node.js - Nodejs, PM2, and nginx deploying security? -


there few guides online show how nodejs running on server, tend skip on few details on security. bit of loaded question, , i'm not sure begin. wondering if clarify following details.

first, setup:

  • i have installed node locally non-sudo user because running node admin bad idea:

    /home/appuser     |--- nodejs/               # node install             |--- bin/             |--- include/             |--- lib/             |--- share/      |--- app/             |--- node_modules/             |--- public/        # holds html templates, static files , uploaded files             |--- core/          # holds main app js files             |--- app.js         # main nodejs program             |--- config.js      # configuration holds authentication details, other config stuff             |--- package.json

    i can run application using pm2 doing pm2 start app.js.

    my nginx configuration:

    server {     listen 80;      server_name mydomainname.com;      location / {       proxy_pass http://localhost:8080;       proxy_http_version 1.1;       proxy_set_header upgrade $http_upgrade;       proxy_set_header connection 'upgrade';       proxy_set_header host $host;       proxy_cache_bypass $http_upgrade;     } }

my concerns are:

(1) application - should main app/ live inside /home/appuser?

  • any danger in having app files live inside non-sudo user home? if so, should app files live?

  • i'm wondering if public/ should in different place , not live in same folder application files. wouldn't want application source files leak out, config.js holds sensitive information database auth details , email auth details.

    if should moved, /public live relative app/?

  • right permissions on app/ chown -r appuser:appuser app/, user owns files. there other permissions should set on application folder?

(2) pm2 - since installed nodejs , modules locally, how safely pm2 restart nodejs app after server restart?

  • my understanding pm2-init.sh live in /etc/init.d/, , happens automatically if had installed pm2 globally sudo.

    how should pm2 restart app safely using non-sudo user?

(3) nginx

  • how can safely serve public/ through nginx if served this:

    http://mydomainname.com/public

  • my app handles routes , should throw 404 if route not found. possible work around , maliciously make app or nginx browse other directories?

    ie, outside of app directory

    http://mydomainname.com/../../etc/path/to/secrets

    or, locally in app

    http://mydomainname.com/public/../../config.js

    are there security precautions can set in nginx or nodejs prevent if possible?

  1. the way adopt have files node:node-developer. , start app under node user. node-developer group developers. , set file permissions 770

  2. write simple shell script logs node user , start pm2 init scirpts

  3. solved using proper permission settings. nginx runs under nginx user. if files public, make nginx:nginx. user public/../../something. nginx not have rights access it.


Comments

Post a Comment

Popular posts from this blog

java - Null response to php query in android, even though php works properly -

Image
table i'm trying retrieve above data using 2 php files below. want pass email parameter , return bets user = email. work fine when tested advanced rest client, problem not php. however, when try through android 2 java classes below, null pointer exception (logcat below) , json object returned null. i'm not sure error is, think i'm not passing parameter php , that's why it's producing null response. logcat 05-31 15:10:50.227 26074-26074/com.example.albert.betterapp e/androidruntime﹕ fatal exception: main process: com.example.albert.betterapp, pid: 26074 java.lang.runtimeexception: unable start activity componentinfo{com.example.albert.betterapp/com.example.albert.betterapp.displayallbets}: java.lang.nullpointerexception @ android.app.activitythread.performlaunchactivity(activitythread.java:2292) @ android.app.activitythread.handlelaunchactivity(activitythread.java:2350) @ android.app.activitythread.acce...
Read more

node.js - Using Node without global install -

i'm working on few node & electron (atom shell) projects , i'm curious how them work without user having install node globally. i've seen few applications including node directory in project contains node.exe binary. how go setting node project use binary? edit: thought should add, i've searched everywhere answer this, unrelated results.
Read more

php - CakePHP HttpSockets send array of paramms -

i problem when make request (i can request). $link = 'http://uri/path/?param1=1&sid=2&sid=3&sid=4' $http = $httpsocket = new httpsocket(); $res = $httpsocket->get($link); if check request pr($http); i see : [line] => /url/path/?param1=1&sid%5b0%5d=2&sid%5b1%5d=3&sid%5b2%5d=4 http/1.1 and i'm getting empty response because server doesn't know parameters sid%5b0%5d=2 when try send parameters array : $data = array('param1' => '1', 'sid' => array('2','3', '4')); i see same changes %5b0%5d - additional indexes. how fix it? unfortunately , can not change server side, if send request in browser, i'll normal response in json format. when make request, can parameters this: $param1 = $_get['param1']; $sid= $_get['sid']; tip: use diferente names parameters. have multiples sid. use sid1, sid2, sid3... update: can parameters this:...
Read more