Overcoming IP Restrictions: Leveraging Squid Proxy on Kubernetes for API Consumption

sibelius

Sibelius Seraphini

Posted on June 17, 2024

IP allowlist

When building a Fintech, you need to provide a list of IPs that will consume the Bank as a Service API. This is great from a security perspective, but it creates a bad DX for developers who need to test the APIs.

To overcome this restriction, we deployed a forward proxy in our Kubernetes cluster to enable developers to use these APIs from their computers.

Forward HTTP Proxy

A forward HTTP proxy is a server that sits between a client (such as a web browser or an application) and the internet. Its primary function is to forward requests from the client to the internet and then return the responses from the Internet to the client.

This enables us to send requests that are subject to IP restrictions through the forward proxy, which provides a better developer experience.

Squid Proxy

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages. Squid has extensive access controls and makes a great server accelerator.

We used Squid Proxy as it is a very popular forward proxy solution, and it was simple to set up.

To deploy it to Kubernetes, you need a deployment, a service, and a config map:

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: proxy-dev
  name: squid-dev-proxy
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
  selector:
    matchLabels:
      app: squid-dev-proxy
  template:
    metadata:
      labels:
        app: squid-dev-proxy
    spec:
      volumes:
        - name: config
          configMap:
            name: squid-dev-config
      containers:
        - name: squid-dev-proxy
          image: sameersbn/squid:latest
          ports:
            - containerPort: 3128
          volumeMounts:
            - name: config
              mountPath: /etc/squid/
---
apiVersion: v1
kind: Service
metadata:
  namespace: proxy-dev
  name: squid-dev-proxy
spec:
  ports:
    - protocol: TCP
      port: 3128
      targetPort: 3128
  selector:
    app: squid-dev-proxy
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: squid-dev-config
  namespace: proxy-dev
data:
  squid.conf: |
    http_port 3128
    acl all src all
    cache_log /dev/null
    cache deny all
    http_access allow all

We deployed it on port 3128.

Forward Proxy on Node

We use fetch to make HTTP requests in our backend.
To enable a forward proxy, we are going to use the package https-proxy-agent:

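// Agent that tunnels requests through an HTTP proxy
import { HttpsProxyAgent } from 'https-proxy-agent';

export const devProxyAgent = () => {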
  if (process.env.K8S_DEV_PROXY === 'true') {
    const proxyAgent = new HttpsProxyAgent(process.env.K8S_DEV_PROXY_URL);

    // eslint-disable-next-line
    console.log('proxy k8sdev');

    return { agent: proxyAgent };
  }

  return {};
};

Use it like this:

const options = {
    method: 'POST',
    body,
    ...devProxyAgent(),
};

const response = await fetch(url, options);

We only enable the proxy if the K8S_DEV_PROXY flag is set to true. This is needed to avoid using a proxy in staging and production, as they are already using the allowlisted IPs.

We use process.env a lot for feature flags.

Security concerns of this approach

We recommend using this approach only for staging environments.
Our developers can only access this forward proxy when using our VPN.
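
The ConfigMap shown earlier ends in http_access allow all, so the proxy forwards to any destination for whoever can reach port 3128. A tighter variant, added here as an example and not Woovi's own configuration, forwards only to the Bank as a Service API host. The hostname api.baas.example is a constructed placeholder, and the VPN restriction described above is assumed to stay in place.

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: squid-dev-config
  namespace: proxy-dev
data:
  squid.conf: |
    http_port 3128

    # Constructed placeholder: replace with the hostname of the
    # IP-restricted Bank as a Service API.
    acl baas_api dstdomain api.baas.example

    # HTTPS requests from https-proxy-agent arrive as CONNECT host:443.
    acl SSL_ports port 443
    acl CONNECT method CONNECT

    # Refuse tunnels to any port other than 443.
    http_access deny CONNECT !SSL_ports

    # Forward only to the allowlisted API host, deny everything else.
    http_access allow baas_api
    http_access deny all

    # Same caching and logging choices as the original config.
    cache_log /dev/null
    cache deny all
```

Squid evaluates http_access rules top to bottom and stops at the first match, so the final deny all is what rejects requests to any other host.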

In Conclusion

We hope this approach improves the DX of consuming APIs that require an allowlist of specific IPs for security reasons.

We also allow our users to allowlist some specific IPs to use their application token for security reasons.


Woovi is an innovative startup revolutionizing the payment landscape. With Woovi, shoppers can enjoy the freedom to pay however they prefer. Our cutting-edge platform provides instant payment solutions, empowering merchants to accept orders and enhance their customer experience seamlessly.

If you're interested in joining our team, we're hiring! Check out our job openings at Woovi Careers.
