JacksonHunt

Reputation: 592

Nginx and Node.js — am I doing it wrong?

“If #nginx isn’t sitting in front of your node server, you’re probably doing it wrong.”

— Bryan Hughes via Twitter

For a short while now, I have been making applications with Node.js and, as Mr. Hughes advises, serving them with Nginx as a reverse proxy. But I am not sure that I am doing it correctly because I can still access my Node.js application over the internet without going through the Nginx server.


At its core, the typical application is quite simple. It is served with ExpressJS like this:

    var express = require("express");
    var app = express();

    // ...

    app.listen(3000);

and Nginx is configured as a reverse-proxy like so:

    # ...

    location / {
        proxy_pass http://127.0.0.1:3000;
    }

    # ...

And this works wonderfully! However I have noticed a behaviour that I am not sure is desirable, and may defeat a large portion of the purpose of using Nginx as a reverse-proxy in the first place:

Assuming example.org is a domain name pointing to my server, I can navigate to http://www.example.org:3000 and interact with my application from anywhere, without touching the Nginx server.

The typical end user would never have any reason to navigate to http://<whatever-the-server-host-name-or-IP-may-be>:<the-port-the-application-is-being-served-on>, so this would never affect them. My concern, though, is that this may have security implications that a not-so-end-user could take advantage of.


  1. Should the application be accessible directly even though Nginx is being used as a reverse-proxy?

  2. How can you configure the application so that it is only available to the local machine / network / Nginx server?

Upvotes: 1

Views: 163

Answers (1)

stdob--

Reputation: 29172

  1. It is best not to be available directly (imho).

  2. You can specify the accepted hostname:

    app.listen(3000, 'localhost');

Upvotes: 4
