Is it ok if http://myapp.domain.com:3000 is reachable?

bidetaggle · January 31, 2019, 3:30pm

Hi there,

I got troubles to deploy my android app using apache proxy, either problems with the domain name or CORS restrictions… After having swapped domain names and configurations from different commands, I made it works the way I want:
My app works on https://interesting-links.luteciacorp.org/ and the android client works well although this error appearing regularly:

(android:http://localhost:12512/__cordova/packages/webapp.js:37) Error: ROOT_URL in downloaded asset bundle would change current ROOT_URL to localhost. Make sure ROOT_URL has been configured correctly on the server.

Question:

http://interesting-links.luteciacorp.org:3000/ and even http://luteciacorp.org:3000/ are reachable with a web browser, is it safe ? If not, why and how to fix it ?

You can check my configuration below:

build command

$ meteor build ../build --server https://interesting-links.luteciacorp.org --directory

Server side

Apache configuration:

$ cat /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
	ServerName luteciacorp.org

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	
	RewriteEngine on
	RewriteCond %{SERVER_NAME} =luteciacorp.org
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

	RewriteCond %{SERVER_NAME} =interesting-links.luteciacorp.org
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE]
</VirtualHost>

$ cat /etc/apache2/sites-enabled/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerName luteciacorp.org

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	SSLCertificateFile /etc/letsencrypt/live/luteciacorp.org/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/luteciacorp.org/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:443>
	ServerName interesting-links.luteciacorp.org
	
	SSLCertificateFile /etc/letsencrypt/live/luteciacorp.org-0001/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/luteciacorp.org-0001/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
	
	SSLProxyEngine On
	ProxyPreserveHost On
	ProxyPass /websocket ws://localhost:3000/websocket
	ProxyPassMatch ^/sockjs/(.*)/websocket ws://localhost:3000/sockjs/$1/websocket
	ProxyPass / http://localhost:3000/
	ProxyPassReverse / http://localhost:3000/
</VirtualHost>
</IfModule>

Node process:

PORT=3000 MONGO_URL=mongodb://db-username:db-passwd@localhost:27017/db-name HTTP_FORWARDED_COUNT=1 ROOT_URL=http://localhost node main.js

Thank you

rjdavid · February 1, 2019, 2:22am

It is safe for that URL to be accessible. The mobile app has to access that URL to work. If you don’t want users accessing that URL to view what is available in your app, you can opt to use Meteor.isCordova() checks to ensure that only user with the mobile app can see the content.

bidetaggle · February 1, 2019, 9:11am

I want the app accessible by https://interesting-links.luteciacorp.org/ (which internally go to http://localhost:3000 with proxy/reverse proxy settings) and the android client. I wouldn’t like an user using insecure http protocol for his own security but there is no reason for him to type http://interesting-links.luteciacorp.org:3000/ (except a redirection/social engineering ?)

My concern is mostly this one: Is it possible for an attacker to do something using the app directly through port 3000 which could lead to an intrusion in my server or something similar ?

rjdavid · February 3, 2019, 2:34pm

You can make url:3000 only accessible by the reverse proxy that you set so that all external connections must go through url:80

rhywden · February 3, 2019, 5:14pm

You can use iptables to make the port 3000 inaccessible from outside.

doctorpangloss · February 4, 2019, 7:43am

Don’t use Apache.
Especially don’t do ACME in Apache this way.
Your ROOT_URL is wrong, that’s why you have CORS issues. Why are you setting it to localhost, when your root URL is https://interesting-links.luteciacorp.org/? I mean that’s what the error says! It’s telling you that’s the issue!

I’d recommend Traefik, it might be easier for you to understand and it handles creating an SSL certificate for you automatically with ACME.

bidetaggle · February 8, 2019, 5:30pm

Because it doesn’t work with https://interesting-links.luteciacorp.org, I have actually CORS issues when I set this as ROOT_URL and it disappeared when I set it to localhost:3000 then I reverse proxy. I tried all the combinations possible before and this last one works although this error Make sure ROOT_URL has been configured correctly on the server which sounds more like a warning to me.

Why shouldn’t I use apache ? I already have a website running on it (/var/www/html/ main domain name), I’d like to put my app server on /var/www/interesting-links/ because the structure seems simple and I already got to know apache config files.

Could you explain me with more details if you have a better idea to make it works properly in a simple way ?

From Traefik website:

Traditional reverse-proxies require that you configure each route
that will connect paths andsubdomains to each microservice.
In an environment where you add, remove, kill, upgrade, or scale
your services many times a day, the task of keeping the routes up
to date becomes tedious.

I have only 2 routes that I want to configure:

I’d like first, to understand the basics, I don’t need Traefik but thanks for link, I’ll store it somewhere

doctorpangloss · February 8, 2019, 7:36pm

I’m trying to say you’ve misconfigured Apache. I’m not sure how to configure it correctly, but it’s definitely misconfigured. I mean, clearly it is, because it’s not working right?

It’s rewriting the Host to appear that they’re from localhost:3000 (i.e., the place where Apache is running, which is totally reasonable). So when a CORS (OPTIONS) request is made, the server thinks it’s okay, but the client code knows it’s actually being served from a real domain. This is why your ROOT_URL variable appears to be misbehaving.

Because it’s full of pitfalls, and tutorial for it are really a collection of things-that-work for people as opposed to some cogent narrative about how it works.

bidetaggle · February 8, 2019, 10:04pm

This “bad” configuration works and is the only one working, with PORT=3000 ROOT_URL=localhost

if ROOT_URL=https://interesting-links.luteciacorp.org
then CORS issues
endif

rhywden · February 8, 2019, 11:35pm

Are you married to the idea of using Apache?

Because nginx is a bit easier to configure in that regard.

bidetaggle · February 8, 2019, 11:41pm

Well, if this actual configuration doesn’t have any security issue, as long as it works I guess it’s better to settle with apache for now. I barely know nginx but I’m open to suggestions.

rhywden · February 9, 2019, 12:41pm

Well, for me nginx works fine without any kind of CORS issue and I also can set the root_url to its proper value. So there’s that.

bidetaggle · February 18, 2019, 12:27pm

ok, thanks for the advice, I keep it in mind for later