How to encrypt proxy cache


How to encrypt proxy cache

anish10dec
Hi,

We are testing using nginx as a file cache in front of our app, but the
contents of the proxy cache directory are readable to anybody who has
access to the machine. Is there a way to encrypt the files stored in the
proxy cache folder so that it's not exposed to the naked eye but nginx
decrypts it on the fly before serving it to the user?

Thanks
Sachin

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273311,273311#msg-273311

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: How to encrypt proxy cache

Rainer Duffner
On 2017-04-03 15:21, [hidden email] wrote:
> Hi,
>
> We are testing using nginx as a file cache in front of our app, but the
> contents of the proxy cache directory are readable to anybody who has
> access to the machine. Is there a way to encrypt the files stored in the
> proxy cache folder so that it's not exposed to the naked eye but nginx
> decrypts it on the fly before serving it to the user?



Run it on a machine that only authorized users have access to.

Servers from HP let you encrypt the hard drives through the
RAID controller.




Re: How to encrypt proxy cache

Maxim Dounin
In reply to this post by anish10dec
Hello!

On Mon, Apr 03, 2017 at 09:21:10AM -0400, [hidden email] wrote:

> We are testing using nginx as a file cache in front of our app, but the
> contents of the proxy cache directory are readable to anybody who has
> access to the machine. Is there a way to encrypt the files stored in the
> proxy cache folder so that it's not exposed to the naked eye but nginx
> decrypts it on the fly before serving it to the user?

Files in the proxy cache folder are protected using normal access
control; nginx uses a 0600 access mask for all cache files and
directories.  They aren't expected to be readable by anyone except
nginx itself.  This is believed to be enough to prevent any
unauthorized access at the software level.

If you also want to protect data from attackers with physical
access to the server, consider using disk encryption and/or
filesystem-level encryption.  It is not likely to solve the
problem completely, but may help in some simple cases.

--
Maxim Dounin
http://nginx.org/

Re: How to encrypt proxy cache

anish10dec
Thanks Maxim for the reply. We have evaluated disk-based encryption etc., but
that does not prevent sysadmins from viewing user data, which is a problem
for us.

Do you think we could build something using Lua and intercept read and
write calls from the cache?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273311,273354#msg-273354


Re: How to encrypt proxy cache

Rainer Duffner
On 2017-04-03 17:50, [hidden email] wrote:
> Thanks Maxim for the reply. We have evaluated disk-based encryption etc., but
> that does not prevent sysadmins from viewing user data, which is a problem
> for us.

Then you should put your servers someplace where you trust your
sysadmins.

Because ultimately, you will have to.

They could just replace the lua-script with something that makes an
unencrypted copy to some other place, couldn't they?

Re: How to encrypt proxy cache

Steve Wilson
In reply to this post by anish10dec
On 03/04/2017 16:50, [hidden email] wrote:

> Thanks Maxim for the reply. We have evaluated disk-based encryption etc., but
> that does not prevent sysadmins from viewing user data, which is a problem
> for us.
>
> Do you think we could build something using Lua and intercept read and
> write calls from the cache?

With root-level access I doubt you'll be able to meet your requirements.
There are tools like ssldump which can be used to decrypt the network
traffic; even implementing something via a module/Lua would require the
encryption key to be read and available for the sysadmins to use.

Personally I'd look at avoiding caching if it's got sensitive data by
identifying common request data (paths/cookies etc.) and excluding them from
the cache.

Alternatively, as Maxim has said, review and restrict access to the
server.

Steve.
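
The cache exclusion suggested in the message above, sketched as an nginx configuration. This is an added example, not part of the original post; the zone name `app_cache`, the upstream address, the cookie name `sessionid` and the path prefixes are assumptions to adapt.

```nginx
# Constructed example: all names, paths and addresses below are placeholders.
events {}

http {
    proxy_cache_path /var/cache/nginx/app levels=1:2
                     keys_zone=app_cache:10m max_size=1g inactive=60m;

    # 1 for request paths whose responses must never be written to disk.
    map $request_uri $sensitive_path {
        default           0;
        ~^/account/       1;
        ~^/api/private/   1;
    }

    server {
        listen 8081;

        location / {
            proxy_pass  http://127.0.0.1:8080;
            proxy_cache app_cache;

            # A response is not stored if any value is non-empty and not "0":
            # a sensitive path, a session cookie, or an Authorization header.
            proxy_no_cache     $sensitive_path $cookie_sessionid $http_authorization;

            # Same conditions on lookup, so such requests always go upstream
            # and never receive an entry cached for another request.
            proxy_cache_bypass $sensitive_path $cookie_sessionid $http_authorization;
        }
    }
}
```

These directives only affect new requests: entries already written to the cache directory stay on disk until they expire or are deleted. nginx also skips caching on its own when the upstream response carries `Set-Cookie` or `Cache-Control: private`, `no-cache` or `no-store`, so the application can mark sensitive responses itself.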

Re: How to encrypt proxy cache

antituhan
In reply to this post by anish10dec

Hello!

On 04/03/2017 08:21 PM, [hidden email] wrote:
> Hi,
>
> We are testing using nginx as a file cache in front of our app,
> but the contents of the proxy cache directory are readable to
> anybody who has access to the machine.

[..]

> Is there a way to encrypt the files stored in the proxy cache
> folder so that it's not exposed to the naked eye but nginx decrypts
> it on the fly before serving it to the user?

I didn't get your expectations and why you are doing this. If the
content is publicly visible over nginx, why would the sysadmin or others
try to break the proxy cache directly?

I think they (your engineers) will call the URL directly in the
browser (e.g. http://localhost/this/should/be/secret), won't they?

If your expectation is to encrypt/encode the URL so that it is visible
to authorized users only, that's more possible.


Re: How to encrypt proxy cache

anish10dec
Hi,

The information is not publicly available; it is protected by
authentication. We have an auth plugin which makes sure auth happens before
the request is routed to this cache.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273311,273363#msg-273363
