how to set socket.io origins to restrict connectio

Posted 2019-01-04 13:48

We have one html site and one node.js server which serves that website. The website and the server exchange data using socket.io. We found this in the documentation:

origins defaults to *:* The origins that are allowed to connect to the Socket.IO server.

Our html site is on http://questionexample.com/page1. Only this site may connect to our server. (But everyone may connect to that website.) How do we have to set the origins?

3 answers
一夜七次
#2 · 2019-01-04 14:13

I've had a similar problem. Try running node in production mode: NODE_ENV=production node app.js. I had this code (as recommended here):

io.configure('production', function(){
    console.log("Server in production mode");
    io.enable('browser client minification');  // send minified client
    io.enable('browser client etag'); // apply etag caching logic based on version number
    io.enable('browser client gzip'); // gzip the file
    io.set('log level', 1);           // logging
    io.set('transports', [            // all transports (optional if you want flashsocket)
        'websocket'
        , 'flashsocket'
        , 'htmlfile'
        , 'xhr-polling'
        , 'jsonp-polling'
    ]);
    io.set('origins', 'http://questionexample.com/page1:*');
});

and Node ran in development mode, so it simply couldn't work. After enabling production mode everything is OK.

I know that this is a somewhat late answer, but maybe someone else will use it.

女痞
#3 · 2019-01-04 14:24

If you dig into the Socket.io source code, you will find these lines:

var origin = request.headers.origin || request.headers.referer
  , origins = this.get('origins');

...

var parts = url.parse(origin);
parts.port = parts.port || 80;
var ok =
  ~origins.indexOf(parts.hostname + ':' + parts.port) ||
  ~origins.indexOf(parts.hostname + ':*') ||
  ~origins.indexOf('*:' + parts.port);

As you can see, Socket.io takes the origin (or referer) that came from the client, retrieves the domain name and port, and compares them with the origins option you specified.

So the valid origins values are (* means "any"):

  • testsite.com:80
  • http://testsite.com:80
  • http://*:8080
  • *:8080
  • testsite.com:* http://someotherdomain.com:8080 (multiple origins separated by space)
  • testsite.com:*/somepath (socket.io will ignore /somepath)
  • *:*

And these are invalid (because they have no port number):

  • testsite.com
  • http://testsite.com
  • http://testsite.com/somepath

Also note that if you specify sub.testsite.com as the origins value, testsite.com will be a valid origin.

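The three comparisons quoted in the answer above, written as a stand-alone function next to an exact-match variant that closes the sub.testsite.com case. This is an added example, not Socket.IO's code and not part of the original answer; hostPort, legacyAllowed and strictAllowed are hypothetical names, and rejecting a missing or unparseable header is an assumption.

```javascript
// Added example. hostPort, legacyAllowed and strictAllowed are hypothetical names,
// not Socket.IO APIs. The part the answer elides with "..." is not reproduced.

// Extract hostname and port from an Origin/Referer value; port defaults to 80
// as in the quoted code. Returns null for a missing or unparseable header.
function hostPort(header) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/:?#]+)(?::(\d+))?/i.exec(header || '');
  return m ? { hostname: m[1].toLowerCase(), port: m[2] || '80' } : null;
}

// The three substring comparisons from the quoted source.
function legacyAllowed(origins, header) {
  const p = hostPort(header);
  if (!p) return false; // assumption: reject when no usable header is present
  return origins.indexOf(p.hostname + ':' + p.port) !== -1 ||
         origins.indexOf(p.hostname + ':*') !== -1 ||
         origins.indexOf('*:' + p.port) !== -1;
}

// Exact-match variant: split the option on whitespace and compare whole
// host and port fields, so a longer configured name cannot match a shorter one.
function strictAllowed(origins, header) {
  const p = hostPort(header);
  if (!p) return false;
  return origins.split(/\s+/).filter(Boolean).some((entry) => {
    const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?([^\/:]+):(\*|\d+)(?:\/.*)?$/i.exec(entry);
    if (!m) return false; // entries without a port never match
    const hostOk = m[1] === '*' || m[1].toLowerCase() === p.hostname;
    const portOk = m[2] === '*' || m[2] === p.port;
    return hostOk && portOk;
  });
}

// Constructed sample inputs: [origins option, Origin/Referer header].
const samples = [
  ['questionexample.com:*', 'http://questionexample.com/page1'],
  ['sub.testsite.com:80', 'http://testsite.com'],
  ['sub.testsite.com:80', 'http://sub.testsite.com/page'],
  ['http://testsite.com', 'http://testsite.com'],
];
for (const [origins, header] of samples) {
  console.log(origins, '<-', header,
    'legacy:', legacyAllowed(origins, header),
    'strict:', strictAllowed(origins, header));
}
```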
看我几分像从前
#4 · 2019-01-04 14:29

I think io.set('origins', 'http://questionexample.com/page1') should do it.
