
Why might running node.js on port 80 not be safe?

I'm aware that nodejs can run on port 80 by:

  • setting up a proxy with apache/nginx
  • setting up a port redirection with an iptables rule
  • making express listen on port 80 within the app

The first option isn't the easiest and requires more dependencies than I need. The second one could work, but on my OpenVZ VPS it won't (and I can't compile a custom linux kernel).

I needed to handle some sub-domains too, and after reading this stackoverflow answer, I tried the third solution. It's working perfectly and is very easy to perform.

I was wondering if there might be some security issues while running nodejs directly on port 80? How may I fix/find these?

I wanted to use pm2 to handle the processes and it might run not as root (Goodbye node-forever hello pm2).

> The first option isn't the easiest and requires more dependencies than I need

Please review "why should one use a http server in front of a framework web server" for the many valid reasons you should in fact do it this way.

> setting up a port redirection with an iptables rule

This is probably better than directly having your node process listen on port 80, although I haven't seen this type of configuration used in production.

> making express listen on port 80 within the app

This is functionally a poor choice because you don't get the benefits outlined in the linked answer above, however, from a strictly security standpoint, the key thing to remember is you must not run your node process as root, which would be a horrendous security problem. You must be root to bind to port 80 because that's a rule of unix, but you can and must change to a less-privileged user immediately after binding to that port.
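The bind-then-drop sequence described in the answer above, as an added example that is not part of the original question or answer. The account and group name `nodeapp` and the `serve` command-line argument are assumptions made for illustration; the plain `http` server stands in for the Express app.

```javascript
'use strict';

// Drop root after the privileged bind. `proc` is injectable so the logic can
// be exercised without root; in production pass the real `process`.
function dropPrivileges(proc, user, group) {
  if (typeof proc.getuid !== 'function') {
    throw new Error('POSIX uid/gid switching is not available on this platform');
  }
  if (proc.getuid() !== 0) return false; // already unprivileged, nothing to drop

  // Order matters: supplementary groups and gid first, uid last.
  // Once the uid is no longer 0 the process may not change its groups.
  proc.setgroups([group]);
  proc.setgid(group);
  proc.setuid(user);

  // Fail closed: refuse to serve if any root identity is still in effect.
  if (proc.getuid() === 0 || proc.geteuid() === 0 || proc.getgid() === 0) {
    throw new Error('privilege drop failed: still running as root');
  }
  return true;
}

function serve(port, user, group) {
  const http = require('http'); // loaded here so the helper above has no dependencies
  const server = http.createServer((req, res) => res.end('hello\n'));
  // The listen callback fires once the socket is bound, so no request is
  // handled while the process still has root.
  server.listen(port, () => {
    try {
      dropPrivileges(process, user, group);
    } catch (err) {
      console.error(err.message);
      process.exit(1);
    }
    console.log(`listening on ${port} as uid ${process.getuid()}`);
  });
  return server;
}

// Hypothetical invocation: `sudo node app.js serve`, with a dedicated
// unprivileged account named "nodeapp" (assumed, create it beforehand).
if (process.argv[2] === 'serve') serve(80, 'nodeapp', 'nodeapp');
```

Files the app needs after the drop (logs, uploads, TLS keys read at runtime) must be readable by the unprivileged account, since root's access is gone once `setuid` returns.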
