Forward Proxy

tl;dr: If your network environment requires it, we offer a mechanism to provide you with a set of stable or static IP address ranges for your firewall. As well as a way to bypass HTTPS restriction.

We rotate our load balance servers often. This means that the IP addresses for our API endpoints are always changing. For the vast majority of our customers, this works very well. However, there are a few customers (perhaps you) who have specific security or other compliance-based requirements. To accommodate these situations we have created a cluster of forward proxy servers.

Our forward proxy servers provide a set of stable IP address ranges that change in a predictable, controlled manner. Address changes are much less frequent (perhaps only a few times per year) and never occur without advance notice of at least two (2) calendar weeks. As long as you monitor the contract file described below you will always be aware of changes before they happen.

The Notification Contract

The following JSON document must be actively monitored for changes to determine what IP ranges are and will be used in production:

Here is an example of an entry in the ip-ranges document:

	"class": "ipv4",
	"published": "2017-07-01",
	"enabled": "2017-07-01",
	"retired": "2017-09-18",
	"facility": "vultr-ewr"
key example value description
cidr or 0:0:0:0:0:ffff:2d4c:999/128 IP address using cidr notation.
class ipv4 or ipv6 Whether the IP is using the IPv4 or IPv6 class.
published 2017-07-01 The date when the IP address was added to the ip-ranges.json document. Date format: YYYY-MM-DD
enabled 2017-07-01 The date when the IP address was (or will be) put into service. Date format: YYYY-MM-DD
retired 2017-09-18 or null The date on which the IP address was (or will be) retired. The value of this key will default to null unless the address has been retired. This date may be in the future.
facility vultr-ewr The a label that helps group a set of entries together in a similar location, e.g. aws-us-east-1. This label should be considered opaque and may hint at a physical geography.

Making a Request Through the Proxy

Here is an example curl session making a request through the proxy. Notice that even though the request appears to be sent to the proxy over an insecure connection (http) a secure TLS handshake is established with the target (via the proxy), ensuring a secure transmission.

curl -v --proxy ''
	*   Trying
	* Connected to ( port 80 (#0)
	* Establish HTTP proxy tunnel to
	> Host:
	> User-Agent: curl/7.54.0
	> Proxy-Connection: Keep-Alive
	< HTTP/1.1 200 OK
	* Proxy replied OK to CONNECT request
	* ALPN, offering h2
	* ALPN, offering http/1.1
	* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
	* successfully set certificate verify locations:
	*   CAfile: /etc/ssl/cert.pem
	CApath: none
	* TLSv1.2 (OUT), TLS handshake, Client hello (1):
	* TLSv1.2 (IN), TLS handshake, Server hello (2):
	* TLSv1.2 (IN), TLS handshake, Certificate (11):
	* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
	* TLSv1.2 (IN), TLS handshake, Server finished (14):
	* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
	* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
	* TLSv1.2 (OUT), TLS handshake, Finished (20):
	* TLSv1.2 (IN), TLS change cipher, Client hello (1):
	* TLSv1.2 (IN), TLS handshake, Finished (20):
	* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
	* ALPN, server did not agree to a protocol
	* Server certificate:
	*  subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain;
	*  start date: Oct 26 00:00:00 2017 GMT
	*  expire date: Jan 24 23:59:59 2019 GMT
	*  subjectAltName: host "" matched cert's "*"
	*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
	*  SSL certificate verify ok.
	> GET /street-address?auth-id=YOUR+AUTH-ID+HERE&auth-token=YOUR+AUTH-TOKEN+HERE&street=1600+amphitheatre+pkwy&city=mountain+view&state=CA&candidates=10 HTTP/1.1
	> Host:
	> User-Agent: curl/7.54.0
	> Accept: */*
	< HTTP/1.1 200 OK
	< Content-Length: 829
	< Content-Type: application/json; charset=utf-8
	< Date: Thu, 06 Sep 2018 23:05:35 GMT
	< Strict-Transport-Security: max-age=31536000; includeSubDomains
	* Connection #0 to host left intact
	[{"input_index":0,"candidate_index":0,"delivery_line_1":"1600 Amphitheatre Pkwy","last_line":"Mountain View CA 94043-1351","delivery_point_barcode":"940431351000","components":{"primary_number":"1600","street_name":"Amphitheatre","street_suffix":"Pkwy","city_name":"Mountain View","state_abbreviation":"CA","zipcode":"94043","plus4_code":"1351","delivery_point":"00","delivery_point_check_digit":"0"},"metadata":{"record_type":"S","zip_type":"Standard","county_fips":"06085","county_name":"Santa Clara","carrier_route":"C909","congressional_district":"18","rdi":"Commercial","elot_sequence":"0094","elot_sort":"A","latitude":37.42357,"longitude":-122.08661,"precision":"Zip9","time_zone":"Pacific","utc_offset":-8,"dst":true},"analysis":{"dpv_match_code":"Y","dpv_footnotes":"AABB","dpv_cmra":"N","dpv_vacant":"N","active":"N"}}]


"My corporate firewall policies require traffic on port 443, but my code is not connecting to your proxy."

We have had reports that some frameworks do not support TLS proxies. In these instances we recommend using the free/open source stunnel application as a local proxy. stunnel listens on localhost ( and forwards traffic that it receives to port 443 of a fixed IP proxy server. This should allow frameworks/applications to connect over port 80 to a local resource and have their traffic routed properly through the Smarty proxy servers.

Here is a sample configuration file called stunnel.conf that can be used after installing stunnel. There is an installable version available for Windows, Linux, and Mac.

; foreground = yes
; debug = info

options = -NO_SSLv3

client = yes
accept =
connect =