Auditing Your Backup Storage on Scaleway Using the NGINX Reverse Proxy

Andrew Abwoga
14 July 2020

Scaleway provides a vast number of client-server use cases for accessing and operating on your backup storage. However, Scaleway does not give you a logging and auditing facility out of the box. Even so, the importance of auditing and logging cannot be overstated, as I have emphasized in my previous blogs. You can achieve auditing and logging by introducing an intermediary reverse proxy service between your client and the Scaleway storage servers, or simply by using Backup Ninja. In this blog, we discuss how you can leverage an NGINX reverse proxy versus purely using Backup Ninja to achieve authentication, authorization, and auditing of your backup storage on Scaleway.

Authentication

Access Token

Scaleway lets you protect your storage by authenticating with a token. The token is essentially an access key/secret key combination. You can create the access key and secret key by logging on to the Scaleway management console and generating them, as follows:

  1. Log in to the management console.
  2. Open the drop-down menu on your account name and click on Credentials.
  3. To generate a new token, click on Generate new token in the Tokens section of the page.
  4. The Access Key and the Secret Key will show on your screen. Take a note of the secret key, as it will not be recoverable later, and store it somewhere safe at that point.

If you plan to use Backup Ninja to manage your backups, you can select Scaleway as your cloud storage, and you will need to enter the access key/secret key combination when setting up the cloud provider.

Authorization

Scaleway lets you apply a set of Access Control Lists (ACLs) to your backup storage.

Setting ACL

Using the AWS CLI tool, you can give users within the same organization full control over your bucket or over objects in your bucket. The command below gives users within the same organization full access to your bucket. You can retrieve your organization ID from the Scaleway Console under your username > Account in the top right corner.

aws s3api put-bucket-acl --bucket $BucketName --grant-full-control id=$ORG_ID:$ORG_ID

You can also give users full control over a specific object within your bucket with the AWS CLI, as below.

aws s3api put-object-acl --bucket $BucketName --key $ObjectName --grant-full-control id=$ORG_ID:$ORG_ID

Listing ACL

You can list the ACL of your bucket with the command below.

aws s3api get-bucket-acl --bucket $BucketName
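Listing the ACL is only useful if someone reads it. The script below is an added example (not part of the original post or of any Scaleway or Backup Ninja tooling) that takes the JSON printed by `aws s3api get-bucket-acl` and flags every grant that does not belong to your own organization: grants to the public AllUsers/AuthenticatedUsers groups are rated HIGH, grants to another account ID MEDIUM. The sample ACL, the organization IDs and the `ORG_ID:ORG_ID` grantee format (mirroring the `put-bucket-acl` command above) are constructed assumptions.

```python
import json

# Constructed sample of `aws s3api get-bucket-acl --bucket $BucketName` output.
# The IDs are placeholders, not real Scaleway organization IDs.
MY_ORG_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_ACL_JSON = """
{
  "Owner": {"DisplayName": "my-org", "ID": "11111111-1111-1111-1111-111111111111"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "DisplayName": "my-org",
                 "ID": "11111111-1111-1111-1111-111111111111:11111111-1111-1111-1111-111111111111"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "DisplayName": "other-org",
                 "ID": "22222222-2222-2222-2222-222222222222"},
     "Permission": "WRITE"}
  ]
}
"""

# Predefined S3 groups that make a bucket public or cross-account readable.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous (public)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any authenticated account",
}


def belongs_to_org(grantee_id, org_id):
    """Assumption: grantee IDs appear either bare or as ORG_ID:USER_ID."""
    return grantee_id == org_id or grantee_id.startswith(org_id + ":")


def audit_bucket_acl(acl_json, org_id):
    """Return (severity, description) findings for grants outside org_id.

    An empty list means every grant in the ACL belongs to your own organization.
    """
    acl = json.loads(acl_json)
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        perm = grant["Permission"]
        if grantee["Type"] == "Group":
            uri = grantee.get("URI", "")
            if uri in PUBLIC_GROUPS:
                findings.append(("HIGH", f"{perm} granted to {PUBLIC_GROUPS[uri]}"))
            else:
                findings.append(("MEDIUM", f"{perm} granted to group {uri}"))
        elif grantee["Type"] == "CanonicalUser":
            gid = grantee.get("ID", "")
            if not belongs_to_org(gid, org_id):
                findings.append(("MEDIUM", f"{perm} granted to foreign account {gid}"))
        else:
            # e.g. AmazonCustomerByEmail: unusual for a backup bucket, worth a look
            findings.append(("LOW", f"{perm} granted to grantee type {grantee['Type']}"))
    return findings


def is_private_to_org(acl_json, org_id):
    """True when no grant reaches outside the organization."""
    return not audit_bucket_acl(acl_json, org_id)


if __name__ == "__main__":
    for severity, text in audit_bucket_acl(SAMPLE_ACL_JSON, MY_ORG_ID):
        print(f"[{severity}] {text}")
```

In practice you would pipe the CLI output into `audit_bucket_acl` (for example `aws s3api get-bucket-acl --bucket $BucketName | python3 audit_acl.py`) for every bucket holding backups, and treat any HIGH finding as a bucket that has become public.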

Auditing and Logging

Scaleway does not support auditing and logging out of the box. Depending on your situation, you can either use a well-controlled database backup storage solution that has an auditing and logging feature and make it the only means of accessing and operating on your storage backups, or set up a reverse proxy through which you access and operate on your storage backups, which need not be database backups.

Auditing and Logging with Backup Ninja

Backup Ninja gives you a seamless, configuration-free auditing and logging facility. By using it, you can easily limit access to your database backups, since it also provides a backup restore feature. Backup Ninja keeps track of user events and backup events.

Please refer to this blog for more details: Event Monitoring, Logging and Alerting for Your Database Backups

Auditing and Logging with NGINX Reverse Proxy

To make use of Nginx for logging and auditing, set up a reverse proxy by installing and configuring Nginx as in the steps below:

  1. Install Nginx on a preferred Linux host.
  2. Disable the default virtual host and any other features you do not need, to reduce exposure to vulnerabilities in the default configuration.
  3. Create a reverse proxy configuration on Nginx like the one below.
server {
    listen 80;

    # Configure your domain name here:
    server_name mys3server.com;

    # Configure your access log here. The combined format records client address,
    # timestamp, request line, status, response size, referer and user agent:
    access_log   /var/log/s3proxy.access.log  combined;

    # Configure your Object Storage bucket URL here:
    set $bucket "myobjectstoragebucket.s3.fr-par.scw.cloud";

    # This configuration provides direct access to the Object Storage bucket:
    location /s3/ {
      resolver 62.210.16.6;
      proxy_http_version     1.1;
      proxy_redirect off;
      proxy_set_header       Connection "";
      # Any Authorization header sent by the client is dropped, so the upstream
      # request reaches the bucket unauthenticated:
      proxy_set_header       Authorization '';
      proxy_set_header       Host $bucket;
      # Preserve the real client address for the upstream and for auditing:
      proxy_set_header       X-Real-IP $remote_addr;
      proxy_set_header       X-Forwarded-For $proxy_add_x_forwarded_for;
      # Hide upstream request identifiers, encryption metadata and cookies from the client:
      proxy_hide_header      x-amz-id-2;
      proxy_hide_header      x-amz-request-id;
      proxy_hide_header      x-amz-meta-server-side-encryption;
      proxy_hide_header      x-amz-server-side-encryption;
      proxy_hide_header      Set-Cookie;
      proxy_ignore_headers   Set-Cookie;
      proxy_intercept_errors on;
      add_header             Cache-Control max-age=31536000;
      proxy_pass             https://$bucket/;
    }
}

For more details about setting up the Nginx proxy, please refer to this link: Setting up an Nginx reverse proxy with Object Storage
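The proxy only delivers auditing if the access log is actually reviewed. The script below is an added example (not part of the original post, of Nginx, or of Scaleway's documentation) that parses the `combined` format written by the configuration above, keeps the requests under the `/s3/` location, and reports write operations (PUT/POST/DELETE), requests the bucket refused (403), client addresses outside an allow-list, and per-client request counts. The log lines, the addresses and the allow-list are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the NGINX "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2020:10:15:32 +0000] "GET /s3/db-backups/prod-2020-07-14.sql.gz HTTP/1.1" 200 52428800 "-" "aws-cli/2.0.0"
203.0.113.10 - - [14/Jul/2020:10:16:01 +0000] "PUT /s3/db-backups/prod-2020-07-14.sql.gz HTTP/1.1" 200 0 "-" "aws-cli/2.0.0"
198.51.100.7 - - [14/Jul/2020:11:02:45 +0000] "GET /s3/db-backups/ HTTP/1.1" 403 243 "-" "curl/7.68.0"
198.51.100.7 - - [14/Jul/2020:11:02:50 +0000] "DELETE /s3/db-backups/prod-2020-07-13.sql.gz HTTP/1.1" 204 0 "-" "curl/7.68.0"
192.0.2.55 - - [14/Jul/2020:11:30:00 +0000] "GET /healthz HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

# Methods that change bucket contents and therefore deserve the closest review.
WRITE_METHODS = {"PUT", "POST", "DELETE"}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def audit_s3_access(log_text, allowed_ips, prefix="/s3/"):
    """Summarize the bucket operations that passed through the proxy.

    Returns the parsed events under `prefix`, the write operations among them,
    the requests the bucket refused (403), the client addresses not in
    `allowed_ips`, and a per-client request count.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(prefix):
            events.append(rec)
    return {
        "events": events,
        "writes": [e for e in events if e["method"] in WRITE_METHODS],
        "denied": [e for e in events if e["status"] == 403],
        "unknown_clients": {e["ip"] for e in events} - set(allowed_ips),
        "requests_per_client": Counter(e["ip"] for e in events),
    }


if __name__ == "__main__":
    report = audit_s3_access(SAMPLE_LOG, allowed_ips={"203.0.113.10"})
    for e in report["writes"]:
        print(f"{e['time'].isoformat()} {e['ip']} {e['method']} {e['path']} -> {e['status']}")
    print("denied:", len(report["denied"]), "unknown clients:", sorted(report["unknown_clients"]))
```

Run it against `/var/log/s3proxy.access.log` on a schedule; a DELETE from an address outside the allow-list, as in the sample, is exactly the kind of event the reverse proxy was put in place to make visible.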

Key Takeaways

  • Opt to use a dedicated database backup solution if you specifically want auditing and logging for your cloud-based database backups. Using an Nginx reverse proxy may be relevant if you need auditing and logging for other kinds of storage objects like text, HTML or other files.
  • Always review your ACLs to ensure that only the intended users have the appropriate permissions.
  • Ensure you don’t expose your storage backups to the public if you don’t need to. Keep them private.
  • Keep your secret key secret.