ModSecurity to monitor websocket connection proxied by nginx

[cschwaderer]

Can ModSecurity monitor and block websocket traffic?

(Might be the same question as #831 But that one's not totally clear to me and maybe things have changed since then.)

My current setup: An AngularJS/AngularSails web application "talks" with an NodeJS/SailsJS backend solely over websocket (resp. the Sails implementation of socket.io). In between sits nginx as a proxy, configured like so:

server {
    listen 1337 ssl;
    location /socket.io/ {
       proxy_pass https://localhost:1338;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
       proxy_http_version 1.1;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Can I use ModSecurity in nginx to monitor, analyse, and block the traffic going over this websocket connection? If so: How?

[jptosso]

I would say no as websockets are data streams and you can't intercept stream blocks to analyze, it would probably take a huge restructuration and creating new stages.

[zimmerle]

Hi @cschwaderer and @asdfuken,

Currently ModSecurity is not capable to inspect WebSockets. It is only capable to understand the http requests.