node.js - Nodejs, PM2, and nginx deploying security?


There are a few guides online that show how to run Node.js on a server, but they tend to skip a few details on security. This is a bit of a loaded question, and I'm not sure where to begin. I'm wondering if you could clarify the following details.

First, the setup:

  • I have installed Node locally as a non-sudo user because running Node as admin is a bad idea:

    /home/appuser
    |--- nodejs/               # node install
          |--- bin/
          |--- include/
          |--- lib/
          |--- share/
    |--- app/
          |--- node_modules/
          |--- public/         # holds html templates, static files, and uploaded files
          |--- core/           # holds main app js files
          |--- app.js          # main nodejs program
          |--- config.js       # configuration, holds authentication details and other config stuff
          |--- package.json

    I can run the application using pm2 by doing pm2 start app.js.

    My nginx configuration:

    server {
        listen 80;

        server_name mydomainname.com;

        location / {
            proxy_pass http://localhost:8080;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }

My concerns are:

(1) Application - should the main app/ live inside /home/appuser?

  • Is there any danger in having the app files live inside a non-sudo user's home? If so, where should the app files live?

  • I'm wondering if public/ should be in a different place and not live in the same folder as the application files. I wouldn't want the application source files to leak out, since config.js holds sensitive information such as database auth details and email auth details.

    If it should be moved, where should /public live relative to app/?

  • Right now the permissions on app/ are set with chown -R appuser:appuser app/, so the user owns the files. Are there other permissions I should set on the application folder?

(2) PM2 - since I installed nodejs and the modules locally, how do I safely have pm2 restart the nodejs app after a server restart?

  • My understanding is that pm2-init.sh lives in /etc/init.d/, and this happens automatically if I had installed pm2 globally with sudo.

    How should pm2 restart the app safely using a non-sudo user?

(3) nginx

  • How can I safely serve public/ through nginx if it is served like this:

    http://mydomainname.com/public

  • My app handles the routes and should throw a 404 if a route is not found. Is it possible to work around this and maliciously make the app or nginx browse other directories?

    i.e., outside of the app directory

    http://mydomainname.com/../../etc/path/to/secrets 

    or, locally in the app

    http://mydomainname.com/public/../../config.js 

    Are there security precautions I can set in nginx or nodejs to prevent this, if possible?

  1. The way I adopted is to have the files owned by node:node-developer, and to start the app under the node user. node-developer is the group for the developers. And set the file permissions to 770.

  2. Write a simple shell script that logs in as the node user and starts the pm2 init scripts.

  3. Solved using proper permission settings. nginx runs under the nginx user. If the files are public, make them nginx:nginx. If a user requests public/../../something, nginx does not have the rights to access it.

