Node security on different ports


Joe Bloggs

Jun 26, 2014, 12:27:18 PM
to nod...@googlegroups.com
Hi all!

So, I would really like to use Angular + Node for some of the data trends, pie charts, and bar graphs for real-time processing. However, I have to use a non-standard port (not 80 or 443) to make node work, obviously. The other thing is, we are running apache on port 80, so I will be using something like nginx on port 8080, and node on port 3000. The issue of security is raised. Here is the exact question a surly Administrator has asked me:

So in order to use these services, the client would have to make a connection to these ports? If so, that doesn’t sound like a good idea to me. A lot of CUs firewall and/or filter non-standard outbound ports, so in addition to security considerations for incoming traffic, there’s the consideration that many of your clients may not be able to use whatever it is you’re trying to turn on. Is this some special service they’re trying to consume and would be willing to adjust their firewalls to access?

How might one answer this question? Is this an inherently dangerous, un-secure environment?


Thanks,

Joe

 

Charlie McConnell

Jun 26, 2014, 3:28:20 PM
to nod...@googlegroups.com
Just use nginx as a reverse proxy to send connections to the node service. That should eliminate most of these concerns, and it's a very common practice.
 
--
Charlie McConnell

Alex Kocharin

Jun 26, 2014, 3:29:14 PM
to nod...@googlegroups.com
 
I believe the correct answer to these questions is "it is bullshit". A non-standard port is as secure as a standard one, and any user who has full access to the Internet would be able to reach it.
 
(The only security issue is that if someone else has user access to your server, they can bind to ports >1024 if they are free, i.e. switch your server with theirs when you restart it.)
 
 

Darren

Jun 27, 2014, 12:03:32 AM
to nod...@googlegroups.com
Port numbers below 1024 are privileged ports and require elevated permissions to be able to run services on them. Contrary to your system administrator's concerns, the worry isn't about running services on non-privileged ports above 1024 as a normal user, but running things as an admin/superuser on the privileged ports like 80 and 443. Firewalls blocking non-standard ports can be problematic in some enterprise settings, but 8080 is a well-known http alternate port and 3000 is also in widespread use; they're typically *not* blocked. I would have some concerns with that particular administrator, based on the questions being asked.

One small recommendation if you do run nginx is to set up forwarding from :8080/something to node on :3000 so the client can retrieve both the static resources served by nginx, and the real-time data served by node, from the same host:port combination. This is because the same origin policy applies to protocol, host AND port number.

Hope this helps,
Darren
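The setup Charlie and Darren describe (nginx as the single public entry point, node reached only through the proxy, and static assets plus real-time data on one origin) looks roughly like the configuration below. This is an added example, not configuration posted by anyone in the thread; the document root `/var/www/app`, the `/api/` prefix, the `server_name` and the ports are assumptions chosen for illustration.

```nginx
# Added example: nginx on :8080 fronting a Node app on :3000.
# Assumptions (not from the thread): static Angular files live in /var/www/app,
# the Node process listens on 127.0.0.1:3000 only, and its real-time endpoints
# are served under the /api/ prefix.

upstream node_app {
    # Node should bind to the loopback address (server.listen(3000, '127.0.0.1')),
    # so the only route to :3000 from outside the host is through nginx and
    # port 3000 can be closed at the host firewall.
    server 127.0.0.1:3000;
}

server {
    listen 8080;
    server_name app.example.com;   # placeholder hostname

    # Static assets are served directly by nginx.
    root /var/www/app;
    index index.html;

    location / {
        # Single-page app: unknown paths fall back to index.html.
        try_files $uri $uri/ /index.html;
    }

    # Real-time data lives on the same scheme, host and port as the static
    # assets, so the browser's same-origin policy is satisfied without CORS.
    # With no URI part on proxy_pass, the /api/ prefix is forwarded unchanged.
    location /api/ {
        proxy_pass http://node_app;
        proxy_http_version 1.1;

        # Needed for WebSocket / long-polling upgrades used by real-time libraries.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Let the Node app see the original host and client address.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place the only port a client needs to reach is 8080 (or 80/443, if nginx later takes over the standard ports from Apache), which answers the administrator's firewall concern, and the Node process itself never needs to be exposed or to run with elevated privileges.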

Ryan Schmidt

Jun 27, 2014, 3:57:50 AM
to nod...@googlegroups.com

On Jun 26, 2014, at 11:27 AM, Joe Bloggs wrote:

> However, I have to use a non-standard port (not 80 or 443) to make node work, obviously.

Actually, it's not obvious why that would be the case. Why can't you use port 80 and/or 443 for node?


> The other thing is, we are running apache on port 80, so I will be using something like nginx on port 8080, and node on port 3000.

Already using port 80 and/or 443 for another server would of course be an understandable reason. But nothing is forcing you to do that. You could run node on port 80 and/or 443 on another IP address on the same server (or on another server).

