Securing a Socket.IO Websocket and restricting it to a domain - node.js

So I am an absolute beginner at Socket.IO, but I have a pre built application that needs to be secured in two ways: It needs to be transmitted over HTTPS and it needs to be restricted to only server data to a specific domain.
This is the code for the emitter thus far: https://github.com/Bitzz/Pokemon-Go-Coords/blob/master/discord-bot/index.js
How do I go about securing it?
I assume something along the lines of
io.set('origins', 'https://example.com:*');
on line 156 would restrict it to one domain...
Could I maybe blacklist only specific domains instead?
Beyond that, how do I make it emit over https via wss?
Currently the console shows:
I think I can figure out how to configure the web sided reader to look for the over https websocket, but getting it to send is not something I know how to figure out.
Please use simple words I am not a smart cookie. :(

To restrict Socket.IO to multiple domain, I believe you only need to separate each domain by one space.
io.set('origins', 'https://example.com:* https://anotherdomain.com:*');
About the SSL connection, there are several ways to archive that:
Config Socket.IO to use ssl (wss:// instead of ws://) in NodeJS, there is an answer here: node.js, socket.io with SSL
Create a reverse proxy with Nginx, there is a guide here: https://www.exratione.com/2013/06/websockets-over-ssl-with-nodejs-and-nginx/
Use reverse proxy from 3rd service like https://www.cloudflare.com
The third option is the easiest way to archive. You only need to point your domain CloudFlare and config an a record to your ws server, CloudFlare will provide ssl for websocket for free and automatically do SSL termination to your origin websocket server.

I found the solution.
In the apache2 site config file for the secure config (*:443), add the following:
#This enables polling over https. Painfully inefficient but a good fallback
SSLProxyEngine on
ProxyPass /socket.io http://127.0.0.1:49002/socket.io/
ProxyPassReverse /socket.io http://127.0.0.1:49002/socket.io/
#This upgrades and rewrites the ws to wss
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://localhost:49002%{REQUEST_URI} [P]

Related

How to redirect a URL for example (www.foobar2.com) to another URL (www.foobar.com) using htaccess file

I am setting up a link which should open another website. For example, if a browser is opening up www.foobar2.com, it should open www.foobar.com without changing the URL. I found out that it can be done using .htaccess file. Currently, if I open, www.foobar2.com, it redirects to www.foobar.com but the URL also changes to www.foobar.com. But I want that URL should not change. What do I need to do?
I tried this which isn't working -
RewriteCond %{HTTP_HOST} ^www.foobar2.com
RewriteRule ^(.*) http://www.foobar.com [P]
Please help me with this.
Thanks :)
Since the http host the request is sent to is always that shown in the URL (for obviousl reasons) you need to implement a proxy feature, this cannot be done using pure rewriting or redirecting.
The apache http server offers a proxy module for this, it can be either used standalone or integrated into the rewriting module. However you want to use it you need to take care that the module is actually loaded first. It consists of two submodules, the core proxy module and the proxy_http module in this case.
Now you can implement a ProxyPass directive for the URL you want to fetch from the other host:
ProxyRequests off
ProxyPass / https://www.foobar.com
ProxyPassReverse / https://www.foobar.com
(yes, that is an off in the first line above)
This rule needs to be implemented in the http host www.foobar2.com. It will make an internal sub request to www.foobar.com for each incoming request (since it masks the root (/) and deliver the response it receives back to the originally requesting client.

Can I redirect a user to a Google Drive PDF while keeping my URL in the address bar?

If I have a user follow a link to my site such as
mydomain.com/pdf/google_token
is there a way for me to redirect them to the Google pdf
drive.google.com/file/d/google_token/view
while keeping
mydomain.com/pdf/google_token
in the address bar?
Right now I am redirecting to google successfully using
RewriteRule ^pdf/([a-zA-Z0-9]+)$ https://drive.google.com/file/d/$1/view
in my .htaccess file, but it is replacing the URL with
drive.google.com/file/d/google_token/view
Thanks.
You are not looking for a way to redirect. A redirection always changes the URL in the client, that is the whole purpose of a redirection. What you are looking for is a proxy solution, maybe in conbination with an internal rewrite. That creates a kind of mapping: the content published on that google resource is re-published through your http host.
This would be an example for such setup:
ProxyPass /google-drive/ https://drive.google.com/
ProxyPassReverse /google-drive/ https://drive.google.com/
RewriteEngine on
RewriteRule ^/?pdf/([a-zA-Z0-9]+)$ /google-drive/file/d/$1/view [END]
An alternative would be to only re-publish a section of that remote resource:
ProxyPass /google-drive/ https://drive.google.com/file/d/
ProxyPassReverse /google-drive/ https://drive.google.com/file/d/
RewriteEngine on
RewriteRule ^/?pdf/([a-zA-Z0-9]+)$ /google-drive/$1/view [END]
That set will work likewise in the http servers host configuration and you probably can also get it to work using a dynamic configuration file (".htaccess" style file). If you really need to use such a file then take care that its interpretation is enabled in the host configiration. And you definitely need to have apache's proxy module loaded. You should prefer to place such rule in the http servers host configuration though, for various reasons.
If that setup is not possible, for example because you do not have access to the proxy module, then you can implement a simple routing solution which fetches the PDF in background using for example php's cURL extension and forwarding the payload along with correct http headers to the client that sent a request to that PDF. That is usually done for resources kept locally but there is no reason why you can't do that with remote resources too.
Some additional notes:
if you only deliver documents form that google drive resource, then you probably do not need the ProxyPassReverse directive, but only the ProxyPass.
if you run into a server internal error (http status 500) using the above setup then chances are that you operate a very old version of the apache http server. You will find a hint on an unsupported END flag in your http servers error log file in that case. Try using the [L] flag in that case, it probably will work the same here, but that depends on the rest of your setup.

Does showing content of other site using .htaccess rewrite function cause security vulnerable?

Let's suppose I have a app running on heroku with heroku's SSL, and I have a domain that has Let's encrypt DV SSL.
Will it cause security vulnerable if I use .htaccess function rewrite (NOT REDIRECT) to show contents on heroku app on my own domain? Since I know if we use iframe or redirect it won't be vulnerable if both connection point has SSL encryption, but how about rewrite?
P.S. The rule I'm using is something like this
RewriteEngine On
RewriteCond #{HTTP_HOST} example.com
RewriteRule (.*) example.herokuapp.com/$1
PPS. If anyone knows there is issue or security holes in the htaccess rule welcome to point out
You can't rewrite to another external website without the apache proxy, and mod_proxy dose have indeed some security issues:
From Apache site:
The forward proxy is activated using the ProxyRequests directive.
Because forward proxys allow clients to access arbitrary sites through
your server and to hide their true origin, it is essential that you
secure your server so that only authorized clients can access the
proxy before activating a forward proxy.

How do I redirect to a different domain AND a different folder?

What htaccess rule would I need to apply to redirect to a different domain but also to a different folder structure? Example: current page is
http://oldwebsite.com/school/forum
and the new website would be
https://newwebsite.com/forum
I figured that the rewrite rule for the domain name alone would be
RewriteEngine on
RewriteRule ^(.*)$ https://newwebsite.com/$1 [R=301,L]
which works just fine when I test it.
But I can't find out what rule I'd need for rewriting the old forum posts that are in an unnecessary subfolder to the new domain where it's directly in /forum.
Also: would I need to write https or is that something that doesn't matter and will be done automatically if I have an SSL certificate and the forum (phpbb3 in this case) is set to SSL anyway?
Thanks and best regards,
Andi
This is what you are looking for I assume:
RewriteEngine on
RewriteRule ^/?school/(.*)$ https://newwebsite.com/$1 [R=301]
That rule will work in the http servers host configuration and likewise in a dynamic configuration file (.htaccess) then the hosts document root. Obviously the rewriting module must be enabled. If you decide to use a dynamic configuration file, then you additionally need to allow that using the AllowOverride directive.
You need to specify the https protocol, since that is where the redirected client will make the connection to. That is something the client has to decide before having contact with the server. So whether a ssl certificate is installed does not really help in that. You mighty rely on an additional redirection from http to http on the new domain, but why? Much better to redirect directly to the ssl port in the first place.
And a general hint: you should always prefer to place such rules inside the http servers (virtual) host configuration instead of using dynamic configuration files (.htaccess style files). Those files are notoriously error prone, hard to debug and they really slow down the server. They are only supported as a last option for situations where you do not have control over the host configuration (read: really cheap hosting service providers) or if you have an application that relies on writing its own rewrite rules (which is an obvious security nightmare).

Redirect to URL and keep it hidden

I have this small private minecraft server, and I added dynmap.
So I would like to share this map on website, BUT I don't want to use its original URL, cause it shows the server IP that I would like to keep hidden.
Map on URL:
http://server17.mycommunity.net:8123/
I want it to be seen from:
http://minecraft.mycommunity.net/map/
I would like to do this with .httaccess file. I've tried the settings below, but it only redirects to the server17 address, and I would like it to stay in /map/ URL and keep the server address hidden.
RewriteEngine On
RewriteBase /
RewriteRule ^map/$ http://server17.mycommunity.net:8123/ [L]
Is this possible to do it with .htaccess or do I have to do this some other way?
These answers looks to be close to what you need, although you might need mod_proxy installed:
configuring ProxyPass on .htaccess to show tomcat through apache http server
.htacess rewriting with the [P] proxy flag
I don't use Apache regularly, so I'm not quite sure what is needed. I do know that with some configuration you can use mod_rewrite/mod_proxy to proxy content from one server at one port to another at the regular http port. That's what you are really needing. There is no such thing as rewriting when it comes to proxying.
However, I'm not sure exactly what that proxy entails, or if, by setting up this kind of proxy, you aren't breaking anything.

Resources