Outbound HTTP proxy for IDVA applications on Cloud.gov
The IDVA project is composed of many different microservices, with many needing to access known URLs on the public internet. In order to enhance our security and enforce that applications are not talking to domains other than those we explicitly allow, we use a forward proxy with an allow list that specify which domains are allowed for our apps.
The IDVA outbound proxy is implemented using the Caddy v2 Proxy
with the http.forwardproxy plugin
enabled. The Caddyfile is set up to allow all domains included in a user-provided file named
allow.acl
over port 443
The Caddyfile
requires a file named allow.acl
to determine which domains should be allowed
by the proxy. The format of this file is simply one domain per line. For example, the following
allow.acl would allow a client using the proxy to only google and github domains:
google.com
github.com
A new domain can be added by including the domain in the allow.acl
file that is specified by
the Caddyfile.
In order to use a port other than 443 when connecting to a domain, update the Caddyfile ports
section to include the desired port.
The most up-to-date information about the CI/CD flows for this repo can be found in the GitHub workflows directory
This project is in the worldwide public domain. As stated in CONTRIBUTING:
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.