So I have a peculiar setup to work with. The main server is your standard off-the-mill Apache server with SSL enabled bound to a public domain (NOT localhost!). My Node.JS server runs on localhost:8080. They both run on the same machine so there are no network security considerations.
I have successfully setup a ProxyPass and VirtualHost for port 8080.
httpd.conf:
SSLProxyEngine on ProxyPass /mycustompath http://localhost:8080 http-vhosts.conf:
<VirtualHost *:8080> ServerName example.com ServerAlias *.example.com SSLProxyEngine on SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off ProxyPreserveHost On ProxyPass /mycustompath http://localhost:8080 ProxyPassReverse /mycustompath http://localhost8080 SSLCertificateFile "mypathto/server.crt" SSLCertificateKeyFile "mypathto/server.key" </VirtualHost> The URL https://example.com/mycustompath points internally to the http://localhost:8080. Using Postman I was able to confirm that the entire setup works properly.
However, I am unsure if this is safe and if SSL is used properly. Does Apache handle the SSL and the forward the decrypted request or is the connecting client fully redirected to the Node.JS server on localhost? Right now I am not using HTTPS in my Node.JS server code. Do I need to?
Additional note: I have tried without the SSLProxyVerify portion in http-vhosts.conf, but then I get an SSL handshake error. I assume the Apache server is expecting the Node.JS server to have SSL enabled in this case.
http://localhost:8000. If your NodeJS app is bound to a local interface, then only a process on the same machine can connect to it, this is by definition. So the client cannot connect directly to it. In short, Apache is not acting as a forward HTTP proxy nor as a SOCKS proxy, it is in reverse proxy conf and it's terminating the TLS connection for your app. This is a standard deployment and it's perfectly fine.