
Websocket security


Websocket security

Christian Schwaderer

Dear all,

I ran NodeJS as a kind of web application server serving an AngularJS frontend. They communicate solely over WebSockets, using the SailsJS implementation of Socket.IO. Between the frontend (client) and the NodeJS backend sits nginx as a proxy, configured like so:

server {
    listen 1337 ssl;
    location /socket.io/ {
       proxy_pass https://localhost:1338;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_http_version 1.1;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

So far, so good. I now want to monitor and secure the Websocket connection. In particular, I want to prevent XSS attacks and exclude IPs trying to brute force the login to my application. I'm pretty new to that stuff, but I've found out that there are tools working together with nginx which can fulfill my needs here. (In particular, fail2ban and nginx-naxsi)

However, I did not find out till now, whether and how these tools would work with my design (proxied websocket).

fail2ban works on log files. Right now, nginx does not log the websocket traffic. Is it possible to configure nginx so that it logs the proxied websocket traffic? I mean, the actual traffic, not the establishing of the socket connection, but what is actually being exchanged between client (browser) and server (NodeJS). That should appear in some nginx log file in order to make fail2ban work.

Same goes for nginx-naxsi, I guess.
Does nginx, in my configuration, even care about what browser and NodeJS are exchanging via websocket? How can I make nginx inspect the content of the websocket connection so that I can filter out malicious requests based on nginx-naxsi rules?

Thanks in advance for any hints!
Best,
Christian

(PS: Already had asked a similar question on serverfault, but to no avail.)


_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Websocket security

tory
Hello Christian,


naxsi-contributor first

bad news first:

naxsi wouldn't work on websockets.

Any other security for websockets you have to implement yourself.


list of useful reads:
- https://devcenter.heroku.com/articles/websocket-security
- https://security.stackexchange.com/questions/48378/anti-dos-websockets-best-practices/
- https://gist.github.com/subudeepak/9897212
- https://kaazing.com/2012/02/28/html5-websocket-security-is-strong/



regards,


mex

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273438,273440#msg-273440
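Since the reply says that protection of the WebSocket traffic has to be implemented in the application itself, here is an added example (written for this thread, not code from either poster or from SailsJS) of the brute-force part of the original question done on the Node side: it derives the client IP from the X-Forwarded-For header that the nginx config above sets, throttles failed logins per IP, and emits one fixed-format log line per failure that a fail2ban filter could match. The `io`/`socket` shapes and the `checkPassword` callback are assumptions.

```javascript
// Added example, not from the thread. Assumes nginx is the only hop in front of Node and
// sets X-Forwarded-For via $proxy_add_x_forwarded_for, which appends nginx's own
// $remote_addr: the rightmost entry is therefore the address nginx saw, and the only
// part of the header a client cannot forge. Node must not be reachable except via nginx.
const WINDOW_MS = 10 * 60 * 1000;   // count failures within a 10-minute sliding window
const MAX_FAILURES = 5;             // after that, refuse further attempts from that IP

// Rightmost X-Forwarded-For entry, falling back to the socket's own peer address.
function clientIp(headers, fallback) {
  const xff = headers['x-forwarded-for'];
  if (!xff) return fallback;
  const parts = xff.split(',').map((s) => s.trim()).filter(Boolean);
  return parts.length ? parts[parts.length - 1] : fallback;
}

class LoginGuard {
  constructor(windowMs = WINDOW_MS, maxFailures = MAX_FAILURES) {
    this.windowMs = windowMs;
    this.maxFailures = maxFailures;
    this.failures = new Map(); // ip -> timestamps (ms) of recent failed logins
  }
  recent(ip, now) {            // drop entries older than the window, keep the rest
    const kept = (this.failures.get(ip) || []).filter((t) => now - t < this.windowMs);
    this.failures.set(ip, kept);
    return kept;
  }
  isBlocked(ip, now = Date.now()) {
    return this.recent(ip, now).length >= this.maxFailures;
  }
  // Record a failure and return a fixed-format line (timestamp, event, ip) for fail2ban.
  recordFailure(ip, now = Date.now()) {
    const kept = this.recent(ip, now);
    kept.push(now);
    return `${new Date(now).toISOString()} login-failed ip=${ip} count=${kept.length}`;
  }
}

// Handler for a hypothetical Socket.IO 'login' event; kept pure so it can be unit-tested.
// Wire it as: io.on('connection', s => s.on('login', c => handleLogin(guard, s, c, check)))
function handleLogin(guard, socket, credentials, checkPassword, now = Date.now()) {
  const ip = clientIp(socket.handshake.headers, socket.handshake.address);
  if (guard.isBlocked(ip, now)) return { ok: false, reason: 'too many failures' };
  if (checkPassword(credentials)) return { ok: true };
  console.log(guard.recordFailure(ip, now)); // write to a file nginx/fail2ban can tail
  return { ok: false, reason: 'bad credentials' };
}
```

The block is application logic only: nginx still sees nothing inside the WebSocket frames, so the log that fail2ban reads comes from Node, not from nginx's access log.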
