Proof point → Before writing a single line of code, I wrote the entire system down. Then I built it. That is how infrastructure people depend on should be delivered.


🩻 Problem

VPN users are protected in transit but not at the destination: malicious URLs, phishing domains, and malware payloads pass straight through an encrypted tunnel. LuraVPN needed a real-time protection layer its iOS/Android/Windows clients could query - fast, independently scalable, and secure at every internal boundary.

🔨 Solution

GhostRoute - a malware-protection platform decomposed into independently deployable microservices behind a central gateway.

Architecture Overview

  1. API Gateway (Go) - gorilla/mux routing with public auth routes and JWT-protected protection routes (/malware/check, /logs/threats); middleware chain for origin checking, logging, and auth; Redis caching; typed client modules for every downstream service; Kubernetes manifests and Dockerfile.
  2. Threat Intelligence Service (Python/FastAPI) - live Google Web Risk integration with Redis-backed rate limiting to control quota, per-caller JWT validation, CORS allow-listing, and PostgreSQL threat records (type, level, first/last seen, source).
  3. URL Filtering Service - standard filtering plus user-defined custom rules.
  4. Logging & Reporting Service - models for logs, reports, threats, and AI results; the platform’s audit trail.
  5. Notification Service - clean controllers → services → repositories layering with a Mailchimp client and retry utility.
  6. The design package - a separate planning repo containing the implementation plan (GKE, BigQuery, Bigtable, Firestore, Redis, TFX), data-flow/deployment/monitoring diagrams, pre-coding Q&A on routing, TLS, token-bucket rate limiting and load-test targets, and operations scripts for cluster, database, firewall, and bucket setup.

Quality signals

  • SonarQube static-analysis CI on every service - uniform quality gating across the fleet.
  • JWT enforced at every service boundary, not just the edge.
  • Built in roughly six weeks (October–November 2024) from plan to running services.
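The check behind "JWT enforced at every service boundary" (and behind the gateway's JWT-protected /malware/check route in item 1 above), as an added example in Go using only the standard library; this is not GhostRoute's own code. The secret value, the claim names (sub, exp) and the function names are assumptions; a gateway built on gorilla/mux would call verifyHS256 from its auth middleware.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Constructed demo secret; a real deployment loads it from a secret store.
var hmacSecret = []byte("demo-gateway-secret")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 mints a compact HS256 token with a subject and expiry (Unix seconds), as the public auth routes would.
func signHS256(sub string, exp int64) string {
	pay, _ := json.Marshal(map[string]interface{}{"sub": sub, "exp": exp})
	body := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(pay)
	mac := hmac.New(sha256.New, hmacSecret)
	mac.Write([]byte(body))
	return body + "." + b64(mac.Sum(nil))
}

// verifyHS256 is the boundary check: the algorithm is pinned to HS256 (the header's alg
// field is never consulted, so "none"/RS256 confusion cannot apply), the MAC is compared
// in constant time before any claim is parsed, and expiry is enforced. Returns the subject.
func verifyHS256(token string, now int64) (string, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false
	}
	mac := hmac.New(sha256.New, hmacSecret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", false
	}
	var claims struct {
		Sub string `json:"sub"`
		Exp int64  `json:"exp"`
	}
	pay, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pay, &claims) != nil || now >= claims.Exp {
		return "", false
	}
	return claims.Sub, true
}
```

A downstream service (for example the threat-intelligence service's per-caller validation) runs the same verifyHS256 on the forwarded bearer token, so a request that reaches it without a valid, unexpired signature is refused there too, not only at the edge.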

📜 Philosophy

Design-first, polyglot-pragmatic: Go where performance matters (the gateway), Python/FastAPI where integration speed matters (threat feeds). Security is a property of every boundary, not a perimeter. Weeks of architecture work are cheaper than months of rework.

🎓 Key learnings

  • Decomposing a security product into microservices and wiring service-to-service authentication correctly.
  • Integrating commercial threat-intelligence APIs with caching and rate limiting so costs stay predictable.
  • Kubernetes/GCP delivery: manifests, ingress, build-push scripts, cluster bootstrap.
  • Where this stage of the platform fell short - minimal automated tests - a gap closed in the next project, Lura Identity, which shipped with a five-layer test suite.

📈 Output & impact

  • A 5-service platform (Go + Python) with gateway, threat-intel, URL filtering, logging, and notifications - fully designed, documented, and implemented.
  • Live third-party threat-feed integration (Google Web Risk) in production-shaped code.
  • A complete, reusable pre-implementation design methodology: diagrams, Q&A docs, ops scripts.

๐ŸŒ Why this matters

Trust, Security & Compliance · Platforms & Registries. Organizations that run public-facing digital infrastructure - fintechs, platforms, institutions - need security designed in, documented, and auditable. This project shows the full method: a written design package a program can be audited against, then a multi-service implementation that honors it.


🚀 Hire me

Need security-first infrastructure designed and shipped - with the paper trail to prove it? Let’s talk → · See also: Lura Identity · The thesis