
I want to secure my riemann server/client/dashboard in order to use it on a production server, so that only authorized users can access the data.

So:

  • I redirected port 80 to 443
  • used a Let's Encrypt certificate
  • added nginx authentication on the dashboard

But then I noticed that I had to redirect the websocket from the dashboard to the server so that the web browser displays anything, so I added a redirect to the server's port. This is the part I am worried about.

I ended up with this config file (it may have some redundant parts):

server {
    listen 80 ;
    listen [::]:80;

    server_name riemann.mydomain.io;

    return 301 https://$host$request_uri;
}


server {
    listen 443 ssl;
    listen [::]:443;

    server_name riemann.mydomain.io;

    location / {
        auth_basic            "Restricted Area";
        auth_basic_user_file /etc/nginx/htpasswd;

        # note no HTTPS here, that's ok since it serves the dashboard right ?
        proxy_pass http://localhost:4567;
    }

    ssl_certificate           /etc/letsencrypt/live/mydomain.io/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/mydomain.io/privkey.pem;

    ssl on;
    ssl_prefer_server_ciphers  on;
    ssl_session_timeout        180m;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security 'max-age=31536000';

    access_log /var/log/mydomain_riemann_access.log;
    error_log /var/log/mydomain_riemann_error.log;
}


# dashboard websocket
# then configure mydomain.io:4556 in the dashboard
# TODO secure it

server {
    listen 4556;
    listen [::]:4556;

    # not sure if this is the best possible name also
    server_name localhost:4556;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # note no HTTPS here
        # this is the websocket port my question is about
        # note that it is not directly accessible from the outside
        proxy_pass http://localhost:5556;
    }

    ssl_certificate           /etc/letsencrypt/live/mydomain.io/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/mydomain.io/privkey.pem;

    ssl on;
    ssl_prefer_server_ciphers  on;
    ssl_session_timeout        180m;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security 'max-age=31536000';

    access_log /var/log/mydomain_riemann_access.log;
    error_log /var/log/mydomain_riemann_error.log;
}

My only problem now is this: the websocket connection from the browser to the server does not look secure (even though it uses wss), because there does not seem to be any kind of authentication/token going on.

Am I right in saying that anyone who knows the port and protocol used to talk to the riemann server can listen in here? If so, how would I configure it to only allow authenticated users? Or is this more of an architectural problem?


0 answers
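One way to close the gap the question describes, as an added example that is neither the poster's configuration nor part of Riemann or riemann-dash: the websocket listener on 4556 gets the same auth_basic directive and htpasswd file as the dashboard block, so nginx rejects the upgrade handshake with 401 before anything is proxied to the riemann websocket backend. Certificate paths, the public port 4556 and the backend port 5556 are taken from the question; the loopback address, the timeout value and the restriction to TLSv1.2 are this example's own choices, not something the page states.

```nginx
# Added example (not the poster's config): websocket proxy behind the same
# Basic auth and TLS as the dashboard. Ports and cert paths are the question's
# placeholders; 127.0.0.1, the timeout and the TLS version are assumptions.
server {
    listen 4556 ssl;            # "ssl" on listen replaces the deprecated "ssl on;"
    listen [::]:4556 ssl;
    server_name riemann.mydomain.io;

    ssl_certificate     /etc/letsencrypt/live/mydomain.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.io/privkey.pem;
    ssl_protocols       TLSv1.2;             # drop TLSv1/TLSv1.1 (assumption)
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location / {
        # Same credential file as the dashboard block: a handshake that does
        # not carry a valid Authorization header is answered with 401 here and
        # never reaches proxy_pass.
        auth_basic           "Restricted Area";
        auth_basic_user_file /etc/nginx/htpasswd;

        # WebSocket upgrade forwarding
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 3600s;            # keep idle sockets open (assumption)

        # Backend stays plain ws on loopback; only nginx should be able to reach it.
        proxy_pass http://127.0.0.1:5556;
    }

    access_log /var/log/mydomain_riemann_ws_access.log;
    error_log  /var/log/mydomain_riemann_ws_error.log;
}
```

Check it with nginx -t and then curl -sk -o /dev/null -w '%{http_code}' https://riemann.mydomain.io:4556/ , which should print 401 without -u user:pass. This only helps if ports 5556 and 4567 are bound to loopback or firewalled so that the proxy is the sole path to Riemann, as the comment in the question already assumes; also note that the dashboard's browser session must present the same Basic credentials on the handshake, which browsers do for an origin they have already authenticated to, so keeping the websocket on the same host name as the dashboard matters.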