AWS KMS encryption provider

The Aspire AWS KMS encryption provider uses keys created in KMS to encrypt and decrypt the data. The secrets are encrypted with the KMS encryption mechanisms and, once encrypted, stored in the Aspire Configuration indexes. When Aspire needs the secret value, it calls the KMS decrypt mechanism to obtain the value back.

To enable AWS KMS encryption, you must change the encryptionProvider section of your Aspire Settings file to point to the KMS encryption provider jar:

    "encryptionProvider": {
      "_comments_implementation": [
        "Maven coordinates of the encryption provider",
        "default is: com.accenture.aspire:aspire-encryption-provider"
      ],
      "implementation": "com.accenture.aspire:aspire-aws-kms-encryption-provider"
    },

There are two ways of configuring the encryption provider: through Properties or through the Settings File.

...

Nginx proxy server for Aspire

The app needs to be set up to mitigate DDoS attacks and other similar issues related to the findings of the Jira vulnerability issue.

A quick and straightforward solution is an Nginx server set up as a proxy server in front of Aspire.

Prerequisite:

Install Nginx server

Install Aspire 5

Aspire should not be reachable from outside directly; it should always be accessed through Nginx or a similar technology (Apache, AWS WAF, ...).

Nginx will be set up as a proxy server with HTTPS certificates, request limits and the other necessary security measures.

Internally, Aspire 5 and the cooperating internal apps can connect directly (localhost:50505).

With this approach we avoid imposing limits between internal applications.

To enable the POST request limits, open nginx.conf and add:

    http {
        # Map the client address into $limit only for POST requests;
        # an empty key means limit_req does not count the request at all.
        map $request_method $limit {
            default         "";
            POST            $binary_remote_addr;
        }

        # 10 MB shared zone for the binary client addresses; allows 60 requests per minute per key.
        limit_req_zone $limit zone=one:10m rate=60r/m;
        ...
        server {
            ...
            location / {
                ...
                # Limit POST requests to 60 per minute. No burst is configured, so a second
                # POST from the same address within one second is rejected (HTTP 503 by default).
                limit_req zone=one;
            }
        }
    }
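The limit_req configuration on this page (rate=60r/m, POST-only key, no burst) rejects a second POST from the same address within one second. The following Python model is an added example, not part of the Aspire documentation or of nginx: it reproduces nginx's limit_req accept/reject accounting (excess tracked in thousandths of a request, as in the nginx source) for the map/zone/limit_req combination above over constructed traffic, so you can see which requests would receive 503 and how a burst= parameter changes that; it does not model the delay nginx applies to accepted burst requests.

```python
from dataclasses import dataclass, field


@dataclass
class LimitReqZone:
    """Simplified model of one nginx limit_req_zone (accept/reject decision only)."""
    rate_per_min: int          # the page uses rate=60r/m
    burst: int = 0             # `limit_req zone=one;` without burst= means burst 0
    state: dict = field(default_factory=dict)  # key -> (excess, last_accepted_ms)

    def check(self, key: str, now_ms: int) -> bool:
        """True if accepted, False if nginx would answer 503 (default limit_req_status)."""
        if key == "":                  # empty key: nginx does not apply the limit
            return True
        rate = self.rate_per_min * 1000 // 60   # thousandths of a request per second
        if key not in self.state:                # first request seen for this key
            self.state[key] = (0, now_ms)
            return True
        excess, last = self.state[key]
        # Leak what elapsed since the last accepted request, then add this one (1000 = 1 request).
        excess = max(excess - rate * max(now_ms - last, 0) // 1000 + 1000, 0)
        if excess > self.burst * 1000:
            return False                # rejected; nginx leaves the key's state untouched
        self.state[key] = (excess, now_ms)
        return True


def limit_key(method: str, remote_addr: str) -> str:
    """The page's `map $request_method $limit`: only POST produces a non-empty key."""
    return remote_addr if method == "POST" else ""


def simulate(requests, burst=0):
    """requests: (t_ms, method, client_ip) tuples; returns the status each would get."""
    zone = LimitReqZone(rate_per_min=60, burst=burst)
    return [200 if zone.check(limit_key(m, ip), t) else 503 for t, m, ip in requests]


# Constructed traffic (not captured from a real server).
SAMPLE = [
    (0,    "POST", "10.0.0.5"),
    (100,  "GET",  "10.0.0.5"),   # GET is never keyed, so never limited
    (200,  "POST", "10.0.0.5"),   # 0.2 s after the last accepted POST from this client
    (300,  "POST", "10.0.0.9"),   # a different client has its own bucket
    (1300, "POST", "10.0.0.5"),   # 1.3 s after the last accepted POST from this client
]

if __name__ == "__main__":
    print("burst=0:", simulate(SAMPLE))            # [200, 200, 503, 200, 200]
    print("burst=1:", simulate(SAMPLE, burst=1))   # [200, 200, 200, 200, 200]
```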