Reputation: 1050
I am building a website using PHP and a MySQL database. The website now has login/register functionality and profiles with walls that can be visited. On the same website, I want to build a big chat application using websockets. This chat should host a dynamically expanding number of chat rooms (could run into thousands) of medium-sized groups (+/- 25 people).
I've been considering node.js to run websockets with, but I only want to use node.js to handle incoming messages and broadcasting. In addition, I want to save the incoming messages in the database using PHP. I want to use http calls in the node.js server file to handle this, as described in http://docs.nodejitsu.com/articles/HTTP/clients/how-to-create-a-HTTP-request. I also want to use http requests to get properties of the user (for example name and profile picture), so these could be displayed to other users in the same chatroom. I do not want to handle this client side, as the user could then easily pretend to be someone else.
Both the php website and the node.js server run on localhost. The website runs on 127.0.0.1:80 and the server on 127.0.0.1:1337.
My question is, is this approach safe? Are there any security risks in doing http requests on a node.js server to send/receive data from the database? Is it a good idea to run node.js next to a PHP website, or should I build my website purely on node.js? Are there any other alternatives?
Upvotes: 3
Views: 606
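The server-side identity lookup the question describes, sketched as an added example that is not part of the original post: the node.js process resolves the user from the PHP session once per connection and takes only the message text from the client frame. Assumptions: PHP's default `PHPSESSID` cookie name, a hypothetical internal endpoint `/internal/whoami.php` that returns `{"id", "name", "avatar"}` for a valid session, a hypothetical 2000-character cap, and Node 18+ for the global `fetch`.

```javascript
// Added example, not code from the original post.
// Assumed: PHPSESSID cookie, hypothetical /internal/whoami.php endpoint.
const PHP_BACKEND = 'http://127.0.0.1:80';

// Pull the PHP session id out of the Cookie header of the WebSocket handshake.
function sessionIdFromCookie(cookieHeader) {
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0 && part.slice(0, eq).trim() === 'PHPSESSID') {
      const value = part.slice(eq + 1).trim();
      // Accept only the alphabet and lengths PHP uses for session ids.
      return /^[A-Za-z0-9,-]{22,256}$/.test(value) ? value : null;
    }
  }
  return null;
}

// Ask the PHP site who owns this session; call once when the socket connects.
async function resolveUser(sessionId) {
  const res = await fetch(`${PHP_BACKEND}/internal/whoami.php`, {
    headers: { Cookie: `PHPSESSID=${sessionId}` },
  });
  if (!res.ok) return null; // unknown or expired session: refuse the socket
  const u = await res.json();
  return { id: u.id, name: String(u.name), avatar: String(u.avatar) };
}

// Build what gets broadcast and stored. Only `text` is read from the client
// frame; identity fields come from the user resolved at connect time, so a
// client that sends {"name": "admin"} changes nothing.
function buildBroadcast(user, room, rawFrame) {
  let frame;
  try { frame = JSON.parse(rawFrame); } catch { return null; }
  if (!frame || typeof frame.text !== 'string') return null;
  const text = frame.text.trim().slice(0, 2000); // hypothetical length cap
  if (!text) return null;
  return { room, userId: user.id, name: user.name, avatar: user.avatar, text };
}
```

The `room` argument is expected to come from the server's own join state for that socket, not from the frame.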
Reputation: 10491
I run PHP and nodejs in tandem for production and it is no less secure than any other CGI backend. The one thing no one has mentioned is that Nginx doesn't support WebSockets yet, so binding Nginx to port 80 is not going to work if you want to support both a PHP application and a nodejs application using websockets.
See my answer here for my solution: nginx vs node-http-proxy
EDIT: As of version 1.3.13, Nginx supports web sockets. Nginx has now taken back its rightful place on port 80 of my production stack.
Upvotes: 0
Reputation: 187034
Is this approach safe?
Sure. I mean technically, sure. It's no more unsafe than any of the technologies individually. It does, however, make your architecture a bit more complex which may marginally lead to more human error and bugs or security issues. But that's more about humans and complexity rather than the tech itself.
Are there any security risks in doing http requests on a node.js server to send/receive data from the database?
Nope, not more than any other backend technology. It sits behind a webserver, runs code that may or may not access a database and returns a response. Plenty of production websites are running node.js without any security issues.
Is it a good idea to run node.js next to a PHP website, or should I build my website purely on node.js?
That's tough to answer. I think overall a simpler and more maintainable pattern is to keep things in one place and technology. But as applications grow it's actually very common to remove standalone parts and implement them on their own in their own best case way. Usually this has as much to do with performance, separating high traffic systems from low traffic ones, as it does with the capabilities of the tech itself.
But this usually comes into play when you have multiple servers with different roles. With smaller projects, there is usually less value.
I don't know if that answers your question, but in short: It's not inherently bad. It depends.
Upvotes: 3
Reputation: 17834
I don't think there is anything inherently unsafe with mixing Node.js and PHP/Apache. It's just like running multiple programs on your computer: they have their own space, listen to their own port and don't talk to each other directly.
But I would personally be more concerned about server resources (how fast is your CPU? how much RAM?). It would definitely be more efficient to build your website on just one platform. But depending on what you are building, it might be okay to have both.
From the benchmark I've seen, Node.js is more resource hungry than Apache. But Node.js is also very fast for certain applications.
Upvotes: 0