
I'm aware that nodejs can run on port 80 by:

  • setting up a proxy with apache/nginx
  • setting up a port redirection with an iptables rule
  • making express listen on port 80 within the app

The first option isn't the easiest and requires more dependencies than I need. The second one could work, but on my OpenVZ VPS it won't (and I can't compile a custom Linux kernel).

I needed to handle some sub-domains too, and after reading this stackoverflow answer, I tried the third solution. It works perfectly and is very easy to set up.

I was wondering if there might be some security issues while running nodejs directly on port 80? How may I fix/find these?

I wanted to use pm2 to handle the processes, and it might not run as root (Goodbye node-forever, hello pm2).

soyuka
  • Why would it be less safe than on another port? – Denys Séguret Oct 16 '13 at 17:21
  • @dystroy: It might be less safe than proxying through nginx, in case someone finds a vulnerability in Node's HTTP parser. – SLaks Oct 16 '13 at 17:23
  • @dystroy Good question, so running it with a proxy, an iptables rule or directly on port 80 will lead to the same security issues? – soyuka Oct 16 '13 at 17:24
  • If your firewall doesn't mask the original port, that's certain. If it does and you use a proxy **and** there's a vulnerability in Node's http parser that's masked by a proxy, then this solution might be faster. But I seriously doubt it and I would need a link to that vulnerability before I consider such a solution. – Denys Séguret Oct 16 '13 at 17:27

1 Answer


The first option isn't the easiest and requires more dependencies than I need

Please review why should one use an HTTP server in front of a framework web server for the many valid reasons you should in fact do it this way.

setting up a port redirection with an iptables rule

This is probably better than directly having your node process listen on port 80, although I haven't seen this type of configuration used in production.

making express listen on port 80 within the app

This is functionally a poor choice because you don't get the benefits outlined in the linked answer above; however, from a strictly security standpoint, the key thing to remember is that you must not run your node process as root, which would be a horrendous security problem. You must be root to bind to port 80 because that's a rule of Unix, but you can and must change to a less-privileged user immediately after binding to that port.

Peter Lyons
  • I'm using [pm2](https://github.com/Unitech/pm2) and I think they're working on running it as a user. Thanks for the link very interesting! – soyuka Oct 16 '13 at 18:08
  • It's a very fine line between port redirection and using a redirecting proxy like [HAProxy](http://haproxy.1wt.eu/). As you point out, running as `root` is almost always a Very Bad Idea. – tadman Oct 16 '13 at 18:12