
I run NodeJS as a kind of web application server serving an AngularJS frontend. They communicate solely over WebSockets, using the SailsJS implementation of Socket.IO. Between the frontend (client) and the NodeJS backend sits nginx as a proxy, configured like so:

server {
    listen 1337 ssl;
    location /socket.io/ {
       proxy_pass https://localhost:1338;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_http_version 1.1;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

So far, so good. I now want to monitor and secure the WebSocket connection. In particular, I want to prevent XSS attacks and exclude IPs trying to brute-force the login to my application. I'm pretty new to that stuff, but after some research I came across fail2ban and nginx-naxsi, which might be exactly what I need. However, I have no idea how I can make them work with my setup.

Is this even possible? Can I somehow intercept the traffic tunneled through a WebSocket in the proxy (being nginx)?

cis

2 Answers


Personally I don't have any experience with fail2ban or nginx-naxsi, but I do know that ModSecurity is available for nginx since 2012 and is easily capable of handling your requests. It is open source as well, so it can be customized for your needs.

ModSecurity includes base_rulesets and optional_rulesets with already prepared & ready-to-use XSS- and DOS-rules to secure your server.

It definitely causes a slight bump in your performance (depending on how many rules you use and how much traffic you handle), but is a really powerful tool.

Here is a tutorial on how to set it up for nginx. Maybe you'll like that :)

Hello Fishy
  • Thanks for that hint! However, are you sure that ModSecurity works for proxied WebSocket connections? I haven't found anything about that in their docs, and the only issue I've found on GitHub is rather discouraging. – cis Mar 29 '17 at 16:47
  • I have to admit that I didn't read your initial question well enough, sorry for that, because I didn't remember the WebSocket part -.- I have no idea if ModSec is able to read that traffic. I mean, it is open source, so there's probably a way to do it, but I agree: the other posts concerned with this topic are rather discouraging. – Hello Fishy Mar 29 '17 at 20:42

naxsi and fail2ban are different. naxsi is a WAF (web application firewall); this means that all requests first go through naxsi, where you will have some rules set to check each request. In case the client made a request to a resource you don't want to grant access to, naxsi will block that request.

fail2ban is an IDS (intrusion detection system). What fail2ban does is monitor your nginx logs (or any log, for that matter), and based on some regex you can block clients after a certain number of attempts. So let's say you have a brute-force attack where the client is attempting to reach nonexistent URLs; fail2ban will detect that that client has a lot of 404 responses, and then it will ban the IP.

So naxsi denies malicious requests, and fail2ban just bans in case a condition is met.

Diego Velez
  • Well, thanks for the info. However, first problem: fail2ban monitors the logs, and my WebSocket traffic doesn't appear right now in the nginx logs. How can I turn logging on here? Second problem: naxsi blocks some requests based on rules, e.g. block all "POST" requests; however nginx is, as of my current configuration, completely ignorant regarding the method used inside the WebSocket traffic. It's established via a GET request, and nginx doesn't seem to care about the rest. Do you know what to do here? – cis Apr 02 '17 at 14:54
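A worked illustration of the fail2ban mechanism Diego describes (maxretry failures within findtime leads to a ban), added here as an example; it is neither part of the original answers nor fail2ban's own code. It parses nginx combined-format access log lines, counts failed responses per client IP inside a sliding time window, and records a ban once the count reaches the threshold. The log lines, the IPs (documentation ranges), the `/auth/login` path and the class and function names are constructed for this example. One line is a Socket.IO upgrade handshake (status 101): that GET is the only part of a WebSocket session an HTTP access log ever sees, which is the limit cis runs into in the comment above; the frames that follow it are not HTTP requests and never appear there.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches nginx's default "combined" access_log format; the group names are ours.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


class LogBanner:
    """Fail2ban-style counter (hypothetical class, not fail2ban's code): a client
    IP is banned once it produces `maxretry` failed responses within `findtime`."""

    def __init__(self, maxretry=3, findtime=timedelta(minutes=10),
                 fail_statuses=(401, 403, 404)):
        self.maxretry = maxretry
        self.findtime = findtime
        self.fail_statuses = set(fail_statuses)
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                      # ip -> time the ban was issued

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a new ban."""
        rec = parse_line(line)
        if rec is None or rec["status"] not in self.fail_statuses:
            return None
        ip, now = rec["ip"], rec["time"]
        if ip in self.banned:
            return None
        window = self._failures[ip]
        window.append(now)
        # Forget failures that are older than findtime (sliding window).
        while window and now - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned[ip] = now
            return ip
        return None


# Constructed sample log, in nginx combined format (not real traffic).
SAMPLE_LOG = [
    # 192.0.2.44: three 404s, but spread 20 minutes apart, so never 3 inside 10 minutes
    '192.0.2.44 - - [02/Apr/2017:14:00:00 +0000] "GET /admin HTTP/1.1" 404 162 "-" "curl/7.52"',
    '192.0.2.44 - - [02/Apr/2017:14:20:00 +0000] "GET /admin HTTP/1.1" 404 162 "-" "curl/7.52"',
    '192.0.2.44 - - [02/Apr/2017:14:40:00 +0000] "GET /admin HTTP/1.1" 404 162 "-" "curl/7.52"',
    # 203.0.113.7: three failed logins within seconds -> banned on the third
    '203.0.113.7 - - [02/Apr/2017:14:50:01 +0000] "POST /auth/login HTTP/1.1" 401 52 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Apr/2017:14:50:03 +0000] "POST /auth/login HTTP/1.1" 401 52 "-" "Mozilla/5.0"',
    # 198.51.100.9: the WebSocket upgrade handshake (101) is the only logged request
    '198.51.100.9 - - [02/Apr/2017:14:50:05 +0000] "GET /socket.io/?EIO=3&transport=websocket HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Apr/2017:14:50:06 +0000] "POST /auth/login HTTP/1.1" 401 52 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Apr/2017:14:51:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.52"',
]


def run_sample():
    """Feed the sample log through the banner and return the sorted banned IPs."""
    banner = LogBanner(maxretry=3, findtime=timedelta(minutes=10))
    for line in SAMPLE_LOG:
        banner.feed(line)
    return sorted(banner.banned)


if __name__ == "__main__":
    print("banned:", run_sample())  # only 203.0.113.7
```

The thresholds mirror fail2ban's real jail options `maxretry`, `findtime` and `bantime`; in a real jail the same selection is expressed as a filter regex with a `<HOST>` placeholder rather than a status set, and the ban is enforced by a firewall action rather than a dict. Nothing here inspects WebSocket frames: if the login happens inside the Socket.IO channel, the application itself has to emit the failed-login event to a log that fail2ban can read.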