Heroku Setup Instructions - QG Shield Static IP’s

QuotaGuard Shield Static IP’s

QuotaGuard Shield is a Heroku Static IP add-on that allows you to route inbound & outbound traffic through a static IP address on Heroku with full end-to-end encryption. You can provide the IP addresses to an API partner for IP-based allowlisting and open your own firewall to access internal resources.

QuotaGuard Shield Static IP’s come in two flavors:

1. Outbound HTTPS proxy for accessing HTTP & HTTPS web services
2. Inbound HTTPS reverse proxy for accessing your Heroku app on a static IP

For outbound traffic, there is native support across Ruby, Python, Node.js, PHP, Scala, Java, and nearly every other language for the HTTPS Proxy.

For inbound traffic, we provide you with a CNAME record to point your domain to and we utilize SSL Passthrough to connect to your application. Inbound proxy is Heroku ACM compatible or you can bring your own certificates.

Note: Inbound proxy service is only available for the Micro plan or above.

Which QuotaGuard Should I Use?

We offer three products on Heroku, QuotaGuard, QuotaGuard Static, and QuotaGuard Shield.

QuotaGuard routes your traffic through a dynamic set of IP addresses that may change at any time and is intended for accessing APIs like Google Maps that restrict usage based on your IP address. It should be used if you want to access these APIs without your limit being shared with other Heroku apps.

QuotaGuard Static IP’s routes your Heroku traffic through a pair of static IP addresses that never change. It should be used if you need your traffic to pass through a known static IP address for the purpose of firewall ingress rules or application allowlisting with a third party. QuotaGuard Static IP’s uses HTTP and SOCKS5 for outbound service and SSL Termination for inbound service.

QuotaGuard Shield Static IP’s are HIPAA compliant and built to handle Heroku traffic that contains PII and other sensitive information. QuotaGuard Shield routes your traffic through a pair of static IP addresses that never change with a higher level of security over QuotaGuard Static. The service uses HTTPS and SOCKS over TLS for outbound service and SSL Passthrough for inbound service. Like QuotaGuard Static, QuotaGuard Shield should be used if you need your traffic to pass through a known IP address for the purpose of firewall ingress rules or application allowlisting with a third party. Shield allows you to utilize Heroku’s ACM for your site or bring your own certificate.

Please send us email if you’d like more guidance on what service fits your needs best.

Provisioning the Add-On

Plans

A list of all plans available can be found in the Pricing section.

QuotaGuard Shield can be added to a Heroku application via the CLI:

$ heroku addons:create quotaguardshield:starter
-----> Adding quotaguardshield:starter to sharp-mountain-4005... done, v18 (free)
-----> Your static IPs are [10.11.12.13, 14.15.16.17]

Once the QuotaGuard Shield add-on has been added, the QUOTAGUARDSHIELD_URL setting is available in that app’s configuration. This contains the full URL you should use to proxy your requests. This can be confirmed using the heroku config:get command:

$ heroku config:get QUOTAGUARDSHIELD_URL
-----> https://user:pass@shield.quotaguard.com:9294

After installing QuotaGuard Shield, the application should be configured to fully integrate with the add-on. However, you are not done, you still have to configure your application to route traffic via the Static IP’s.

What Are My IPs?

You are provided with two static IP addresses as part of our fault tolerant, load balanced service. Traffic may route through either one at any time.

Your two IP addresses will be printed on the command line when you provision the add-on, and you can view them on your QuotaGuard Shield dashboard, accessible by clicking the small arrow next to the QuotaGuard Shield add-on on the Heroku Dashboard.

Local Setup

Environment Setup

After provisioning the add-on, it’s necessary to locally replicate the config vars so your development environment can operate against the service. This should be used for initial testing only as usage will count against your daily limits.

Though less portable, it’s also possible to set local environment variables using export QUOTAGUARDSHIELD_URL=value.

Use Heroku Local to configure, run and manage process types specified in your app’s Procfile. Heroku Local reads configuration variables from a .env file. Use the following command to add theQUOTAGUARDSHIELD_URL value retrieved from heroku config to .env:

$ heroku config -s | grep QUOTAGUARDSHIELD_URL >> .env
$ more .env

Warning! Credentials and other sensitive configuration values should not be committed to source-control. In Git exclude the .env file with: echo .env >> .gitignore.

HTTPS Proxy

The HTTPS Proxy is an outbound proxy service, allowing your application to reach an external endpoint (ie: HTTPS api) with HTTP or HTTPS protocols.

How Secure is the HTTPS Proxy

The connection from your application to our proxy servers is completed over HTTPS. Unlike HTTP Proxy services, this includes the initial CONNECT request which contains the proxy credentials.

Utilizing the HTTPS proxy to access HTTPS services and websites will ensure the highest level of security. On receipt of the CONNECT request, the proxy will open a tunnel between your client and the endpoint, allowing your client to negotiate a standard SSL session with the endpoint. Once negotiated all traffic sent between your client and the endpoint will be encrypted as if you had connected directly with them. QuotaGuard nor anyone else will have access to the information in the HTTPS requests.

You can utilize the HTTPS proxy to access HTTP services and websites. When doing this the information between your application and the proxy server are encrypted (HTTP over HTTPS proxy), but the information between the proxy server and the end point are not (HTTP).

HTTPS Proxy with QGPass

QGPass is a wrapper program that makes using the the HTTPS Proxy as easy as connecting to an unauthenticated HTTP Proxy. Connection can be made to localhost:8080 with no credentials, then QGPass will use the secure HTTPS connection URL to proxy your requests through our proxy servers.

To get started with the with QGPass, please follow these steps:

Download QGPass

Download and extract the qgpass in the root directory of your app:

Linux

$ curl https://s3.amazonaws.com/quotaguard/qgpass-latest.tar.gz | tar xz

Mac (available only for local testing)

$ curl https://quotaguard.s3.amazonaws.com/qgpass-1.1.0-darwin.tar.gz | tar xz

Change your code

Change your code to connect through QGPass at http://localhost:8080. Each language has simple HTTP proxy support. Examples can be found in later sections of this documentation.

Change your Procfile

Modify your app Procfile to prepend the QGPass application to your standard commands:

Before:

web: bundle exec unicorn -p $PORT -c ./config/unicorn.rb

After:

web: bin/qgpass bundle exec unicorn -p $PORT -c ./config/unicorn.rb

Deploy

Commit and deploy your changes. Be sure to add bin/qgpass.

If problems arise

By default all fatal errors encountered by the qgpass will be logged to your Heroku logs. If this information is not enough, enable verbose output mode by setting QGPASS_DEBUG environment variable to true.

$ heroku config:set QGPASS_DEBUG=true

Send any information in the logs (please redact any credentials, including your QuotaGuard connection URL) to support@quotaguard.com.

HTTPS Proxy with Ruby/Rails

Ruby’s popular HTTP libraries REST client and HTTParty do not support HTTPS proxies out of the box. We can use QGPass to get around this.

require "rest-client"

RestClient.proxy = "http://localhost:8080"

res = RestClient.get("https://ip.quotaguard.com")

puts "Your Static IP is: #{res.body}"

Note: Be sure to follow the directions in the QGPass section.

HTTPS Proxy Python/Django

Requests is a great HTTP library for Python. It allows you to specify an authenticated proxy on a per request basis so you can pick and choose when to route through your static IP.

import requests
import os

proxies = {
"http": os.environ['QUOTAGUARDSHIELD_URL'],
"https": os.environ['QUOTAGUARDSHIELD_URL']
}

res = requests.get("http://ip.quotaguard.com/", proxies=proxies)
print(res.text)

HTTPS Proxy with Node.js

The standard Node.js HTTPS module does not handle making requests through a proxy very well. If you need to access an HTTPS API we recommend using the Request module (npm install request) with https-proxy-agent (npm install https-proxy-agent).

'use strict';
require('dotenv').load({ silent: true });

var url = require('url');
var HttpsProxyAgent = require('https-proxy-agent');
var request = require('request');

var testEndpoint = 'https://ip.quotaguard.com';
var proxy = process.env.QUOTAGUARDSHIELD_URL;
var agent = new HttpsProxyAgent(proxy);
var options = {
  uri: url.parse(testEndpoint),
  agent
};

function callback(error, response, body) {
  if (!error && response.statusCode == 200) {
    console.log('body: ', body);
  } else {
    console.log('error: ', error);
  }
}

request(options, callback);

HTTPS Proxy with PHP

PHP cURL is the easiest way to make HTTP requests via QuotaGuard Shield. This example assumes that you have set the QUOTAGUARDSHIELD_URL environment variable which is automatically set for you when you provision the add-on.

The IP address printed on screen will be one of your two static IP addresses, run it a couple of times and you’ll probably see the other one too.

<?php

function lookup(){
  $quotaguard_env = getenv("QUOTAGUARDSHIELD_URL");
  $quotaguard = parse_url($quotaguard_env);

  $proxyUrl       = $quotaguard['host'].":".$quotaguard['port'];
  $proxyAuth       = $quotaguard['user'].":".$quotaguard['pass'];

  $url = "https://ip.quotaguard.com/";

  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($ch, CURLOPT_PROXY, $proxyUrl);
  curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_BASIC);
  curl_setopt($ch, CURLOPT_PROXYUSERPWD, $proxyAuth);
  curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_HTTPS);
  $response = curl_exec($ch);
  return $response;
}

$res = lookup();
print_r($res);

?>

HTTPS Proxy with Java

The example below uses Apache HttpClient, but the same configuration applies to other JVM-based clients.

import java.net.*;
import java.io.*;

public class HelloWorld {
    public static void main(String []args) throws IOException {
        URL proxyUrl = new URL(System.getenv("QUOTAGUARDSHIELD_URL"));
        String userInfo = proxyUrl.getUserInfo();
        String user = userInfo.substring(0, userInfo.indexOf(':'));
        String password = userInfo.substring(userInfo.indexOf(':') + 1);

        URLConnection conn = null;
        System.setProperty("http.proxyHost", proxyUrl.getHost());
        System.setProperty("http.proxyPort", Integer.toString(proxyUrl.getPort()));

        Authenticator.setDefault(new Authenticator() {
                protected PasswordAuthentication getPasswordAuthentication() {
                    return new PasswordAuthentication(user, password.toCharArray());
                }
            });

        URL url = new URL("https://ip.quotaguard.com");
        conn = url.openConnection();
        BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()));

        String inputLine;
        while ((inputLine = in.readLine()) != null)
            System.out.println(inputLine);

        in.close();
    }
}

You can check available proxy related JVM settings here.

HTTPS Proxy with Clojure

The Clojure clj-http library allows you to configure a proxy for an HTTP request. The example below shows you how to use this with the add-on:

(defn get-quota-guard []
  (let [proxy-uri (java.net.URI. (env :quotaguardshield-url))]
    (client/get "http://httpbin.org/ip"
      {:proxy-host (.getHost proxy-uri)
       :proxy-port (.getPort proxy-uri)
       :headers {
         "Proxy-Authorization"
         (str "Basic " (.encode (sun.misc.BASE64Encoder.)
           (.getBytes (.getUserInfo proxy-uri))))}})))

HTTP Proxy with Golang

For Golang, you can setup a per-request proxy in the http package like this:

proxyUrl, err := url.Parse("http://username:password@proxy.quotaguard.com:9293")
myClient := &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(proxyUrl)}}

Or you can configure it for all requests like this:

proxyUrl, err := url.Parse("http://username:password@proxy.quotaguard.com:9293")
http.DefaultTransport = &http.Transport{Proxy: http.ProxyURL(proxyUrl)}```

Secure SOCKS5 Proxy

SOCKS5 is a very flexible TCP level tunneling protocol which works on a per host basis and is compatible with all programming environments. QuotaGuard Shield provides Secure SOCKS, which is SOCKS5 over a TLS connection. Secure SOCKS encrypts your credentials and connection between your application and our proxy servers.

To utilize the Secure SOCKS system, you can use the QuotaGuard Tunnel (QGTunnel). QGTunnel is an extremely versatile wrapper script for your process. It allows you to map one or more local ports to route through the QuotaGuard proxy servers. It supports a DNS override mode for protocols that require the hostname stay the same (ie: HTTPS) or to minimize the impact on the code. QGTunnel also supports end-to-end encryption of your tunnel data for protocols that are not encrypted (ie: redis).

QGTunnel is great for connecting to databases such as mysql, postgresql, mongodb, and mssql. QGTunnel also works great with SFTP and FTP. QGTunnel works with just about any TCP based protocol and with just about any framework or programming language.

Secure SOCKS5 Proxy with QGTunnel

To get started with the SOCKS5 proxy utilizing QGTunnel, please follow these steps:

Download QGTunnel

Download and extract the qgtunnel in the root directory of your app:

$ curl https://s3.amazonaws.com/quotaguard/qgtunnel-latest.tar.gz | tar xz

Setup the Tunnel

Login to our dashboard and setup the tunnel:

$ heroku addons:open quotaguardshield
Opening quotaguardshield for sharp-mountain-4005...

At the top right, click Settings, then Setup. On the left, click Tunnel, then Create Tunnel. This example assumes a MySQL server.

Remote Destination: tcp://hostname.for.your.server.com:3306
Local Port: 3306
Transparent: true
Encrypted: false

This setup assumes that your server is located at “hostname.for.your.server.com” and is listening on port 3306 (the default mysql port).

Use the same port for the local port, unless you are using that port on your dyno or it is below 1024, then you will have to change this to some other port (say 3307).

Transparent mode allows QuotaGuard to override the DNS for hostname.for.your.server.com to 127.0.0.1, which redirects traffic to the QGTunnel software. This means you can connect to either hostname.for.your.server.com or 127.0.0.1 to connect through the QGTunnel. More information is available on transparent mode as you follow along in these instructions.

Encrypted mode can be used to encrypt data end-to-end, but if your protocol is already encrypted then you don’t need to spend time setting it up. More details on end-to-end encryption is below as you follow these instructions.

Note: Creating the tunnels in the dashboard is for convenience. See the last step (Harden your setup) for how to remove a dependency from your system.

Change your code (maybe)

You may have to change your code to connect through QGTunnel.

With transparent mode, and when using the same local and remote port, you should not have to change your code.

Without transparent mode, you will want to connect to 127.0.0.1:3306 (in this example). If you changed the local port, then you will need to change the port number to match.

Change your Procfile

Modify your app Procfile to prepend the QGTunnel application to your standard commands:

Before:

web: bundle exec unicorn -p $PORT -c ./config/unicorn.rb

After:

web: bin/qgtunnel bundle exec unicorn -p $PORT -c ./config/unicorn.rb

Deploy

Commit and deploy your changes. Be sure to add bin/qgtunnel. If you are using transparent mode, be sure vendor/nss_wrapper/libnss_wrapper.so is also committed.

If problems arise

By default all fatal errors encountered by the qgtunnel will be logged to your Heroku logs. If this information is not enough, you can enable verbose output mode by setting QGTUNNEL_DEBUG environment variable to true.

$ heroku config:set QGTUNNEL_DEBUG=true

Send any information in the logs (please redact any credentials, including your QuotaGuard connection URL) to support@quotaguard.com.

IMPORTANT: Harden your setup.

This step is highly recommended as we do not have any SLA on our website, which can be out due to maintenance.

By default qgtunnel will try to fetch configuration from the QuotaGuard API, but it also supports local configuration. You should download the configuration file from the Dashboard by pressing Download configuration on the Tunnel page.

Place the downloaded file into the root directory of your project under the .qgtunnel filename, commit and deploy. With this file, your application will not depend on the availability of our website during application startup.

Transparent Mode

If your application depends on DNS based discovery process or needs local tunnel to be resolvable via the DNS name regular tunneling mode will not be enough. For this situation you should enable transparent mode for the QGTunnel in your configuration. In transparent mode, QGTunnel will alter DNS queries from your app to the local address.

Let’s say you want to access replicated MongoDB cluster using QGTunnel with 3 replicas located on the hosts: rs01.mongodb.net:52115, rs02.mongodb.net:52115 and rs1.mongodb.net:52115. For this configuration you will need to create 3 separate tunnels for each host on the port 52115 in transparent mode. Once this is done, QGTunnel will alter DNS resolution process to resolve these host names to the appropriate loopback address and auto discovery for your replicated cluster should work as intended.

End-to-End Encryption

Tunnels support communication over TLS encrypted connections. Encryption offers a high level of data protection: all data will be decrypted only in the environments that you control. The remote destination that the tunnels connect to have to support TLS encryption and have a valid certificate installed. If your remote destination doesn’t support encryption, you can use stunnel. You can use self-signed certificates, however you have to provide a custom root CA certificate, it will be added to the list of trusted roots in qgtunnel.

For example: You want to connect to the IP restricted Redis and encrypt all traffic between the Heroku app and Redis server. Redis doesn’t support encryption, so you have to install stunnel on the Redis server or any other server within the same network. Typical stunnel configuration that you might want to use:

[redis]
accept = 6380
connect = 127.0.0.1:6379
cert = example.com.pem

With this configuration, stunnel will start TLS server on port 6380, it will handle encrypted traffic and will pass decrypted data to the Redis server on 127.0.0.1:6379. As noted you will need a valid certificate, or you can generate self-signed certificate:

• Generate private key and certificate for the custom CA:

$ openssl genrsa -out CA.key 2048
$ openssl req -x509 -new -key CA.key -out CA.cer -days 730

• Generate CSR for your domain and sign it with custom CA:

$ openssl genrsa -out example.com.key 2048
$ openssl req -new -out example.com.req -key example.com.key
$ openssl x509 -req -in example.com.req -out example.com.cer -CAkey CA.key -CA CA.cer -days 365 -CAcreateserial -CAserial serial

• Create PEM bundle:

$ cat example.com.key example.com.cer > example.com.pem

Install example.com.pem on stunnel server. Add CA.cer to your heroku repository and update qgtunnel command in your Procfile:

web: bin/qgtunnel -root_ca CA.cer bundle exec unicorn -p $PORT -c ./config/unicorn.rb

Finally enable encryption for your tunnel configuration on QuotaGuard dashboard.

With this configuration, all the traffic handled by qgtunnel will be encrypted with your certificate and all data will be passing proxies in encrypted format.

Inbound Proxy

The Inbound Proxy allows you to always access your Heroku app on a static IP address. This feature is available on our Micro plan and above.

Once you have provisioned the add-on, you just need to visit the QuotaGuard Shield Dashboard to complete your setup. You can do this from your Heroku Dashboard by clicking on our icon or from your command line:

$ heroku addons:open quotaguardshield
Opening quotaguardshield for sharp-mountain-4005...

Visit the Setup page and follow the instructions on the Inbound page.

We create for you a unique DNS entry that you can use to access your web application (e.g., a62b1d0b4983db763450411fd393b3ce-eu-west-1.getstatica.com).

This URL corresponds to a set of DNS A name records that resolves to your two QuotaGuard Shield IPs. You should point your DNS entry for your domain to a CNAME record containing this unique URL. You should include both IP addresses in any firewall rules or allowlists.

Open this URL in your browser and you should see your own web application.

In your firewall you can now open access to the two QuotaGuard Shield IPs in order to work with your cloud app.

Monitoring & logging

Real-time and historical usage stats can be displayed on the QuotaGuard Shield Dashboard accessible from your Heroku Dashboard.

Dashboard

The QuotaGuard Shield dashboard allows you to view your real-time and historical usage of every API.

The dashboard can be accessed via the CLI:

$ heroku addons:open quotaguardshield
Opening quotaguardshield for sharp-mountain-4005...

or by visiting the Heroku apps web interface and selecting the application in question. Select QuotaGuard Shield from the Add-ons menu.

FAQs

Do you offer Dedicated Static IPs?

Yes - dedicated IP addresses are available on request for subscriptions on the Enterprise plan and above. As they require dedicated infrastructure we only provision these on request so please contact us if you want a dedicated Static IP address.

What happens when I reach my usage limit?

To make sure we grow in harmony with your application, QuotaGuard Shield operates initially with a soft limit. When you reach your plan’s monthly usage limit your requests will continue going through but we will reach out to you via email to ask that you upgrade your plan.

If you repeatedly exceed your limits without upgrading then hard limits may be placed on your account but this is a very last resort.

I’ve forgotten what my Static IPs are.

Both IPs are shown on your Dashboard which you can get to either from your Heroku Apps page or via the CLI.

Can I access your Brazilian instance in Sao Paulo?

QuotaGuard Shield is deployed in the Heroku US, Asia, LA and Europeon regions, and you are automatically assigned to an instance in the same region as your app. If you would like to use our South America instance located in Sao Paulo, please contact us and we can manually relocate you. This will change your Static IP address.

$ heroku addons:open quotaguard
Opening quotaguardshield for sharp-mountain-4005...

Why have you given me two Static IP addresses?

We believe all apps should be built for scalability and high availability. Our commitment to this means we only provide load balanced, high availability services. Load balancing our nodes allows one node to fail or be brought down for maintenance with no impact to your application. Each IP you are given represents one proxy node that is running behind a load balancer.

However, if you want to use just one IP address, you can change your QUOTAGUARDSHIELD_URL environment variable to point to one of the two IPs following this format:

https://USERNAME:PASSWORD@PROXY-a.quotaguard.com:9294

https://USERNAME:PASSWORD@PROXY-b.quotaguard.com:9294

The IP’s behind “-a/-b” will not change, so whichever one you choose will stay constant.

Contact support@quotaguard.com if you have any issues utilizing just one of the two IPs.

What region does QuotaGuard Shield run in?

We have instances in the US, EU, SA, EA, and AP regions. When you provision the add-on you will be assigned static IPs in the same region as your Heroku app ensuring we can always process your requests with ultra low latency.

Can I access MySQL, MongoDB, or Postgres through this?

Yes. Please utilize the QGTunnel software as described in this document.

Migrating between plans

Note: Application owners can migrate at any time with no interruption to your service.

Use the heroku addons:upgrade command to migrate to a new plan.

$ heroku addons:upgrade quotaguardshield:large
-----> Upgrading quotaguardshield:large to sharp-mountain-4005... done, v18 ($90/mo)
       Your plan has been updated to: quotaguardshield:large

Note: The QUOTAGUARDSHIELD_URL will revert back to it’s original setting when you change plans. Be prepared to reset this if you have changed it.

Installing Curl Dev Package

pycurl and curb require the libcurl4-openssl-dev debian package to be installed. This can be accomplished with the ‘heroku-buildpack-apt’ multipack.

To use the latest stable version of the buildpack:

$ heroku buildpacks:add --index 1 heroku-community/apt
-----> Buildpack added. Next release on stork-crest-63916 will use:
----->   1. heroku-community/apt
----->   2. heroku/ruby
-----> Run git push heroku master to create a new release using these buildpacks.

Add libcurl4-openssl-dev to the Aptfile in the root of your project.

Removing the add-on

QuotaGuard Shield can be removed via the CLI.

WARNING: This will destroy all associated data and cannot be undone!

$ heroku addons:destroy quotaguardshield
-----> Removing quotaguardshield from sharp-mountain-4005... done, v20 (free)

Privacy - GDPR and CCPA

All three QuotaGuard services are a GDPR and CCPA compliant.

Please review our Privacy Policy and GDPR compliance information at QuotaGuard.com’s Privacy Policy page.

In addition, we also answer many questions around Privacy, Security, and GDPR at QuotaGuard.com FAQ’s.

If you need a DPA for your customers, or from us as a sub-contractor of your services, please contact us via our Support](mailto:support@quotaguard.com){:target=”_blank”} channel so we can get you the right DPA contract for your review.

Support

All QuotaGuard Shield support and runtime issues should be submitted to our Support.