
I want to secure my riemann server/client/dashboard to use it on a production server so that only authorized users can access the data.

So:

  • I redirected port 80 to 443
  • used Let's Encrypt certificates
  • added nginx authentication on the dashboard

But then I noticed that I had to redirect the websocket from the dashboard to the server for the web browser to display something, so I added a port that redirects to the server. This is the thing I am worried about.

I end up with this configuration file (there are probably some redundant parts):

server {
    listen 80;
    listen [::]:80;

    server_name riemann.mydomain.io;

    return 301 https://$host$request_uri;
}


server {
    listen 443 ssl;
    listen [::]:443;

    server_name riemann.mydomain.io;

    location / {
        auth_basic            "Restricted Area";
        auth_basic_user_file /etc/nginx/htpasswd;

        # note no HTTPS here, that's ok since it serves the dashboard, right?
        proxy_pass http://localhost:4567;
    }

    ssl_certificate           /etc/letsencrypt/live/mydomain.io/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/mydomain.io/privkey.pem;

    ssl on;
    ssl_prefer_server_ciphers  on;
    ssl_session_timeout        180m;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security 'max-age=31536000';

    access_log /var/log/mydomain_riemann_access.log;
    error_log /var/log/mydomain_riemann_error.log;
}


# dashboard websocket
# then configure mydomain.io:4556 in the dashboard
# TODO secure it

server {
    listen 4556;
    listen [::]:4556;

    # not sure if this is the best possible name also
    server_name localhost:4556;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # note no HTTPS here
        # this is the websocket port my question is about
        # note that it is not directly accessible from the outside
        proxy_pass http://localhost:5556;
    }

    ssl_certificate           /etc/letsencrypt/live/mydomain.io/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/mydomain.io/privkey.pem;

    ssl on;
    ssl_prefer_server_ciphers  on;
    ssl_session_timeout        180m;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security 'max-age=31536000';

    access_log /var/log/mydomain_riemann_access.log;
    error_log /var/log/mydomain_riemann_error.log;
}

The only problem that I have now is: the websocket connection from the browser to the server does not look secure (even if it uses wss), as there does not seem to be any kind of authentication/token going on.

Am I correct in saying that anyone knowing the port and protocol to speak to a riemann server could listen here as well? If yes, how would I configure it to only allow authenticated users? Or is it more of an architectural problem?

nha

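As an added example (not the asker's configuration), this is one way to put the websocket proxy behind the same TLS and Basic-auth server block on 443 under a path prefix, so the handshake is subject to the same credentials as the dashboard and port 4556 does not have to be exposed at all. It assumes the dashboard's server setting can be given as riemann.mydomain.io:443/ws (host, port and path prefix), that Riemann's websocket listener on 5556 is bound to localhost only, and that the browser reuses the credentials it already holds for this host on the handshake; confirm the last point in the browser's network tab before relying on it.

```nginx
# Added example: websocket handshake proxied under the authenticated 443 vhost.
# Maps the client's Upgrade header to the Connection value nginx must forward;
# plain HTTP requests to the same location get "close" instead of "upgrade".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name riemann.mydomain.io;

    ssl_certificate     /etc/letsencrypt/live/mydomain.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.io/privkey.pem;
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security 'max-age=31536000' always;

    # Credentials are required for every location in this block, so the
    # websocket endpoint below cannot be reached without them.
    auth_basic           "Restricted Area";
    auth_basic_user_file /etc/nginx/htpasswd;

    # Dashboard UI (riemann-dash on 4567, loopback only).
    location / {
        proxy_pass http://127.0.0.1:4567;
        proxy_set_header Host $host;
    }

    # Websocket: wss://riemann.mydomain.io/ws/index?... -> ws://127.0.0.1:5556/index?...
    # The trailing slash on proxy_pass strips the /ws/ prefix before forwarding.
    location /ws/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_read_timeout 3600s;   # keep idle event streams open
        proxy_pass http://127.0.0.1:5556/;
    }

    access_log /var/log/mydomain_riemann_access.log;
    error_log  /var/log/mydomain_riemann_error.log;
}
```

With this in place the separate `listen 4556` server block can be removed, and a firewall rule should confirm that 5556 is not reachable from outside the host.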