Securing the riemann dashboard websocket

Time: 2016-07-01 14:22:45

Tags: nginx riemann riemann-dashboard

I want to protect my riemann server/client/dashboard when using it on a production server, so that only authorized people can access the data.

So:

  • I redirected port 80 to 443
  • Used a Let's Encrypt certificate
  • Added nginx authentication in front of the dashboard

But then I found out that I have to redirect the websocket from the dashboard to the server for the web browser to display anything, so I added a redirect to the server's port. This is the part I'm worried about.

I ended up with this config file (there may be some redundant parts):

server {
    listen 80 ;
    listen [::]:80;

    server_name riemann.mydomain.io;

    return 301 https://$host$request_uri;
}


server {
    listen 443 ssl;
    listen [::]:443;

    server_name riemann.mydomain.io;

    location / {
        auth_basic            "Restricted Area";
        auth_basic_user_file /etc/nginx/htpasswd;

        # note no HTTPS here, that's ok since it serves the dashboard right ?
        proxy_pass http://localhost:4567;
    }

    ssl_certificate           /etc/letsencrypt/live/mydomain.io/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/mydomain.io/privkey.pem;

    ssl on;
    ssl_prefer_server_ciphers  on;
    ssl_session_timeout        180m;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security 'max-age=31536000';

    access_log /var/log/mydomain_riemann_access.log;
    error_log /var/log/mydomain_riemann_error.log;
}


# dashboard websocket
# then configure mydomain.io:4556 in the dashboard
# TODO secure it

server {
    listen 4556;
    listen [::]:4556;

    # not sure if this is the best possible name also
    server_name localhost:4556;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # note no HTTPS here
        # this is the websocket port my question is about
        # note that it is not directly accessible from the outside
        proxy_pass http://localhost:5556;
    }

    ssl_certificate           /etc/letsencrypt/live/mydomain.io/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/mydomain.io/privkey.pem;

    ssl on;
    ssl_prefer_server_ciphers  on;
    ssl_session_timeout        180m;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security 'max-age=31536000';

    access_log /var/log/mydomain_riemann_access.log;
    error_log /var/log/mydomain_riemann_error.log;
}

My only problem now is: the websocket connection from the browser to the server doesn't look secure (even if it uses wss), since there doesn't seem to be any kind of authentication/token going on.

Am I right that anyone who knows the port and the protocol to talk to the riemann server can listen in here? If so, how do I configure it to only allow authenticated users? Or is this more of an architecture question?

0 answers:

No answers
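The concern in the question is well founded: the 4556 server block has no auth_basic, so the websocket handshake is accepted from any client that can reach the port, and the event stream that follows is only as private as the network path to 4556. The nginx configuration below is an added example (not from the original question, and not part of the Riemann project) that puts the websocket behind the same HTTP Basic authentication as the dashboard. It is placed under a path on the existing 443 server rather than on a second port: a browser cannot answer a 401 challenge on a WebSocket handshake, it can only send credentials it already has cached for that origin, and an origin includes the port, so credentials entered for riemann.mydomain.io:443 are not reused for riemann.mydomain.io:4556. The certificate paths, htpasswd file and the backend ports 4567 (dashboard) and 5556 (Riemann websocket server) are taken from the question; the `/ws/` prefix and the assumption that the dashboard's server setting can be pointed at `riemann.mydomain.io/ws` so that it opens `wss://riemann.mydomain.io/ws/index?...` are this example's own and should be checked against the dashboard version in use.

```nginx
# Added example: dashboard and its websocket on one origin, both behind auth_basic.
# Assumes the dashboard listens on 127.0.0.1:4567 and Riemann's websocket
# server on 127.0.0.1:5556, as in the question.

server {
    listen 80;
    listen [::]:80;
    server_name riemann.mydomain.io;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name riemann.mydomain.io;

    ssl_certificate           /etc/letsencrypt/live/mydomain.io/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/mydomain.io/privkey.pem;
    ssl_protocols             TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers               'AES256+EECDH:AES256+EDH';
    ssl_dhparam               /etc/ssl/certs/dhparam.pem;
    ssl_session_cache         shared:SSL:10m;
    add_header Strict-Transport-Security 'max-age=31536000';

    # Credentials shared by both locations: one login covers UI and stream.
    auth_basic            "Restricted Area";
    auth_basic_user_file  /etc/nginx/htpasswd;

    # The dashboard UI, as in the question.
    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:4567;
    }

    # The event websocket. The handshake is an ordinary HTTP GET, so the
    # inherited auth_basic is enforced before nginx upgrades the connection;
    # an unauthenticated handshake gets 401 and never reaches Riemann.
    # ASSUMPTION: the dashboard's server setting is "riemann.mydomain.io/ws".
    location /ws/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        # Subscriptions are long-lived; do not let the default read timeout
        # silently drop an idle stream.
        proxy_read_timeout 3600s;

        # Trailing slash strips the /ws/ prefix before forwarding, so the
        # backend still sees /index?subscribe=... as it does today.
        proxy_pass http://127.0.0.1:5556/;
    }

    access_log /var/log/mydomain_riemann_access.log;
    error_log  /var/log/mydomain_riemann_error.log;
}
```

With this in place the separate `listen 4556` server block is no longer needed and should be removed, so that nothing accepts handshakes without credentials. Two checks are worth doing after reloading nginx: a request such as `curl -I https://riemann.mydomain.io/ws/index` must return `401 Unauthorized` without credentials, and `ss -ltnp` (or `netstat`) must show port 5556 bound to 127.0.0.1 only, so the proxy is the sole path to the Riemann websocket server. Basic auth gives you "authenticated users only"; it does not give per-user authorization over which events a user may subscribe to, which is the architectural part of the question and would need a token-aware proxy or a Riemann-side control that this example does not provide.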