There is a front-end npm server hosted on a public port 80 in my production environment. I can launch a remote web browser client of this front-end server using its public hostname, e.g., http://hostname:80, and successfully load the webpage.
The Javascript in this app makes HTTP GET/POST requests to a back-end server to fetch some data on the URL: http://hostname:5000. This back-end server is running on the same production environment but on a private port, e.g., 5000, i.e., this port will not be visible outside the firewall.
As I understand it, this HTTP request is essentially made from the remote web browser client sitting outside the firewall. Due to the Firewall (UFW) policy, any request made from this client on private port 5000 gets blocked.
I do not want to allow the private port 5000 in the UFW, and I do not want to run the back-end server on a public port of the production server.
What are the solutions for this?
I have heard about the Nginx proxy server which redirects client connections on a public port (80) to a Node application running on a different port (3000).
Reference: https://blog.logrocket.com/how-to-run-a-node-js-server-with-nginx/
However, I am not certain if the Nginx server would be able to handle the client requests beyond the UFW rules.
The majority of request information is sent to the backend from the proxy.
A request sent through the nginx proxy will act like a request directly to the backend.
Some fields may not be passed, for example:
From nginx.org:
By default, nginx does not pass the header fields “Date”, “Server”, “X-Pad”, and “X-Accel-...” from the response of a proxied server to a client. The proxy_hide_header directive sets additional fields that will not be passed
Related
Is there any way to use express or other nodejs librarys to to design an api and deploy it pasting files as a resource path in a web server just like react.
My web server just listen on ports 80 and 443.
I have pages on domain.com/page1 domain.com/page2.
and i want to deploy an api listening on domain.com/page3 but i cant install a nodejs server and proxy requests to page3 to it.
Thanks a lot
There can be only one web server listening on a given port. You can directly "listen to a path", only a port.
So, if you already have an existing web server running on ports 80 and 443, then these are your options.
Modify your existing web server to add your API server code to it so it can handle requests for http://yourdomain.com/page3 and https://yourdomain.com/page3 directly with your API.
You can add some middleware to your existing web server to make it a proxy for http://yourdomain.com/page3 that will redirect requests to your http://yourdomain.com:3000/page3 Express-based API server.
Run your own Express-based API server on your own separate port and access the API server directly via the separate port such as http://yourdomain.com:3000/page3.
You can install a proxy such as nginx in front of your existing web server and have it redirect incoming requests to http://yourdomain.com/page3 and https://yourdomain.com/page3 to the separate port that your Express-based API server is running on.
I am running both the react app on 0.0.0.0:5000 and expressjs api server on 0.0.0.0:3000 .i.e. instead of accessing them via localhost I am using my machines ip on home network which is
192.168.0.7:5000 (for react app)
192.168.0.7:3000 (for api server)
I have to test this on different devices connected to my home wifi. However the app is unable to allow set cookie
this set cookie was blocked because its domain attribute was invalid with regards to the current host url
as per suggestions over net added proxy to package.json of react app
and in changed cookie domain in api server setting to 192.168.0.7:5000 (address for react app)
below is the screenshot of the network request in chrome
I have a containerized Docker ASP.NET Core application created with
mcr.microsoft.com/dotnet/core/runtime:3.1.3-alpine
When launched the only reference to the port is this ENV variable from the base image
ASPNETCORE_URLS http://+:80
I deployed the app to Azure, setuped the registry and created a new Web Application.
I setup the TLS/SSL settings for working with https only.
Everythings works.
Question:
I want to know how this is possible since I don't config the certificate on my container, I suppose the Kudu service (the reverse proxy) rebind the 443 port to the 80 of the container. Is this true ? The plain http traffic between Kudu and the container on port 80 can cause a possible security hole ?
If I deploy a container with NGINX as a reverse-proxy for ASP.NET Core I must configure the TSL/SSL into NGINX ? On ASP.NET Core ? None at all ?
I want to understand how Kudu, NGINX, and the reverse proxy in general works with and without SSL/TSL
With a Reverse Proxy the client never connects to the HTTP server in your application, in your case Kestrel. The connections you get are requests coming from the Reverse Proxy, and you send your responses back to the Reverse Proxy. Most HTTP stuff is copied from the incoming client request and passed along to your application, but the Reverse Proxy can terminate the SSL tunnel, offload the Authentation, and perform other request transformations.
I am able to connect to my Nodejs API server through aws by entering url such as ip + :3000. Now I do not want to show port no 3000 after url. is there any way to hide this or this will be there compulsory?
You can't do this on the client side. You need to do one of:
Have your nodejs server running on port 80/443
Run a webserver (apache,nginx) on your nodejs server as a reverse proxy
Use a load balancer.
In my Amazon EC2 instance I have a Pyramid server as well as a NodeJS server running. The NodeJS server acts as the frontend and I updated my security groups so I can use the public DNS to view the page.
The Pyramid server acts as a backend and the frontend accesses it by http://0.0.0.0:8002/. But when I do an http call to the backend I get a Failed to load resource: net::ERR_ADDRESS_INVALID error message.
Do I need to add a rule to the security groups, or update the iptables, or something?
If both of these services are running on the same server, you shouldn't be sending network traffic out of the server and back, so security groups will not be an issue here.
The question is, why are you using 0.0.0.0 here? I think you probably configured the Pyramid server to listen on 0.0.0.0, which really means "listen on all IP addresses". However you need to be using http://127.0.0.1:8002/ or http://localhost:8002/ in order to connect to the service from another service running on the same server.