How to secure a Node JS proxy with a dynamic target?
In an attempt to learn more about the intricacies of NodeJS and security, I am playing with communicating via raw TCP sockets via a TCP-to-TCP proxy that I've set up with net.createConnection().

In my playground I have the following setup: My Custom NodeJS Telnet Client > My NodeJS TCP-to-TCP Server Proxy > Server Requested by Telnet Client

What I have discovered is that with my Telnet Client I can make a request to the proxy server for localhost:3306 and that my proxy server will connect me to the DB running on the proxy server. Of course, not good. It seems easy enough, right? Block localhost, 127.0.0.1, etc... But it seems to me that I can never know what hostnames point to an internal address. For example, lndo.site is a public domain, but it publicly points to 127.0.0.1. This means that if this were a real-world application I would have to determine which hosts are safe to forward to. Is this even possible?

Is the only "safe" method to put the proxy on the server that has no other TCP services running? Can loopbacks be blocked?
node.js security proxy
asked Mar 23 at 20:07
TylersSN