () => {
  if (process.env.K8S_DEV_PROXY === 'true') {
    const proxyAgent = new HttpsProxyAgent(process.env.K8S_DEV_PROXY_URL);
    // eslint-disable-next-line
    console.log('proxy k8sdev');
    return { agent: proxyAgent };
  }
  return {};
};
```
It is used like this:
```javascript
const options = {
  method: 'POST',
  body,
  ...devProxyAgent(),
};
const response = await fetch(url, options);
```
We only enable the proxy if the K8S_DEV_PROXY flag is set to true. This is needed to avoid using a proxy in staging and production, as those environments already run from the allowlisted IPs. We use process.env a lot for feature flags.
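The helper above silently returns `{}` when the flag is off, and silently passes an undefined or malformed URL to the agent when the flag is on but K8S_DEV_PROXY_URL is missing. The following is an added example (not the post's code) of a stricter variant that fails closed on misconfiguration and can never enable the proxy when NODE_ENV is production. `buildProxyOptions` and the injected `makeAgent` are names chosen for this example; injecting the agent constructor lets the checks run without https-proxy-agent installed (in real use pass `(url) => new HttpsProxyAgent(url)`). The in-cluster hostname `squid-dev-proxy.proxy-dev` is the service name and namespace from the manifests above in Kubernetes DNS form, used here as an assumed value.

```javascript
// Added example, not code from the original post: a stricter devProxyAgent()
// that refuses to run with a half-configured or production environment.
// `env` is passed in (instead of reading process.env directly) so it is easy
// to test; `makeAgent` builds the proxy agent, e.g. url => new HttpsProxyAgent(url).
function buildProxyOptions(env, makeAgent) {
  // Flag off: plain fetch, exactly like the original helper.
  if (env.K8S_DEV_PROXY !== 'true') return {};

  // The proxy exists for developer machines only; never let a stray flag
  // route production traffic through it.
  if (env.NODE_ENV === 'production') {
    throw new Error('K8S_DEV_PROXY must not be enabled in production');
  }

  // Flag on but URL missing or unparsable: fail loudly instead of handing
  // `undefined` to the agent.
  let proxyUrl;
  try {
    proxyUrl = new URL(env.K8S_DEV_PROXY_URL || '');
  } catch {
    throw new Error('K8S_DEV_PROXY=true but K8S_DEV_PROXY_URL is missing or invalid');
  }

  // The Squid service above speaks plain HTTP on 3128; anything else is a typo.
  if (proxyUrl.protocol !== 'http:') {
    throw new Error(`unexpected proxy scheme ${proxyUrl.protocol}`);
  }

  return { agent: makeAgent(proxyUrl.href) };
}

// Example wiring (assumed values): in the real helper makeAgent would be
// url => new HttpsProxyAgent(url) from https-proxy-agent.
const exampleEnv = {
  K8S_DEV_PROXY: 'true',
  K8S_DEV_PROXY_URL: 'http://squid-dev-proxy.proxy-dev:3128',
};
const exampleOptions = buildProxyOptions(exampleEnv, (url) => ({ proxy: url }));

module.exports = { buildProxyOptions, exampleOptions };
```

The spread `...buildProxyOptions(process.env, url => new HttpsProxyAgent(url))` drops into the fetch options exactly where `...devProxyAgent()` sits above; the only behavioural change is that a broken configuration now throws at request time rather than quietly sending traffic without the proxy or with a bogus agent.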
Security concerns of this approach
We recommend using this approach only for staging environments.
Our developers can only access this forward proxy when using our VPN.
In Conclusion
We hope this approach improves the DX of consuming APIs that, for security reasons, only accept requests from an allowlist of specific IPs.
We also allow our users to allowlist some specific IPs to use their application token for security reasons.
Woovi is an innovative startup revolutionizing the payment landscape. With Woovi, shoppers can enjoy the freedom to pay however they prefer. Our cutting-edge platform provides instant payment solutions, empowering merchants to accept orders and enhance their customer experience seamlessly.
If you're interested in joining our team, we're hiring! Check out our job openings at Woovi Careers.
Top comments (1)
Awesome post o/