Node, Ubuntu Security POC

For my Ubuntu configuration of Node.js, there were six parts...listed below.  

The basic flow is for a router to forward to the port where the proxy is listening.  The iptables configuration allows non-LAN originated traffic to connect only to this proxy port.  This port is configured only for SSL.  

When the user hits the proxy port the user's browser is requested to provide its SSL client certificate.  If successful, the user attempts to authenticate with the primary Node.js application using the Node.js Passport module.  Authentication will be discussed in a later post.


1.  Node-http-proxy:

• Here's the link: https://github.com/nodejitsu/node-http-proxy
• http://stackoverflow.com/questions/15411042/how-to-run-node-js-app-on-port-80-using-http-proxy
• Make sure the port that Node.js will be running on is open in iptables!

2.  SSL:

• I found this link very helpful in creating the SSL components:
  http://www.akadia.com/services/ssh_test_certificate.html
• This site and the associated Github files were very useful:
  http://www.gettingcirrius.com/2012/06/automating-creation-of-certificate.html
  https://github.com/berico-rclayton/certificate-automation/

3.  Node SSL configuration:

• This link outlines how to use the certificates, etc (created in the prior step) with the Node-http-proxy:
  http://www.gettingcirrius.com/2012/06/securing-nodejs-and-express-with-ssl.html

4.  Browser SSL configuration:

• The client certificates from step 2 will need to be manually loaded into each user's browser.  On the iPad, it seems that the certificates are only recognized by the Safari browser and not Chrome.

5.  Upstart Script:

• The following links were useful in configuring upstart to launch both the Node-http-proxy process as well as the primary Node processes:
• http://caolanmcmahon.com/posts/deploying_node_js_with_upstart/
• https://gist.github.com/louischatriot/3385102
• http://stackoverflow.com/questions/13982257/upstart-script-for-node-js-app
• http://clock.co.uk/tech-blogs/upstart-and-nodejs
• I decided not to use the Node.js forever (https://github.com/nodejitsu/forever) tool with my code.
• I did have my upstart scripts send email when they were invoked...I used the information at this link to help with the configuration:
  http://zackreed.me/articles/39-send-system-email-with-gmail-and-ssmtp
• See my upstart script on my Upstart Script page in the nav bar.

6.  Monit Script:

• To monitor the server, the Node-http-proxy, and the primary Node.js processes, I used Monit.  The instructions at the following link were helpful:
  http://howtonode.org/deploying-node-upstart-monit
• See my Monit script on my Monit Script page in the nav bar.

Node, Rabbit, Ubuntu Tech POC

For the machine hosting Node.js and RabbitMQ, I am using Ubuntu Linux 12.04 LTS Server 32-bit.  Here are the high level configuration steps:

1. Download and install Ubuntu (http://www.ubuntu.com/download/server) on the target machine.
2. Install the Gnome Classic desktop.
3. Configure a static IP address for your server...I found this link helpful:
   https://help.ubuntu.com/12.04/serverguide/network-configuration.html
4. Configure VNC...this link was helpful:
   http://rbgeek.wordpress.com/2012/06/25/how-to-install-vnc-server-on-ubuntu-server-12-04/ 
5. Configure FTP...this link was helpful:
   http://en.kioskea.net/faq/7197-installing-an-ftp-server-under-ubuntu
6. Install Node.js...here's the link:
   https://github.com/joyent/node/wiki/Installing-Node.js-via-package-manager
7. Install RabbitMQ:
• Update Erlang...it should already be installed on Ubuntu:
  http://www.rabbitmq.com/which-erlang.html
  http://www.erlang.org/download.html
• Install RabbitMQ:
  http://www.rabbitmq.com/install-debian.html
8. Secure the server:
• http://www.thefanclub.co.za/how-to/how-secure-ubuntu-1204-lts-server-part-1-basics
• https://www.net24.co.nz/kb/article/AA-00227
• http://notepad2.blogspot.com/2012/03/binbash-flush-all-chainsiptables-f-set.html
• http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
• http://wiki.xtronics.com/index.php/IP_Subnet_Masks
• I created an iptables bash script, using the third bullet above as a model.

That's about it ...

And at this point it cannot be accessed from the internet...only on the LAN.