Bitz Bitz - 2 months ago 14
Node.js Question

Securing a Socket.IO Websocket and restricting it to a domain

So I am an absolute beginner at Socket.IO, but I have a pre built application that needs to be secured in two ways: It needs to be transmitted over HTTPS and it needs to be restricted to only server data to a specific domain.

This is the code for the emitter thus far: https://github.com/Bitzz/Pokemon-Go-Coords/blob/master/discord-bot/index.js
How do I go about securing it?
I assume something along the lines of

io.set('origins', 'https://example.com:*');


on line 156 would restrict it to one domain...
Could I maybe blacklist only specific domains instead?
Beyond that, how do I make it emit over https via wss?

Currently the console shows:
bye bye ws over https

I think I can figure out how to configure the web sided reader to look for the over https websocket, but getting it to send is not something I know how to figure out.
Please use simple words I am not a smart cookie. :(

Answer

I found the solution.

In the apache2 site config file for the secure config (*:443), add the following:

#This enables polling over https. Painfully inefficient but a good fallback
SSLProxyEngine on
ProxyPass /socket.io http://127.0.0.1:49002/socket.io/ 
ProxyPassReverse /socket.io http://127.0.0.1:49002/socket.io/

#This upgrades and rewrites the ws to wss
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://localhost:49002%{REQUEST_URI} [P]
Comments