The basic flow: the router forwards inbound traffic to the port where the proxy is listening. The iptables configuration allows traffic that does not originate on the LAN to connect only to this proxy port, and this port is configured only for SSL.
When the user hits the proxy port, the user's browser is asked to provide its SSL client certificate. If that succeeds, the user then attempts to authenticate with the primary Node.js application using the Node.js Passport module. Authentication will be discussed in a later post.
1. Node-http-proxy:
- Here's the link: https://github.com/nodejitsu/node-http-proxy
- http://stackoverflow.com/questions/15411042/how-to-run-node-js-app-on-port-80-using-http-proxy
- Make sure the port that Node.js will be running on is open in iptables!
2. SSL:
- I found this link very helpful in creating the SSL components:
http://www.akadia.com/services/ssh_test_certificate.html
- This site and the associated GitHub files were very useful:
http://www.gettingcirrius.com/2012/06/automating-creation-of-certificate.html
https://github.com/berico-rclayton/certificate-automation/
3. Node SSL configuration:
- This link outlines how to use the certificates, etc. (created in the prior step) with the Node-http-proxy:
http://www.gettingcirrius.com/2012/06/securing-nodejs-and-express-with-ssl.html
4. Browser SSL configuration:
- The client certificates from step 2 will need to be manually loaded into each user's browser. On the iPad, it seems that the certificates are only recognized by the Safari browser and not Chrome.
5. Upstart Script:
- The following links were useful in configuring upstart to launch both the Node-http-proxy process as well as the primary Node processes:
- http://caolanmcmahon.com/posts/deploying_node_js_with_upstart/
- https://gist.github.com/louischatriot/3385102
- http://stackoverflow.com/questions/13982257/upstart-script-for-node-js-app
- http://clock.co.uk/tech-blogs/upstart-and-nodejs
- I decided not to use the Node.js forever (https://github.com/nodejitsu/forever) tool with my code.
- I did have my upstart scripts send email when they were invoked. I used the information at this link to help with the configuration:
http://zackreed.me/articles/39-send-system-email-with-gmail-and-ssmtp
- See my upstart script on my Upstart Script page in the nav bar.
6. Monit Script:
- To monitor the server, the Node-http-proxy, and the primary Node.js processes, I used Monit. The instructions at the following link were helpful:
http://howtonode.org/deploying-node-upstart-monit
- See my Monit script on my Monit Script page in the nav bar.
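
The client-certificate gate on the proxy port described at the top of this post, sketched as an added example (not the author's code, and using Node's built-in `https`/`http` modules rather than node-http-proxy). The PEM inputs, the upstream address and the `x-client-cert-cn` header name are assumptions.

```javascript
// Added example, not the author's code. PEM inputs, the upstream address and
// the x-client-cert-cn header name are assumptions made for illustration.
const https = require('node:https');
const http = require('node:http');

// TLS options for the public proxy port.
function tlsOptions(pem) {
  return {
    key: pem.serverKey,
    cert: pem.serverCert,
    ca: [pem.clientCa],       // trust only the CA that issued the client certs
    requestCert: true,        // ask the browser for a client certificate
    rejectUnauthorized: true, // abort the handshake if it is missing or untrusted
  };
}

// Common name of a verified client certificate, or null if not verified.
function clientIdentity(socket) {
  if (!socket.authorized) return null;
  const cert = socket.getPeerCertificate();
  return (cert && cert.subject && cert.subject.CN) || null;
}

// Headers sent upstream: the proxy's value replaces anything the client sent.
function upstreamHeaders(incoming, cn) {
  return { ...incoming, 'x-client-cert-cn': cn };
}

function handler(upstream) {
  return (req, res) => {
    const cn = clientIdentity(req.socket); // re-checked in case TLS options change
    if (!cn) {
      res.writeHead(403);
      return res.end('client certificate required');
    }
    const out = http.request({
      host: upstream.host, port: upstream.port,
      method: req.method, path: req.url,
      headers: upstreamHeaders(req.headers, cn),
    }, (up) => { res.writeHead(up.statusCode, up.headers); up.pipe(res); });
    out.on('error', () => { if (!res.headersSent) res.writeHead(502); res.end(); });
    req.pipe(out);
  };
}

// Usage: createProxy(pem, { host: '127.0.0.1', port: 3000 }).listen(8443)
function createProxy(pem, upstream) {
  return https.createServer(tlsOptions(pem), handler(upstream));
}
```

The forwarded header is trustworthy only while the primary application is unreachable except through the proxy, which is what the iptables rule described above enforces.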