
I am trying to run two express apps on the same server (one being a public API and the other being the private API that talks to the DB).

I have set up nginx to reverse proxy to my public express app that is running on port 3000, with a private IP from digital ocean.

My public express app sends requests to the private api (running on port 3030)

When I go to my domain example.com:3030/users - I can see all my users. (bad).

How can I lock down port 3030 from the public (i.e. website.com:3030/API-ROUTE)?

nginx setup:

server {
    listen 80;

    server_name 123.456.78.910;

    root /srv/www;

    location / {
        root /srv/www/public;
        try_files $uri/maintenance.html @node_app;
    }

    location @node_app {

        proxy_pass http://98.765.4.32:3000;
        proxy_http_version 1.1;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Public API

var express = require('express');
var app = express();

app.get('/', function (req, res) {
  res.send('Hello public World!');
});

app.listen(3000, function () {
  console.log('Example app listening on port 3000!');
});

Private API

var express = require('express');
var app = express();

app.get('/', function (req, res) {
  res.send('Hello Private World!');
});

app.listen(3030, function () {
  console.log('Example app listening on port 3030!');
});
Rastalamm

1 Answer

You can lock down access to this port at several layers.

First, in Node.js, you can tell your Node.js app to bind to a specific IP address, namely 127.0.0.1:

app.listen(3030, '127.0.0.1');

Next, you can lock down access at the OS level. For example, with Ubuntu Linux you can use ufw to define a rule that only allows access to this port from the localhost.

Finally, firewall rules elsewhere on an external device can limit access. For example, with AWS Security Groups, you could define a rule that access to port 3030 to servers in a particular group is only allowed from other servers in that group, and that group might have just one server in it.

Yet another approach is to listen on a Unix socket instead of an IP address.

Mark Stosberg