[WO-628] Restrict connections for socket.io proxy
This commit is contained in:
parent
5d09e32320
commit
eaff850d27
18
README.md
18
README.md
@ -71,6 +71,24 @@ Then start the server and navigate to [http://localhost:8585](http://localhost:8
|
|||||||
|
|
||||||
**A note on security:** The app should not be used without SSL so it's best to set up a reverse proxy or Loadbalancer with your SSL certificates. If you are not sure how to do this it might be easier to use our managed web hosting or packaged apps under [https://whiteout.io/#product](https://whiteout.io/#product).
|
**A note on security:** The app should not be used without SSL so it's best to set up a reverse proxy or Loadbalancer with your SSL certificates. If you are not sure how to do this it might be easier to use our managed web hosting or packaged apps under [https://whiteout.io/#product](https://whiteout.io/#product).
|
||||||
|
|
||||||
|
You can limit incoming and outgoing connections to the socket.io proxy by setting the following environment variables:
|
||||||
|
|
||||||
|
# the web socket proxy listens to this port
|
||||||
|
# if unset, defaults to 8889
|
||||||
|
PORT=12345
|
||||||
|
|
||||||
|
# the socket.io proxy accepts connections from these origins to tunnel them to tcp,
|
||||||
|
# separate with commas
|
||||||
|
# if unset, defaults to 'localhost:' + port
|
||||||
|
INBOUND_ORIGINS='foo:1234,bar:569'
|
||||||
|
|
||||||
|
# the socket.io proxy opens tcp connections with these ports to tunnel them to socket.io
|
||||||
|
# separate with commas
|
||||||
|
# if unset, defaults to '143,465,587,993' (25 is forbidden by default)
|
||||||
|
OUTBOUND_PORTS='123,456,789'
|
||||||
|
|
||||||
|
To start the server in development mode (no forced HTTPS, iframe loads http content), run `node server.js --dev`
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
Copyright © 2014, Whiteout Networks GmbH. All rights reserved.
|
Copyright © 2014, Whiteout Networks GmbH. All rights reserved.
|
||||||
|
@ -1,9 +1,16 @@
|
|||||||
'use strict';
|
'use strict';
|
||||||
|
|
||||||
|
var port = process.env.PORT || 8889;
|
||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
server: {
|
server: {
|
||||||
port: process.env.PORT || 8889,
|
port: port,
|
||||||
host: "0.0.0.0"
|
inboundOrigins: (process.env.INBOUND_ORIGINS || ('localhost:' + port)).split(',').map(function(host) {
|
||||||
|
return host.trim();
|
||||||
|
}),
|
||||||
|
outboundPorts: (process.env.OUTBOUND_PORTS || '143,465,587,993').split(',').map(function(i) {
|
||||||
|
return parseInt(i, 10);
|
||||||
|
})
|
||||||
},
|
},
|
||||||
log: {
|
log: {
|
||||||
level: "silly",
|
level: "silly",
|
||||||
|
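Review bot: The `outboundPorts` allowlist is built from OUTBOUND_PORTS with no validation, so a trailing comma or a typo yields NaN entries and an out-of-range value is accepted into the list; the later `indexOf` lookup fails closed, but the misconfiguration is silent until mail connections start being refused. Appending `.filter(function(p) { return p > 0 && p < 65536; })` after the `map` and throwing at startup if the resulting array is empty would surface the mistake before the proxy accepts connections. A comment above `inboundOrigins` would also help, since the README presents both settings as "connection limits" of the same kind: `// matched by socket.io against the client's Origin header: a browser-side cross-site guard, not a substitute for the outbound allowlist`.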
17
server.js
17
server.js
@ -71,15 +71,14 @@ app.disable('x-powered-by');
|
|||||||
// web server config
|
// web server config
|
||||||
//
|
//
|
||||||
|
|
||||||
var port = config.server.port,
|
var development = (process.argv[2] === '--dev');
|
||||||
development = process.argv[2] === '--dev';
|
|
||||||
|
|
||||||
// set HTTP headers
|
// set HTTP headers
|
||||||
app.use(function(req, res, next) {
|
app.use(function(req, res, next) {
|
||||||
// HSTS
|
// HSTS
|
||||||
res.set('Strict-Transport-Security', 'max-age=16070400; includeSubDomains');
|
res.set('Strict-Transport-Security', 'max-age=16070400; includeSubDomains');
|
||||||
// CSP
|
// CSP
|
||||||
var iframe = development ? "http://" + req.hostname + ":" + port : "https://" + req.hostname; // allow iframe to load assets
|
var iframe = development ? "http://" + req.hostname + ":" + config.server.port : "https://" + req.hostname; // allow iframe to load assets
|
||||||
res.set('Content-Security-Policy', "default-src 'self' " + iframe + "; object-src 'none'; connect-src *; style-src 'self' 'unsafe-inline' " + iframe + "; img-src *");
|
res.set('Content-Security-Policy', "default-src 'self' " + iframe + "; object-src 'none'; connect-src *; style-src 'self' 'unsafe-inline' " + iframe + "; img-src *");
|
||||||
// set Cache-control Header (for AppCache)
|
// set Cache-control Header (for AppCache)
|
||||||
res.set('Cache-control', 'public, max-age=0');
|
res.set('Cache-control', 'public, max-age=0');
|
||||||
@ -110,6 +109,8 @@ app.use(express.static(__dirname + '/dist'));
|
|||||||
// Socket.io proxy
|
// Socket.io proxy
|
||||||
//
|
//
|
||||||
|
|
||||||
|
io.origins(config.server.inboundOrigins.join(' '));
|
||||||
|
|
||||||
io.on('connection', function(socket) {
|
io.on('connection', function(socket) {
|
||||||
|
|
||||||
log.info('io', 'New connection [%s]', socket.conn.id);
|
log.info('io', 'New connection [%s]', socket.conn.id);
|
||||||
@ -120,6 +121,12 @@ io.on('connection', function(socket) {
|
|||||||
var socketId = ++idCounter;
|
var socketId = ++idCounter;
|
||||||
var tcp;
|
var tcp;
|
||||||
|
|
||||||
|
if (config.server.outboundPorts.indexOf(data.port) < 0) {
|
||||||
|
log.warn('io', 'Open request to %s:%s was rejected, closing [%s:%s]', data.host, data.port, socket.conn.id, socketId);
|
||||||
|
socket.disconnect();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
log.verbose('io', 'Open request to %s:%s [%s:%s]', data.host, data.port, socket.conn.id, socketId);
|
log.verbose('io', 'Open request to %s:%s [%s:%s]', data.host, data.port, socket.conn.id, socketId);
|
||||||
|
|
||||||
tcp = net.connect(data.port, data.host, function() {
|
tcp = net.connect(data.port, data.host, function() {
|
||||||
@ -187,8 +194,8 @@ io.on('connection', function(socket) {
|
|||||||
// start server
|
// start server
|
||||||
//
|
//
|
||||||
|
|
||||||
server.listen(port);
|
server.listen(config.server.port);
|
||||||
if (development) {
|
if (development) {
|
||||||
console.log(' > starting in development mode');
|
console.log(' > starting in development mode');
|
||||||
}
|
}
|
||||||
console.log(' > listening on http://localhost:' + port + '\n');
|
console.log(' > listening on http://localhost:' + config.server.port + '\n');
|
||||||
|
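Review bot: The allowlist check added in the open handler hunk (@ -120,6 +121,12) restricts only `data.port`; `data.host` still goes straight from the client into `net.connect`, so any permitted origin can point the proxy at any host the server can reach — including hosts on its own network — on 143/465/587/993, which narrows but does not bound the destination set. A companion OUTBOUND_HOSTS allowlist (or a deny of loopback and private ranges after resolution) checked together with the port before `net.connect` would complete the restriction the commit title describes. Note also that `indexOf` compares strictly, so if a client sends the port as a string the request is rejected even when that port is allowed; normalizing with `var port = parseInt(data.port, 10);` before the lookup keeps the check aligned with how the config module parses OUTBOUND_PORTS. The handler that receives `data` begins outside the hunk.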