Is it secure to forward an SSL/TLS request through an Apache subdomain?

Hi there,

I wanted to clarify if what I am doing is secure or not…

I have a nodeJS expressJS server running on port 8081. I didn’t want to install an SSL certificate on nodeJS, so I wanted to install it on my apache server. So I was going to redirect the server.mydomain.com through apache2 (using VirtualHost that has a LetsEncrypt SSL/TLS certificate) to localhost:8081 which does not have SSL cert.

Is this considered good practice with regard to security and performance? Am I right to say that all secure traffic will be hitting apache (and internally redirecting to localhost), or should I bite the bullet and install the cert on nodeJS? (It’s an active development server so I don’t want to keep re-installing certificates on it.)

Thanks guys!! Really appreciate your help in advance!

Pavel

That’s fine, as long as we’re clear about what exactly you mean by “redirect”:

  • If you mean, forward the traffic using mod_proxy, then yes, that’s fine and secure (assuming, as you’ve implied, that Node.js is on the same machine as Apache), and I believe it is a fairly common configuration.
  • If you mean literally redirect, by sending for example a 301 response to the browser, sending it to HTTP on port 8081, then no - that’s not secure.

Regarding performance - well, Apache is not bad but if your requirements are demanding you will need to understand a bit about how to configure it optimally. If it’s a development server you’re probably fine.

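The two meanings of "redirect" distinguished in the reply above, written out as an Apache configuration. This is an added example, not part of the original posts; the hostname and port come from the question, and the certificate paths are assumed certbot defaults.

```apache
# Added example. Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.

# Port 80: send plain-HTTP visitors to the HTTPS vhost. This redirect is fine
# because its target is HTTPS on Apache, not the backend.
<VirtualHost *:80>
    ServerName server.mydomain.com
    Redirect permanent / https://server.mydomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName server.mydomain.com

    SSLEngine on
    # Assumed certbot default locations for the Let's Encrypt certificate.
    SSLCertificateFile    /etc/letsencrypt/live/server.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/server.mydomain.com/privkey.pem

    # Forwarding case: Apache terminates TLS and relays each request to the
    # Express app over loopback. The browser only ever talks HTTPS to port 443.
    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass         / http://127.0.0.1:8081/
    ProxyPassReverse  / http://127.0.0.1:8081/

    # Lets the Express app know the original request arrived over HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # Literal-redirect case, left commented out for contrast. It tells the
    # browser to reconnect to the backend itself over plain HTTP, so the
    # connection is no longer protected by TLS:
    # Redirect permanent / http://server.mydomain.com:8081/
</VirtualHost>
```

With the forwarding setup, have the Node.js process listen on 127.0.0.1 only (or firewall port 8081) so the unencrypted backend cannot be reached directly from outside the machine.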

Thanks for your reply! It was helpful.
