Best fast authentication mechanism for embedded devices with Nginx & Apache

We have a project deployed with Nginx, Apache, Django and Postgres.

The project has a large number of built-in devices that connect to the server (https) after 5 minutes and send a file to the server. In addition, on the front side of the WebUI project there are regular users who log into the system and perform various functions.

Currently, the system does not distinguish between the embedded device and the general user. When the number of devices was low, this mechanism worked normally at the required speed. But over time, the increase in the number of devices significantly increased the load on the database. We watched about 60,000 django_session entries per day. The import script that we run to process files sent from devices is unlikely to match the incoming data, and the database is heavily loaded.

I want to implement a minimal authentication mechanism that can simply and quickly authenticate a device and allow it to send a text file. I want to avoid the django authentication method but want to continue to use the auth_user table for the username and password for devices. Given the performance requirements, I need some way that uses nginx, doesn't bring apache into the picture, and accepts the file.

What do you think is the best way to achieve this? In addition, what projects related to large embedded devices are used for this type of mechanism?

+4
2 answers

So, I understand that every embedded device has a user account setup in django, and you want to avoid this overhead.

So, the first question is, how does the back end know when it is talking to an embedded device or a person? I would suggest that this information is built into the django system.

If so, what you need to do is intercept the username and password before they are transferred to django, check the type of account in the database and, if it's a built-in device, transfer it to a processing application that does not accept files and process them. The way you intercept this is up to you; you can do it in almost any “web language” you need and just use redirects when you decide how to handle the traffic.

If you have the opportunity to rewrite this again, why do you even have a password for the name of the embedded device? Assuming this is an embedded device (single-purpose, minimum interface), is checking its SSL certificate against a list of known certificates not sufficient to identify it? This can eliminate any interaction with the django system in general, since all you have to do is check the certificate against the bank of ok certificates.

+2

Can you write a compiled cgi script (in C or C++?) that directly authenticates the embedded devices against the Postgres database and saves the file accordingly? You obviously do not need sessions, since the built-in device makes a one-time connection every 5 minutes.

I don't know anything about Django (chose this from the built-in tag), so I don't know what is responsible for its overhead.

It is actually not that difficult to write a CGI script in C (assuming you or someone on your team knows C) for this simple task.

+1
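
An added example, not part of either answer or the original post: a session-free check of a device's password against the value stored in the auth_user password column, so device uploads never create django_session rows. It assumes the rows were written by Django's `pbkdf2_sha256` hasher (`algorithm$iterations$salt$base64hash`); the sample row, `SAMPLE_AUTH_USER`, `authenticate_device` and the iteration cap are constructed for illustration, and in a real handler the dictionary lookup would be a query for the `password` column of `auth_user`.

```python
import base64
import hashlib
import hmac

MAX_ITERATIONS = 2_000_000  # assumed cap: refuse absurd work factors from a corrupt row


def make_django_hash(password, salt, iterations):
    """Build a value in Django's pbkdf2_sha256 storage format (sample data only)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, salt, base64.b64encode(dk).decode("ascii"))


# Constructed stand-in for auth_user (username -> password column).
# Low iteration count so the example runs quickly; real rows carry their own.
SAMPLE_AUTH_USER = {
    "device-0001": make_django_hash("s3nsor-secret", "q9XkT2aLm0Bd", 1000),
}
# Hash verified for unknown usernames so they cost the same time as known ones.
_DUMMY = make_django_hash("not-a-real-password", "AAAAAAAAAAAA", 1000)


def verify_django_pbkdf2(encoded, candidate):
    """Return True only if candidate matches a pbkdf2_sha256 auth_user value."""
    parts = encoded.split("$")
    # Unusable passwords (stored with a leading "!") and other hashers fail here.
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iter_s, salt, stored_b64 = parts
    if not (iter_s.isascii() and iter_s.isdigit()):
        return False
    iterations = int(iter_s)
    if not 0 < iterations <= MAX_ITERATIONS:
        return False
    try:
        stored = base64.b64decode(stored_b64, validate=True)
    except ValueError:
        return False
    if len(stored) != hashlib.sha256().digest_size:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt.encode(), iterations)
    return hmac.compare_digest(derived, stored)  # constant-time comparison


def authenticate_device(username, password, rows=SAMPLE_AUTH_USER):
    """Stateless per-request check: no session is created or looked up."""
    encoded = rows.get(username)
    if encoded is None:
        verify_django_pbkdf2(_DUMMY, password)  # equalise timing for unknown users
        return False
    return verify_django_pbkdf2(encoded, password)
```

PBKDF2 is deliberately expensive, so this removes the session writes but not the hashing cost of each request.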

Source: https://habr.com/ru/post/1301637/