Changelog

View on GitHub →

New: OpenTelemetry Audit Log Export

Audit events can now be exported as structured logs over OTLP, which lets you ship them to observability backends such as Datadog, Grafana, or any OTLP-compatible collector alongside the rest of your telemetry.

Export is enabled by setting OTEL_EXPORTER_OTLP_ENDPOINT; with it unset, nothing is exported. The following standard OTEL environment variables are supported:

Variable                      Description                                                      Default
OTEL_EXPORTER_OTLP_ENDPOINT   OTLP collector endpoint (e.g. https://logfire-us.pydantic.dev)   (none, export disabled)
OTEL_EXPORTER_OTLP_PROTOCOL   Transport protocol: http/protobuf or grpc                        http/protobuf
OTEL_EXPORTER_OTLP_HEADERS    Comma-separated key=value pairs for auth headers                 (none)
OTEL_RESOURCE_ATTRIBUTES      Comma-separated key=value resource attributes                    (none)
OTEL_SERVICE_NAME             Service name reported in telemetry                               iron-proxy

OTEL_EXPORTER_OTLP_HEADERS usually carries the collector's API token, so treat it as a secret: inject it from your secrets store rather than committing it to unit files or compose files, and point the endpoint at an https URL so the token and the audit events are not sent in the clear.

New: Health Check Endpoint

A /healthz endpoint is now served on the metrics listen address (default :9090) and returns 200 OK. It is intended for liveness probes in container orchestrators. Because it shares the metrics listener, anything that can reach the probe can also scrape the metrics, so keep that port on an internal interface rather than exposing it to satisfy a probe.

New: Signed Releases

Release artifacts are now GPG-signed. The public key is included in the repo at public-key.asc. Since the key ships alongside the artifacts it signs, verify its fingerprint out of band once and pin it locally, rather than re-importing it from the repository for every release; otherwise anyone who can replace the artifacts can replace the key too.

View on GitHub →

New: Load Config From S3

The -config flag now accepts s3:// URLs. When an S3 URL is provided, the config is fetched from S3 using the default AWS credential chain (environment variables, shared config, IAM role, etc.). Local file paths continue to work as before. Grant the proxy's IAM principal s3:GetObject on that one object only (plus kms:Decrypt if the bucket uses SSE-KMS); no other S3 permission is needed for this feature.

New: generate-ca Subcommand

A new generate-ca subcommand creates a CA certificate and private key for use with the proxy. It supports RSA 4096 and Ed25519 key types, configurable expiry, and a configurable CA name. Existing files will not be overwritten. Anything that can read the generated key can mint certificates that every client trusting this CA will accept, so keep the key file's permissions tight and off shared volumes.

Fix: Request Content-Length Preserved Through Proxy

Fixed a bug where the proxy would set Content-Length: 0 on upstream requests when the request body had not been buffered by transforms. The original request's Content-Length is now correctly forwarded.

View on GitHub →

Fix: Content-Length header preserved for passthrough responses

The proxy was unconditionally stripping the Content-Length header from all responses, which broke clients that depend on it (e.g. Docker registry pulls). Content-Length is now preserved as-is when no transform modifies the response body. When a transform does replace the body, Content-Length is set from the buffered data.

Body buffering simplified

There is now a single BufferedBody type with lazy, all-or-nothing buffering. If a transform reads the body, the entire stream is eagerly consumed into memory on first read. If no transform touches the body, it streams directly to the client or upstream with no buffering.

Keep in mind that transforms which read or modify request/response bodies will cause the full body to be buffered into memory. Use body-inspecting transforms sparingly, and prefer header-only matching where possible to avoid unnecessary memory usage on large payloads.
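To make the three notes above concrete (the request Content-Length fix, the passthrough-response fix, and the all-or-nothing buffering), here is an added Go sketch of a lazily buffered body together with the Content-Length rule that goes with it. It is example code written for this page, not the project's BufferedBody; the names are made up, and the size cap on buffered bodies is an addition of this example rather than documented behaviour.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// BufferedBody wraps a request or response body with lazy, all-or-nothing
// buffering. Until a transform calls Bytes() or Replace(), Read streams the
// upstream data straight through; the first Bytes() call consumes the whole
// remaining stream into memory and later reads are served from that copy.
type BufferedBody struct {
	src      io.ReadCloser
	maxBytes int64         // cap for buffered bodies (this example's addition)
	buf      []byte
	rd       *bytes.Reader // non-nil once the body has been buffered
	replaced bool
}

func NewBufferedBody(src io.ReadCloser, maxBytes int64) *BufferedBody {
	return &BufferedBody{src: src, maxBytes: maxBytes}
}

// Bytes buffers the entire body on first use. Bodies larger than maxBytes
// are rejected instead of being held in memory.
func (b *BufferedBody) Bytes() ([]byte, error) {
	if b.rd == nil {
		data, err := io.ReadAll(io.LimitReader(b.src, b.maxBytes+1))
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > b.maxBytes {
			return nil, fmt.Errorf("body exceeds buffer limit of %d bytes", b.maxBytes)
		}
		b.buf, b.rd = data, bytes.NewReader(data)
	}
	return b.buf, nil
}

// Replace substitutes a new body. The original is drained first so the
// upstream connection can be reused.
func (b *BufferedBody) Replace(data []byte) error {
	if _, err := b.Bytes(); err != nil {
		return err
	}
	b.buf, b.rd, b.replaced = data, bytes.NewReader(data), true
	return nil
}

func (b *BufferedBody) Buffered() bool { return b.rd != nil }
func (b *BufferedBody) Replaced() bool { return b.replaced }

func (b *BufferedBody) Read(p []byte) (int, error) {
	if b.rd != nil {
		return b.rd.Read(p)
	}
	return b.src.Read(p) // streaming path: nothing is retained
}

func (b *BufferedBody) Close() error { return b.src.Close() }

// ForwardContentLength decides the Content-Length sent onward the way the
// fixed proxy behaves: the original header and length pass through untouched
// unless a transform replaced the body, in which case the length is recomputed
// from the buffered bytes and any chunked encoding is dropped. (The earlier
// bug wrote len(buf)==0 for request bodies that were never buffered.)
// The return value is what to store in req.ContentLength / resp.ContentLength.
func ForwardContentLength(h http.Header, origLen int64, body *BufferedBody) int64 {
	if !body.Replaced() {
		return origLen
	}
	n := int64(len(body.buf))
	h.Set("Content-Length", strconv.FormatInt(n, 10))
	h.Del("Transfer-Encoding")
	return n
}

func main() {
	// Constructed sample request with a 5-byte body.
	req, _ := http.NewRequest(http.MethodPost, "https://api.example.test/v1", nil)
	req.Header.Set("Content-Length", "5")
	body := NewBufferedBody(io.NopCloser(strings.NewReader("hello")), 1<<20)

	req.ContentLength = ForwardContentLength(req.Header, 5, body)
	fmt.Println("passthrough:", req.Header.Get("Content-Length"), "buffered:", body.Buffered())

	_ = body.Replace([]byte("hello, world")) // a transform rewrote the body
	req.ContentLength = ForwardContentLength(req.Header, 5, body)
	req.Body = body
	fmt.Println("replaced:", req.Header.Get("Content-Length"))
}
```

The rule keys on Replaced(), not Buffered(): a transform that only inspects the body still leaves the original Content-Length in place, matching the "preserved as-is when no transform modifies the response body" wording above.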

View on GitHub →

New: Allowlist warn mode

The allowlist transform now supports a warn mode for observing what would be blocked without actually enforcing it. When warn: true is set, requests that would normally be rejected are instead allowed through and annotated with "action": "warn" in the transform trace, making it easy to audit traffic before switching to enforcement. Warn mode is for auditing only: the request still reaches its destination, so turn it off once the list is complete.

Usage

transforms:
  - name: allowlist
    config:
      warn: true
      domains:
        - "api.openai.com"
        - "*.anthropic.com"
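An added Go example (not the project's allowlist code) showing how warn mode changes the outcome for the config above: a host that misses the list is recorded as "action": "warn" and still permitted, where enforce mode would block it. The wildcard rule used here (a leading *. matches any subdomain but not the apex, and never matches across a hyphen such as evil-anthropic.com), the host normalisation, and the other fields of the trace entry are assumptions of this example; check the project's documentation for the real matching rule.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Action is what the transform records in its trace for a request.
type Action string

const (
	ActionAllow Action = "allow"
	ActionBlock Action = "block"
	ActionWarn  Action = "warn" // warn mode: would have been blocked, let through
)

// Allowlist mirrors the transform config shown above (example code, not the
// project's implementation).
type Allowlist struct {
	Warn    bool     `json:"warn"`
	Domains []string `json:"domains"` // exact host names or "*.suffix" wildcards
}

// TraceEntry is the shape this example writes into the transform trace.
type TraceEntry struct {
	Transform string `json:"transform"`
	Host      string `json:"host"`
	Action    Action `json:"action"`
	Matched   string `json:"matched,omitempty"`
}

// normalizeHost lowercases and strips a port and trailing dot, so
// "API.OpenAI.com:443" and "api.openai.com." both compare as api.openai.com.
func normalizeHost(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return strings.TrimSuffix(strings.ToLower(host), ".")
}

// matches reports whether pattern covers host. "*.example.com" matches any
// subdomain (the suffix must start with a dot, so "evil-example.com" does
// not match) but not the bare apex. Assumed semantics for this example.
func matches(pattern, host string) bool {
	pattern = strings.ToLower(pattern)
	if strings.HasPrefix(pattern, "*.") {
		return strings.HasSuffix(host, pattern[1:]) // pattern[1:] is ".example.com"
	}
	return pattern == host
}

// Decide evaluates one host against the list. In warn mode a miss is
// recorded as "warn" and the request proceeds; in enforce mode it is blocked.
func (a Allowlist) Decide(host string) TraceEntry {
	host = normalizeHost(host)
	entry := TraceEntry{Transform: "allowlist", Host: host}
	for _, d := range a.Domains {
		if matches(d, host) {
			entry.Action, entry.Matched = ActionAllow, d
			return entry
		}
	}
	if a.Warn {
		entry.Action = ActionWarn
	} else {
		entry.Action = ActionBlock
	}
	return entry
}

// Permit is the enforcement decision derived from the trace: only a block
// stops the request; a warn entry is logged but let through.
func Permit(e TraceEntry) bool { return e.Action != ActionBlock }

func main() {
	audit := Allowlist{Warn: true, Domains: []string{"api.openai.com", "*.anthropic.com"}}
	enforce := audit
	enforce.Warn = false
	// Constructed sample hosts: two hits, an apex miss, and a look-alike miss.
	for _, h := range []string{"api.openai.com:443", "API.anthropic.com", "anthropic.com", "evil-anthropic.com"} {
		for _, l := range []Allowlist{audit, enforce} {
			out, _ := json.Marshal(l.Decide(h))
			fmt.Printf("warn=%-5v permit=%-5v %s\n", l.Warn, Permit(l.Decide(h)), out)
		}
	}
}
```

Reading the trace rather than a boolean is what makes the audit phase useful: the warn entries tell you exactly which hosts to add before flipping warn off.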

View on GitHub →

New: CA Private Key Format Support

The proxy now supports loading CA private keys in PKCS1 (RSA) format in addition to the existing PKCS8 and EC formats. This means CA keys generated with tools that output traditional RSA key files (PEM header -----BEGIN RSA PRIVATE KEY-----) will work without needing to convert them to PKCS8 first.

No configuration changes are required. The correct format is detected automatically.