Overview

The Polaris Secure Proxy is an essential component of the Polaris Secure Container architecture. It facilitates end-to-end encrypted communication between a workload and external services or applications while abstracting the management of the private key used to decrypt communications and data for the workload.

Modules

The Polaris Secure Proxy consists of an Encryption Proxy module and a Key Management module.

Encryption Proxy

The Polaris Secure Proxy is designed for applications that communicate over HTTP. It operates as middleware in front of the client workload, intercepting all HTTP communication with other services or applications. It can be configured to transparently encrypt and decrypt all HTTP requests and responses using the Integrated Encryption Scheme provided by the Polaris SDK.

This enables deploying any client workload in an encrypted environment without requiring modifications to the workload itself.

Key Management

The Polaris Secure Proxy includes a key management module that retrieves RSA encryption keys managed by external key management services. Specifically, the proxy can work with RSA keys stored in Google Cloud Key Management or Azure Vault; these keys are released only after the proxy presents a remote attestation generated by the TEE in which it operates.

The key management module is compatible with the Key Handler interface provided by the Polaris SDK and can be extended to work with other key management solutions.

Usage

The Polaris Secure Proxy is included in the Polaris Secure Container products available on the Google Cloud Marketplace and the Microsoft Azure Marketplace. The Polaris Proxy can also be used standalone, provided the usage complies with the AGPL-3.0 License.

The source code, build pipeline, and built Docker images of the Polaris Proxy are publicly available for inspection and independent verification.

Build Pipeline

Polaris Proxy images are built and pushed to public Docker container registries using GitHub Actions. The build scripts are available in the GitHub repository. The production Docker images are published in the following public registries:

  • DockerHub: fr0ntierx/polaris-proxy
  • Azure: fr0ntierxpublic.azurecr.io/polaris-proxy
  • Google Cloud: us-docker.pkg.dev/fr0ntierx-public/fr0ntierx-public-registry/polaris-proxy

Local Usage

To run the proxy locally, you can use the official DockerHub image. The only required variable to configure is POLARIS_CONTAINER_WORKLOAD_BASE_URL, which should point to the base URL of the workload that the proxy will protect.

docker run -it -e POLARIS_CONTAINER_WORKLOAD_BASE_URL="http://localhost:3001" fr0ntierx/polaris-proxy

For details about additional configuration parameters, please refer to the Configuration section.

Local Development

If you want to run the proxy server directly, create a .env file with the required configuration, then run the server using the following commands:

yarn install
yarn dev