QuotaGuard and Scalingo Integration Guide
QuotaGuard Static gives your Scalingo apps two static outbound IP addresses. Set HTTP_PROXY and HTTPS_PROXY with the Scalingo CLI, restart the app, and every outbound request exits from one of your two static IPs.
Why Scalingo Apps Often Need Static Outbound IPs
Scalingo publishes its regional egress IPs through a domain like egress.osc-fr1.scalingo.com, so you can allowlist them. Two things push teams to bring their own pair instead. Those IPs are shared by every app in the region, so a destination that allowlists one is trusting every other Scalingo tenant on it, which many security teams reject. Scalingo also states the egress IPs may change with at least 30 days’ notice, which puts you on a clock to update partner allowlists on Scalingo’s schedule. QuotaGuard gives you two static IPs assigned to your subscription that stay the same unless you ask to change them.
Getting Started
After creating a QuotaGuard account, you are redirected to your dashboard, where you can find your proxy credentials and two static IP addresses.
Choose the right proxy region: Select the QuotaGuard region closest to your Scalingo region (for example osc-fr1, hosted on Outscale eu-west-2) to minimize latency. The region is set at sign-up. Changes after sign-up require contacting support.
Step 1: Set the Proxy with the Scalingo CLI
Most runtimes and HTTP clients read the standard HTTP_PROXY and HTTPS_PROXY variables automatically. Set them using the proxy URL from your QuotaGuard dashboard, then restart, because Scalingo does not automatically restart your app when environment variables change.
```shell
scalingo --app my-app env-set \
  "HTTP_PROXY=http://username:password@<your-quotaguard-proxy-host>:9293" \
  "HTTPS_PROXY=http://username:password@<your-quotaguard-proxy-host>:9293" \
  "NO_PROXY=localhost,127.0.0.1"
scalingo --app my-app restart
```
Use the exact value of QUOTAGUARDSTATIC_URL from your dashboard.
You can also set these in the Environment tab of the dashboard. Either way, the restart is required for the app to pick them up.
Step 2: Route Outbound Traffic Through the Proxy
With the variables set, most clients route automatically. To be explicit per request:
Python:
```python
import os
import requests

# Send this request through the proxy named in HTTPS_PROXY.
proxy = os.environ["HTTPS_PROXY"]
r = requests.get("https://api.example.com/data", proxies={"http": proxy, "https": proxy})
print(r.json())
```
Node.js:
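```javascript
const { ProxyAgent, fetch } = require('undici');
// Route this request through the proxy named in HTTPS_PROXY.
const dispatcher = new ProxyAgent(process.env.HTTPS_PROXY);
(async () => { // CommonJS has no top-level await, so wrap the calls
  const r = await fetch('https://api.example.com/data', { dispatcher });
  console.log(await r.json());
})();
```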
Ruby:
```ruby
require 'net/http'
require 'uri'

# Take the proxy host, port and credentials from HTTPS_PROXY.
proxy = URI.parse(ENV['HTTPS_PROXY'])
http = Net::HTTP.new('api.example.com', 443, proxy.host, proxy.port, proxy.user, proxy.password)
http.use_ssl = true
puts http.get('/data').body
```
For a tool that ignores the standard variables, pass it explicitly, for example curl -x "$HTTPS_PROXY" https://api.example.com/data.
Connecting to Firewalled Databases with QGTunnel
For database connections such as PostgreSQL, MySQL, or MongoDB, use QuotaGuard’s SOCKS5 proxy through QGTunnel, which routes traffic through your static IPs without changing your connection code.
Step 1: Include QGTunnel in your app
Add the binary to your repository so it is present at runtime:
```shell
curl https://s3.amazonaws.com/quotaguard/qgtunnel-latest.tar.gz | tar xz
```
This creates bin/qgtunnel and vendor/nss_wrapper/. Commit them.
Step 2: Prefix your start command in the Procfile
```
web: bin/qgtunnel <your normal start command>
```
Step 3: Configure the tunnel in the dashboard
In your QuotaGuard dashboard, go to Setup > QGTunnel Configuration > Create a Tunnel.
| Setting | Value |
|---|---|
| Remote Destination | tcp://your-database.example.com:5432 |
| Local Port | 5432 |
| Transparent | true |
| Encrypted | false |
Transparent mode overrides DNS so your driver connects to the original hostname while traffic exits from your static IPs. QGTunnel reads QUOTAGUARDSTATIC_URL, so set that variable as well if you use the tunnel.
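Step 1 commits a downloaded binary to your repository, so it helps to inspect the archive before unpacking it. The following is an added example (not part of QuotaGuard's tooling): it reads a saved copy of qgtunnel-latest.tar.gz without extracting it, flags members outside the bin/ and vendor/nss_wrapper/ paths named above, and returns a SHA-256 to record with the commit. `build_sample` and the file names passed to it are constructed test input.

```python
import hashlib
import io
import tarfile

# Paths the page says the archive creates; anything else needs a look.
ALLOWED_PREFIXES = ("bin/", "vendor/nss_wrapper/")


def audit_tarball(data):
    """Return (sha256_hex, findings) for a .tar.gz in memory, without extracting."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            name = member.name
            while name.startswith("./"):
                name = name[2:]
            if name in ("", "."):
                continue
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(f"escapes extraction directory: {member.name}")
                continue
            path = name.rstrip("/") + "/" if member.isdir() else name
            # Parent directories of an allowed prefix (e.g. "vendor") are fine.
            expected = path.startswith(ALLOWED_PREFIXES) or (
                member.isdir() and any(p.startswith(path) for p in ALLOWED_PREFIXES)
            )
            if not expected:
                findings.append(f"outside expected paths: {member.name}")
            if not (member.isfile() or member.isdir()):
                findings.append(f"link or special file: {member.name}")
    return hashlib.sha256(data).hexdigest(), findings


def build_sample(names):
    """Build a constructed .tar.gz with one small file per name (test input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 4
            tar.addfile(info, io.BytesIO(b"demo"))
    return buf.getvalue()


if __name__ == "__main__":
    import sys  # usage: python audit_qgtunnel.py qgtunnel-latest.tar.gz
    with open(sys.argv[1], "rb") as fh:
        digest, findings = audit_tarball(fh.read())
    print("sha256:", digest)
    print("\n".join(findings) or "no findings")
```

Because the URL points at a "latest" build, a changed SHA-256 on a later download tells you the vendored binary differs from the one you reviewed.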
Testing Your App Is Using the Static IP
Run a one-off container in your app’s environment and check the egress IP:
```shell
scalingo --app my-app run bash
# inside the container:
curl -x "$HTTPS_PROXY" https://ip.quotaguard.com
```
Expected response:
```
{"ip":"<one of your two QuotaGuard static IPs>"}
```
The returned IP must match one of the two static IPs in your QuotaGuard dashboard. Requests are load-balanced across the pair, so run the command again to see the other address.
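The same check can be automated for a one-off container or a release step. This is an added example, not QuotaGuard or Scalingo code: it confirms that every observed egress address is one of your two static IPs and prints the proxy URL with the password masked. `EXPECTED_EGRESS_IPS` is an assumed variable name holding the pair from your dashboard, and the function names are illustrative.

```python
import ipaddress
import json
import os
import urllib.request
from urllib.parse import urlsplit

IP_ECHO_URL = "https://ip.quotaguard.com"  # echo endpoint used on this page


def redact_proxy_url(proxy_url):
    """Return the proxy URL with the password masked, safe to write to logs."""
    parts = urlsplit(proxy_url)
    user = f"{parts.username}:***@" if parts.username else ""
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{user}{parts.hostname or ''}{port}"


def parse_echo(body):
    """Extract and validate the address from a {"ip": "..."} response body."""
    return str(ipaddress.ip_address(json.loads(body)["ip"]))


def unexpected_egress(bodies, expected_ips):
    """Return observed egress IPs that are not in the expected static pair."""
    expected = {str(ipaddress.ip_address(ip.strip())) for ip in expected_ips}
    return sorted({parse_echo(b) for b in bodies} - expected)


def fetch_echo(proxy_url, timeout=10):
    """Fetch the echo response through the proxy (the only network call)."""
    handler = urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url})
    opener = urllib.request.build_opener(handler)
    with opener.open(IP_ECHO_URL, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    proxy = os.environ["HTTPS_PROXY"]
    # Assumed variable: "ip1,ip2", copied from the QuotaGuard dashboard.
    expected = os.environ["EXPECTED_EGRESS_IPS"].split(",")
    print("proxy:", redact_proxy_url(proxy))
    # Several requests, because traffic is load-balanced across both IPs.
    bad = unexpected_egress([fetch_echo(proxy) for _ in range(4)], expected)
    if bad:
        raise SystemExit(f"egress not via static IPs: {bad}")
    print("egress OK")
```

A non-empty result means a request left through an address that is not in your pair, which is the "Wrong IP returned" case in Troubleshooting.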
Troubleshooting
Proxy not applied after setting the variable
Scalingo does not restart on env changes. Run scalingo --app my-app restart and retest.
407 Proxy Authentication Required
The credentials are wrong. Confirm the values with scalingo --app my-app env and match them to your QuotaGuard dashboard.
Wrong IP returned
The client is not honoring the variables. Pass the proxy explicitly per request, as shown above.
Connection timeout
Confirm the app can reach external networks and that nothing blocks port 9293.
QuotaGuard Static vs QuotaGuard Shield
| Feature | QuotaGuard Static | QuotaGuard Shield |
|---|---|---|
| Protocol | HTTP / HTTPS / SOCKS5 | HTTPS / SOCKS5 over TLS |
| Customer-to-proxy hop | Plaintext | TLS-encrypted |
| HTTPS payload | Tunneled end-to-end, never decrypted at the proxy | Tunneled end-to-end, never decrypted at the proxy |
| Best for | Most apps | Regulated data or environments that require TLS on every hop |
| Starting price | $19/month | $29/month |
For most Scalingo apps, Static is the right product. Choose QuotaGuard Shield if your app handles regulated data or your environment requires TLS between your app and the proxy itself.