Block private port NGINX reverse proxy with 2 express apps


Question

I am trying to run two express apps on the same server (one being a public API and the other being the private API that talks to the DB).

I have set up nginx to reverse proxy to my public express app that is running on port 3000, with a private IP from digital ocean.

My public express app sends requests to the private api (running on port 3030)

When I go to my domain example.com:3030/users - I can see all my users. (bad).

How can I lock down port 3030 from the public (i.e. website.com/:3030/API-ROUTE)?

nginx setup:

server {
    listen 80;

    server_name 123.456.78.910;

    root /srv/www;

    location / {
        root /srv/www/public;
        try_files $uri/maintenance.html @node_app;
    }

    location @node_app {

        proxy_pass http://98.765.4.32:3000;
        proxy_http_version 1.1;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Public API

var express = require('express');
var app = express();

app.get('/', function (req, res) {
  res.send('Hello public World!');
});

app.listen(3000, function () {
  console.log('Example app listening on port 3000!');
});

Private API

var express = require('express');
var app = express();

app.get('/', function (req, res) {
  res.send('Hello Private World!');
});

app.listen(3030, function () {
  console.log('Example app listening on port 3030!');
});

Accepted answer

You can lock down access to this port at several layers.

First, in Node.js, you can tell your Node.js app to bind to a specific IP address, namely 127.0.0.1:

app.listen(3030, '127.0.0.1');

Next, you can lock down access at the OS level. For example, with Ubuntu Linux you can use ufw to define a rule that only allows access to this port from the localhost.

Finally, firewall rules elsewhere on an external device can limit access. For example, with AWS Security Groups, you could define a rule that access to port 3030 to servers in a particular group is only allowed from other servers in that group, and that group might have just one server in it.

Yet another approach is to listen on a Unix socket instead of an IP address.

