I developed a website that will be hosted on a webhosting server with dedicated IP in order to be able to use SSL (https).
This website makes some calls to a node.js app running on a VPS i am hiring. In this VPS i have some sensible data (database) and in the app i have a sensible user and password. I would like to know if the frontend uses SSL is enough to secure my VPS and app.js, or if there are some other actions i should perform.
Also i would be grateful if you can advise which is the best solution to hire: Dedicated IP WebHosting(frontend) + VPS (backend) Versus VPS (backedn and frontend). It's my first website and I need some experienced advices.
Regards,
If Node.js will be running with ssl certificate, then please use passphrase for ssl certificate that will be asked if you run node.js server. This will provide additional security.
Also, you can request for client certificate and reject unauthorized that provide additional layer of security and prevent from man-in-middle attack.
Related
I'm making a hobby project and it involves a NodeJS http server that I access via a web browser (through GET and POST requests). The HTML/CSS/JS part of the webpage is local, not on the NodeJS server.
I understand I need to generate SSL certificates but those ask for things like domain names and stuff.
I simply want to enable HTTPS on my NodeJS server. Right now I'm manually encrypting all messages sent back and forth through AES, but I trust the https security more, I'm not a cryptographer.
Is there an easy way to get those certificates? My NodeJS server is accessible via the internet but only by IP address (port forwarded), and through the express module using HTTP requests.
Do I need to pay for them?
In this case you can take services from Digital Ocean, you can buy subscription as per your choice and deploy your Nodejs app with free SSL certificate.(let's encrypt)
However I recommend you to understand following concepts
Reverse proxy (nginx)
Process managements (pm2)
SSL certificates
I am sure, You would love to go though with starter tutorials from DigitalOcean
https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-20-04
https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04
https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04
As Its a hobby project, otherwise I would have recommended other options.
We use Google App Engine and the provided load balancer to do SSL offloading for our API requests which are served by NodeJs. A third part is using Fortify to determine that even though it is https to the outside, because it is http inside the containers, it is considered a vulnerability.
Everything we read suggests setting the environment up this way.
Is this really a vulnerability and if so, how would we best mitigate against this without having to add paid certificates into our Node app.
Thanks in advance
Is this really a vulnerability and if so, how would we best mitigate
against this without having to add paid certificates into our Node
app.
Yes, the proxy of HTTPS to HTTP is a vulnerability as data is decrypted in transit. However, the connection between the frontend and your application is very hard to exploit outside the Google data center. I am not aware of a method to exploit this item.
In the cloud and on-premises data centers, proxying of HTTPS to HTTP is very popular. This offloads the CPU intensive process of encryption and decryption.
In security, there are almost always exceptions that need to be documented. This is one of them.
For the second part of your question, the proxy is HTTPS -> HTTP. This means that you cannot add your own SSL certificate to your backend code. If you did, you would have connection protocol errors.
If you must mitigate this problem, then you must select a different service and deploy your code with frontends/backends (web servers/proxies/load balancers) you configure and control.
I have a single domain, which is pointed to the frontend(Reactjs) of the application hosted on cPanel. The backend(Nodejs) of the application is on a Linode VPS. The frontend of the application communicates with the backend through APIs.
Every thing was good in development phase but now in production the browser doesn't allows to use APIs with http (Was giving mixed content error) and to resolve this issue I changed it to HTTPS from HTTP and configured nginx with self signed certificate. Now I'm able to make requests from the browser using the IP Address of my server and I don't want to use domain for that but it shows the warning that the certificate is not trusted. How can I resolve this issue as I don't want to use another domain for the backend server.
I have started creating my own nodejs app (for the first time) that I hope to deploy at some point, perhaps to Heroku or another platform.
I need for my app to encrypt traffic namely for user passwords and sessions (note there is no other obviously sensitive data).
I started looking into serving my app using HTTPS (SSL) however I am now wondering if I need this. If my app is to be hosted and deployed using Heroku/other platform won't all requests be trafficked through their servers presumably using HTTPS by default? I am guessing that the request will then be routed using HTTP to my application, although I am struggling to understand how this works. Ultimately I would like to know if I can ignore worrying about paying for SSL certification and such like when it will not matter in this hosting environment?
Help much appreciated. Matt.
If you are using heroku then you must be using paid dyno( hobby or professional) and heroku provides free SSL to all paid dynos. Furthermore if you think that at some point you can switch hosting then there is always freessl available via Let's encrypt.
Heroku serves all requests with and without SSL in default herokuapp url.
Use cloudflare free plan. Open a free account in cloudflare, Copy the DNS. Then set the DNS in your domain service provider (godaddy or sth), then change the Cname config for the website inside cloudflare. Now you have a free certificate.
I'm trying to configure CouchDB to use SSL on IoT devices accessed via IP. I'm trying to avoid adding a webserver as a reverse proxy in an attempt to keep things as lightweight as possible and instead use CouchDb's builtin SSL functionality.
The problem I'm running into is that replication is going to fail Common Name certificate verification because we're accessing via IP. I'm hoping to use a custom verification function to check certificate thumbprint instead. It looks like verify_fun combined with someting like this ssl_verify_fingerprint function is probably what I'm looking for, but I can't figure out how to use it in the config file. How can I update this config line to use a custom function?
verify_fun = {Module, VerifyFun}
I am not sure I understand your question fully. By "nodes" do you mean a Node.js environment? You can configure CouchDb itself to use SSL, but normally you would serve your HTML from a web server and use CouchDb to provide information for the web pages. So users would not directly access CouchDb in that scenario.
The common solution is to configure Apache, Nginx or some other web server as a reverse proxy and SSL end point. You can then redirect incoming HTTPS requests to other services on your server such as Node.js. There are many guides on setting up a reverse proxy with SSL such as this one and this one. You can use "Let's Encrypt" for secure certificates. I hope this helps.