How are Express.js files not exposed when deployed to the server? - node.js

This may seem like an odd/broad question, but how does a server know not to render Express.js files and not to expose the content, similar to how anyone can see a javascript file and read the script being executed? Do node servers like Heroku protect them? Sorry, just new to express and node. Is it similar to how PHP syntax/scripts are hidden and protected in an Apache server?

It depends on the server configuration. On a poorly configured server, the .js files might be accessible.
With a nodejs/expressjs server you define a base folder that contains public files, e.g. public, and files outside of that public folder are not visible, because the server doesn't serve them to the outside. If you configure the wrong directory, e.g. '.', then the expressjs code files would be available to browsers and would be rendered as-is to them, potentially revealing unsafe data like configuration, passwords and so on. Since the default configuration and all code examples make sure that public is defined as the public folder, the risk of accidental misconfiguration is low.
If you run an apache httpd or other webserver on the same host, you have to make sure that the node application is not inside the webroot of any vhost, otherwise the files might also be visible, because to the apache httpd they also look like simple static files, ready to be sent as-is to the browser.
It is different from PHP files, at least in the case of apache httpd or nginx, because those are usually configured so that PHP files are files to be executed, not static files to be served to the outside. However, if the apache httpd or nginx doesn't know about PHP, either because it isn't installed or isn't configured, then PHP files inside the webroot would also be shown to the public as-is. Display of files for the apache httpd can be prevented using .htaccess files.

Related

Elastic Beanstalk Node Static Files are not Loaded

I am having trouble serving my static files on Elastic Beanstalk using NodeJS deployed on Linux 2. My local environment works, but my deployment is unable to serve the static files located in a top-level static folder called 'public'.
My configuration is as follows:
option_settings:
  aws:elasticbeanstalk:environment:proxy:staticfiles:
    /images: public/images
    /javascripts: public/javascripts
    /stylesheets: public/stylesheets
I am certain that the configuration is processed correctly because I can view the results of the static file configuration within the AWS UI. When I navigate to the home directory of my site (using the http:// protocol), the HTML page is loaded, but the CSS and JS under the public directory are not. The error I get is as follows:
GET https://<domain name>/stylesheets/layout.css net::ERR_CONNECTION_TIMED_OUT
Note that the https:// protocol is used. From my understanding, the reason my local environment works is that my application serves the static files with the correct protocol. Here are my questions:
Why are my static files being served with protocol https:// when I request my home directory using http://?
I don't want to serve my static files through the application to reduce the number of requests to my application, noted here: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html#command-options-general-environmentproxystaticfiles. Is there anything actually wrong with the configuration?
Issue was resolved. I am using Helmet JS for Content Security Policy (CSP), and it has a directive for converting insecure requests to secure ones: upgrade-insecure-requests. Make sure to remove that in the development phase for a site that is relying on http:// for content. Best practice is to use https:// when possible.

What are the security implications of installing NodeJS in the public HTML folder?

I'm running NodeJS for my server-side javascripting, but serving my pages with Apache.
My pages currently reference Socket.IO locally, in that they load the node_modules/socket.io-client/dist/socket.io.js from the /var/www/html
The NodeJS index.js file also resides in /var/www/html which has become a problem for me.
Can I move my NodeJS index.js file to /var/www so it is no longer publicly accessible, without needing to move node_modules from /var/www/html, which Socket.IO is relying on to be publicly accessible?
When using Node.js to serve the Webpage:
Your server's root directory is typically not publicly visible. Requests to your server get handled by the routes you set up in the index.js file. By default, no files are accessible. However, if you need a public folder (e.g. for the favicon file or an index.html file), I would recommend creating a subfolder in your root directory and using for example express to make it available.
When not using Node.js to serve the Webpage:
If you need Node.js for client-side logic, you should just use normal javascript (for example this in the case of WebSockets). Node.js is a server-side application where you run javascript on the server. So on the client side, there is no need for Node.js. If you need certain npm packages, SubStack on GitHub has a module called node-browserify. It will compress and bundle your modules and deliver them as a single js file, but you use it just like Node.js.
If you need Node.js for server-side logic, then there is no need to make it publicly available and you should change your current server configuration to not make it accessible from the browser.

Saving and accessing files on a mounted drive in nodejs

I have 3 servers running as a cluster managed by flynn (a bit like heroku) which I can attach a shared drive to so that in theory they all have access to the same files.
However I'm a bit unsure if it's possible to access a mounted drive from my nodejs app to save and access files.
Can anyone shed some light on whether this is possible and roughly how I'd go about doing it?
With node.js, your file system path has literally nothing to do with the URLs that your server supports. node.js servers do not serve ANY files by default (unlike some other servers).
If you want an incoming browser request for http://example.com/uploads/test.jpg to read a file from /mnt/shared/uploads, then you have to create a web server route handler that includes the incoming path http://example.com/uploads/test.jpg and then reads the data from /mnt/shared/uploads and writes that data out as the http response.
Depending upon what web server environment you are using, there are helpers to do that mapping. For example, express has express.static() that helps with some auto mapping. But, the web server by itself does not serve any files like this automatically.
So, if what you want is that all incoming requests for http://example.com/uploads/* will be read from /mnt/shared/uploads/*, then you can use express.static() to help you do that like this:
app.use("/uploads", express.static("/mnt/shared/uploads"));
This will take any path it finds after /uploads and look for that path in /mnt/shared/uploads. If found, it will automatically serve the content as static content.
So, it would work like this with the incoming URL shown first and the place express.static() would look for a matching file:
/uploads/test.jpg ==> /mnt/shared/uploads/test.jpg
/uploads/bob/test.txt ==> /mnt/shared/uploads/bob/test.txt

Node Application to run in a sub-folder under Apache

I have a simple node/angular application and I would like it to run under a sub-folder of an apache/php application.
What I mean:
At the moment the node app runs under this url http://www.mysite.com:8080. I need the application to run under http://www.mysite.com/nodeapps/applicationName/index.html
Do I need to change something in my apache configuration except moving the application under that folder?
The node app now is under /opt/applications/node/applicationName
I am new to Node.js so please make sure that you explain your solution in details or else I am going to get even more confused :)
Apache simply serves files. However, your node application will also serve files without the need of an extra server. So you don't want your node.js files to be in a folder served by Apache (this will make the source code public which you probably don't want in most cases). Instead, the way to go is to run node.js on a custom port (like the above http://www.example.com:8080) and to redirect from apache to that port like so:
RewriteRule /nodeapps/applicationName/(.*) http://localhost:8080/$1 [P]
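As an added example (not from the answer above), here is the fuller Apache 2.4 virtual host fragment that the one-line RewriteRule sits in, using the path and port from the question. The hostname is a placeholder, and the LoadModule lines are illustrative: module paths differ by distribution (on Debian/Ubuntu the equivalent is a2enmod proxy proxy_http rewrite).

```apache
# Added example, not the answer's own configuration. Proxies
# /nodeapps/applicationName/ to the Node process on 127.0.0.1:8080 while
# keeping the Node source tree out of anything Apache will serve as files.

# Needed for the [P] rewrite flag and for ProxyPass. Paths vary by distro.
LoadModule rewrite_module    modules/mod_rewrite.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/html

    # The Node app lives outside DocumentRoot. Deny it explicitly anyway, so
    # that no later Alias or symlink can turn the source into static files.
    <Directory /opt/applications/node>
        Require all denied
    </Directory>

    # Forward proxying must stay off; only the reverse proxy below is wanted.
    ProxyRequests Off
    # Pass the original Host header through so the app sees www.example.com.
    ProxyPreserveHost On

    # Option A: the rewrite from the answer, anchored, with [L] to stop
    # further rule processing. ProxyPassReverse rewrites Location headers
    # coming back from Node so redirects stay under the /nodeapps prefix.
    RewriteEngine On
    RewriteRule ^/nodeapps/applicationName/(.*)$ http://127.0.0.1:8080/$1 [P,L]
    ProxyPassReverse /nodeapps/applicationName/ http://127.0.0.1:8080/

    # Option B: the same mapping with plain ProxyPass (use one or the other).
    # ProxyPass        /nodeapps/applicationName/ http://127.0.0.1:8080/
    # ProxyPassReverse /nodeapps/applicationName/ http://127.0.0.1:8080/
</VirtualHost>
```

Two points to check after applying it. First, the Node process should listen on 127.0.0.1:8080 rather than on all interfaces, otherwise the app remains reachable directly on port 8080 and bypasses Apache entirely. Second, the prefix is stripped before the request reaches Node: a request for /nodeapps/applicationName/index.html arrives at the app as /index.html, so any absolute links or asset paths the app emits must include the /nodeapps/applicationName prefix, or the app must be told its mount path.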

[NodeJS] Is my backend code secured?

I'd like to create a simple site on NodeJS. For example, it has two files, app.js (the main application file) and router.js (a url file). I'd like to know: is it possible for anyone just to access mydomain.com/router.js to get the source code of my application? I'm asking 'cause for example in PHP you can't just access the php; as you know, the server just gives you the result of the work of this PHP file, but not the file itself. So, how to make my nodejs-app invisible for public access? Thanks!
I make sure that all files for Node.js are never in a path that is served by another web server such as Apache. That way, there is little danger of the source ever being served by accident.
My node programs and files go in /var/nodejs with a sub-folder for each application in Node. By default of course, Node will not serve ANYTHING unless you tell it to.
At the root of my Apache configuration, I make sure that ALL folders are secured so that I explicitly have to enable serving on any folder structure even under the /var/www folders that I use for all Apache sites.
So you are pretty safe with a default setup of Node and Apache as long as you keep the folders separate. Also Node will not serve source code accidentally, you would have to set up a Node server that read the file as text and wrote it to the http stream.
That depends on how you are using Node.js and what you are using for a web server in front of it. Unlike PHP running as CGI or as a module in Apache, node and the node application itself is a server.
If you have a webserver with your node source directory exposed then the url you provided in the question will most likely result in your source code being served. Even if you were using Apache and proxying to node, there is usually no output filter involved. Instead requests are passed to the backend node server which interprets them.
