Secure Proxy
For very sensitive data like financial and health data, Moesif Secure Proxy enables zero-knowledge security with on-premises client-side encryption and Bring Your Own Key (BYOK). This makes it easy to gain the privacy benefits of on-premises installation without the complexity of building and scaling your own data infrastructure.
The secure proxy is deployed as a stateless Docker container in your data center and handles encryption and decryption of your Moesif data on the fly. Because Moesif doesn’t have access to your master encryption keys, Moesif and its employees cannot view your event data in plain text.
Use cases
Besides client-side encryption and decryption, the secure proxy enables a variety of other use cases:
- Reduce the number of outbound requests to Moesif’s collection network.
- Relay requests from servers that don’t have direct access to the internet.
- White label the Moesif API like analytics.acmeinc.com.
How it works
Keystore
Your master encryption keys are never stored on Moesif servers. Instead, the secure proxy has adapters for popular key stores and handles key rotation automatically. Currently, AWS Key Management Service (KMS) and AWS CloudHSM are supported, and our professional services team can add other key stores if needed.
Access
Depending on your requirements, there are two ways to set up the secure proxy:
- Local network only: If you don’t use Moesif’s embedded templates feature, you don’t need to expose the secure proxy to the internet. In this case, the secure proxy host needs to be accessible by employees who log into Moesif. For example, they need to be on a corporate VPN or local intranet.
- Exposed to the internet: The proxy is safe to be exposed to the internet. This is required if you’re using Moesif’s embedded templates so that customers can also access the encrypted data. In this case, you should add a record to your DNS provider that points to the secure proxy, like analytics.acmeinc.com. Moesif strongly recommends adding SSL, such as via a load balancer like NGINX or HAProxy in front of the secure proxy. In this case, employees don’t need to be on the corporate VPN or network to access Moesif data.
What’s encrypted
The HTTP request and response headers, body, and any custom metadata are encrypted before being sent to Moesif.
How to install
1. Run the Docker image
A working docker-compose.yml is available on GitHub with moesifproxy and NGINX configured with SSL termination using Let’s Encrypt.
The easiest way to run the secure proxy is as a Docker container. You need to set your Moesif and AWS keys as Docker environment variables such as via the -e option.
docker run -it -e MOESIF_MANAGEMENT_API_KEY="Your Moesif Management Key" \
-e MOESIF_APPLICATION_ID="Your moesif application Id" \
-e AWS_CUSTOMER_KEY_ID="Your AWS customer key Id" \
-e AWS_ACCESS_KEY_ID="Your AWS access Key Id" \
-e AWS_SECRET_ACCESS_KEY="Your AWS secret access key" \
-p 9500:9500 --name moesifproxy moesifproxy
Note:
- MOESIF_MANAGEMENT_API_KEY must have scopes create:encrypted_keys, read:encrypted_keys
- Optionally, AWS_KMS_REGION can be passed as an env variable. Defaults to us-west-2
2. Configure Moesif SDK
The collection API is accessible via the /collector endpoint on the secure proxy. You will need to configure any SDKs to log to this endpoint instead of Moesif’s main API at https://api.moesif.net.
For example, instead of logging to https://api.moesif.net/v1/events, you can log traffic to the secure proxy via http://localhost:9500/collector/v1/events.
To do so, override the Moesif SDK Base URI to route through your local proxy hostname. Refer to your respective server integration docs or reach out to support.
An example for moesif-nodejs is below:
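const moesif = require('moesif-nodejs');

const moesifMiddleware = moesif({
  applicationId: process.env.MOESIF_APPLICATION_ID,
  // Send events to the secure proxy's collector endpoint instead of api.moesif.net
  baseUri: 'http://localhost:9500/collector',
});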
Accessing the Moesif Management API
Like the collector API, you can access your data programmatically via the Moesif Management API while having it decrypted on the fly, as long as you route your requests through the proxy under the /api endpoint. Keep in mind that any scripts or clients you use must be able to reach your local proxy instance.
For example, instead of querying data in Moesif directly via https://api.moesif.com/v1/search/~/search/events, you can search data in Moesif like so:
curl -XPOST http://localhost:9500/api/search/~/search/events
Scaling Moesif proxy
For light load, you may be fine with a single Docker container running. If you expect a high volume of data collected or a large number of users at your organization querying data in Moesif, you can create a pool of Moesif proxy instances behind a load balancer. No storage is required which simplifies scaling. You can even run multiple clusters at different host names for better control. For example, one cluster can be used for data collection from SDKs, while a different cluster is used for users querying data in Moesif.
Configuration options
MOESIF_APPLICATION_ID
Required Your Moesif Collector Application Id which can be found by logging into Moesif and going to API Keys from the top-right menu.
MOESIF_MANAGEMENT_API_KEY
Required Your Moesif Management API key which can be found by logging into Moesif and going to API Keys from the top-right menu.
Ensure the key is generated with at least the create:encrypted_keys, read:encrypted_keys scopes.
MOESIF_ENCRYPTION_ENABLED
Set to false to disable client-side encryption.
MOESIF_ENCRYPT_NUMERICS
Set to false if numbers are not sensitive and don’t require encryption. This enables numeric math in Moesif.
MOESIF_ENCRYPT_DATES
Set to false if dates are not sensitive and don’t require encryption. This enables date math in Moesif.
AWS configuration
The below options are used to configure AWS KMS.
AWS_CUSTOMER_KEY_ID
AWS_KMS_REGION
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
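A preflight for the settings above and for the SDK base URI from step 2, as an added example that is not part of the Moesif documentation or the proxy's code. It assumes the five variables from the docker run command are all required and matches the literal value false as written on this page; the function names proxy_preflight and uri_uses_proxy are this example's own.

```shell
#!/bin/sh
# Added example: preflight for the secure proxy settings on this page.
# Assumption: the five variables in the docker run command are all required.

# Print one line per finding; return 1 if a required variable is missing.
proxy_preflight() {
    rc=0
    for v in MOESIF_APPLICATION_ID MOESIF_MANAGEMENT_API_KEY \
             AWS_CUSTOMER_KEY_ID AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "ERROR: $v is not set"
            rc=1
        fi
    done
    # The page documents us-west-2 as the default KMS region.
    echo "INFO: KMS region ${AWS_KMS_REGION:-us-west-2}"
    # Each flag, when false, leaves that class of data readable at Moesif.
    for v in MOESIF_ENCRYPTION_ENABLED MOESIF_ENCRYPT_NUMERICS \
             MOESIF_ENCRYPT_DATES; do
        eval "val=\${$v:-}"
        if [ "$val" = "false" ]; then
            echo "WARN: $v=false"
        fi
    done
    return $rc
}

# Succeed only if an SDK base URI ends at the proxy's /collector endpoint
# and does not point at Moesif's main API host.
uri_uses_proxy() {
    case "$1" in
        *api.moesif.net*) return 1 ;;
        http://*/collector|https://*/collector) return 0 ;;
        http://*/collector/|https://*/collector/) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run proxy_preflight in the shell that launches the container, and uri_uses_proxy against each service's configured base URI, so a service still pointing at api.moesif.net is caught before it sends events that bypass client-side encryption.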
How to build
Moesif Proxy uses the Revel web framework. To learn more about Revel, see https://revel.github.io/
To build Docker image
docker build -t moesif/moesifproxy:latest .
To push to Docker repo
docker login
docker push moesif/moesifproxy:latest