
[WO-628] Restrict connections for socket.io proxy

dev/WO-783
Felix Hammerl 8 years ago
parent
commit
eaff850d27
  1. 18
      README.md
  2. 11
      config/default.js
  3. 17
      server.js

18
README.md

@ -71,6 +71,24 @@ Then start the server and navigate to [http://localhost:8585](http://localhost:8 @@ -71,6 +71,24 @@ Then start the server and navigate to [http://localhost:8585](http://localhost:8
**A note on security:** The app should not be used without SSL so it's best to set up a reverse proxy or Loadbalancer with your SSL certificates. If you are not sure how to do this it might be easier to use our managed web hosting or packaged apps under [https://whiteout.io/#product](https://whiteout.io/#product).
You can limit incoming and outgoing connections to the socket.io proxy by setting the following environment variables:
# the web socket proxy listens to this port
# if unset, defaults to 8889
PORT=12345
# the socket.io proxy accepts connections from these origins to tunnel them to tcp,
# separate with commas
# if unset, defaults to 'localhost:' + port
INBOUND_ORIGINS='foo:1234,bar:569'
# the socket.io proxy opens tcp connections with these ports to tunnel them to socket.io
# separate with commas
# if unset, defaults to '143,465,587,993' (25 is forbidden by default)
OUTBOUND_PORTS='123,456,789'
To start the server in development mode (no forced HTTPS, iframe loads http content), run `node server.js --dev`
## License
Copyright © 2014, Whiteout Networks GmbH. All rights reserved.

11
config/default.js

@ -1,9 +1,16 @@ @@ -1,9 +1,16 @@
'use strict';
var port = process.env.PORT || 8889;
module.exports = {
server: {
port: process.env.PORT || 8889,
host: "0.0.0.0"
port: port,
inboundOrigins: (process.env.INBOUND_ORIGINS || ('localhost:' + port)).split(',').map(function(host) {
return host.trim();
}),
outboundPorts: (process.env.OUTBOUND_PORTS || '143,465,587,993').split(',').map(function(i) {
return parseInt(i, 10);
})
},
log: {
level: "silly",
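Review bot: The `outboundPorts` mapper at the `return parseInt(i, 10);` line passes malformed entries through as `NaN` and accepts out-of-range values, so a typo in `OUTBOUND_PORTS` (a constructed example: `OUTBOUND_PORTS='143;993'` parses to `[143]`, silently dropping 993; `'143,,993'` yields a `NaN` entry) shrinks or breaks the allowlist without any startup error. A filter after the map, `.filter(function(p) { return p > 0 && p < 65536; })`, drops the junk (the comparisons are false for `NaN`), and a warning or throw when the resulting array is empty would make the misconfiguration visible instead of rejecting every open request. Note also that `port` keeps the string type of `process.env.PORT` when that variable is set, which is fine for `'localhost:' + port` but is now exported as-is via `port: port`, so a short comment on that line would help readers. The `module.exports` object continues past the end of this section.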

17
server.js

@ -71,15 +71,14 @@ app.disable('x-powered-by'); @@ -71,15 +71,14 @@ app.disable('x-powered-by');
// web server config
//
var port = config.server.port,
development = process.argv[2] === '--dev';
var development = (process.argv[2] === '--dev');
// set HTTP headers
app.use(function(req, res, next) {
// HSTS
res.set('Strict-Transport-Security', 'max-age=16070400; includeSubDomains');
// CSP
var iframe = development ? "http://" + req.hostname + ":" + port : "https://" + req.hostname; // allow iframe to load assets
var iframe = development ? "http://" + req.hostname + ":" + config.server.port : "https://" + req.hostname; // allow iframe to load assets
res.set('Content-Security-Policy', "default-src 'self' " + iframe + "; object-src 'none'; connect-src *; style-src 'self' 'unsafe-inline' " + iframe + "; img-src *");
// set Cache-control Header (for AppCache)
res.set('Cache-control', 'public, max-age=0');
@ -110,6 +109,8 @@ app.use(express.static(__dirname + '/dist')); @@ -110,6 +109,8 @@ app.use(express.static(__dirname + '/dist'));
// Socket.io proxy
//
io.origins(config.server.inboundOrigins.join(' '));
io.on('connection', function(socket) {
log.info('io', 'New connection [%s]', socket.conn.id);
@ -120,6 +121,12 @@ io.on('connection', function(socket) { @@ -120,6 +121,12 @@ io.on('connection', function(socket) {
var socketId = ++idCounter;
var tcp;
if (config.server.outboundPorts.indexOf(data.port) < 0) {
log.warn('io', 'Open request to %s:%s was rejected, closing [%s:%s]', data.host, data.port, socket.conn.id, socketId);
socket.disconnect();
return;
}
log.verbose('io', 'Open request to %s:%s [%s:%s]', data.host, data.port, socket.conn.id, socketId);
tcp = net.connect(data.port, data.host, function() {
@ -187,8 +194,8 @@ io.on('connection', function(socket) { @@ -187,8 +194,8 @@ io.on('connection', function(socket) {
// start server
//
server.listen(port);
server.listen(config.server.port);
if (development) {
console.log(' > starting in development mode');
}
console.log(' > listening on http://localhost:' + port + '\n');
console.log(' > listening on http://localhost:' + config.server.port + '\n');
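Review bot: The new guard in the `data.port` hunk allowlists only the destination port, while `data.host` is still taken verbatim from the client and passed to `net.connect`, so the proxy remains a relay to any host on the allowed ports, including addresses that are only reachable from the server's own network. If the backend is meant to be a fixed set of mail hosts, an `outboundHosts` allowlist checked in the same `if` as the port would close that gap; otherwise a comment such as `// NOTE: only the destination port is restricted; any host is reachable on the allowed ports` should document the decision. The check also depends on `indexOf`'s strict comparison, so a client that sends `port` as a string (e.g. `"143"`) is rejected even though the number is allowed; if that is intended, say so in a comment, otherwise normalise with `parseInt(data.port, 10)` before the lookup. The `io.on('connection', ...)` callback begins and ends outside this hunk.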
