The only Node.js API gateway with kernel-level iptables banning, TCP socket termination, and distributed ban propagation. Attacks are stopped before they reach your application.
Incoming Traffic
All requests hit the server
Layer 1: Kernel (iptables)
Packet dropped at kernel — Node.js never sees it
Layer 2: TCP Socket
Connection destroyed before HTTP parsing
Layer 3: Application
Failure detection, threat scoring, ban escalation
Clean Traffic → Your API
Only legitimate requests reach your backend
Each layer catches what the previous one missed. Together, they provide enterprise-grade protection.
LAYER 01
iptables / ip6tables
Banned IPs are added to a dedicated NOLXY_SHIELD iptables chain. Packets are dropped at the kernel level before they ever reach Node.js — zero CPU cost for your application.
LAYER 02
server.on('connection')
Every new TCP connection is checked against the ban list before HTTP parsing begins. Banned connections are destroyed instantly — including all existing keep-alive connections for that IP.
LAYER 03
Failure counting & progressive banning
Authentication failures, rate limit violations, and IP block hits are tracked per-IP. Repeated offenses trigger automatic bans with escalating durations.
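The Layer 2 connection check and the Layer 3 failure counting described above, as an added sketch that is not ProxyShield's own code. The BanList class, its method names, the failure limit and the ban durations are all assumptions chosen for illustration.

```javascript
const FAILURE_LIMIT = 5;              // failures that trigger a ban (assumed)
const BASE_BAN_MS = 60_000;           // first ban lasts one minute (assumed)
const MAX_BAN_MS = 24 * 60 * 60_000;  // escalation cap (assumed)
// Node reports IPv4 peers on dual-stack listeners as ::ffff:a.b.c.d; use one key form.
const normalize = (ip) => String(ip ?? '').replace(/^::ffff:/i, '');

class BanList {
  constructor(now = Date.now) {
    this.now = now;
    this.state = new Map();   // ip -> { failures, offenses, bannedUntil }; bound this in production
    this.sockets = new Map(); // ip -> Set of open sockets, keep-alives included
  }

  isBanned(ip) {
    const s = this.state.get(normalize(ip));
    return s !== undefined && s.bannedUntil > this.now();
  }

  // Layer 3: count one failure. Returns the ban duration in ms, or 0 if below the limit.
  recordFailure(rawIp) {
    const ip = normalize(rawIp);
    const s = this.state.get(ip) ?? { failures: 0, offenses: 0, bannedUntil: 0 };
    this.state.set(ip, s);
    s.failures += 1;
    if (s.failures < FAILURE_LIMIT) return 0;
    s.failures = 0;
    const duration = Math.min(BASE_BAN_MS * 2 ** s.offenses, MAX_BAN_MS); // doubles per offense
    s.offenses += 1;
    s.bannedUntil = this.now() + duration;
    // Tear down every open connection from this IP, not just future ones.
    for (const sock of [...(this.sockets.get(ip) ?? [])]) sock.destroy();
    return duration;
  }

  // Layer 2: runs once per TCP connection, before any HTTP parsing.
  attach(server) {
    server.on('connection', (socket) => {
      const ip = normalize(socket.remoteAddress);
      if (this.isBanned(ip)) { socket.destroy(); return; }
      if (!this.sockets.has(ip)) this.sockets.set(ip, new Set());
      const open = this.sockets.get(ip);
      open.add(socket);
      socket.on('close', () => {
        open.delete(socket);
        if (open.size === 0) this.sockets.delete(ip);
      });
    });
  }
}
```

The check keys on `socket.remoteAddress`, so it only identifies clients where the process terminates their TCP connections directly; behind a load balancer that address is the balancer's.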
ProxyShield includes additional security mechanisms that work together with the three-layer defense.
Bans are broadcast via Redis Pub/Sub to all gateway nodes instantly. Ban one IP on node 1 and it's blocked on all nodes within milliseconds.
When an IP is banned, all existing keep-alive TCP connections for that IP are immediately destroyed. No waiting for timeout — instant termination.
Invalid API keys are cached to prevent cache-bypass DoS attacks. Attackers can't flood your database with invalid key lookups.
Legitimate traffic never touches ProxyShield. Ban checks use an in-memory LRU cache: zero Redis calls, zero database queries on the hot path.
ProxyShield is included in every Nolxy plan — even free. No configuration needed. Just deploy and you're protected.