So I have a peculiar setup to work with. The main server is your standard off-the-mill Apache server with SSL enabled bound to a public domain (NOT localhost!). My Node.JS server runs on localhost:8080. They both run on the same machine so there are no network security considerations.
I have successfully setup a ProxyPass and VirtualHost for port 8080.
httpd.conf:
SSLProxyEngine on
ProxyPass /mycustompath http://localhost:8080
http-vhosts.conf:
<VirtualHost *:8080>
ServerName example
ServerAlias *.example
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
ProxyPass /mycustompath http://localhost:8080
ProxyPassReverse /mycustompath http://localhost8080
SSLCertificateFile "mypathto/server.crt"
SSLCertificateKeyFile "mypathto/server.key"
</VirtualHost>
The URL points internally to the http://localhost:8080. Using Postman I was able to confirm that the entire setup works properly.
However, I am unsure if this is safe and if SSL is used properly. Does Apache handle the SSL and the forward the decrypted request or is the connecting client fully redirected to the Node.JS server on localhost? Right now I am not using HTTPS in my Node.JS server code. Do I need to?
Additional note: I have tried without the SSLProxyVerify portion in http-vhosts.conf, but then I get an SSL handshake error. I assume the Apache server is expecting the Node.JS server to have SSL enabled in this case.
So I have a peculiar setup to work with. The main server is your standard off-the-mill Apache server with SSL enabled bound to a public domain (NOT localhost!). My Node.JS server runs on localhost:8080. They both run on the same machine so there are no network security considerations.
I have successfully setup a ProxyPass and VirtualHost for port 8080.
httpd.conf:
SSLProxyEngine on
ProxyPass /mycustompath http://localhost:8080
http-vhosts.conf:
<VirtualHost *:8080>
ServerName example
ServerAlias *.example
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
ProxyPass /mycustompath http://localhost:8080
ProxyPassReverse /mycustompath http://localhost8080
SSLCertificateFile "mypathto/server.crt"
SSLCertificateKeyFile "mypathto/server.key"
</VirtualHost>
The URL https://example/mycustompath points internally to the http://localhost:8080. Using Postman I was able to confirm that the entire setup works properly.
However, I am unsure if this is safe and if SSL is used properly. Does Apache handle the SSL and the forward the decrypted request or is the connecting client fully redirected to the Node.JS server on localhost? Right now I am not using HTTPS in my Node.JS server code. Do I need to?
Additional note: I have tried without the SSLProxyVerify portion in http-vhosts.conf, but then I get an SSL handshake error. I assume the Apache server is expecting the Node.JS server to have SSL enabled in this case.
Share Improve this question asked 2 days ago bblizzardbblizzard 7285 silver badges8 bronze badges 2- 1 This question might be more suited for security.stackexchange – Mureinik Commented 2 days ago
- 1 Thanks! I'll do that. In case anybody stumbles upon my question here, this is the new URL: security.stackexchange/questions/280612/… – bblizzard Commented yesterday
1 Answer
Reset to default 0As you guessed correctly, the traffic from Apache to your NodeJS applications is being sent unencrypted.
ProxyPass /mycustompath http://localhost:8080
So anyone having access to your VM could look into said traffic - which might OTOH then be your smallest issue :)
And yes, there are documents out there that explain to set up TLS certificates for use in Node.