In the previous article “Writing an Nginx module for RSA Encryption and decryption”, I described how to write an Nginx module and implement relatively high performance encryption and decryption with the help of Nginx. A new version of Nginx has been released, with initial native “RSA encryption and decryption” capabilities.

So, let’s take a lighter approach to implementing the aforementioned functionality.

Writing in the front

With the Nginx release coming to 1.21.4, NJS has also been upgraded to 0.7. This is a breakthrough release because NJS adds a W3C-compliant WebCrypto API.

This means that the days of requiring a separate set of services for interface encryption authentication may be over.

The official implementation of this feature is mainly through the addition of njs_webCrypto. C encryption and decryption module, introduced some of OpenSSL capabilities. If your requirements include encryption and decryption for a specified RSA key (with a password), NJS currently cannot do this. However, you can modify the above code to add the “computational” code implementation I mentioned in “Writing Nginx modules for RSA encryption and decryption” : Add the password-carrying part of PEM_read_bio_RSAPrivateKey, do some function binding to NJS, and remember to clean up RSA references.

Fortunately, in most cases, encryption and decryption for the business interface is not preferred to use cryptographically added keys because of call performance.

Next, I’ll show you how to use this new capability of Nginx NJS to implement a step-by-step interface service that can perform RSA automatic encryption and decryption based on the business interface content.

Use a browser to generate an RSA certificate

You read the subtitle correctly, this time we’re going to use a browser instead of “OpenSSL on the traditional command line” to generate our certificate.

There are two main apis used here:

  • SubtleCrypto.generateKey()
  • SubtleCrypto.exportKey()

The document is boring, so here are the highlights. In the generation algorithm, this paper adopts rSA-OAep, the asymmetric encryption algorithm only supported by WEB Crypto API. When exporting the generated certificate, it is necessary to select the corresponding export format according to the key type.

For the convenience of my readers, I wrote a simple JavaScript script, copied and pasted it into your browser console (Chrome is recommended), and executed. Unsurprisingly, your browser will automatically download two files called ‘rsa.pub’ and ‘rsa.key’, which we’ll use later.

(async() = > {const ab2str = (buffer) = > String.fromCharCode.apply(null.new Uint8Array(buffer));
  const saveFile = async (files) => {
    Object.keys(files).forEach(file= > {
      const blob = new Blob([files[file]], { type: 'text/plain' });
      with (document.createElement('a')) { download = file; href = URL.createObjectURL(blob); click(); }
      URL.revokeObjectURL(blob);
    });
  }
  const exportKey = (content) = > new Promise(async (resolve) => { await crypto.subtle.exportKey(content.type === "private" ? "pkcs8" : "spki", content).then((data) = > resolve(`-----BEGIN ${content.type.toUpperCase()} KEY-----\n${btoa(ab2str(data))}\n-----END ${content.type.toUpperCase()} KEY-----`)); });
  const { privateKey, publicKey } = await crypto.subtle.generateKey({ name: "RSA-OAEP".modulusLength: 4096.publicExponent: new Uint8Array([1.0.1]), hash: "SHA-256" }, true["encrypt"."decrypt"])
  saveFile({ "rsa.key": await exportKey(privateKey), "rsa.pub": awaitexportKey(publicKey) }); }) ();Copy the code

RSA encryption and decryption using NJS

How the new WEB Crypto API is used is not mentioned in the official Nginx and NJS documentation, but we can see how the interface is used in the latest test cases in the code repository.

Nginx: Nginx: Nginx: Nginx: Nginx: Nginx: Nginx: Nginx: Nginx: Nginx: Nginx: Nginx Nginx RSA encryption and decryption using NJS

const fs = require('fs');
if (typeof crypto == 'undefined') {
  crypto = require('crypto').webcrypto;
}

function pem_to_der(pem, type) {
  const pemJoined = pem.toString().split('\n').join(' ');
  const pemHeader = `-----BEGIN ${type} KEY-----`;
  const pemFooter = `-----END ${type} KEY-----`;
  const pemContents = pemJoined.substring(pemHeader.length, pemJoined.length - pemFooter.length);
  return Buffer.from(pemContents, 'base64');
}

const rsaKeys = {
  public: fs.readFileSync(`/etc/nginx/script/rsa.pub`),
  private: fs.readFileSync(`/etc/nginx/script/rsa.key`)}async function simple(req) {

  const spki = await crypto.subtle.importKey("spki", pem_to_der(rsaKeys.public, "PUBLIC"), { name: "RSA-OAEP".hash: "SHA-256" }, false["encrypt"]);
  const pkcs8 = await crypto.subtle.importKey("pkcs8", pem_to_der(rsaKeys.private, "PRIVATE"), { name: "RSA-OAEP".hash: "SHA-256" }, false["decrypt"]);

  let originText = "Suppose this is something that needs to be encrypted, by Soulteary.";

  let enc = await crypto.subtle.encrypt({ name: "RSA-OAEP" }, spki, originText);
  let decode = await crypto.subtle.decrypt({ name: "RSA-OAEP" }, pkcs8, enc);

  req.headersOut["Content-Type"] = "text/html; charset=UTF-8";
  req.return(200['

Original content

'
.`<code>${originText}</code>`.'

Encrypted content

'
.`<code>${Buffer.from(enc)}</code>`.'

Decrypted content

'
.`<code>${Buffer.from(decode)}</code>`, ].join(' ')); } export default { simple }; Copy the code

The code above defines a simple interface, “Simple,” to load the RSA Keys we just generated, and then encrypt and decrypt a specified piece of content (originText). With that saved as app.js, let’s go ahead and write a simple Nginx configuration (nginx.conf) :

load_module modules/ngx_http_js_module.so;

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events { worker_connections 1024; }

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    js_import app from script/app.js;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main; keepalive_timeout 65; gzip on; server { listen 80; server_name localhost; charset utf-8; gzip on; location / { js_content app.simple; }}}Copy the code

For ease of use, here is also a container configuration (docker-comemage.yml) :

version: '3'

services:

  nginx-rsa-demo:
    image: Nginx: 1.21.4 - alpine
    ports:
      - 8080: 80
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./scripts:/etc/nginx/script
Copy the code

Start the container with docker-compose up, then go to Localhost :8080 in your browser and you can see the following.

And the response time, by the way, in the container of the laptop is about a dozen ms, but if you put it in production, with some optimization, it’s in the single digits.

All right, that’s the end of the competency test. Let’s slightly modify and optimize the gateway product to achieve automatic RSA encryption and decryption function.

Build a gateway with RSA encryption and decryption capability

Here’s how to use Nginx’s NJS to encrypt and decrypt requests. Let’s start by writing the Nginx configuration.

Adjust NJS export functions used in Nginx configuration

Considering convenient debugging, we will be “entry point” (interface) broken down into three, you can be adjusted according to actual usage scenarios, such as at the entrance to add IP access restrictions, additional authentication function, or cancel the entrance to the “unity”, direct use of the two main encryption interface for program “entry point” :

server { listen 80; server_name localhost; charset utf-8; gzip on; location / { js_content app.entrypoint; } location /api/encrypt { js_content app.encrypt; } location /api/decrypt { js_content app.decrypt; }}Copy the code

With the Nginx configuration written, it’s time to start the meal: writing NJS programs.

Adjust NJS programs: Adjust export functions

After the Nginx configuration changes, the export function in NJS also needs to be adjusted:

export default { encrypt, decrypt, entrypoint };
Copy the code

After modifying the export function, we in turn to achieve the function of the three interface functions.

Implement NJS program: default entry function

Because the current development and debugging of NJS is still in a very inconvenient state, so we first write the entry function to facilitate the debugging process (app.js) :

function debug(req) {
  req.headersOut["Content-Type"] = "text/html; charset=UTF-8";
  req.return(200, JSON.stringify(req, null, 4));
}

function encrypt(req) {
  debug(req)
}

function decrypt(req) {
  debug(req)
}

function entrypoint(r) {
  r.headersOut["Content-Type"] = "text/html; charset=UTF-8";
  switch (r.method) {
    case 'GET':
      return r.return(200, [
        '<form action="/" method="post">'.'<input name="data" value=""/>'.'<input type="radio" name="action" id="encrypt" value="encrypt" checked="checked"/><label for="encrypt">Encrypt</label>'.'<input type="radio" name="action" id="decrypt" value="decrypt"/><label for="decrypt">Decrypt</label>'.'<button type="submit">Submit</button>'.'</form>'
      ].join('<br>'));
    case 'POST':
      var body = r.requestBody;
      if (r.headersIn['Content-Type'] != 'application/x-www-form-urlencoded'| |! body.length) { r.return(401,"Unsupported method\n");
      }

      var params = body.trim().split('&').reduce(function (prev, item) {
        var tmp = item.split('=');
        var key = decodeURIComponent(tmp[0]).trim();
        var val = decodeURIComponent(tmp[1]).trim();
        if (key === 'data' || key === 'action') {
          if(val) { prev[key] = val; }}return prev;
      }, {});

      if(! params.action || (params.action ! ='encrypt'&& params.action ! ='decrypt')) {
        return r.return(400, 'Invalid Params: `action`.');
      }

      if(! params.data) {return r.return(400, 'Invalid Params: `data`.');
      }

      function response_cb(res) {
        r.return(res.status, res.responseBody);
      }

      return r.subrequest(`/api/${params.action}`, { method: 'POST' }, response_cb)
    default:
      return r.return(400, "Unsupported method\n"); }}export default { encrypt, decrypt, entrypoint };
Copy the code

What did we accomplish in the 60 or so lines above?

  • A simple Web form interface for receiving “encryption and decryption actions” and “data to be decrypted and decrypted” in the process of debugging and development.
  • According to the action we select, the “encryption and decryption” operation is automatically performed, and the processing result of the specific encryption and decryption interface is returned.
  • The simple Mock encryption and decryption interface currently actually calls adebugTo print our submission.

Using a browser to access the interface, you can see this simple submission interface:

Write something in the debug form text box and submit it. You can see that the function works as expected and the submission is printed correctly:

Next, we implement NJS’s RSA encryption function.

NJS implementation procedures: RSA encryption function

Referring to the previous, with a little adjustment, it is not difficult to implement this encryption function, about five lines is enough.

async function encrypt(req) {
  const spki = await crypto.subtle.importKey("spki", pem_to_der(rsaKeys.public, "PUBLIC"), { name: "RSA-OAEP".hash: "SHA-256" }, false["encrypt"]);
  const result = await crypto.subtle.encrypt({ name: "RSA-OAEP" }, spki, req.requestText);
  req.return(200, Buffer.from(result));
}
Copy the code

Run Nginx again, commit the content, and you can see that the data has been successfully encrypted with RSA.

Since RSA encryption is not readable by default, we generally use a layer of Base64 for plaintext transmission. So, we need to make some adjustments to this function and the function from the previous step, starting with the entry function.

function entrypoint(r) {
  r.headersOut["Content-Type"] = "text/html; charset=UTF-8";

  switch (r.method) {
    case 'GET':
      return r.return(200['<form action="/" method="post">'.'<input name="data" value=""/>'.'<input type="radio" name="action" id="encrypt" value="encrypt" checked="checked"/><label for="encrypt">Encrypt</label>'.'<input type="radio" name="action" id="decrypt" value="decrypt"/><label for="decrypt">Decrypt</label>'.'<input type="radio" name="base64" id="base64-on" value="on" checked="checked"/><label for="base64-on">Base64 On</label>'.'<input type="radio" name="base64" id="base64-off" value="off" /><label for="base64-off">Base64 Off</label>'.'<button type="submit">Submit</button>'.'</form>'
      ].join('<br>'));
    case 'POST':
      var body = r.requestBody;
      if (r.headersIn['Content-Type'] != 'application/x-www-form-urlencoded'| |! body.length) { r.return(401."Unsupported method\n");
      }

      var params = body.trim().split('&').reduce(function (prev, item) {
        var tmp = item.split('=');
        var key = decodeURIComponent(tmp[0]).trim();
        var val = decodeURIComponent(tmp[1]).trim();
        if (key === 'data' || key === 'action' || key === 'base64') {
          if(val) { prev[key] = val; }}return prev;
      }, {});

      if(! params.action || (params.action ! ='encrypt'&& params.action ! ='decrypt')) {
        return r.return(400.'Invalid Params: `action`.');
      }

      if(! params.base64 || (params.base64 ! ='on'&& params.base64 ! ='off')) {
        return r.return(400.'Invalid Params: `base64`.');
      }

      if(! params.data) {return r.return(400.'Invalid Params: `data`.');
      }

      function response_cb(res) {
        r.return(res.status, res.responseBody);
      }

      return r.subrequest(`/api/${params.action}${params.base64 === 'on' ? '? base64=1' : ' '}`, { method: 'POST'.body: params.data }, response_cb)
    default:
      return r.return(400."Unsupported method\n"); }}Copy the code

Did we add an option to enable Base64 encoding in the debug entry, and an additional one when calling the encryption and decryption interface with Base64 encoding enabled? Request parameters of base64=1.

The encryption function transformation is also very simple, about ten lines on the line:

async function encrypt(req) {
  const needBase64 = req.uri.indexOf('base64=1') > -1;
  const spki = await crypto.subtle.importKey("spki", pem_to_der(rsaKeys.public, "PUBLIC"), { name: "RSA-OAEP".hash: "SHA-256" }, false["encrypt"]);
  const result = await crypto.subtle.encrypt({ name: "RSA-OAEP" }, spki, req.requestText);
  if (needBase64) {
    req.return(200, Buffer.from(result).toString("base64"));
  } else {
    req.headersOut["Content-Type"] = "application/octet-stream";
    req.return(200, Buffer.from(result)); }}Copy the code

Restart the Nginx service, select Base64 encoding, and you can see that the output is as expected.

Copy the content and save it for later use. Let’s continue with RSA decryption.

NJS implementation: RSA decryption function

With the RSA encryption function, it is much easier to write the decryption function. Instead of decomposing the encryption function, you can directly take care of the Base64 option type.

async function decrypt(req) {
  const needBase64 = req.uri.indexOf('base64=1') > -1;
  const pkcs8 = await crypto.subtle.importKey("pkcs8", pem_to_der(rsaKeys.private, "PRIVATE"), { name: "RSA-OAEP".hash: "SHA-256" }, false["decrypt"]);
  const encrypted = needBase64 ? Buffer.from(req.requestText, 'base64') : Buffer.from(req.requestText);
  const result = await crypto.subtle.decrypt({ name: "RSA-OAEP" }, pkcs8, encrypted);
  req.return(200, Buffer.from(result));
}
Copy the code

Use the RSA encryption result after Base64 in the previous step to commit, and you can see that the encrypted content in the previous article can be decrypted correctly.

With the above foundation, let’s move on to automated encryption and decryption.

Build a gateway with automatic encryption and decryption capability

To simulate a real business scenario, we had to adjust the Nginx configuration and the container configuration separately.

Adjust the Nginx configuration: Simulate the business interface

Let’s start with Nginx configuration adjustments.

Start by emulating two new services and setting their output as raw data and RSA encrypted data. To keep things simple, we’ll use NJS to simulate the server-side interface response:

server { listen 8081; server_name localhost; charset utf-8; gzip on; location / { js_content mock.mockEncData; } } server { listen 8082; server_name localhost; charset utf-8; gzip on; location / { js_content mock.mockRawData; }}Copy the code

To use NJS in the emulated service, remember to add additional NJS script reference declarations to the Nginx global configuration:

js_import mock from script/mock.js;
Copy the code

To facilitate local debugging, we can also adjust the container choreography configuration to expose the interfaces of the above two services:

version: '3'

services:

  nginx-api-demo:
    image: Nginx: 1.21.4 - alpine
    restart: always
    ports:
      - 8080: 80
      - 8081: 8081
      - 8082: 8082
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./scripts:/etc/nginx/script
Copy the code

Implement NJS program: write business simulation interface

Referring to the previous section, you can quickly write out two business interfaces that will output raw data that needs to be encrypted later, and RSA encrypted data. In order to simulate the real scene, random function is used here, and specific calculation is carried out randomly for three different contents.

function randomPick() {
    const powerWords = ['Su Yang Blog'.'Hardcore focus'.'Share fun'];
    return powerWords[Math.floor(Math.random() * powerWords.length)];
}

function mockRawData(r) {
    r.headersOut["Content-Type"] = "text/html; charset=UTF-8";
    r.return(200, randomPick());
}

const fs = require('fs');
if (typeof crypto == 'undefined') {
    crypto = require('crypto').webcrypto;
}

function pem_to_der(pem, type) {
    const pemJoined = pem.toString().split('\n').join(' ');
    const pemHeader = `-----BEGIN ${type} KEY-----`;
    const pemFooter = `-----END ${type} KEY-----`;
    const pemContents = pemJoined.substring(pemHeader.length, pemJoined.length - pemFooter.length);
    return Buffer.from(pemContents, 'base64');
}

const publicKey = fs.readFileSync(`/etc/nginx/script/rsa.pub`);

async function mockEncData(r) {
    const spki = await crypto.subtle.importKey("spki", pem_to_der(publicKey, "PUBLIC"), { name: "RSA-OAEP".hash: "SHA-256" }, false["encrypt"]);
    const result = await crypto.subtle.encrypt({ name: "RSA-OAEP" }, spki, randomPick());

    r.headersOut["Content-Type"] = "text/html; charset=UTF-8";
    r.headersOut["Encode-State"] = "ON";
    r.return(200, Buffer.from(result).toString("base64"));
}

export default { mockEncData, mockRawData };
Copy the code

With everything in place, we access the different ports and see that the “business Interface” is ready. The data type distinction is made by adding an encode-state request header to the encrypted data. If you don’t want to add additional fields, you can also specify the response data Type in the Content-Type.

Adjust gateway Nginx configuration: Aggregate service interfaces

There are two ways to actually use services. One is that the service interface invokes the gateway encryption and decryption function mentioned above to encrypt and decrypt data, and then responds. The other is the gateway aggregation business interface, which adjusts the corresponding output according to the data response type.

In this paper, the latter solution, combined with Traefik, can achieve rapid horizontal expansion to improve service responsiveness.

Because NJS sub-requests have request source constraints, in order to be able to interact with business data, two interfaces need to be added to the Nginx configuration of the gateway. The remote side of the proxy needs to encrypt or decrypt business data.

location /remote/need-encrypt {
    proxy_pass http://localhost:8082/;
}

location /remote/need-decrypt {
    proxy_pass http://localhost:8081/;
}
Copy the code

Configured, you can through the http://localhost:8080/remote/need-encrypt and http://localhost:8080/remote/need-encrypt to access the contents of the previous section.

At the same time, in order for us to access the automatic encryption and decryption interface, we need to add another interface to call the NJS function for automatic encryption and decryption of data. (For practical business use and pursuit of extreme performance, we can consider splitting it into two parts)

location /auto{
    js_content app.auto;
}
Copy the code

NJS program: automatic encryption and decryption of business data

Let’s start by implementing an automatic processing of data according to the data source we specify (encrypted data, undecrypted data).

async function auto(req) {
  req.headersOut["Content-Type"] = "text/html; charset=UTF-8";

  let remoteAPI = "";
  switch (req.args.action) {
    case "encrypt":
      remoteAPI = "/remote/need-encrypt";
      break;
    case "decrypt":
    default:
      remoteAPI = "/remote/need-decrypt";
      break;
  }

  async function autoCalc(res) {
    const isEncoded = res.headersOut['Encode-State'] = ="ON";
    const remoteRaw = res.responseText;
    if (isEncoded) {
      const pkcs8 = await crypto.subtle.importKey("pkcs8", pem_to_der(rsaKeys.private, "PRIVATE"), { name: "RSA-OAEP".hash: "SHA-256" }, false["decrypt"]);
      const encrypted = Buffer.from(remoteRaw, 'base64');
      const result = await crypto.subtle.decrypt({ name: "RSA-OAEP" }, pkcs8, encrypted);
      req.return(200, Buffer.from(result));
    } else {
      const spki = await crypto.subtle.importKey("spki", pem_to_der(rsaKeys.public, "PUBLIC"), { name: "RSA-OAEP".hash: "SHA-256" }, false["encrypt"]);
      const dataEncrypted = await crypto.subtle.encrypt({ name: "RSA-OAEP" }, spki, remoteRaw);
      req.return(200, Buffer.from(dataEncrypted).toString("base64"));
    }
  }

  req.subrequest(remoteAPI, { method: "GET" }, autoCalc)
}


export default { encrypt, decrypt, entrypoint, auto };
Copy the code

Restart Nginx and access the proxy remote data interface /remote/need-encrypt and automatic encryption gateway interface respectively. You can see that the program is running as expected.

To make the program smarter and fully automated, a simple adjustment can be made to make the program access the raw data randomly rather than according to the parameters we specify. (In order to visually verify the behavior, we adjust the output here as well.)

async function auto(req) {
  req.headersOut["Content-Type"] = "text/html; charset=UTF-8";

  function randomSource() {
    const sources = ["/remote/need-encrypt"."/remote/need-decrypt"];
    return sources[Math.floor(Math.random() * sources.length)];
  }

  async function autoCalc(res) {
    const isEncoded = res.headersOut['Encode-State'] = ="ON";
    const remoteRaw = res.responseText;
    if (isEncoded) {
      const pkcs8 = await crypto.subtle.importKey("pkcs8", pem_to_der(rsaKeys.private, "PRIVATE"), { name: "RSA-OAEP".hash: "SHA-256" }, false["decrypt"]);
      const encrypted = Buffer.from(remoteRaw, 'base64');
      const result = await crypto.subtle.decrypt({ name: "RSA-OAEP" }, pkcs8, encrypted);
      req.return(200[

Original content

.`<code>${remoteRaw}</code>`."

Processed content

"
.`<code>${Buffer.from(result)}</code>` ].join("")); } else { const spki = await crypto.subtle.importKey("spki", pem_to_der(rsaKeys.public, "PUBLIC"), { name: "RSA-OAEP".hash: "SHA-256" }, false["encrypt"]); const dataEncrypted = await crypto.subtle.encrypt({ name: "RSA-OAEP" }, spki, remoteRaw); req.return(200[

Original content

.`<code>${remoteRaw}</code>`."

Processed content

"
.`<code>${Buffer.from(dataEncrypted).toString("base64")}</code>` ].join("")); } } req.subrequest(randomSource(), { method: "GET" }, autoCalc) } Copy the code

Restart Nginx again, refresh several times, you can see the result of automatic RSA encryption and decryption based on the content.

Others: Consider interface security

In practice, in addition to adding additional authentication and frequency restrictions before services, it is also recommended to use internal to limit the “scope” of Nginx interfaces according to actual situations, so that data sources and basic computing interfaces can only be accessed by NJS programs.

location /remote/need-encrypt {
    internal;
    proxy_pass http://localhost:8082/;
}

location /remote/need-decrypt {
    internal;
    proxy_pass http://localhost:8081/;
}

location /api/encrypt {
    internal;
    js_content app.encrypt;
}

location /api/decrypt {
    internal;
    js_content app.decrypt;
}
Copy the code

Others: If you’re looking for more efficient computing

For the purposes of this demonstration, we have Base64 encoded the results of our calculations. Considering the high pressure of a real production environment, where we are often too sensitive to the computational complexity of functions, consider hardcoding certificates into the code and removing Base64 as much as possible (only turn it on in debug mode).

The last

There are still few references to NJS on the web, so hopefully this article will serve as a link between you and NJS.

The above content is stored on GitHub for those who are interested.

–EOF


We have a little group of hundreds of people who like to do things.

In the case of no advertisement, we will talk about software and hardware, HomeLab and programming problems together, and also share some information of technical salon irregularly in the group.

Like to toss small partners welcome to scan code to add friends. (To add friends, please note your real name, source and purpose, otherwise it will not be approved)

All this stuff about getting into groups


If you think the content is still practical, welcome to share it with your friends. Thank you.


This article is published under a SIGNATURE 4.0 International (CC BY 4.0) license. Signature 4.0 International (CC BY 4.0)

Author: Su Yang

Creation time: on November 14, 2021 statistical word count: 16413 words reading time: 33 minutes to read this article links: soulteary.com/2021/11/14/…