Changelog History
v0.81.0 Changes
July 06, 2018
Core:
Prepared Statements
- Added support of prepared statements for PostgreSQL/MySQL. Both binary and text response formats are supported (#192).
SQL requests filtering in AcraCensor
AcraCensor got smarter in preventing SQL Injections.
Improved flexibility for parsing queries. If AcraCensor can't parse an SQL query, the query is considered potentially too dangerous to send to the database, so AcraCensor blocks such "unparseable" queries by default. However, setting the configuration flag `ignore_parse_error` to `true` will make AcraCensor ignore the "unparseable" quality of queries and send them to the database anyway. Check out the configuration example in configs/acra-censor.example.yaml (#194).
Added support of complex JOIN queries (#191).
Improved reading/writing of the QueryCapture log file. Now AcraCensor buffers queries before writing them into a log file. Changed the format of the QueryCapture log to JSON Lines (each query sits in a separate line in a log file instead of having an array of JSON objects) (#193).
Introduced a few fixes here and there, made integration tests for AcraCensor more stable (#184).
- Improving MySQL support
We introduced MySQL support just a few Acra releases ago and we continue polishing it. Now we've updated the example projects so you can jump right into the code!
Take a look at how to use Acra for both PostgreSQL and MySQL databases in these examples:
Go: see the examples/golang folder (#190).
Ruby: see the examples/ruby folder (#189).
Python: see the examples/python folder (#188).
- Other
Updated handling of message formats for PostgreSQL and MySQL protocols (#186).
Improved logging in CEF and JSON formats for high load systems (#195).
Added comprehensive Readme to every project in /examples folder (#196).
Added pre-generated configuration file for AcraAuthmanager. Now it's easier to configure AcraServer using AcraWebconfig (#187).
Documentation:
- Updated Acra Architecture and Data flow graphic schemes to better illustrate Acra's components, connections between them, and typical use-cases.
- Updated AcraCensor's description to explain how unparseable queries are handled.
- Described typical Public Key Infrastructure with some advice on where to put Acra in the general scheme of things.
- Described Acra's Security Model, possible threats, and possible consequences of compromise.
- Added a page describing the ways Acra can help you better comply with GDPR.
v0.80.0 Changes
May 31, 2018
Core:
Renaming
- Global renaming of Acra components and their configuration parameters. We believe that the updated naming will decrease confusion about the components' functions and will make Acra's setup and usage process easier.
Main services:
| Old name | New name | Function |
| --- | --- | --- |
| AcraServer | AcraServer | decrypts data from the database |
| AcraWriter | AcraWriter | encrypts data on the client side |
| AcraProxy | AcraConnector | encrypts traffic between the client and the server using Themis Secure Session |
| AcraCensor | AcraCensor | firewall, part of AcraServer, blocks suspicious SQL requests to the database |
| AcraConfigUI | AcraWebConfig | lightweight HTTP web server for managing AcraServer's certain configuration options |
Utilities:
| Old name | New name | Function |
| --- | --- | --- |
| acra_rollback | AcraRollback | decrypts the whole database |
| acra_genkeys | AcraKeymaker | generates encryption keys for storage and transport of the Acra components |
| acra_genauth | AcraAuthmanager | generates user accounts for AcraWebConfig |
| acra_genpoisonrecord | AcraPoisonRecordMaker | generates poison records for databases |
| acra_addzone | AcraAddzone | generates Zones' header for AcraWriter |
Check the configurations of components inside the /configs folder and read the Migration Guide for more details (#175, #174, #173, #170, #169, #168).
SSL/TLS
- Improved SSL/TLS connections between AcraServer<->AcraConnector and AcraServer<->database. Added TLS authentication mode (`tls_auth`) argument to the AcraServer/AcraConnector configuration files:
  - for AcraConnector it indicates how to authenticate AcraServer during a TLS connection;
  - for AcraServer it indicates how to authenticate database during a TLS connection.
- Updated TLS configuration to provide other less strict authentication methods (do not authenticate client from server, ask for any certificate, ask and check) (#171).
SQL requests filtering
- Added support of filtering SQL requests for PostgreSQL databases. Now you can setup AcraCensor rules for both MySQL and PostgreSQL databases (#177).
- Improved QueryCapture: AcraCensor writes allowed/blocked queries into a separate log file without blocking the main process (#176, #172).
See a detailed description of AcraCensor on the corresponding AcraCensor documentation page.
AcraWriter in Ruby
- Updated AcraWriter Ruby wrapper for ActiveRecord tutorial and pushed a new gem (#166).
Key Handling
Other
Infrastructure:
Even better Docker support
- Added more ready-to-use Docker Containers: `acra-keymaker`, `acra-authmanager`. As a result, each Acra component is wrapped into a Docker container, allowing you to try Acra in your infrastructure easily.
- Added easy-to-use docker-compose files for setting up the whole Acra-based environment connected to MySQL database. Possible configurations include setup with/without SSL, with/without AcraConnector, with/without Zones (#180). Check out the instructions and examples in the /docker folder: we have examples for both MySQL and PostgreSQL databases.
- Updated descriptions for official Cossack Labs packages on Docker Hub.
- Updated Getting started with Docker guide to make starting out with Acra even easier.
OS
- Added support of Ubuntu Xenial, Ubuntu Bionic (added precompiled binaries and tests to make sure that Acra is compiling/building/working well on 16.04/18.04).
Documentation:
- Updated tutorials about protecting a Ruby on Rails app and a Django app.
- Every single document, code line, and image has been updated using the new naming.
- Significant parts of the README have been rewritten.
v0.77.0 Changes
April 13, 2018
Core:
MySQL databases
- Added support for MySQL: now you can connect Acra to MySQL databases. Works with any SSL mode: `require`, `allow`, `disable`.
- Tested and supported on: MySQL (#155, #140).
> Note: Prepared statements are not supported yet, but this feature is coming soon!
Read about the new configurations on the AcraServer documentation page.
Keeping keys in secret
- Added encryption for the keys' folder: private keys are now symmetrically encrypted by `master_key` (#143) for storage.
- Added ability to generate public/private keys in the separate folders (#148, #142).
Read more about the current changes in key management here.
Filtering requests for MySQL
- Added firewall component named AcraCensor to handle MySQL queries.
You can provide a list of restricted or allowed tables, columns, and exact queries to handle. AcraCensor will pass the allowed queries and return error on forbidden ones. Rules are configured and stored in `yaml` file. Each request is logged in real time. Moreover, all the queries and their states are logged into a separate log file. (#151, #138, #136, #132, #125, #108).
See a detailed description of AcraCensor on the corresponding AcraCensor documentation page.
Web Config UI
- Added lightweight HTTP web server for managing AcraServer's certain configuration options.
You can update the proxy address and port, database address and port, handling of Zone mode and poison records. On saving new configuration, `acraserver` will gracefully restart and use these settings automatically. The access to this web page is restricted using basic auth. (#153, #141, #123, #111).
See the interface screenshot and detailed instructions at Acra Config UI page.
Logging
- Added support of new logging formats: plaintext, CEF, and json.
Logging mode and verbosity level are configured for AcraServer, AcraProxy, and AcraConfigUI in the corresponding `yaml` files. Log messages were slightly improved, custom error codes were added (which we believe will help to understand and debug any issues) (#135, #126, #110).
Read more about the log analysis at Logging page.
Tests
- Added many new integration tests, fixed stability and handling of more complicated use-cases (#150, #147, #137, #117, #116, #115).
Infrastructure:
Docker support
- Added Docker Container for every main component: `AcraServer`, `AcraProxy`, `AcraConfigUI`, and key generators (`AcraGenKeys` and `AcraGenAuth`). You can find the containers in /docker folder or on the Docker Hub (#139).
- Updated Getting started with Docker guide to make starting out with Acra even easier.
- Added easy-to-use docker-compose files to launch Acra in different environments, including key distribution. Possible configurations are:
  - `acraserver` + `acra_configui`;
  - connecting to PostgreSQL or MySQL databases;
  - using Secure Session or SSL as transport encryption;
  - with or without `acraproxy`;
  - with or without zones.
This is huge! We encourage you to try it! Check out the instructions and examples in the /docker folder. (#154, #146, #134, #133, #102).
Go versions
- Updated the list of supported versions of Go. Every Acra component can now be built using Go >1.7, except `acra_rollback` that requires Go >1.8. No worries, you can still download Acra as a binary package anyway :)
OS
- Dropped support of Debian Wheezy (no autotests, no precompiled binaries now).
Documentation:
- Updated QuickStart documentation about launching and building Acra components.
- Described how to setup AcraCensor and AcraConfigUI.
- Added more details and described new options (like using TLS and connecting to MySQL databases) for AcraServer and AcraProxy.
- Described new logging formats.
- Updated description of Key management approach we encourage you to use.
- Described Docker components and ready-to-use Docker Compose configurations based on the Docker Readme.
- Updated Getting started with Docker guide.
- Distributed the information about master key across the docs.
- Many small improvements.
v0.76 Changes
March 09, 2018
Core:
- SSL / TLS support
Now you can use PostgreSQL with SSL/TLS settings enabled. Acra supports two modes of connection between AcraServer and the database: using SSL/TLS or using Secure Session (#113, #119).
- Unix sockets
Acra now supports usage of both TCP and Unix Sockets as a connection layer between AcraWriter <-> AcraProxy <-> AcraServer.
Tests
- Updated integration test suite to support multiple connection modes between the Acra components and the database (#115, #117, #118, #120).
- Added Docker image to make testing easier (#104).
Infrastructure:
- Added support of Go 1.10, removed support of older Go versions (<1.6).
- Added support of Ubuntu 17.10, Ubuntu 16.04, Ubuntu 14.04, Debian Stretch.
- Updated dependency libraries (libthemis and libcrypto) to use the latest ones.
Documentation:
- Updated the documentation and tutorials to reflect the latest changes.
v0.75 Changes
March 07, 2017
This is the initial public release of Acra, a database protection suite.
This version of Acra:
- works on Ubuntu, CentOS, Debian linuxes
- supports PostgreSQL 9.4+
- has AcraWriter packages for Python, PHP, Go and NodeJS