使用2个Express应用阻止私人端口NGINX反向代理 [英] Block private port NGINX reverse proxy with 2 express apps
问题描述
我正在尝试在同一台服务器上运行两个Express应用程序(一个是公共API,另一个是与数据库对话的私有API).
I am trying to run two express apps on the same server (one being a public API and the other being the private API that talks to the DB).
我已设置nginx来反向代理到运行在端口3000上的公共快递应用程序,并使用来自数字海洋的私有IP.
I have set up nginx to reverse proxy to my public express app that is running on port 3000, with a private IP from digital ocean.
我的公共快递应用将请求发送到私有api(在端口3030上运行)
My public express app sends requests to the private api (running on port 3030)
当我转到我的域example.com:3030/users时-我可以看到我的所有用户.(坏的).
When I go to my domain example.com:3030/users - I can see all my users. (bad).
如何从公众(例如:sites.com/:3030/API-ROUTE)锁定端口3030?
How can I lockdown port 3030 from the public (ie: website.com/:3030/API-ROUTE)?
nginx设置:
server {
listen 80;
server_name 123.456.78.910;
root /srv/www;
location / {
root /srv/www/public;
try_files $uri/maintenance.html @node_app;
}
location @node_app {
proxy_pass http://98.765.4.32:3000;
proxy_http_version 1.1;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
公共API
var express = require('express');
var app = express();
app.get('/', function (req, res) {
res.send('Hello public World!');
});
app.listen(3000, function () {
console.log('Example app listening on port 3000!');
});
私有API
var express = require('express');
var app = express();
app.get('/', function (req, res) {
res.send('Hello Private World!');
});
app.listen(3030, function () {
console.log('Example app listening on port 3030!');
});
推荐答案
您可以在多个层上锁定对该端口的访问.
You can lock down access to this port at several layers.
首先,在Node.js中,您可以告诉Node.js应用程序绑定到特定的IP地址,即127.0.0.1:
First, in Node.js, you can tell your Node.js app to bind to a specific IP address, namely 127.0.0.1:
app.listen(3030, '127.0.0.1');
接下来,您可以在操作系统级别锁定访问权限.例如,在Ubuntu Linux中,您可以使用 ufw
定义仅允许从本地主机访问此端口的规则.
Next, you can lock down access at the OS level. For example, with Ubuntu Linux you can use ufw
define a rule that only allows access to this port from the localhost.
最后,外部设备上其他位置的防火墙规则可能会限制访问.例如,对于AWS安全组,您可以定义一个规则,即仅允许该组中的其他服务器访问特定组中的服务器的端口3030-并且该组中可能只有一个服务器.
Finally, firewall rules elsewhere on an external device can limit access. For example, with AWS Security Groups, you could define a rule that access to port 3030 to servers in a particular group is only allowed from other servers in that group-- and that group might have just one server in it.
另一种方法是改为在Unix套接字上监听IP地址.
Yet another approach is to listen on a Unix socket instead of an IP address.
这篇关于使用2个Express应用阻止私人端口NGINX反向代理的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!