Best practices for setting up a MERN application on AWS - express

I know this is subjective and opinionated, but I just need something to start off from knowing what the best practices may be.
I've got a MERN application running on localhost with the React script currently running on port 3000 and an Express.js application running on port 3001.
Now I'm about to set it up live on AWS and am wondering if I should create it like:
website.com for the frontend React stuff, with nginx routing anything from port 80 to 3000, while it makes calls to api.website.com running on 3001 on the same instance, with website.com and api.website.com having the same IP address.
or
one separate instance for website.com on a different IP address and another instance for api.website.com on a different IP address for API calls? Both are being accessed without having to specify a port.
I'm curious because most of the time I've used APIs, they don't have a separate port, just a subdomain on what I assume was a different IP address and a different instance.
What would be the best way to set this up keeping in mind I want to use SSL?

Serving static applications via SSL is not necessary, but on the other hand, your server application has to be secured. The part of the stack which interacts directly with the database is very crucial and has to be secured against all sorts of vulnerabilities. SSL alone won't do any good unless you follow best practices to secure your Node application.
You can use the subdomain for the Node application and the root domain for the actual site. Also, you can use port 80 for the website and 443 for your Node application by defining different server sections inside your nginx configuration file.
Below are some links where you can find the best practices to follow while deploying node applications on production.
https://www.moveoapps.com/blog/set-node-js-application-production-nginx-reverse-proxy/
https://blog.risingstack.com/node-hero-node-js-security-tutorial/

I would say Nginx exposed to the world, with an SSL certificate and all traffic redirected to port 443.
Everything else bound to 127.0.0.1 and proxied through Nginx. It's simple to set up Nginx to accept requests to api.website.com on port 443 and then proxy them over to 127.0.0.1:3000 or 3001 or whatever.
Then firewall all the other random ports and route absolutely all incoming traffic through Nginx.
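The layout this answer describes, written out as an added nginx configuration example (not code from the answer or the original question); the hostnames website.com and api.website.com come from the question, while the certificate paths and the Let's Encrypt layout are assumed:

```nginx
# Added example, not code from the original answer: nginx is the only
# process exposed to the world; React and Express stay bound to 127.0.0.1.
# Assumed names: website.com, api.website.com, the certificate paths.

# Port 80: answer nothing, just redirect every host to HTTPS.
server {
    listen 80 default_server;
    server_name website.com api.website.com;
    return 301 https://$host$request_uri;
}

# Frontend on website.com, proxied to the React app on 127.0.0.1:3000
# (serving the production build as static files from nginx is the
# usual alternative; the proxy form matches the answer above).
server {
    listen 443 ssl http2;
    server_name website.com;
    ssl_certificate     /etc/letsencrypt/live/website.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;    # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
    }
}

# API on api.website.com, proxied to Express on 127.0.0.1:3001.
server {
    listen 443 ssl http2;
    server_name api.website.com;
    ssl_certificate     /etc/letsencrypt/live/website.com/fullchain.pem;  # assumed: cert covers both names
    ssl_certificate_key /etc/letsencrypt/live/website.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://127.0.0.1:3001;
        # Tell Express who the real client is and that the hop was TLS.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

On the Express side, `app.listen(3001, '127.0.0.1')` keeps the API off the public interface, and the instance's security group should admit only ports 80 and 443.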

Related

IBM HTTP Server configured to communicate with websphere to serve http/https

I have 2 IBM HTTP servers with IPs 10.10.10.2 & 10.10.10.3 with http (port 80) and https (port 443). I also have WAS on 10.10.10.4 with http (port 80) and https (port 443). Now, I have to set up the two http servers with a single domain name and forward http/https requests for dynamic content to WebSphere.
I don't know how to do that. Can anyone help me with that, with an example or a decent document?
I read about virtual hosts and also about the http-plugin, but I couldn't understand the difference or what the specific use of each is.
The HTTP plugin is a WebSphere component that allows the Web Servers to communicate with the WAS Server.
VirtualHost is a configuration inside WAS.
When you deploy any web app, you will associate them with a Virtual Host.
Virtualhost is a collection of supported IP & Port numbers.
In your case, you have a domain name (say test.abc.com that receives requests at 80 and 443)
Create a virtual host that contains two entries
test.abc.com:80
test.abc.com:443
When you deploy a Web App, then associate it with this virtual host.
Generate the generic plugin (I am assuming you have not defined a Web Server configuration in WAS) and copy the generated plugin files to the Web Servers.
The HTTP Plugin would use this plugin file and route requests for Web Apps to the Application Server.
This article is very old, but the basics mentioned here still hold true:
http://public.dhe.ibm.com/software/dw/wes/pdf/WASWebserverplug-in.pdf
HTH
Manglu

How do I force users to access my Play application through SSL?

I have a Play application that I've deployed by running stage within SBT, and then running it from the command line using target/start. I've placed Nginx in front of it and, based on a sub-domain, I have two server blocks--one for port 80, and the other for port 443. The port 80 block just redirects to the https scheme on port 443. This all works great.
To recap:
http://play.mydomain.com/ redirects to
https://play.mydomain.com/ which is a proxy for http://localhost:9000
However, if I just go to http://mydomain.com:9000/, I get access to my Play application directly. There's no SSL, and there's no way I can figure out to keep anyone from accessing it.
What should I do? Should I use Nginx to redirect any access on port 9000 to the URL for the SSL version? Should I firewall port 9000 and only allow local requests on that port? (If so, how would I do that?) Is there some other way of dealing with this that I'm not thinking of?
And how long until the Servlet 3.1 spec is released and I can just deploy the whole thing as a WAR? :-)
You could make your Play application listen only on the local interface (127.0.0.1, for example). That way, nginx can still proxy requests to it but nobody from the outside can access your application directly. No additional firewall setup is necessary.
Looks like you can pass an additional argument to start:
$ start -Dhttp.port=9000 -Dhttp.address=127.0.0.1

Which port should I run WebSockets server on if 80 is already used by Apache?

I created a WebSockets app to provide communication between connected clients, but I'm concerned about corporate firewalls and ISP rules that might block the port 8080 it's using. But the usual HTTP port 80 (that really no one would block) is already used by Apache on that server to provide the functionality for the rest of the app (which is a classic web app running on PHP).
What are my options there? Are my concerns misplaced?
One option is to set up an Apache reverse proxy to make your app available via port 80. See (for example) Running a Reverse Proxy in Apache.

How to set up an internal website?

How do I set up a website that's accessible within a small (office) network? I've only worked on localhost (using WAMP) so far and have no idea where to start. Also, is it possible to access that website through a pseudo domain name/alias instead of an IP?
This is off topic here, and will be covered by lots of basic setup tutorials.
It's exactly the same process, except you need to ensure that clients on the LAN can connect to the webserver running on port 80, i.e. make sure your firewall isn't blocking the access and that Apache is listening on the LAN interface address (the default configs are usually to listen on all addresses).
is it possible to access that website...
Yes, just publish a DNS record for the webserver in your DNS server, or add it to the hosts file on all of the clients.

Can HAProxy front both Web servers and SSL VPN on one IP and port?

I need a Reverse Proxy to front both Lablz Web server and SSL VPN Adito (SSL Explorer fork) by sitting on one IP/port. Failed to achieve that with Nginx. Failed to use Adito as a generic reverse HTTP proxy.
Can HAProxy fall back to being a TCP proxy if it does not sense HTTP traffic?
In other words can it fall back to Layer 4 if its Layer 7 inspection determines this is not HTTP traffic?
Here is my setup
EC2 machine with one public IP (Elastic IP).
Only one port is open - 443.
Stunnel is sitting on 443 and is passing traffic to HAProxy (I do not like to use Stunnel but HAProxy does not have full support for SSL yet, unlike Nginx).
HAProxy must be configured to pass some HTTP traffic to one server (Apache server which fronts the SVN server) and the rest of the HTTP traffic to our Lablz Web/App server.
All non-HTTP traffic must be forwarded to Adito VPN.
This traffic is:
VNC, NX, SMB
... and all other protocols that Adito supports
I cannot rely on the source IP address or port to split traffic into HTTP and non-HTTP.
So, can such config be accomplished in HAProxy? Can any other reverse proxy be used for this? Let me know if I am not thinking right about HAProxy and an alternative approach is possible.
BTW, Adito SSL VPN is amazing and if this setup works we will be able to provide Lablz developers with a fantastic one-click single-login secure VNC-over-HTTPS access to their boxes in the cloud.
No solution exists for this but via Adito; please prove me wrong. But please do not say that VNC over SSH is better. Yes, VNC-over-SSH is faster and more secure, but it is also much harder (for our target user base) to set up and presumes that the user is behind a firewall that allows outbound traffic on port 22 (not always the case).
Besides, Adito is much more than the remote access gateway - it is a full blown in-browser VPN, a software distribution platform and more. I am not associated with Adito guys - see my Adito post on our Lablz blog.
OK, first off, I'd use a simple firewall to divide all HTTP from NON-HTTP traffic. What you need is packet inspection to figure out what it is that is coming in.
Neither HAProxy nor nginx can do that. They are both made for web traffic, and I don't see how they could inspect traffic to guess what it is that they are dealing with.
Update: Looked into this a bit, and with iptables you could probably use string matching to divide the traffic. However, that's all tricky, especially given the encrypted nature. A friend of mine discovered l7-filter, and this looks like what you need. Let me know if this helps.