保护 Socket.io [英] Securing Socket.io
问题描述
我使用的是基于 Node.js 的 https 服务器,该服务器使用 HTTP Basic 进行身份验证(这很好,因为数据是通过 SSL 加密连接发送的).
I am using a Node.js based https server that authenticates using HTTP Basic (which is fine as the data are sent over the SSL encrypted connection).
现在我想提供一个 Socket.io 连接,它应该是
Now I want to provide a Socket.io connection which should be
- 加密和
- 仅适用于经过身份验证的用户.
问题是如何做到这一点.我已经发现连接到套接字时需要在客户端 JavaScript 代码中指定 {secure: true } ,但是如何在服务器端强制使套接字连接只能运行SSL,并且它仅适用于经过身份验证的用户?
The question is how to do this. I already found out that I need to specify { secure: true } in the client JavaScript code when connecting to the socket, but how do I force on the server-side that socket connections can only be run over SSL, and that it works only for authenticated users?
我想 SSL 的事情是简单的部分,因为 Socket.io 服务器只绑定到 https 服务器,所以它应该只使用 SSL 运行,并且应该不可能在(另外)上运行它运行http服务器,对吗?
I guess that the SSL thing is the easy part, as the Socket.io server is bound to the https server only, so it should run using SSL only, and there should be no possibility to run it over an (additionally) running http server, right?
关于另一件事,我对如何确保只有在用户使用 HTTP Basic 成功通过身份验证后才能建立套接字连接一无所知.
Regarding the other thing I have not the slightest idea of how to ensure that socket connections can only be established once the user successfully authenticated using HTTP Basic.
有什么想法吗?
推荐答案
虽然 Linus 的回答基本正确,但我现在使用 session.socket.io - 基本上做同样的事情,但编写的自定义代码更少.
Although the answer by Linus is basically right, I now solved it in a more easy way using the session.socket.io - which basically does the same thing, but with way less custom-code to write.
这篇关于保护 Socket.io的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
