Secure Proxy

Moesif Secure Proxy enables zero-knowledge security with on-premises client-side encryption and bring your own keys (BYOK). The proxy appliance is installed in your data center and handles encryption and decryption of your Moesif data on the fly. With the secure proxy, Moesif and its employees cannot view your event payload in plain text, and can only see the encrypted form.

In addition to client-side encryption, the secure proxy routes all communication with Moesif through a single appliance. This allows Moesif to be used in apps that do not have direct access to the internet and also reduces the number of outbound connections to Moesif servers.

Overview

Keystore

Your master encryption keys are never stored on Moesif servers. Instead, secure proxy has adapters for popular key stores. Currently AWS Key Management Service (KMS) and AWS CloudHSM are supported, but other key stores can be added in the future.

What’s encrypted

All HTTP request and response headers, the request and response body, and any custom metadata are encrypted.

How to build

Moesif Proxy uses the Revel web framework. To learn more about Revel, see https://revel.github.io/

To build Docker image

docker build -t moesif/moesifproxy:latest .

To push to Docker repo

docker login

docker push moesif/moesifproxy:latest

How to use

To run the Docker image

Moesif proxy takes its configuration from environment variables. Below is an example of passing them to the container with the -e option. The environment variables can also be placed in a file and passed to the docker command with the --env-file option.

docker run -it \
  -e MOESIF_MANAGEMENT_API_KEY="Your Moesif Management Key" \
  -e MOESIF_APPLICATION_ID="Your Moesif application Id" \
  -e AWS_CUSTOMER_KEY_ID="Your AWS customer key Id" \
  -e AWS_ACCESS_KEY_ID="Your AWS access Key Id" \
  -e AWS_SECRET_ACCESS_KEY="Your AWS secret access key" \
  -p 9500:9500 --name moesifproxy moesif/moesifproxy:latest

Note:

  1. MOESIF_MANAGEMENT_API_KEY must have scopes create:encrypted_keys, read:encrypted_keys
  2. Optionally AWS_KMS_REGION can be passed as env variable. Defaults to us-west-2
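For the --env-file variant mentioned above, which keeps the keys out of shell history and the process list, a preflight check can catch a world-readable or incomplete file before the container starts. This is an added example, not code from the Moesif project; it assumes the five variables from the docker run example are all required, and the file name moesifproxy.env is hypothetical.

```shell
#!/bin/sh
# Added example; not part of the Moesif proxy project.
# The variables passed in the docker run example above (assumption: all
# five are needed when AWS KMS is the key store).
REQUIRED_VARS="MOESIF_MANAGEMENT_API_KEY MOESIF_APPLICATION_ID
AWS_CUSTOMER_KEY_ID AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY"

# check_env_file FILE
# Returns 0 when FILE is fit to pass to `docker run --env-file`;
# otherwise reports each problem on stderr and returns 1.
check_env_file() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # The file holds long-lived secrets: allow no group/other access.
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        ?00) ;;
        *) echo "$file: mode $mode, want 600 or stricter" >&2; rc=1 ;;
    esac

    for var in $REQUIRED_VARS; do
        # Env files are plain KEY=VALUE lines; if a key repeats, this
        # check looks at its last occurrence.
        value=$(sed -n "s/^${var}=//p" "$file" | tail -n 1)
        case $value in
            '')
                echo "$file: $var is missing or empty" >&2; rc=1 ;;
            \"*|\'*)
                # Docker does not strip quotes in env files, so the
                # quote characters would become part of the secret.
                echo "$file: $var is quoted" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage (moesifproxy.env is a hypothetical file name):
#   check_env_file moesifproxy.env &&
#     docker run -it --env-file moesifproxy.env -p 9500:9500 \
#       --name moesifproxy moesif/moesifproxy:latest
```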

Configuring Moesif SDK

Normally, the Moesif SDKs communicate directly with the Moesif collector API hosted at https://api.moesif.net. With the proxy, you can access the collector API at http://localhost:9500/collector like so:

curl -XPOST http://localhost:9500/collector/v1/events

To ensure event data is encrypted on the fly before being sent to Moesif, override the Moesif SDK Base URI to route through your local proxy hostname. An example for moesif-express is below:

const moesifMiddleware = moesif({
  applicationId: process.env.MOESIF_APPLICATION_ID,
  baseUri: 'http://localhost:9500/collector',
});

Refer to the SDK-specific documentation or reach out to your Moesif technical account manager.

Accessing the Moesif portal

To access analytics and reports in the Moesif portal, you will need to be on a network that can reach your proxy host. This means if the proxy is only accessible from your corporate intranet, you will need to VPN to that network before you can log in and use Moesif.

Your Moesif proxy instance will handle encryption and decryption on the fly on the way from Moesif servers to the local browser app.

Accessing the Moesif Management API

Like the collector API, you can access your data programmatically via the Moesif Management API and have it decrypted on the fly, as long as you route your requests through the proxy under the /api endpoint. Keep in mind that any script or client you use must be able to reach your local proxy instance.

For example instead of querying data in Moesif directly via https://api.moesif.com/v1/search/~/search/events, you can search data in Moesif like so:

curl -XPOST http://localhost:9500/api/search/~/search/events

Scaling Moesif proxy

For light load, a single running Docker container may be enough. If you expect a high volume of collected data or a large number of users at your organization querying data in Moesif, you can create a pool of Moesif proxy instances behind a load balancer. No storage is required, which simplifies scaling. You can even run multiple clusters at different host names for better control. For example, one cluster can be used for data collection from SDKs, while a different cluster is used for users querying data in Moesif.

Configuration options

MOESIF_APPLICATION_ID

Required. Your Moesif Collector Application Id which can be found by logging into Moesif and going to API Keys from the top-right menu.

MOESIF_MANAGEMENT_API_KEY

Required. Your Moesif Management API key which can be found by logging into Moesif and going to API Keys from the top-right menu. Ensure the key is generated with at least the create:encrypted_keys, read:encrypted_keys scopes.

MOESIF_ENCRYPTION_ENABLED

Set to false to disable client-side encryption.

MOESIF_ENCRYPT_NUMERICS

Set to false if numbers are not sensitive and don’t require encryption. This enables numeric math in Moesif.

MOESIF_ENCRYPT_DATES

Set to false if dates are not sensitive and don’t require encryption. This enables date math in Moesif.

AWS configuration

The below options are used to configure AWS KMS.

AWS_CUSTOMER_KEY_ID

AWS_KMS_REGION

AWS_ACCESS_KEY_ID

AWS_SECRET_ACCESS_KEY
