Secure Proxy

For very sensitive data like financial and heath data, Moesif Secure Proxy enables zero-knowledge security with on-premises client-side encryption and Bring Your Own Key (BYOK). This makes it easy to gain the privacy benefits of on-premises installation without the complexity of building and scaling your own data infrastructure.

The secure proxy is deployed as a stateless docker container in your data center and handles encryption and decryption of your Moesif data on the fly. Because Moesif doesn’t have access to your master encryption keys, Moesif and its employees cannot view your event data in plain text.

Use cases

Besides client-side encryption and decryption, the secure proxy enables a variety of other use cases:

  • Reduce the number of outbound requests to Moesif’s collection network.
  • Relay requests from servers that don’t have direct access to the internet.
  • White label the Moesif API like analytics.acmeinc.com.

How Moesif works with secure proxy

How it works

Keystore

Your master encryption keys are never stored on Moesif servers. Instead, the secure proxy has adapters for popular key stores and handles key rotation automatically. Currently, AWS Key Management Service (KMS) and AWS CloudHSM are supported, but other key stores can be added if needed by our professional services team.

Access

Depending on your requirements, there are two ways to set up the secure proxy:

  • Local network only: If you don’t use Moesif’s embedded templates feature, you don’t need to expose the secure proxy to the internet. In this case, the secure proxy host needs to be accessible by employees who log into Moesif. For example, they need to be on a corporate VPN or local intranet.

  • Exposed to the internet: The proxy is safe to be exposed to the internet. This is required if you’re using Moesif’s embedded templates so that customers can also access the encrypted data. In this case, you should add a record to your DNS provide that points to the secure proxy like analytics.acmeinc.com. Moesif strongly recommends adding SSL such as via a load balancer in front of the secure proxy like NGINX or HaProxy.

In this case, employees don’t need to be on the corporate VPN or network to access Moesif data.

What’s encrypted

The HTTP request and response headers, body, and any custom metadata is encrypted before being sent to Moesif.

How to install

1. Run the Docker image

A working docker-compose.yml is available on GitHub with moesifproxy and NGINX configured with SSL termination using Let’s Encrypt.

The easiest way to run the secure proxy is as a Docker container. You need to set your Moesif and AWS keys as Docker environment variables such as via the -e option.

docker run -it  -e MOESIF_MANAGEMENT_API_KEY="Your Moesif Management Key" \
 -e MOESIF_APPLICATION_ID="Your moesif application Id" \
 -e AWS_CUSTOMER_KEY_ID="Your AWS customer key Id" \
 -e AWS_ACCESS_KEY_ID="Your AWS access Key Id" \
 -e AWS_SECRET_ACCESS_KEY="Your AWS secret access key" \
 -p 9500:9500 --name moesifproxy moesifproxy

Note:

  1. MOESIF_MANAGEMENT_API_KEY must have scopes create:encrypted_keys, read:encrypted_keys
  2. Optionally AWS_KMS_REGION can be passed as env variable. Defaults to us-west-2

2. Configure Moesif SDK

The collection API is accessible via the /collector endpoint on the secure proxy. You will need to configure any SDKs to log to this endpoint instead of Moesif’s main API at https://api.moesif.net.

For example, instead of logging to https://api.moesif.net/v1/events, you can log traffic to the the secure proxy via http://localhost:9500/collector/v1/events.

To do so, override the Moesif SDK Base URI to route through your local proxy hostname. Refer to your respective server integration docs or reach out to support.

An example for moesif-nodejs is below:

const moesifMiddleware = moesif({
  applicationId: process.env.MOESIF_APPLICATION_ID,
  baseUri: 'http://localhost:9500/collector',
});

Accessing the Moesif Management API

Like the collector API, you can access your data programmatically via the Moesif Management API while having it decrypted on the fly as long as you route your requests through the proxy under the /api endpoint. Keep in mind any scripts or access you make must have access to your local proxy instance.

For example instead of querying data in Moesif directly via https://api.moesif.com/v1/search/~/search/events, you can search data in Moesif like so:

curl -XPOST http://localhost:9500/api/search/~/search/events

Scaling Moesif proxy

For light load, you may be fine with a single Docker container running. If you expect a high volume of data collected or a large number of users at your organization querying data in Moesif, you can create a pool of Moesif proxy instances behind a load balancer. No storage is required which simplifies scaling. You can even run multiple clusters at different host names for better control. For example, one cluster can be used for data collection from SDKs, while a different cluster is used for users querying data in Moesif.

Configuration options

MOESIF_APPLICATION_ID

Required Your Moesif Collector Application Id which can be found by logging into Moesif and going to API Keys from the top-right menu.

MOESIF_MANAGEMENT_API_KEY

Required Your Moesif Management API key which can be found by logging into Moesif and going to API Keys from the top-right menu. Ensure the key is generated with at least the create:encrypted_keys, read:encrypted_keys scopes.

MOESIF_ENCRYPTION_ENABLED

Set to false to disable client-side encryption.

MOESIF_ENCRYPT_NUMERICS

Set to false if numbers are not sensitive and don’t require encryption. This enables numeric math in Moesif.

MOESIF_ENCRYPT_DATES

Set to false if dates are not sensitive and don’t require encryption. This enables date math in Moesif.

AWS configuration config

The below options are used to configure AWS KMS.

AWS_CUSTOMER_KEY_ID

AWS_KMS_REGION

AWS_ACCESS_KEY_ID

AWS_SECRET_ACCESS_KEY

How to build

Moesif Proxy uses the revel webframework. To learn more about revel https://revel.github.io/

To build Docker image

docker build -t moesif/moesifproxy:latest

To push to Docker repo

docker login

docker push moesif/moesifproxy:latest

Updated: