Nchan 实时消息 安全配置
原创rongfengliang ©著作权
©著作权归作者所有:来自51CTO博客作者rongfengliang的原创作品,请联系作者获取转载授权,否则将追究法律责任
备注:
即时消息的安全对于我们来说是比较重要的,作者在设计Nchan 的时候已经考虑了
a. nchan_authorize_request (Hooks and Callbacks)可以集成后端服务
配置如下:
upstream my_app {
server 127.0.0.1:8080;
}
location = /auth {
proxy_pass http://my_app/pubsub_authorize;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Subscriber-Type $nchan_subscriber_type;
proxy_set_header X-Publisher-Type $nchan_publisher_type;
proxy_set_header X-Prev-Message-Id $nchan_prev_message_id;
proxy_set_header X-Channel-Id $nchan_channel_id;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
}
location ~ /pubsub/auth/(\w+)$ {
nchan_channel_id $1;
nchan_authorize_request /auth;
nchan_pubsub;
nchan_channel_group test;
}
b. 使用内部channel ,控制访问ip
// 只能内部访问
http {
server {
#available only on localhost
listen 127.0.0.1:8080;
location ~ /pub/(\w+)$ {
nchan_publisher;
nchan_channel_group my_app_group;
nchan_channel_id $1;
}
}
server {
#available to the world
listen 80;
location ~ /sub/(\w+)$ {
nchan_subscriber;
nchan_channel_group my_app_group;
nchan_channel_id $1;
}
}
}
// ip 过滤
server {
#available to the world
listen 80;
location ~ /pub/(\w+)$ {
allow 127.0.0.1;
deny all;
nchan_publisher;
nchan_channel_group my_app_group;
nchan_channel_id $1;
}
c. 对于重要的,外部服务进行加密
http {
server {
#available only on localhost
listen 127.0.0.1:8080;
#...publisher endpoint config
}
server {
#available to the world
listen 443 ssl;
#SSL config goes here
location ~ /sub/(\w+)$ {
nchan_subscriber;
nchan_channel_group my_app_group;
nchan_channel_id $1;
}
}
}
·
提问和评论都可以,用心的回复会被更多人看到
评论
发布评论
相关文章
-
Nginx安全配置
nginx版本号隐藏
nginx 版本号 安全