Reputation: 1148
So I am an absolute beginner at Socket.IO, but I have a pre-built application that needs to be secured in two ways: it needs to be transmitted over HTTPS, and it needs to be restricted to only serve data to a specific domain.
This is the code for the emitter thus far: https://github.com/Bitzz/Pokemon-Go-Coords/blob/master/discord-bot/index.js How do I go about securing it? I assume something along the lines of
io.set('origins', 'https://example.com:*');
on line 156 would restrict it to one domain... Could I maybe blacklist only specific domains instead? Beyond that, how do I make it emit over https via wss?
I think I can figure out how to configure the web-side reader to look for the websocket over HTTPS, but getting it to send is not something I know how to figure out. Please use simple words, I am not a smart cookie. :(
Upvotes: 1
Views: 3372
Reputation: 1148
I found the solution.
In the apache2 site config file for the secure config (*:443), add the following:
#This enables polling over https. Painfully inefficient but a good fallback
SSLProxyEngine on
ProxyPass /socket.io http://127.0.0.1:49002/socket.io/
ProxyPassReverse /socket.io http://127.0.0.1:49002/socket.io/
#This upgrades and rewrites the ws to wss
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://localhost:49002%{REQUEST_URI} [P]
Upvotes: 0
Reputation: 11275
To restrict Socket.IO to multiple domains, I believe you only need to separate each domain by one space.
io.set('origins', 'https://example.com:* https://anotherdomain.com:*');
About the SSL connection, there are several ways to achieve that:
The third option is the easiest way to achieve. You only need to point your domain to CloudFlare and configure an A record to your ws server; CloudFlare will provide SSL for websocket for free and automatically do SSL termination to your origin websocket server.
Upvotes: 2
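The origin restriction discussed in this thread, written as an explicit allowlist check (an added example, not code from the posts or from the linked project). `ALLOWED_ORIGINS` and `isOriginAllowed` are hypothetical names, and the wiring shown in the closing comment assumes a Socket.IO 2.x server. The Origin header is set by browsers, so this limits which web pages may connect; a non-browser client can send any value.

```javascript
// Hypothetical allowlist, using the two domains named in the thread.
const ALLOWED_ORIGINS = ['https://example.com', 'https://anotherdomain.com'];

// Returns true only when the Origin header's scheme and hostname exactly
// match an allowlist entry. Any port is accepted, mirroring the ":*" in
// io.set('origins', 'https://example.com:*').
function isOriginAllowed(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== 'string' || originHeader === '') return false;
  let candidate;
  try {
    candidate = new URL(originHeader);
  } catch (err) {
    return false; // unparseable value, e.g. the literal string "null"
  }
  return allowlist.some((entry) => {
    const allowed = new URL(entry);
    // Compare parsed components, never substrings or prefixes: a prefix
    // test would also accept hosts that merely start with an allowed name.
    return candidate.protocol === allowed.protocol &&
           candidate.hostname === allowed.hostname;
  });
}

// Constructed sample Origin values, for illustration only.
const SAMPLE_ORIGINS = [
  'https://example.com',            // allowed
  'https://example.com:8443',       // allowed, any port
  'http://example.com',             // rejected: plain HTTP
  'https://example.com.other.test', // rejected: different host
  'null',                           // rejected: opaque origin
];

// Maps each sample to its decision so the behaviour can be inspected.
function evaluateSamples(samples = SAMPLE_ORIGINS) {
  return samples.map((origin) => ({ origin, allowed: isOriginAllowed(origin) }));
}

console.log(evaluateSamples());

// Wiring (assumption: Socket.IO 2.x, where io.origins accepts a function):
//   io.origins((origin, callback) => {
//     callback(null, isOriginAllowed(origin));
//   });
```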