What is the point of using a proxy server such as node-http-proxy for a node app with a single app on one port?
I'm exploring using the node-http-proxy proxy server so that I can have our proxy server on port 80 forward requests to our app server on port 8000. However, I'm a little confused as to why this is a good idea, and what exactly this set up would protect against security-wise.

The node-http-proxy documentation discusses a lot about using it as a way to forward requests to an app with multiple ports or IP addresses. This obviously would be very useful, particularly with a basic round-robin load balancer strategy. However, we only have one app on one port, so there is no need for us to do this.

If there is an important security reason why we should be using this proxy server, then I'd love to know what types of attacks it protects against. Also, we're using socket.io, so if there is something that the proxy does to help the websocket server scale up, I'd like to understand that as well. We're having trouble figuring out how to run our app without sudo (since all ports below 1024 require root access), so if there really is no good reason to use a proxy server at this point, we're just going to scrap it. If anyone knows how to run this app with the proxy server on port 80 without root access, that'd be very helpful as well. Thanks!

Simaroubaceous answered 20/5, 2012 at 20:54 Comment(4)
Just curious, why did you look it up in the first place? It's common to use something like nginx as a proxy to serve static assets or pass the other requests to the node app. - Managing
@JustinSoliz Because as far as I know, nginx doesn't proxy websockets. - Simaroubaceous
It was an example; again, just asking why you looked up node-http-proxy? What are you trying to achieve with it? - Managing
@JustinSoliz I was under the impression that having your app listen on a private port and having a proxy forward requests from a public port to that private port is a best practice (from a security perspective). Someone told my friend this, but did not tell him why. That's what I'd like to figure out (or whether that's a valid strategy at all). - Simaroubaceous
The reasons for running a reverse proxy are:

  • You have limited IP ports open and need to run many Node services, each of which needs its own port
  • Your back-end service does not support HTTPS but you need it (e.g. Derby)
  • To add some other feature to the request that cannot be easily done with the back end such as adding Basic Authentication or some form of common logging/auditing
  • To enforce an addition or change to outgoing responses common across several back end services
  • To provide a load-balancing service

Unless your needs are quite simple, it would be better to use a dedicated proxy such as HAproxy since node-http-proxy is rather simplistic.

Mcguigan answered 22/5, 2012 at 11:51 Comment(3)
Actually, node-http-proxy can handle this stuff very well. Nodejitsu uses node-http-proxy in production, and it does almost all of the things on your list. It is used for load balancing and HTTPS certificates, and redirects other ports to port 80. You can also add middleware to modify the requests in node-http-proxy. - Trelliswork
Perhaps I was being a little harsh on it, but the truth is that it is poorly documented and I didn't get any useful support on the issue that I immediately hit when using it with HTTPS. I've no reason to complain - it is made freely available after all - it's just that, when compared against a dedicated proxy tool, it doesn't stack up for production use. Perhaps that could change if it were better documented; it would certainly be nice to have an all-Node toolchain. - Mcguigan
I find many node apps are not well documented... In those cases, the documentation is the code itself (which is not always as nice as reading well-written documentation). - Jugglery
Well, if you're only running one instance of the server, then there's not really a reason. The node-http-proxy docs mention using a single SSL certificate across multiple apps, which is very possible. You can also load balance across several HTTP and web socket servers (say, run 10 socket.io servers for real-time data but only 1 HTTP server to serve out assets and REST APIs). Of course, with one instance these don't provide any benefits.

If you want to run node servers without sudo, maybe you could try setting up iptables port forwarding from port 80 to a port above 1024. See Can I run Node.JS with low privileges?

Trelliswork answered 21/5, 2012 at 0:47 Comment(1)
You can use the same certificate for as many Node "servers" as you like as long as they run from the same IP address. Multiple IP addresses either require multiple certificates or make use of wildcard addressing or the "Server Alternative Name" extension that is not supported on older browsers. You don't need a proxy for this. - Mcguigan
We mainly use http-proxy to have multiple back-end servers behind a single IP, but we also use it to forward https to http. It strengthens our app.

Security-wise, you may have more confidence in the good quality of http-proxy than in your app. The proxy built by nodejitsu is ready for production, and it should be harder for attackers to gain privileges (like reading the private key files) on an http-proxy instance than on your own app (of course this depends on your security development skill and your trust in the open source http-proxy project).

Emsmus answered 21/5, 2012 at 8:3 Comment(0)