Changelog

View on GitHub →

New: gRPC Transform API

iron-proxy now supports delegating request/response handling to external gRPC servers via a new grpc transform. Build custom policy engines, request loggers, or body rewriters as standalone services and plug them into the pipeline.

  transforms:
    - name: grpc
      config:
        name: "policy-engine"
        target: "localhost:9500"
        send_request_body: true
        send_response_body: true
        rules:
          - host: "api.openai.com"
            methods: ["POST"]
            paths: ["/v1/*"]

Features:

  • One server per transform entry. Chain multiple gRPC backends by adding multiple entries. They run in pipeline order.
  • Selective routing via rules. Same host/CIDR/methods/paths syntax as the allowlist. Requests that don't match skip the gRPC call entirely.
  • Body control. send_request_body and send_response_body opt in to forwarding bodies over gRPC. Bodies are capped by the global max_request_body_bytes / max_response_body_bytes settings.
  • TLS support. Plaintext by default; enable TLS with optional custom CA and mTLS client certs via tls.enabled, tls.ca_cert, tls.cert, tls.key.

The proto schema lives in proto/transform/v1/transform.proto. Generated Go code is in gen/transform/v1/. Codegen uses https://buf.build.

Other changes

  • Global body buffer limits. New proxy.max_request_body_bytes (default 1 MiB) and proxy.max_response_body_bytes (default uncapped) control how much transforms can buffer. Bodies are buffered incrementally as transforms read them and automatically rewound between pipeline stages.
  • Streaming response writes. Response bodies are no longer fully buffered into memory before writing to the client. The proxy streams first from whatever the transforms already buffered and then directly from the upstream connection.
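The incremental buffering and rewind behaviour described above is easy to get subtly wrong (a stage that re-reads upstream, or a cap that is only checked after the whole body is in memory). The following is an added example, not iron-proxy's own code, of a body wrapper that buffers bytes only as stages read them, rewinds between stages, and refuses to pull more than one byte past the cap so an oversized body is rejected without being held in memory. The type and function names (ReplayBody, RunPipeline) are hypothetical; a cap of 0 stands in for the "uncapped" default.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrBodyTooLarge is what a stage sees once the body exceeds the configured cap.
var ErrBodyTooLarge = errors.New("body exceeds max buffer bytes")

// ReplayBody wraps an upstream body stream so several pipeline stages can read
// it in turn. Bytes are copied into memory only as they are pulled from the
// stream; Rewind lets the next stage start from byte zero without touching the
// stream again. maxBytes == 0 means uncapped. Hypothetical type for this example.
type ReplayBody struct {
	src      io.Reader
	buf      []byte
	pos      int // read position of the current stage within buf
	maxBytes int
	srcEOF   bool
	tooLarge bool
}

func NewReplayBody(src io.Reader, maxBytes int) *ReplayBody {
	return &ReplayBody{src: src, maxBytes: maxBytes}
}

// Read serves already-buffered bytes first, then pulls from upstream, never
// fetching more than one byte beyond the cap: that single extra byte is enough
// to detect an oversized body without buffering it.
func (b *ReplayBody) Read(p []byte) (int, error) {
	if b.pos < len(b.buf) {
		n := copy(p, b.buf[b.pos:])
		b.pos += n
		return n, nil
	}
	if b.tooLarge {
		return 0, ErrBodyTooLarge
	}
	if b.srcEOF {
		return 0, io.EOF
	}
	if b.maxBytes > 0 && len(p) > b.maxBytes-len(b.buf)+1 {
		p = p[:b.maxBytes-len(b.buf)+1]
	}
	n, err := b.src.Read(p)
	if n > 0 {
		if b.maxBytes > 0 && len(b.buf)+n > b.maxBytes {
			b.tooLarge = true // remember the verdict for every later stage
			return 0, ErrBodyTooLarge
		}
		b.buf = append(b.buf, p[:n]...)
		b.pos += n
	}
	if err == io.EOF {
		b.srcEOF = true
	}
	return n, err
}

// Rewind resets the read position so the next stage sees the body from the start.
func (b *ReplayBody) Rewind() { b.pos = 0 }

// countingReader records how many bytes the upstream stream actually served,
// which proves the body is read from upstream once, not once per stage.
type countingReader struct {
	r io.Reader
	n int
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += n
	return n, err
}

// RunPipeline drives two stages over one constructed body: stage one peeks at
// the first four bytes, stage two reads everything after a Rewind. It returns
// what each stage saw and how many bytes were pulled from upstream.
func RunPipeline(body string, maxBytes int) (peek, full string, upstream int, err error) {
	src := &countingReader{r: strings.NewReader(body)}
	rb := NewReplayBody(src, maxBytes)
	head := make([]byte, 4)
	n, err := io.ReadFull(rb, head)
	if err != nil && err != io.ErrUnexpectedEOF {
		return "", "", src.n, err
	}
	peek = string(head[:n])
	rb.Rewind()
	all, err := io.ReadAll(rb)
	if err != nil {
		return peek, "", src.n, err
	}
	return peek, string(all), src.n, nil
}

func main() {
	for _, maxBytes := range []int{1 << 20, 8} {
		peek, full, upstream, err := RunPipeline("hello world", maxBytes)
		fmt.Printf("cap=%d peek=%q full=%q upstreamBytes=%d err=%v\n", maxBytes, peek, full, upstream, err)
	}
}
```

With the 1 MiB cap both stages see the body and upstream is read exactly once (11 bytes for the sample); with a cap of 8 the peek succeeds, the second stage gets ErrBodyTooLarge, and only 9 bytes ever left the upstream connection.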

New: Method and path matching in allowlist rules

The allowlist transform now supports per-rule HTTP method and path restrictions. Previously you could only allow or deny entire domains/CIDRs. Now you can lock down exactly which endpoints and methods are permitted.

New rules config:

  transforms:
    - name: allowlist
      config:
        # Simple form still works — all methods, all paths
        domains:
          - "registry.npmjs.org"

        # New: restrict by method and/or path
        rules:
          - host: "api.openai.com"
            methods: ["POST"]
            paths: ["/v1/*"]
          - host: "*.anthropic.com"
            methods: ["POST"]
            paths: ["/v1/messages", "/v1/complete"]
          - cidr: "172.16.0.0/12"
            methods: ["GET"]

Each rule specifies a host (domain glob) or CIDR, plus optional methods and paths. Omitting methods or paths allows all. Path patterns ending in /* match any subpath (e.g. /v1/* matches /v1/chat/completions).

Existing configs with flat domain/CIDR lists continue to work unchanged.
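To make the matching semantics concrete, here is an added example, not iron-proxy's own code, of a matcher that evaluates the config above: domain globs, CIDRs, optional methods and paths, the /* subpath form, and the flat domains list treated as "all methods, all paths". The same host/CIDR/methods/paths syntax selects requests for the gRPC transform, so the matcher applies there too. Type and function names (Rule, Allowlist, SampleAllowlist) are hypothetical, hosts are assumed to arrive without a port, and the assumption that "/v1/*" requires the slash (so it matches "/v1/" and "/v1/chat/completions" but not "/v1") is this example's, not the project's.

```go
package main

import (
	"fmt"
	"net/netip"
	"path"
	"strings"
)

// Rule is one entry under rules: in the allowlist config (hypothetical struct).
type Rule struct {
	Host    string   // domain glob such as "*.anthropic.com"; empty when CIDR is set
	CIDR    string   // IP range such as "172.16.0.0/12"; empty when Host is set
	Methods []string // empty means all methods
	Paths   []string // empty means all paths; a trailing "/*" matches any subpath
}

// Allowlist holds the flat domains: list and the rules: list side by side.
type Allowlist struct {
	Domains []string
	Rules   []Rule
}

// hostMatches compares a request host (assumed to have no port) against a
// domain glob or a CIDR. CIDR rules only apply to IP-literal hosts.
func (r Rule) hostMatches(host string) bool {
	host = strings.ToLower(host)
	if r.CIDR != "" {
		prefix, err := netip.ParsePrefix(r.CIDR)
		if err != nil {
			return false // a malformed CIDR never matches (fail closed)
		}
		addr, err := netip.ParseAddr(host)
		if err != nil {
			return false
		}
		return prefix.Contains(addr)
	}
	// path.Match gives shell-style globbing; '*' never crosses '/', which a
	// hostname cannot contain anyway, so "*.anthropic.com" matches any number
	// of leading labels but not the bare apex "anthropic.com".
	ok, err := path.Match(strings.ToLower(r.Host), host)
	return err == nil && ok
}

func (r Rule) methodMatches(method string) bool {
	if len(r.Methods) == 0 {
		return true // omitted methods allows all
	}
	for _, m := range r.Methods {
		if strings.EqualFold(m, method) {
			return true
		}
	}
	return false
}

// pathMatches treats "/v1/*" as "everything under /v1/" and any other pattern
// as an exact match.
func (r Rule) pathMatches(p string) bool {
	if len(r.Paths) == 0 {
		return true // omitted paths allows all
	}
	for _, pat := range r.Paths {
		if strings.HasSuffix(pat, "/*") {
			if strings.HasPrefix(p, strings.TrimSuffix(pat, "*")) {
				return true
			}
		} else if p == pat {
			return true
		}
	}
	return false
}

// Allowed reports whether a request passes. A flat domains: entry behaves like
// a rule with no method or path restriction; nothing matching means deny.
func (a Allowlist) Allowed(method, host, reqPath string) bool {
	for _, d := range a.Domains {
		if (Rule{Host: d}).hostMatches(host) {
			return true
		}
	}
	for _, r := range a.Rules {
		if r.hostMatches(host) && r.methodMatches(method) && r.pathMatches(reqPath) {
			return true
		}
	}
	return false
}

// SampleAllowlist builds the configuration shown in the YAML above.
func SampleAllowlist() Allowlist {
	return Allowlist{
		Domains: []string{"registry.npmjs.org"},
		Rules: []Rule{
			{Host: "api.openai.com", Methods: []string{"POST"}, Paths: []string{"/v1/*"}},
			{Host: "*.anthropic.com", Methods: []string{"POST"}, Paths: []string{"/v1/messages", "/v1/complete"}},
			{CIDR: "172.16.0.0/12", Methods: []string{"GET"}},
		},
	}
}

func main() {
	al := SampleAllowlist()
	for _, req := range [][3]string{ // constructed sample requests
		{"POST", "api.openai.com", "/v1/chat/completions"},
		{"GET", "api.openai.com", "/v1/models"},
		{"POST", "api.anthropic.com", "/v1/messages"},
		{"GET", "172.16.5.9", "/healthz"},
		{"POST", "10.0.0.1", "/"},
	} {
		fmt.Printf("%-5s %-18s %-22s allowed=%v\n", req[0], req[1], req[2], al.Allowed(req[0], req[1], req[2]))
	}
}
```

The matcher fails closed on every ambiguity (malformed CIDR, non-IP host against a CIDR rule, no matching rule), which is the property worth checking in any allowlist: a mistake in a rule should narrow what is permitted, never widen it.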

Changelog

  • e4e912e45696c4f846024079ac543f530a6f9beb Initial OSS release
  • a18cedc36204a2a7308339e8058f3474dd566e41 Support HTTP Basic auth in secrets transform (#2)
  • 6555a10622adb56fdc8e2ba786fe702e5a882a3a fix: Small clarifications in comparison table (#1)