Does zeromq provide TCP security while communicating to nodejs apps? - node.js

I have integrated zeromq in 5 applications those are running on nodejs and nginx proxy. I want to know the best way to secure the tcp communication between 0mq and nodejs app - I am mostly using PUB SUB method.
Currently for security I am using req rep method to share a key with queue id before any connection. this key I am using into SUB.
What are the best standard for zeromq tcp security?

ZAP CURVE for nodejs zmq lib.
There are few libraries those are in beta but I have implemented Curve Machenism it is working fine no breaking issues
you can use REQ REP also with ZAP module. But best I felt CURVE machenisim.
https://github.com/msealand/zmq-zap.node/tree/master/examples
http://rfc.zeromq.org/spec:26/CURVEZMQ
https://en.wikipedia.org/wiki/Elliptic_curve_cryptography
Just go through documentation and if you face any problem while implementing it please post separate question.

Related

RTCDataChannel communication between server and client

I am going to create real time web application and would like to use WebRTC RTCDataChannel to exchange data between client and server.
WebRTC is created for peer-to-peer communication. However, is it possible to do data exchanging between server and client?
Yes! You could use a WebRTC implementation and build your server from the ground up. Will feel like using a HTTP library and setting your own endpoints.
https://github.com/aiortc/aiortc (Python)
GStreamer’s webrtcbin (C)
https://github.com/shinyoshiaki/werift-webrtc (Typescript)
https://github.com/pion/webrtc (Golang)
https://github.com/webrtc-rs/webrtc (Rust)
https://github.com/awslabs/amazon-kinesis-video-streams-webrtc-sdk-c (C/Embedded)
https://webrtc.googlesource.com/src/ (C++)
https://github.com/rawrtc/rawrtc (C++)
https://github.com/sipsorcery-org/sipsorcery (C#)
https://github.com/paullouisageneau/libdatachannel (C++)
Or you could run a WebRTC server and write an extension/modify it. This will get you something working quicker.
https://github.com/meetecho/janus-gateway
https://github.com/jitsi/jitsi-meet
https://github.com/versatica/mediasoup
https://github.com/pion/ion-sfu
https://galene.org
https://github.com/peer-calls/peer-calls
Happy to answer more directed questions. I think it depends on what languages/tools you feel comfortable with.

Using nats with angular to discuss with Hemerajs microservices server

I need a piece of advice.
Indeed I am writing an Hemerajs (Hemerajs) server application couple with a NATS (NATS) messaging server.
Moreover I'd like to plug an Angular 6+ front application on this server through the NATS pub/sub system.
However I did not find any package or help for using nats with angular.
May I misunderstood pattern messaging behavior, perhaps the messaging system is only internally of microservices server and the communication between angular and node must be with REST API ?
Could you help me for finding the correct package or the correct way to implement this please ?
Thanks
Regards
At the time of writing there is no official Angular client and ts-nats was written for node.js aka server side.
There are
https://github.com/isobit/websocket-nats
and
https://github.com/isobit/ws-tcp-relay
But they had no updates for 3 years. I'm not sure if websocket-nats was written for nats v1 or v2.
The client protocol is documented here: https://docs.nats.io/nats-protocol/nats-protocol and the following page talks about implementing your own client.
So far nats seems to be for service to service communication only, since there are no official clients for browsers.

Websocket Security

I am looking to implement web (angular) and iPhone apps using WebSockets to communicate with our server. In the past using HTTP requests we have used hashes using the request data, url, timestamp etc to authenticate and secure the requests.
As far as I am aware we can't send headers with WebSockets requests therefore I am wondering how I can secure each request.
Does anyone have any ideas or good practices?
To secure your messages, use WebSockets over SSL/TLS (wss:// instead of ws://). Don't roll your own crypto.
Concerning authentication. The big difference between HTTP and WebSockets is that HTTP is a stateless protocol and WebSockets is not.
With HTTP you have to send headers (cookies, tokens, whatever) with each request. With WebSockets you establish a connection. In the first interactions you can authenticate the client and for the remainder of the connection you know the client is authenticated.
The people at Heroku have described a pattern where the client authenticates using HTTP, gets a ticket and then sends that ticket as a first message over the WebSocket connection. See https://devcenter.heroku.com/articles/websocket-security
I agree with the SSL/TLS wss:// connection. Always use encrypted traffic. There are several ways to implement a authentication. See here:
http://simplyautomationized.blogspot.com/2015/09/5-ways-to-secure-websocket-rpi.html
Most to all examples use python or nodejs and are directed for the Raspberry Pi but the general concepts are good ideas to consider. There are links in the post to a SocketRocket helper library that allows you to insert authentication into the auth header (SocketShuttle).
Having secure communication with server includes authenticating both parties to each other. If you need to channel different users with different authentication credentials through one communication channel (which is a rare idea nowadays), you'll need separate authentication. Otherwise, you just need to come up with key distribution scheme (so that your apps know public keys of your server and your server has a protocol of getting acquanted to public keys of clients, there are plenty of patterns for this).
To do that, there is a choice gradient a bit wider than SSL or your own crypto (try to avoid writing your own crypto at any cost).
For webserver-to-browser part of stack, SSL is your only choice, however it shouldn't be considered as a good safety measure, each year unfolds more and more vulnerabilities, cipher degradation cases and trust problems. It carries 20 years of baggage of bad engineering decisions and urgent fixes, so if you can get something better - it's worth doing so. Still, it's much better than nothing for the regular webs.
In your mobile app you could easily use one of a number of cryptographic libraries providing secure session messaging with server with significantly higher security guarantees, no reliance:
https://github.com/mochtu/libsodium-ios, libsodium-ios, an ios wrapper for NaCl, one of the best modern cryptographic libraries, which has lots of novel implementations to ECC cryptography, is highly praised in academic circles and written by a madman keen to have best performance under all circumstances (in short: I adore it :) ).
Themis, a project I'm a contributor in, we have very ObjC-friendly iOS version of our library, and a handy tutorial on doing secure traffic over websockets in iOS: https://www.cossacklabs.com/building-secure-chat
You should secure your connection with SSL/TLS and use https over http and wss over ws. For having auhentication/authorization, you can add query params to the websocket connections and also add something like username/passwprd.
For instanse :
wss://example.com/path?username=password=anotherParam=99ace112-dd56-427e-ba3d-9dd23e9c7551
yes, in js you cant add your arbitrary header, but you are allowed to add protocols and Sec-WebSocket-Protocol header to your webocket connections and on the server-side authenticate/authorize users based on websocket protocols

Websocket App Design

Most examples I have seen are are just small demo's and not full stack applications and they use websocket for messaging, but for any chat application there is more data then just messages...suppose like user profile, his contacts etc.
So should I use websockets for all communication between server and client or just use them for sending messages and do other things through http? If I am to use websocket for all communication how do url design of the app...since websockets don't have have any different urls like http.
You might be interested in WAMP, an officially registered WebSocket subprotocol that provides applications with WebSocket based
asynchronous, bidirectional remote procedure calls
real-time publish & subscribe notifications
Disclaimer: I am original author of WAMP and work for Tavendo.
Pretty sure you'll get the usual "it depends" answer, because, well, it depends!
If you are going to build a large application, to be used by a number of different clients in different network arrangements etc then I personally wouldn't recommend using WebSockets for everything. Why?
It's a new standard, so not all clients support it
In some network configurations WebSocket traffic may be filtered out, meaning you end up with no communications - not great
If you end up exposing an external API then HTTP is much better fitted for the job and will likely be easier to code against. There are a lot more tools out there to help you with it and styles that everyone is familiar with, like REST, to follow.
Use WebSockets when you require data being pushed from the server without the client having to poll for it, or when HTTP header overhead becomes a problem. And if you still decide to use it make sure you have a fallback mechanism (e.g. longpolling) so you don't end up with no comms.
I'm afraid I can't help you regarding WebSocket API design... given it's a new standard I don't believe the community has settled on anything just yet so you'll have to come out with your own message-based scheme.

Node.js with socket.io

I am looking to build an web application using node.js and possibly socket.io but I am having a lots of confusion regarding whether to use socket.io or go with plain http. In the app the node.js server will be basically an api server which serves json to the javascript client or may be mobile clients too. The web app will also has chat messeneger for its users, this is where socket.io comes in.
I am not sure whether to use socket.io for the whole app or only for the chat part. Although my app itself could benefit from socket.io but its nothing that I think can't be done using plain http and client making more requests to the server.
I have read at several places that sometimes socket.io can be difficult to scale for more users.
Socket.io often crashes and specially creates probs when there are firewall in clients system.
More importantly.....I checked out socket.io user list and did not find many users, so was curious to know what kind of platform is more know chat network like facebook messenger, google talk etc are built upon, Are any built using http-ajax and continues querying to the server.
Please help me out in solving this question. Some might argue that this is a opinion based question. But what actually I am trying to figure out the implementation of socket.io and its limitation.
I would suggest serving your API over HTTP and leave the real-time business to Socket.io. If you are adverse to using Websockets, like #GeoPheonix stated, you can choose from a variety of transport methods using both socket.io and sockjs (https://github.com/sockjs/sockjs-node).
As far as scaling is concerned, I deployed a socket.io based real-time analytics/tracking service for a very large application with ana average of 400+ concurrent connections with no visible performance impact, but this may depend on the implementation and hardware.
Socket.io is faster than plain http. I recommend you to use it for all since you have to have a chat in first place.
In my case, real-time Texas Hold'em-like game can receive up to 2500 concurrent with one node process. However, if you change transport from websocket to xhr-polling, It can receive like more 10x than pure websocket. Your application is just chat so, I guess a little slow down wouldn't be a problem. If you sure you will exceed this number, yes, scale socket.io is a pain.
This problem will happen only if you open socket.io for port other than 80 and 443. If you have frontend web server with other language already, you can still use socket.io on another subdomain to be able to run on port 80 without conflict with your main frontend web server. Socket.io support cross-domain without a problem.
Have you used trello.com? If not, try it :). It's best for task management or even some Agile thing. They used socket.io. https://c9.io/ is another one. It's online IDE with google doc-like collaborative. One thing to note is xhr-polling trasport in socket.io is the same with http-ajax with long-polling (Better than general ajax). You can read more info at:
http://book.mixu.net/node/ch13.html

Resources