If I were to host a simple Node API (or any API for that matter), such that on requesting the hosted URI path, it must return an object to the client.
For Example:
If a client makes a request to the API, the API must return the IP address along with the request type.
I'm particularly worried about the hosting part, not the implementation of the API itself as I'm already well aware of it.
Any suggestion or resource links are appreciated.
PS: Not very familiar with hosting server or Devops.
I am not sure, if I understood your question propery.
PS: Not very familiar with hosting server or Devops.
You should definitely be familiar with system administration on the respective operating system and environment. Which you haven't mentioned.
I almost downvoted your post, because it's not even a real question. I'd recommend to consult your favourite search engine first.
Try heroku they have nice documentation and free hosting
https://devcenter.heroku.com/articles/getting-started-with-nodejs#introduction
Related
Our team is currently working on an Web API that runs in ExpressJS and is deployed via Google Cloud Functions. We've moved beyond our core MVP deliverable and now have time to beef up more of our security/logging features.
Being paranoid (as you should be when developing security) I would like to protect our api from malicious code introduced from one of our npm packages.
I understand that there are many attacks possible if this were to happen. But I would like to protect against the class that send information to the attackers server.
Is there a way to monitor/whitelist all outbound requests? Perhaps by wrapping the Node process itself or utilizing a feature created by Google.
Thank you very much for reading my question, and stay safe!
👋
This is late, obviously, but I still think it's a relevant question that probably many (should!) think about.
We've had a bit of experience with Puresec Function Shield which works for AWS Lambda and apparently also Google Cloud Functions. One of its features is in fact about blocking outbound network traffic.
You should also be able to put your function in a VPC and set its firewall rules to disallow any traffic that is not conformant to your own known ports and sources.
Hope that helps any late-comers into this question.
I currently have a website where I need to use node.js, I am not able to use node.js however, because the web host does not support it. What is the best way I go about hosting a server without having to completely change hosts?
[…] without having to completely change hosts?
If your current hosting provider doesn't support nodejs and you want to use nodejs, then you have to change hosting provider. Sorry.
I can recommend Google Cloud Engine. You can create a virtual machine, e.g. running Fedora, access it via SSH and install what you need, i.e. apache2, nodejs, etc.
If you're not comfortable with that, you should go for a managed hosting solution instead. It will probably be a little more expensive, and you'll have less flexibility in what programs you can use (since you share your virtual machine with other customers and can't make changes to the system yourself), but on the upside, most of the setup is done for you. There are many providers you can choose from; google "managed hostinig with nodejs" if you want an overview. I have used 1and1 before and was mostly happy with it. As you can see here, they have nodejs installed on their servers.
Your question makes hardly any sense... but
Heroku is really great for Node.js app hosting
I am concern, about how secure is to use the drivers as code in the client.
I mean, to connect to the database, you have to put the username and the password in the code ! that is not secure! somebody could just grab the code from the cellphone (reverse engineering) and get the user/password !
Also you have to put the queries in the code. somebody could manipulate that.
You shouldn't be exposing mongodb to the internet. Instead your mobile app should talk to a server app, which, in turn, will talk to private instance of mongodb (not available to the world, only to the server app).
And in that server app you can make necessary authentication and checks.
In addition to Sergio's answer, we also recommend that you utilize environment/config variables to avoid hardcoding your URI in the app.
You can read more on the topic here: http://12factor.net/config
Feel free to email us anytime at support[AT]mongolab{DOT}com as well if you have questions regarding your MongoDB and security.
The drivers are safe, but they are not for provide web services to the internet. What it is need is an API, that communicates with the driver (in Python, in Java, in C#, ...).
There are a lot of APIs out there to do that. Then you have to modify and extend that API according to what exactly you need.
Hello there and thanks for reading my question.
I am looking into Amazon Cloudfront (CF) at the moment and need to define exactly the steps to setting up CF with our own origin server before I can proceed past inputting payment details. The basic steps I have been able to find out through Googling are:
Register with CF
Set-up a CF distribution (this is where you register your origin server)
Update your resource references on your site
The problem I am having is with step 2. Although Amazon describe it as a simple API call, I am still not quite sure exactly what this means and what I would have to do to perform this call.
A lot of bloggers/forum posters suggest using a third party software like CloudBerry - the problem is is that CloudBerry costs to do the CF/origin server bit and I only need to do it once (everything else after that can be handled by the AWS management console.
I have looked at loads of other similar pieces of software but have found them to either error on download or on install or not have the functionality I am looking for on the Windows version!
Now, this page describes how to setup the origin server manually (http://docs.amazonwebservices.com/AmazonCloudFront/latest/DeveloperGuide/) but I am still not sure exactly how this is performed.
Has anyone done this before and can offer some guidance or step on how to do this?
Many thanks in advance!
Greg
I had success using Fog gem. Once you establish a connection to the Amazon API, it was painless to create a distribution.
cdn = Fog::AWS::CDN.new(
:aws_access_key_id => YOUR_ID,
:aws_secret_access_key => YOUR_SECRET_KEY
)
cdn.post_distribution(options = YOUR_OPTIONS_HASH )
And with that you should receive a 201.
The documentation is great, too.
Cloudbuddy (http://m1.mycloudbuddy.com/downloads.html) is free and you can use it to setup the Cloudfront custom origin. Windows only, unfortunately, but you only have to use it once, right? :-D
This page walks through the custom origin server in a bit more detail http://docs.amazonwebservices.com/AmazonCloudFront/latest/DeveloperGuide/index.html?CreatingDistributions.html. The API call you need to make is to create a new distribution which points at your custom origin server. Basically you would craft the request as described and post it to amazon's web services.
Amazon just updated their CloudFront Management console to support features that were previously only available through their API, so you should be able to configure it without using the API.
http://aws.amazon.com/about-aws/whats-new/2010/11/09/cloudfront-adds-support-for-custom-origins-and-sla/?ref_=pe_2170_19753730
Heroku seems great, but most non-trivial applications require authentication, and conventional authentication schemes require an SSL connection, and it's impossible to get https://your_app_name.com (you can only get https://your_app_name.heroku.com).
So if you're using Heroku, is it that:
You don't mind directing users to
another domain (seems pretty
bad)
You don't mind foregoing
SSL for authentication (seems really
bad)
Your app doesn't require authentication
This is now a moot point. According to the documentation (http://docs.heroku.com/ssl, see http://addons.heroku.com/ for pricing), Heroku now allows custom domains to have SSL through their SSL Endpoint addon.
https://devcenter.heroku.com/articles/ssl-endpoint
Heroku also just announced support for SNI. This will allow them to attach SSL to any domain hosted on Heroku's service. It is still in beta but should get pushed to every one soon. Heroku continues to improve their security offerings.
Hey, it's James from Heroku. The inability to use SSL with a custom domain is a problem shared by all multi-tenant platforms, due to a fundamental issue with the SSL protocol. A solution is in the works, we'll post details as soon we've finalized the plan.
I'm using Twitter's OAuth for authentication on my apps (via twitter-auth).
Generic OpenID or even Facebook Connect would work just as well, as each of these handle the sensitive bits of authentication on somebody else's server.
Authlogic is an authentication gem that has has plugins for each of these methods.
However, SSL is now fully supported on Heroku, if you're willing to pay a price that reflects the difficulty in getting SSL to work in a multi-tenant environment.
You can use a custom domain name in Heroku. This is not included in the free account though. Also Heroku makes it dead simple to deploy Ruby on Rails apps. Deploying a Ruby on Rails application on a cheap hosting provider that only gives you limited if any shell access can be a nightmare. Not mention Heroku's server already preconfigured to optimize Ruby on Rails code, likewise scaling up is just a matter of sliding a scale on the user interface.
With Heroku you can use custom domain names (in the free version too).
Scaling is easy, very easy, and they are making it better and better (i'm testing memcached and work like a charm, delayed job, the backup system and the git integration are great too).
The only problem for me, as you wrote is the SSL...