一、基础安全配置
1. SSL/TLS加密配置
nginx
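# Nginx configuration: terminate TLS and proxy WebSocket upgrades to the backend
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/cert/server.crt;
    ssl_certificate_key /etc/nginx/cert/server.key;
    # Pin the protocol versions explicitly; depending on the nginx build the
    # default ssl_protocols may still include TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    location /ws {
        proxy_pass http://websocket_backend;
        # HTTP/1.1 is required for the Upgrade handshake to pass through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        # Directive name and value must be separated by whitespace
        # (the original had `Connection"upgrade"`, which nginx rejects).
        proxy_set_header Connection "upgrade";
        # Forward the client's Host so the backend can validate Host/Origin.
        proxy_set_header Host $host;
    }
}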
2. 安全Headers配置
javascript
// Node.js WebSocket server configuration
const WebSocket = require('ws');

// Origin allow-list check run during the handshake. This mitigates cross-site
// WebSocket hijacking for browser clients; it is not authentication, since
// non-browser clients set Origin freely. A request with no Origin header is
// rejected too, because includes(undefined) only matches an explicit undefined entry.
// `allowedOrigins` is expected to be defined elsewhere in the file.
const isAllowedOrigin = (info) => allowedOrigins.includes(info.origin);

const server = new WebSocket.Server({
  port: 8080,
  clientTracking: true,
  verifyClient: isAllowedOrigin,
});
二、身份验证实现
1. Token认证
javascript
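// WebSocket connection authentication middleware
/**
 * Authenticates a WebSocket upgrade request using a JWT passed as `?token=`.
 *
 * On success `socket.user` is set to the decoded claims and `true` is returned.
 * On failure the socket is closed with an application close code and `false`
 * is returned: 4001 when no token is present, 4003 when verification fails.
 *
 * NOTE(review): a token in the query string typically ends up in proxy and
 * access logs (the nginx front end above logs the request line by default);
 * treat those logs as sensitive or move the token into the first message.
 *
 * @param {import('ws').WebSocket} socket - the accepted socket
 * @param {{url: string}} request - the HTTP upgrade request (url is path + query)
 * @returns {boolean} whether the connection is authenticated
 */
const wsAuth = (socket, request) => {
  // Parse the query string properly. The previous `split('?token=')[1]`
  // only worked when token was the first parameter and swallowed any
  // following `&other=...` into the token value. The base URL is a dummy:
  // request.url carries only path and query.
  const token = new URL(request.url, 'http://localhost').searchParams.get('token');
  if (!token) {
    socket.close(4001, 'No token provided');
    return false;
  }
  try {
    // jwt (jsonwebtoken) is expected to be in scope elsewhere in the file.
    socket.user = jwt.verify(token, process.env.JWT_SECRET);
    return true;
  } catch (err) {
    socket.close(4003, 'Invalid token');
    return false;
  }
};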
2. Session验证
javascript
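// Session-based authentication
const sessionParser = require('express-session')({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
});

// Runs the session middleware against the upgrade request and closes the
// socket (code 4002) when no logged-in user is attached to the session.
// NOTE(review): this check runs after the connection is already open and
// only once the middleware callback fires, so any 'message' handlers that are
// registered before it completes are not gated by it; rejecting at the
// upgrade/handshake stage would close that window.
wss.on('connection', (ws, req) => {
  // `{}` stands in for the response object express-session expects.
  sessionParser(req, {}, () => {
    // Guard `req.session` itself: if the middleware could not attach a
    // session, the old `req.session.userId` read threw inside this callback
    // instead of closing the socket.
    if (!req.session || !req.session.userId) {
      ws.close(4002, 'Not authenticated');
      return;
    }
  });
});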
三、访问控制策略
1. 速率限制
javascript
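// Connection-rate limiting per client IP.
// Constructed defaults; tune them to the deployment.
const RATE_LIMIT_WINDOW_MS = 60000; // 1-minute window
const RATE_LIMIT_MAX_CONNECTIONS = 10; // attempts allowed per window
const RATE_LIMIT_MAX_TRACKED_IPS = 10000; // prune expired buckets once the map grows past this

// ip -> { count, firstConnection } bucket for the current window
const rateLimit = new Map();

// Removes buckets whose window has expired. Without this every distinct
// source address left a permanent entry, so the map grew without bound.
// Deleting during Map iteration is safe in JavaScript.
const pruneRateLimit = (now, windowMs) => {
  for (const [ip, info] of rateLimit) {
    if (now - info.firstConnection >= windowMs) {
      rateLimit.delete(ip);
    }
  }
};

/**
 * Records a connection attempt from `ip` and reports whether it is allowed.
 *
 * A fixed window starts at the first attempt; up to `maxConnections`
 * attempts are allowed within `windowMs`, after which attempts are denied
 * until the window has elapsed and a new one starts.
 *
 * @param {string} ip - client address used as the bucket key
 * @param {{maxConnections?: number, windowMs?: number}} [options] - limits
 *   (defaults: 10 attempts per 60000 ms, matching the previous hard-coded values)
 * @returns {boolean} true when the attempt is within the limit
 */
const rateLimiter = (
  ip,
  { maxConnections = RATE_LIMIT_MAX_CONNECTIONS, windowMs = RATE_LIMIT_WINDOW_MS } = {},
) => {
  const now = Date.now();
  // Opportunistic cleanup; an O(n) sweep only when the map is large.
  if (rateLimit.size > RATE_LIMIT_MAX_TRACKED_IPS) {
    pruneRateLimit(now, windowMs);
  }
  const info = rateLimit.get(ip) || { count: 0, firstConnection: now };
  if (now - info.firstConnection < windowMs) {
    if (info.count >= maxConnections) {
      // Denied attempts do not touch the bucket.
      return false;
    }
    info.count += 1;
  } else {
    // Window expired: start a fresh one with this attempt.
    info.count = 1;
    info.firstConnection = now;
  }
  rateLimit.set(ip, info);
  return true;
};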
2. IP白名单控制
javascript
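// IP allow-list configuration (CIDR ranges)
const allowedIPs = [
  '192.168.1.0/24',
  '10.0.0.0/8',
];

/**
 * Returns true when `ip` falls inside one of the allowed CIDR ranges.
 *
 * On a dual-stack Node socket `remoteAddress` reports IPv4 clients in
 * IPv4-mapped IPv6 form (`::ffff:a.b.c.d`); that prefix is stripped first so
 * the IPv4 ranges above still match. `ipRangeCheck` is expected to be in scope
 * elsewhere in the file.
 *
 * @param {string|undefined} ip - remote address; a non-string (e.g. undefined
 *   from an already-destroyed socket) is rejected instead of throwing
 * @returns {boolean}
 */
const checkIP = (ip) => {
  if (typeof ip !== 'string') {
    return false;
  }
  const mappedPrefix = '::ffff:';
  const normalized = ip.startsWith(mappedPrefix) ? ip.slice(mappedPrefix.length) : ip;
  return allowedIPs.some((range) => ipRangeCheck(normalized, range));
};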
四、数据安全处理
1. 消息验证
javascript
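// Message integrity verification
/**
 * Verifies the HMAC-SHA256 signature carried in a JSON message.
 *
 * The message must be a JSON object with a hex `signature` field; the
 * signature is checked against HMAC-SHA256(SECRET_KEY, JSON.stringify(rest))
 * where `rest` is the object without `signature`. `createHmac` and
 * `SECRET_KEY` are expected to be in scope elsewhere in the file.
 *
 * NOTE(review): JSON.stringify output depends on key insertion order, so the
 * signer must serialize the payload exactly the same way. If the signer is a
 * browser client, SECRET_KEY is not actually secret from that client.
 *
 * @param {string} message - raw JSON text received from the client
 * @returns {boolean} true only when the signature matches; any parse error,
 *   non-object payload, or non-string signature yields false
 */
const validateMessage = (message) => {
  const { timingSafeEqual } = require('crypto');
  try {
    const data = JSON.parse(message);
    if (data === null || typeof data !== 'object') {
      return false;
    }
    // Separate the signature from the signed payload without mutating `data`.
    const { signature, ...payload } = data;
    if (typeof signature !== 'string') {
      return false;
    }
    const expected = createHmac('sha256', SECRET_KEY)
      .update(JSON.stringify(payload))
      .digest('hex');
    // `===` short-circuits on the first differing character, which leaks
    // timing information about the expected value. timingSafeEqual requires
    // equal-length buffers, so reject a length mismatch explicitly.
    const given = Buffer.from(signature);
    const want = Buffer.from(expected);
    return given.length === want.length && timingSafeEqual(given, want);
  } catch (err) {
    return false;
  }
};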
2. 数据过滤
javascript
// XSS protection: returns a shallow copy of `message` whose `content` has
// been run through DOMPurify. Only `content` is sanitized; every other field
// is passed through unchanged. `DOMPurify` is expected to be in scope elsewhere.
const sanitizeMessage = (message) => {
  const content = DOMPurify.sanitize(message.content);
  return Object.assign({}, message, { content });
};
五、监控与日志
1. 连接监控
javascript
// WebSocket connection monitoring
wss.on('connection', (ws, req) => {
  // NOTE(review): behind the nginx proxy in the first section, remoteAddress
  // is the proxy's address, not the end client's; a trusted X-Forwarded-For
  // value would be needed for the real client IP.
  const clientIP = req.socket.remoteAddress;
  const userAgent = req.headers['user-agent'];

  logger.info({
    event: 'connection',
    ip: clientIP,
    timestamp: new Date(),
    userAgent,
  });

  // NOTE(review): in recent ws releases the close `reason` is a Buffer;
  // confirm the logger renders it as text.
  ws.on('close', (code, reason) => {
    logger.info({
      event: 'disconnection',
      ip: clientIP,
      code,
      reason,
      timestamp: new Date(),
    });
  });
});
2. 异常监控
javascript
// Error handling and monitoring
// `ws` is a single socket here, so this handler is presumably registered
// inside the 'connection' callback; it is not defined in this snippet.
ws.on('error', (error) => {
  const { message, stack } = error;

  logger.error({
    event: 'websocket_error',
    error: message,
    stack,
    timestamp: new Date(),
  });

  // Only the message (not the stack) goes to the alerting system.
  alertSystem.notify({
    title: 'WebSocket Error',
    message,
    severity: 'high',
  });
});
六、安全最佳实践
1. 心跳检测
javascript
// Heartbeat mechanism
// Marks the socket alive now and again whenever a pong arrives; the interval
// below clears the flag before each ping and terminates sockets that never answered.
const heartbeat = (ws) => {
  const markAlive = () => {
    ws.isAlive = true;
  };
  markAlive();
  ws.on('pong', markAlive);
};
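// Every 30 s: terminate sockets that did not answer the previous ping, then
// clear the flag and ping the rest. A socket that never had heartbeat()
// installed has isAlive === undefined and survives the first round.
const HEARTBEAT_INTERVAL_MS = 30000;
const heartbeatTimer = setInterval(() => {
  for (const ws of wss.clients) {
    if (ws.isAlive === false) {
      ws.terminate();
      continue;
    }
    ws.isAlive = false;
    ws.ping();
  }
}, HEARTBEAT_INTERVAL_MS);

// Stop the timer when the server shuts down; otherwise it keeps running (and
// keeps the process alive) after wss is closed.
wss.on('close', () => clearInterval(heartbeatTimer));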
2. 关闭超时连接
javascript
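// Idle-timeout handling
/**
 * Closes a socket (code 4000) that stays idle for `idleMs`.
 *
 * The timer is re-armed on every 'message', so the timeout applies to the
 * whole connection lifetime. The previous version cleared the timer on the
 * first message and never set it again, so a connection that sent one
 * message could then idle forever. The timer is also cleared on 'close' so
 * it does not fire on an already-closed socket.
 *
 * NOTE(review): ping/pong frames do not emit 'message', so the heartbeat
 * above does not keep a connection alive for this timeout.
 *
 * @param {import('ws').WebSocket} ws - socket to watch
 * @param {number} [idleMs=60000] - idle period before closing
 */
const connectionTimeout = (ws, idleMs = 60000) => {
  let timer = null;
  const arm = () => {
    clearTimeout(timer);
    timer = setTimeout(() => {
      ws.close(4000, 'Connection timeout');
    }, idleMs);
  };
  ws.on('message', arm);
  ws.on('close', () => clearTimeout(timer));
  arm();
};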