I have about 5-6 node.js web apps all running off of different ports that proxy to two domains via apache. Can someone guide me on how I would set up SSL for this? Could I just buy one comprehensive multi-domain/wildcard SSL cert and import that into all of my different applications?
I just need to be pointed in the right direction.
For any future lurkers, I recommend using Certbot, and then having the node HTTPS servers pull from that one certificate on the local machine. I wrote an npm module called iomicro that, among other things, does this.
Related
I have two domains abc.com and xyz.com pointing to the same NodeJS server. Based on the domain I want to load the configuration that will persist for that domain i.e. for xyz.com I wanna connect to Database1 and for abc.com I wanna connect to Database2.
How do I go about doing this? Is it even possible or recommended to do so?
I started with loading the configuration on the first request by getting the hostname from req.hostname. Is there any better way to do this?
Multiple strategies -
1. Deploy the same code multiple times but on different ports.
Your reverse proxy sends the request to the correct server. I do this currently by hosting multiple ghost blogs on the same vps. One runs on port 3000, another on 3010.
Pros - Less fragile setup, easier scaling, application need not be aware of operational environment. If one domain comes under attack, the other is not automatically a casualty.
Cons - Might not be possible in resource constrained environments. Deployments can involve repetitive work.
2. Read the hostname
Great option if the feature set is pretty much the same but only the domain name changes. You read the configuration file as you stated depending on the hostname.
Pros - Easier deployment, great option for resource constrained environments.
Cons - Unnecessarily tight coupling, all domains will become unavailable in case of server errors, scaling could be an issue.
Personally, I prefer deploying on different ports unless and until the code requires depending on hostnames. If you are just building a product where some unique identifier needs to be present in the URL like mycompany.slack.com then using subdomains in dns might be a better idea.
Is ngrok a safe tool to use? I was reading a tutorial which recommended to use ngrok test API responses that I make to outside services that need to connect to my endpoints also.
There is no source code available for Version 2.0, considering it started as an open source project in 2014. I am suspect of any code that opens a tunnel to my localhost from the cloud. Pretty scary stuff especially without source code!
It opens up a tunnel to your dev machine, which is partially secured by obscurity (a hard to guess subdomain), and can be further secured by requiring a password. But you're still opening yourself up to ngrok itself, and the company is completely opaque (no address, no employees, no business name, no LinkedIn presence; all I can find is that it has 1-10 employees and is private; not even sure what country its based in). On top of that the code is not open-sourced. No reason to think they're not legit, but not a lot of information available to build trust.
You may be able to use ngrok and other local tunnel services with more security by encrypting the traffic. See https://security.stackexchange.com/questions/177280/end-to-end-encryption-for-localtunnel-ngrok-setup/177357#177357 for more information.
I found good rating, but vacuous information here:
http://www.scamadviser.com/is-ngrok.com-a-fake-site.html
The kicker for me is
https://developer.atlassian.com/blog/2015/05/secure-localhost-tunnels-with-ngrok/
where the Atlassian folks recommend it highly.
I think I am going to use it.
If anyone is concerning compromising their development environment, you can use Docker. There are many ngrok/docker projects but here is the one I chose: https://github.com/gtriggiano/ngrok-tunnel
for macOS, use "TARGET_HOST=docker.for.mac.localhost"
They now offer a service where you locally run only ssh, no need to run any of their code on your machine.
You run something like ssh -R 80:localhost:8501 tunnel.us.ngrok.com http. This connects to one of their hosts and forwards connections they receive back to your machine and the service you run on localhost:8501.
This seems secure to me, the only thing is that you don't know what information they collect and who is connecting to your exposed service. They print all connections, but it's their binary that does this and someone might well listen in without you noticing. You can check connections on your end, but you cannot be sure who it is that connects.
Ngrok is a convenient and highly secure utility for creating tunnels to locally hosted applications via a reverse proxy. This is a utility for publishing locally hosted applications on the web. style="letter-spacing: 0px;">Simply put, any locally hosted application provides a publicly accessible web URL to the . H. Either a Spring Boot or Nodejs based web application, or a webhook for a chat application, etc.
I am a Linux server beginner. In fact I am a beginner at a lot of the stuff I am trying to figure out. Therefore, I suspect much of my troubles are due to the fact I don’t know the right words to figure out what I am trying to do.
I am hosting an Ubuntu Linux server using a mirco AWS EC2 instance. On my server I have a number of server applications running, but one in particular is causing me problems.
I am using an independent free server application that hosts (not on port 80) a webpage for everyone to access. The same application has a pay version which adds a tons of features as well as the feature I need – namely, the ability to password protect the website. The free version I have does not even allow the ability to utilize proxy settings.
I would like to know what I need in order to force the webpage traffic through some authentication system before users have access to the sensitive data.
I have thought of a few possible methods so far:
1) reverse proxy server? (Although I cannot set up the app to use a proxy)
2) Use EC2 firewall IP address restriction to only accept traffic from another server (or my computer), and then require that server to authenticate access.
3) Some sort of access gateway or extra firewall installed on (and on top of) the EC2 instances that requires authentication over top of the running application.
4) Paying for some sort of (reverse) VPN service that forces web traffic through password authentication before allowing access to my website.
5) Some tool on sites like http://www.hidemyass.com that would allow me to use a secured connection.
If someone was to reply with just the simple language that I am missing, that would help immensely.
If you don't want to use a reverse proxy using Apache or Nginx, it will come down to the specifics of you application. What's your application running on ? Rails, Django, Tomcat ? All of these web apps have ways to setup routes that you can use to redirect all your users in case they are no authenticated.
Hope this helps.
I'm a developing a website and the client has decided to provide they're own hosting. They've purchased a mac mini, this is all they require for the scope of the project. They've given me to full access to the server via a remote desktop connection. I'm not too great on this side of things. I'm sure there's a lot of required information I'm not providing for a full answer but any help? I'm not really sure what I'm suppose to be doing with this.
Is your website static (no server side language / database)?
Is it for internet or intranet?
The generic answer would be telling you to enable OS X Apache server, configure a virtual host, edit httpd.conf configuration, configure the static ip, configure the DNS servers, etc, etc, etc. Quite a lot of steps (but most are simple).
Take a look at this serie of articles: http://oreilly.com/pub/ct/49
What is the easiest free method of encrypting my web traffic? I'd like to be able to log in to sites on my web server without sending my password in plaintext.
Edit: My web server is running on the LAMP stack , although it is a shared host so I don't have root.
Get an X.509 certificate (for example, generating your own, or getting one free from StartSSL), and use it to set up SSL—a server-specific configuration task.
If you can't configure a new listener in your web server, there's not really a good option. In theory you could do a little hacking with some JavaScript crypto library, like JavaScrypt, and come up with something safe. I've toyed with several options but I don't know enough about it to come up with anything I feel confident about.
I don't know your circumstances, but if it were me, I'd consider another host.
https
Use a self-signed certificate.
Tell us your web server software for a detailed implementation description!
Since you don't have root your best bet is to contact your hosting provider and see what they can do for you. You may already have SSL access (try using https://yourdomain.com) using a self-certified key.
You should be able to talk them into installing a StartSSL key for you. This provides you with SSL encryption and browsers won't complain that it isn't signed by a valid Certificate Authority.
As stated above, publishing your own certification is free, however knowing more about your environment, may get you more specific answers. Are you running IIS? What will you be logging into that needs encryption? Are you using Windows Servers on the back end?
use Digest Authentication. Since you're on LAMP, you can configure it on Apache with mod_auth_digest.
Since you are trying to reduce costs, any ssl solutions will probably not be an option.
First it requires a signed certificate that cost a bit, the free ones is not always included in all web browsers.
Second to be able to utilize an ssl certificate your server ip must be dedicated to you. This is not the case in every cheap web hosting option. There are technologies that in the future will make it possible to host multiple ssl enabled sites on a single ip, but it's not here yet.
As mentioned before Digest Authentication is one option that doesn't require ssl certificate or dedicated ip.
It's a method of authentication that doesn't reveal your password even though everything else in the communication is unprotected.
In Apache this can be applied in individual directories by specific .htaccess files.
I'll repeat the previous link on mod_auth_digest.
This one is usually already installed on most servers so you won't have to ask you web hosting provider.
You don't always require root access to setup Apache to use SSL, but you will likely need to modify config files, which is either done thru your providers interface, or via files via a shell account. Either way you will need a server certificate; either self-signed, from a major company like Verisign, or one of the smaller free places like cacert.org. As noted by others, this does require a dedicated IP to your server or instance on the server.
I would recommend SSL first, but mod_auth_digest isn't a bad backup idea.