Skip to main content

Configuring Stripe’s Smokescreen as a forward proxy for Convoy

Stripe’s Smokescreen is a powerful tool that can be used as a forward proxy for Convoy, it can be used to achieve Static IPs for your outbound webhook events.

Why Use a Forward Proxy?

A forward proxy acts as an intermediary between clients and servers, forwarding requests on behalf of clients and providing additional services such as caching, security, and anonymity. By using Smokescreen as a forward proxy for Convoy, you can benefit from its advanced features and capabilities.

Configuring Smokescreen as a Forward Proxy

To configure Smokescreen as a forward proxy for Convoy, follow the steps here to install smokescreen on your server. Start smokcscreen by running:
terminal
smokescreen --listen-port <your-desired-proxy-port>

In your convoy.json file, you need to specify the url to smokescreen as your proxy value:
terminal
"server": {
  "http": {
    "proxy": "<smokescreen-url>",
    "ssl": false,
    "ssl_cert_file": "",
    "ssl_key_file": "",
    "port": 5005
  }
},

For more extensive documentation of Smokescreen’s configuration see here.

Bypassing the proxy with NO_PROXY

The webhook dispatcher honors NO_PROXY so you can route some traffic directly while everything else goes through the forward proxy. The server.http.no_proxy bypass list applies only when a forward proxy is configured via server.http.proxy (which itself requires the forward-proxy license). In that case server.http.no_proxy takes precedence over the NO_PROXY env var, which takes precedence over no_proxy.
terminal
"server": {
  "http": {
    "proxy": "<smokescreen-url>",
    "no_proxy": "internal.example.com,10.0.0.0/8,*.svc.cluster.local"
  }
}
Entries support domain suffix matches (example.com), exact hosts, CIDR ranges, and wildcards, using the same matching rules as Go’s standard http.ProxyFromEnvironment. When no explicit proxy is configured, the dispatcher falls back to the standard proxy environment variables (HTTP_PROXY/HTTPS_PROXY/NO_PROXY).

Access Control Lists (ACLs)

Smokescreen allows you to specify access control lists, these help prevent IP spoofing attacks.
terminal
---
version: v1
services:
  - name: enforce-dummy-srv
    project: usersec
    action: enforce
    allowed_domains:
      - example1.com
      - example2.com
      - deny1.com # overrides global deny list

  - name: report-dummy-srv
    project: security
    action: report
    allowed_domains:
      - example3.com

global_allow_list:
  - goodexample1.com
  - goodexample2.com
  - goodexample3.com
  - conflictingexample.com

global_deny_list:
  - deny1.com
  - deny2.com
  - conflictingexample.com

The enforce action makes smokescreen strictly follow the defined rule, as opposed to report which allows the rule to be broken with a warning. For more extensive documentation of Smokescreen’s configuration see here.