Membrane API Gateway for Outbound Traffic

Motivation

This example demonstrates how to configure Membrane as an outgoing API gateway. It acts as a controlled egress point for internal services that need to call external APIs. The architecture provides:

• Client authentication – restrict external API access to authorized internal clients
• Centralized auditing – track API usage per client for compliance and observability
• Data protection – inspect and sanitize outbound traffic to avoid leaks
• Threat prevention – block suspicious, malformed, or dangerous payloads

How It Works

Internal services send API requests to Membrane on a fixed port (e.g., 2000). Membrane validates and filters the request before forwarding it to the configured target API.

Unlike reverse proxies, Membrane is configured to:

• Remove all headers by default, except a defined safe list (e.g., to avoid leaking Access Tokens)
• Disable the X-Forwarded-For header to avoid leaking internal IPs

Setup

1. Download Membrane: Membrane API Gateway
2. Edit conf/proxies.xml to configure the gateway:

<api port="2000" name="Outgoing Gateway">
    <request>
        <headerFilter>
            <include>Accept.*</include>
            <include>Content-Type</include>
            <include>Content-Length</include>
            <include>X-Api-Key</include>
            <exclude>.*</exclude>
        </headerFilter>
        <!-- Client authentication via API key -->
        <apiKey>
            <keys>
                <secret value="abc123"/ >
            </keys>
            <headerExtractor />
        </apiKey>
    </request>
    <target url="https://www.predic8.de/"/>
</api>

3. Start Membrane:
   • ./membrane.sh (Linux/macOS)
   • membrane.cmd (Windows)

Testing

Send a test request using curl:

curl -v http://localhost:2000 \
  -H "X-Api-Key: abc123" \
  -H "User-Agent: secret" \
  -H "Authorization: secret"

Membrane will forward only the headers explicitly included in the filter. For example, User-Agent and Authorization will be removed, while X-Api-Key is forwarded.

Use the Admin Console at http://localhost:9000 to inspect requests, logs, and stats

<api port="9000">
    <!-- Centralized auditing and Data protection -->
    <adminConsole />
</api>

Security Considerations

• Ensure all external traffic goes through Membrane; block direct egress
• Block direct internet access at the network firewall level
• Set xForwardedForEnabled="false" to prevent IP leakage
• Use headerFilter to enforce strict outbound header policies
• Protect internal access with authentication (e.g. API keys, OAuth2)
• Monitor and audit request logs for abnormal behavior

DNS Tunneling Risk

DNS tunneling is a technique that abuses DNS to bypass firewall controls, enabling covert data exfiltration or backchannels.

To defend against it:

• Inspect DNS traffic for anomalies (e.g., long or random hostnames)
• Limit DNS resolution capabilities in internal environments
• Use threat intelligence feeds and DNS security tools

More info: DNS Tunneling (ICANNWiki)

Extendability

Membrane offers advanced gateway features that can be added easily:

• Rate limiting and quota enforcement
• JSON and XML schema validation
• Message transformation (rewriting, mapping)
• Comprehensive logging and auditing
• Data Loss Prevention (DLP) for sensitive information

References

• DNS Tunneling (ICANNWiki)