> ## Documentation Index
> Fetch the complete documentation index at: https://getconvoy.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Smokescreen

## Configuring Stripe's Smokescreen as a forward proxy for Convoy

Stripe's Smokescreen is a powerful tool that can be used as a forward proxy for Convoy, it can be used to achieve Static IPs for your outbound webhook events.

### Why Use a Forward Proxy?

A forward proxy acts as an intermediary between clients and servers, forwarding requests on behalf of clients and providing additional services such as caching, security, and anonymity. By using Smokescreen as a forward proxy for Convoy, you can benefit from its advanced features and capabilities.

### Configuring Smokescreen as a Forward Proxy

To configure Smokescreen as a forward proxy for Convoy, follow the steps [here](https://github.com/stripe/smokescreen) to install smokescreen on your server.

Start smokcscreen by running:

```bash terminal theme={null}
smokescreen --listen-port <your-desired-proxy-port>

```

In your convoy.json file, you need to specify the url to smokescreen as your proxy value:

```bash terminal theme={null}
"server": {
  "http": {
    "proxy": "<smokescreen-url>",
    "ssl": false,
    "ssl_cert_file": "",
    "ssl_key_file": "",
    "port": 5005
  }
},

```

For more extensive documentation of Smokescreen's configuration see [here](https://github.com/stripe/smokescreen).

### Bypassing the proxy with NO\_PROXY

The webhook dispatcher honors `NO_PROXY` so you can route some traffic directly while everything else goes through the forward proxy. The `server.http.no_proxy` bypass list applies only when a forward proxy is configured via `server.http.proxy` (which itself requires the forward-proxy license). In that case `server.http.no_proxy` takes precedence over the `NO_PROXY` env var, which takes precedence over `no_proxy`.

```bash terminal theme={null}
"server": {
  "http": {
    "proxy": "<smokescreen-url>",
    "no_proxy": "internal.example.com,10.0.0.0/8,*.svc.cluster.local"
  }
}
```

Entries support domain suffix matches (`example.com`), exact hosts, CIDR ranges, and wildcards, using the same matching rules as Go's standard `http.ProxyFromEnvironment`. When no explicit proxy is configured, the dispatcher falls back to the standard proxy environment variables (`HTTP_PROXY`/`HTTPS_PROXY`/`NO_PROXY`).

### Access Control Lists (ACLs)

Smokescreen allows you to specify access control lists, these help prevent IP spoofing attacks.

```bash terminal theme={null}
---
version: v1
services:
  - name: enforce-dummy-srv
    project: usersec
    action: enforce
    allowed_domains:
      - example1.com
      - example2.com
      - deny1.com # overrides global deny list

  - name: report-dummy-srv
    project: security
    action: report
    allowed_domains:
      - example3.com

global_allow_list:
  - goodexample1.com
  - goodexample2.com
  - goodexample3.com
  - conflictingexample.com

global_deny_list:
  - deny1.com
  - deny2.com
  - conflictingexample.com

```

The `enforce` action makes smokescreen strictly follow the defined rule, as opposed to `report` which allows the rule to be broken with a warning. For more extensive documentation of Smokescreen's configuration see [here](https://github.com/stripe/smokescreen).
