Changelog

View on GitHub →

New: Load Config From S3

The -config flag now accepts s3:// URLs. When an S3 URL is provided, the config is fetched from S3 using the default AWS credential chain (environment variables, shared config, IAM role, etc.). Local file paths continue to work as before.

New: generate-ca Subcommand

A new generate-ca subcommand creates a CA certificate and private key for use with the proxy. It supports RSA 4096 and Ed25519 key types, configurable expiry, and configurable CA name. Existing files will not be overwritten.
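What such a subcommand has to get right, shown as an added example written for this changelog rather than taken from iron-proxy: a self-signed CA for either key type with basic constraints and certSign usage, the key stored as PKCS8, and files written with O_EXCL so nothing existing is overwritten. File names (ca.pem, ca-key.pem) and function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// GenerateCA builds a self-signed CA for keyType "rsa4096" or "ed25519" with the
// given subject name and validity. Returns DER certificate and PKCS8 DER key.
func GenerateCA(keyType, name string, validFor time.Duration) (certDER, keyDER []byte, err error) {
	var priv crypto.Signer
	switch keyType {
	case "rsa4096":
		priv, err = rsa.GenerateKey(rand.Reader, 4096)
	case "ed25519":
		_, priv, err = ed25519.GenerateKey(rand.Reader)
	default:
		return nil, nil, fmt.Errorf("unsupported key type %q (want rsa4096 or ed25519)", keyType)
	}
	if err != nil {
		return nil, nil, err
	}
	// 128-bit random serial, so two CAs generated on different hosts never collide.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-5 * time.Minute), // tolerate small clock skew
		NotAfter:              now.Add(validFor),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		MaxPathLenZero:        true, // may issue leaf certs only, never a sub-CA
	}
	certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err = x509.MarshalPKCS8PrivateKey(priv)
	return certDER, keyDER, err
}

// WriteNew creates path with O_EXCL: an existing file is never overwritten and
// the caller gets os.ErrExist wrapped in a clear message.
func WriteNew(path string, data []byte, mode os.FileMode) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, mode)
	if err != nil {
		if errors.Is(err, os.ErrExist) {
			return fmt.Errorf("refusing to overwrite existing %s: %w", path, err)
		}
		return err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return err
	}
	return f.Close()
}

// WriteCAFiles stores the CA as PEM: world-readable certificate, owner-only key.
func WriteCAFiles(dir string, certDER, keyDER []byte) error {
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	if err := WriteNew(filepath.Join(dir, "ca.pem"), certPEM, 0o644); err != nil {
		return err
	}
	return WriteNew(filepath.Join(dir, "ca-key.pem"), keyPEM, 0o600)
}

func main() {
	certDER, keyDER, err := GenerateCA("ed25519", "iron-proxy CA", 3650*24*time.Hour)
	if err != nil {
		fmt.Println("generate:", err)
		return
	}
	dir, _ := os.MkdirTemp("", "iron-ca")
	fmt.Println("first write:", WriteCAFiles(dir, certDER, keyDER))
	fmt.Println("second write:", WriteCAFiles(dir, certDER, keyDER)) // refused: files exist
}
```

The MaxPathLenZero constraint is a deliberate hardening choice for a proxy CA: it cannot be used to mint an intermediate that survives rotation of the proxy key.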

Fix: Request Content-Length Preserved Through Proxy

Fixed a bug where the proxy would set Content-Length: 0 on upstream requests when the request body had not been buffered by transforms. The original request's Content-Length is now correctly forwarded.

Fix: Content-Length header preserved for passthrough responses

The proxy was unconditionally stripping the Content-Length header from all responses, which broke clients that depend on it (e.g. Docker registry pulls). Content-Length is now preserved as-is when no transform modifies the response body. When a transform does replace the body, Content-Length is set from the buffered data.

Body buffering simplified

There is now a single BufferedBody type with lazy, all-or-nothing buffering. If a transform reads the body, the entire stream is eagerly consumed into memory on first read. If no transform touches the body, it streams directly to the client or upstream with no buffering.

Keep in mind that transforms which read or modify request/response bodies will cause the full body to be buffered into memory. Use body-inspecting transforms sparingly, and prefer header-only matching where possible to avoid unnecessary memory usage on large payloads.
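The two Content-Length fixes above and the BufferedBody behaviour fit together, and this added example (written here, not iron-proxy's actual type) shows the combination: Read passes through until a transform calls Bytes(), which pulls the whole stream into memory; Content-Length is left at the incoming value unless a transform replaced the body, in which case it is recomputed from the buffered data. Method and function names are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// BufferedBody wraps a request or response body. Until a transform calls
// Bytes(), Read streams straight from the source; the first Bytes() call
// consumes the entire stream into memory and later Reads are served from it.
type BufferedBody struct {
	src      io.ReadCloser
	buf      []byte
	off      int
	buffered bool
	replaced bool
}

func NewBufferedBody(src io.ReadCloser) *BufferedBody { return &BufferedBody{src: src} }

// Bytes buffers the whole body on first call (all-or-nothing) and returns it.
func (b *BufferedBody) Bytes() ([]byte, error) {
	if !b.buffered {
		data, err := io.ReadAll(b.src)
		if err != nil {
			return nil, err
		}
		b.buf, b.buffered = data, true
	}
	return b.buf, nil
}

// Replace installs a transformed body; this is the only path that changes length.
func (b *BufferedBody) Replace(data []byte) {
	b.buf, b.off, b.buffered, b.replaced = data, 0, true, true
}

func (b *BufferedBody) Buffered() bool { return b.buffered }
func (b *BufferedBody) Replaced() bool { return b.replaced }

func (b *BufferedBody) Read(p []byte) (int, error) {
	if !b.buffered {
		return b.src.Read(p) // passthrough: nothing is held in memory
	}
	if b.off >= len(b.buf) {
		return 0, io.EOF
	}
	n := copy(p, b.buf[b.off:])
	b.off += n
	return n, nil
}

func (b *BufferedBody) Close() error { return b.src.Close() }

// ApplyContentLength sets the outgoing Content-Length. original is the
// incoming value, or -1 when the header was absent (e.g. chunked). A body that
// was only inspected keeps the original value because its bytes are unchanged;
// only a replaced body gets a length computed from the buffered data. The bug
// the changelog fixes was emitting 0 whenever the body had not been buffered.
func ApplyContentLength(h http.Header, original int64, body *BufferedBody) int64 {
	if body.Replaced() {
		n := int64(len(body.buf))
		h.Set("Content-Length", strconv.FormatInt(n, 10))
		return n
	}
	if original < 0 {
		h.Del("Content-Length")
		return -1
	}
	h.Set("Content-Length", strconv.FormatInt(original, 10))
	return original
}

func main() {
	// constructed upstream response body
	body := NewBufferedBody(io.NopCloser(strings.NewReader(`{"ok":true}`)))
	h := http.Header{}
	fmt.Println("passthrough length:", ApplyContentLength(h, 11, body), "buffered:", body.Buffered())

	data, _ := body.Bytes() // a transform inspects the body: now fully in memory
	body.Replace([]byte(strings.ReplaceAll(string(data), "true", "false")))
	fmt.Println("replaced length:", ApplyContentLength(h, 11, body), "header:", h.Get("Content-Length"))
	out, _ := io.ReadAll(body)
	fmt.Println(string(out))
}
```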

New: Allowlist warn mode

The allowlist transform now supports a warn mode for observing what would be blocked without actually enforcing it. When warn: true is set, requests that would normally be rejected are instead allowed through and annotated with "action": "warn" in the transform trace, making it easy to audit traffic before switching to enforcement.

Usage

transforms:
  - name: allowlist
    config:
      warn: true
      domains:
        - "api.openai.com"
        - "*.anthropic.com"
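The decision logic behind warn mode, as an added example (not the transform's actual source): the configured domains above are matched, and a non-matching host is blocked in enforce mode or let through with "action": "warn" in the trace when warn is true. The wildcard semantics (subdomains only, not the bare apex), the Trace fields and the WouldBlock audit helper are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type Action string

const (
	ActionAllow Action = "allow"
	ActionBlock Action = "block"
	ActionWarn  Action = "warn" // would have been blocked; let through because warn: true
)

// Allowlist mirrors the transform config: the domain patterns and the warn switch.
type Allowlist struct {
	Domains []string
	Warn    bool
}

// Trace is the per-request annotation; in warn mode "action": "warn" marks the
// traffic that enforcement would reject.
type Trace struct {
	Transform string `json:"transform"`
	Host      string `json:"host"`
	Action    Action `json:"action"`
}

// matchDomain is a case-insensitive exact match, or for "*.example.com" a match
// of any subdomain of example.com. Assumption: the wildcard excludes the apex.
func matchDomain(pattern, host string) bool {
	pattern = strings.ToLower(pattern)
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if strings.HasPrefix(pattern, "*.") {
		suffix := pattern[1:] // ".example.com"
		return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
	}
	return pattern == host
}

// Decide reports whether the request may proceed and the trace entry to attach.
func (a Allowlist) Decide(host string) (bool, Trace) {
	tr := Trace{Transform: "allowlist", Host: host}
	for _, d := range a.Domains {
		if matchDomain(d, host) {
			tr.Action = ActionAllow
			return true, tr
		}
	}
	if a.Warn {
		tr.Action = ActionWarn
		return true, tr
	}
	tr.Action = ActionBlock
	return false, tr
}

// WouldBlock runs the list in warn mode over observed hosts and returns those
// that enforcement would reject: the audit step before setting warn to false.
func (a Allowlist) WouldBlock(hosts []string) []string {
	audit := a
	audit.Warn = true
	var out []string
	for _, h := range hosts {
		if _, tr := audit.Decide(h); tr.Action == ActionWarn {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	al := Allowlist{Domains: []string{"api.openai.com", "*.anthropic.com"}, Warn: true}
	// constructed sample of hosts seen in traffic
	for _, h := range []string{"api.openai.com", "api.anthropic.com", "anthropic.com", "pypi.org"} {
		_, tr := al.Decide(h)
		b, _ := json.Marshal(tr)
		fmt.Println(string(b))
	}
	fmt.Println("would block:", al.WouldBlock([]string{"api.openai.com", "pypi.org"}))
}
```

Matching on the suffix with the leading dot kept is what stops "evilanthropic.com" from satisfying "*.anthropic.com"; a plain HasSuffix on "anthropic.com" would let it through.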

New: CA Private Key Format Support

The proxy now supports loading CA private keys in PKCS1 (RSA) format in addition to the existing PKCS8 and EC formats. This means CA keys generated with tools that output traditional RSA key files (PEM header "RSA PRIVATE KEY") will work without needing to convert them to PKCS8 first.

No configuration changes are required. The correct format is detected automatically.

New: Configurable upstream DNS resolver

When iron-proxy owns the system DNS - for example, when running in a GitHub Action where all OS DNS is redirected to the proxy - upstream HTTP connections would loop back through the proxy's own resolver. The new dns.upstream_resolver setting gives the proxy a dedicated resolver for both passthrough DNS queries and upstream HTTP dials, breaking the loop.

If upstream_resolver is not set, behavior is unchanged: the OS default resolver is used.

Configuration

dns:
  listen: ":53"
  proxy_ip: "10.16.0.1"
  upstream_resolver: "8.8.8.8:53"

The resolver is used in two places:

  1. DNS passthrough queries: domains matching passthrough patterns are forwarded to the upstream resolver instead of the OS default.
  2. Upstream HTTP connections: when the proxy dials upstream servers, it resolves their hostnames via the upstream resolver, avoiding a loop through its own DNS.
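Both uses of the resolver, as an added example written for this entry rather than taken from iron-proxy: a net.Resolver whose Dial hook ignores the OS-configured nameserver (which in the scenario above is the proxy itself) and always dials the configured upstream; an http.Transport dialer that resolves through that resolver before connecting; and a passthrough function that forwards one raw DNS packet over UDP. The "8.8.8.8:53" value is the one from the configuration example above; function names are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"time"
)

// NewUpstreamResolver returns a resolver pinned to upstream (e.g. "8.8.8.8:53").
// An empty setting keeps net.DefaultResolver, the OS default, which is the
// unchanged behaviour when dns.upstream_resolver is not set.
func NewUpstreamResolver(upstream string) *net.Resolver {
	if upstream == "" {
		return net.DefaultResolver
	}
	d := &net.Dialer{Timeout: 5 * time.Second}
	return &net.Resolver{
		PreferGo: true, // Go's resolver honours the Dial hook; the cgo one would not
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			// The address argument comes from the OS resolver config, which in
			// the GitHub Action scenario points back at the proxy. Ignore it.
			return d.DialContext(ctx, network, upstream)
		},
	}
}

// UpstreamDialContext returns a DialContext for http.Transport that resolves the
// target host via r and dials the first address that accepts, so upstream HTTP
// never consults the OS resolver and never loops through the proxy's listener.
func UpstreamDialContext(r *net.Resolver) func(context.Context, string, string) (net.Conn, error) {
	d := &net.Dialer{Timeout: 10 * time.Second}
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := r.LookupIPAddr(ctx, host) // IP literals return without a query
		if err != nil {
			return nil, err
		}
		lastErr := errors.New("no addresses for " + host)
		for _, ip := range ips {
			conn, err := d.DialContext(ctx, network, net.JoinHostPort(ip.IP.String(), port))
			if err == nil {
				return conn, nil
			}
			lastErr = err
		}
		return nil, lastErr
	}
}

// NewUpstreamTransport wires the resolver into the transport used for upstream dials.
func NewUpstreamTransport(r *net.Resolver) *http.Transport {
	return &http.Transport{DialContext: UpstreamDialContext(r), ForceAttemptHTTP2: true}
}

// ForwardQuery is the DNS passthrough path: one raw wire-format query is sent
// to the upstream resolver over UDP and the raw reply is returned unparsed.
func ForwardQuery(ctx context.Context, upstream string, query []byte) ([]byte, error) {
	var d net.Dialer
	conn, err := d.DialContext(ctx, "udp", upstream)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	deadline, ok := ctx.Deadline()
	if !ok {
		deadline = time.Now().Add(5 * time.Second)
	}
	if err := conn.SetDeadline(deadline); err != nil {
		return nil, err
	}
	if _, err := conn.Write(query); err != nil {
		return nil, err
	}
	buf := make([]byte, 4096) // 512 is the classic UDP limit; EDNS0 replies can be larger
	n, err := conn.Read(buf)
	if err != nil {
		return nil, err
	}
	return buf[:n], nil
}

func main() {
	r := NewUpstreamResolver("8.8.8.8:53")
	client := &http.Client{Transport: NewUpstreamTransport(r), Timeout: 10 * time.Second}
	fmt.Printf("resolver pinned: %v, client ready: %v\n", r != net.DefaultResolver, client != nil)
}
```

PreferGo matters: with the cgo resolver the Dial hook is ignored and lookups silently fall back to the OS path, which is exactly the loop the setting exists to break.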