Websocket security

Christian Schwaderer schwaderer at daz-services.de
Thu Apr 6 05:59:07 UTC 2017


Dear all,

I run NodeJS as a kind of web application server serving an AngularJS 
frontend. They communicate solely over WebSockets, using the SailsJS 
implementation of Socket.IO. Between the frontend (client) and the NodeJS 
backend sits nginx as a proxy, configured like so:

    server {
        listen 1337 ssl;
        location /socket.io/ {
            proxy_pass https://localhost:1338;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

So far, so good. I now want to monitor and secure the WebSocket 
connection. In particular, I want to prevent XSS attacks and exclude IPs 
trying to brute force the login to my application. I'm pretty new to 
that stuff, but I've found out that there are tools working together 
with nginx which can fulfill my needs here (in particular, fail2ban and 
nginx-naxsi).

However, I have not found out yet whether and how these tools would 
work with my design (proxied WebSocket).

fail2ban works on log files. Right now, nginx does *not* log the 
WebSocket traffic. Is it possible to configure nginx so that it logs the 
proxied WebSocket traffic? I mean the actual traffic: not the 
establishing of the socket connection, but what is actually being 
exchanged between client (browser) and server (NodeJS). That should 
appear in some nginx log file in order to make fail2ban work.

Same goes for nginx-naxsi, I guess.
Does nginx, in my configuration, even care about what browser and NodeJS 
are exchanging via WebSocket? How can I make nginx inspect the content 
of the WebSocket connection so that I can filter out malicious requests 
based on nginx-naxsi rules?

Thanks in advance for any hints!
Best,
Christian

(PS: I had already asked a similar question on serverfault, but to no avail.)
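Whatever the proxy ends up logging, the Node backend already sees every login attempt and the client address that the nginx configuration above appends to X-Forwarded-For. The following is an added example (not code from the post, SailsJS or Socket.IO) of the backend writing one fixed-format line per failed login that a fail2ban filter can match, and refusing further attempts from an address once it crosses a threshold. It assumes a Socket.IO-style `handshake` object whose `headers` carry the upgrade request's HTTP headers; the function and class names, the log format and the sample handshake are all constructed for this example. Because a browser can send its own X-Forwarded-For header, only the rightmost entry, the one our nginx appended, is trusted:

```javascript
// Added example, not from the original post or from SailsJS/Socket.IO.
// Assumes the nginx proxy from the mail, which appends the real client
// address to X-Forwarded-For via $proxy_add_x_forwarded_for.

// Only the rightmost X-Forwarded-For entry was written by our own proxy;
// anything to the left of it was supplied by the client and can be forged.
function clientIpFromForwardedFor(headerValue, fallback) {
  if (typeof headerValue !== 'string' || headerValue.trim() === '') {
    return fallback;
  }
  const parts = headerValue.split(',').map((p) => p.trim()).filter(Boolean);
  return parts.length > 0 ? parts[parts.length - 1] : fallback;
}

// Counts failed logins per client address inside a sliding window and
// produces one log line per failure in a fixed format, e.g. for a
// fail2ban filter (hypothetical regex, adjust to your filter):
//   failregex = ^\S+ login-failed ip=<HOST> user=\S+ attempts=\d+$
class LoginFailureTracker {
  constructor({ windowMs = 10 * 60 * 1000, maxAttempts = 5, now = Date.now } = {}) {
    this.windowMs = windowMs;
    this.maxAttempts = maxAttempts;
    this.now = now;               // injectable clock, handy for tests
    this.failures = new Map();    // ip -> timestamps (ms) of recent failures
  }

  recentFailures(ip, t) {
    return (this.failures.get(ip) || []).filter((ts) => t - ts < this.windowMs);
  }

  // Records one failure and returns the formatted log line.
  recordFailure(ip, user) {
    const t = this.now();
    const recent = this.recentFailures(ip, t);
    recent.push(t);
    this.failures.set(ip, recent);
    // Usernames are attacker-controlled: strip whitespace so one attempt
    // cannot be spread over several log lines or smuggle extra fields.
    const safeUser = String(user).replace(/\s+/g, '_');
    return `${new Date(t).toISOString()} login-failed ip=${ip} user=${safeUser} attempts=${recent.length}`;
  }

  // True once the address has reached the threshold inside the window.
  isBlocked(ip) {
    return this.recentFailures(ip, this.now()).length >= this.maxAttempts;
  }
}

// Hypothetical handler shape: `handshake` mimics socket.handshake, whose
// `headers` are the HTTP headers of the upgrade request and whose
// `address` is the TCP peer (here the proxy itself, 127.0.0.1).
// `ok` is the outcome of the real credential check, done elsewhere.
function handleLoginAttempt(tracker, handshake, user, ok, log = console.log) {
  const ip = clientIpFromForwardedFor(handshake.headers['x-forwarded-for'], handshake.address);
  if (tracker.isBlocked(ip)) {
    return { accepted: false, reason: 'too-many-failures', ip };
  }
  if (ok) {
    return { accepted: true, ip };
  }
  log(tracker.recordFailure(ip, user));
  return { accepted: false, reason: 'bad-credentials', ip };
}

// Constructed sample handshake, not real traffic: the client tried to
// forge a leading entry (1.2.3.4); nginx appended its real address.
const sampleHandshake = {
  address: '127.0.0.1',
  headers: { 'x-forwarded-for': '1.2.3.4, 203.0.113.9' },
};

// Stand-alone demo: five bad passwords, then a correct one that is still
// refused because the address is now blocked for the window.
function demo() {
  const tracker = new LoginFailureTracker({ maxAttempts: 5 });
  let result;
  for (let i = 0; i < 5; i++) {
    result = handleLoginAttempt(tracker, sampleHandshake, 'alice', false);
  }
  result = handleLoginAttempt(tracker, sampleHandshake, 'alice', true);
  console.log(result); // { accepted: false, reason: 'too-many-failures', ip: '203.0.113.9' }
  return result;
}

demo();
```

The log lines go wherever the app already writes its log file; fail2ban then bans the `ip=` address at the firewall, so the proxy's own access log does not need to contain the WebSocket payload for this particular purpose. Extracting the client address from the last X-Forwarded-For entry only holds when the backend port is reachable solely through the proxy.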
