I wanted to clarify if what I am doing is secure or not…
I have a Node.js Express server running on port 8081. I didn’t want to install an SSL certificate on Node.js, so I wanted to install it on my Apache server. So I was going to redirect server.mydomain.com through Apache2 (using a VirtualHost that has a Let’s Encrypt SSL/TLS certificate) to localhost:8081, which does not have an SSL cert.
Is this considered good practice with regard to security and performance? Am I right to say that all secure traffic will be hitting Apache and internally redirecting to localhost, or should I bite the bullet and install the cert on Node.js? (It’s an active development server so I don’t want to keep re-installing certificates on it.)
Thanks guys!! Really appreciate your help in advance!
That’s fine, as long as we’re clear about what exactly you mean by “redirect”:
If you mean, forward the traffic using mod_proxy, then yes, that’s fine and secure (assuming, as you’ve implied, that Node.js is on the same machine as Apache), and I believe it is a fairly common configuration.
If you mean literally redirect, by sending for example a 301 response to the browser, sending it to HTTP on port 8081, then no - that’s not secure.
Regarding performance - well, Apache is not bad but if your requirements are demanding you will need to understand a bit about how to configure it optimally. If it’s a development server you’re probably fine.
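
The two meanings of "redirect" distinguished in the answer above, written out as an Apache configuration. This is an added example, not part of the original posts; the certificate paths assume certbot's default layout, and mod_ssl, mod_proxy, mod_proxy_http and mod_headers are assumed to be enabled.

```apache
# Plain HTTP: only job is to send browsers to the HTTPS virtual host.
<VirtualHost *:80>
    ServerName server.mydomain.com
    Redirect permanent / https://server.mydomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName server.mydomain.com

    # TLS terminates here, at Apache.
    SSLEngine on
    # Assumed paths (certbot default layout); adjust to the real location.
    SSLCertificateFile    /etc/letsencrypt/live/server.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/server.mydomain.com/privkey.pem

    # --- Secure: forward with mod_proxy ---------------------------------
    # The browser only ever talks HTTPS to Apache. The unencrypted hop to
    # Node.js stays on the loopback interface of the same machine.
    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass         / http://127.0.0.1:8081/
    ProxyPassReverse  / http://127.0.0.1:8081/

    # Tell the Express app the original request was HTTPS, so it can build
    # https:// URLs and mark cookies Secure.
    RequestHeader set X-Forwarded-Proto "https"

    # --- Not secure: a literal redirect ---------------------------------
    # This sends a 301 to the browser, which then connects to port 8081
    # over plain HTTP across the network. The certificate protects nothing
    # after the first response. Shown commented out for contrast only.
    # Redirect 301 / http://server.mydomain.com:8081/
</VirtualHost>
```

For the proxy variant to hold, the Node.js process should listen on 127.0.0.1 only (for example `app.listen(8081, '127.0.0.1')`), or port 8081 should be firewalled, so that nothing can reach the unencrypted port directly and bypass Apache.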