Node.js application security – with Nginx, Let’s Encrypt & Docker Compose

In today’s digital world, ensuring the security of your application is crucial. This blog post shows you how to secure a containerized Node.js application with Nginx, Let’s Encrypt, and Docker Compose.

Application security is an essential aspect of development. By using a reverse proxy like Nginx, which allows load balancing, caching of static content, and TLS implementation, you can improve the security and performance of your application. This post guides you through the steps to secure a containerized Node.js application with Nginx and Let’s Encrypt using Docker Compose.

Prerequisites – Node.js

• An Ubuntu 18.04 server with a non-root user with sudo privileges and an active firewall.
• Docker and Docker Compose installed on your server.
• A registered domain that you can use for your application.
• The DNS records for your domain configured.

Step 1 — Cloning and Testing the Node Application

First, clone the repository with the Node application code. Then, test the application to ensure everything works. This step involves building and running the application without a reverse proxy or SSL.

git clone https://github.com/do-community/nodejs-image-demo.git node_project

cd node_project

docker build -t node-demo .

docker run –name node-demo -p 80:8080 -d node-demo

Step 2 — Defining Web Server Configuration

After testing the Node application, create a configuration file for the Nginx web server. This configuration will enable forwarding requests to your Node application and handling certificate requests from Certbot.

Step 3 — Creating the Docker Compose File

The `docker-compose.yml` file defines the services for your application, the web server, and the Certbot container. It includes details like named volumes, networks, and port information.

version: ‘3’

services:

nodejs:

# Configuration for the Node service
webserver:

# Configuration for the Nginx web server
certbot:

# Configuration for the Certbot container

Step 4: Starting the Containers

First, we need to start the containers with the `docker-compose up` command. This will create and run the containers and services in the order we specified. Once the domain requests are successful, certificates will be provided in the `/etc/letsencrypt/live` folder of the web server.

docker-compose up -d

Step 5: Checking the Services

We can check the status of our services with the `docker-compose ps` command. The `nodejs` and `webserver` services should show as “Up,” while the `certbot` container should have exited with “Exit 0” status. Otherwise, we can check the service logs with the `docker-compose logs` command.

docker-compose ps

Step 6: Adjusting Certificate Requests

We can edit the `certbot` service definition to remove the `–staging` flag and replace it with the `–force-renewal` flag. This instructs Certbot to request a new certificate with the same domains as an existing certificate.

certbot:

image: certbot/certbot

container_name: certbot

volumes:

– certbot-etc:/etc/letsencrypt

– certbot-var:/var/lib/letsencrypt

– web-root:/var/www/html

depends_on:

– webserver

command: certonly –webroot –webroot-path=/var/www/html –email sammy@your_domain –agree-tos –no-eff-email –force-renewal -d your_domain -d www.your_domain

Step 7: Updating Nginx Configuration

To enable SSL in our Nginx configuration, we need to add an HTTP redirect to HTTPS and specify the SSL certificate and key locations. We must also specify the Diffie-Hellman group used for Perfect Forward Secrecy.

server {

listen 80;

listen [::]:80;

server_name your_domain www.your_domain;

location ~ /.well-known/acme-challenge {

allow all;

root /var/www/html;

}
location / {

rewrite ^ https://$host$request_uri? permanent;

}

}
server {

listen 443 ssl http2;

listen [::]:443 ssl http2;

server_name your_domain www.your_domain;
server_tokens off;
ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
ssl_buffer_size 8k;
ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
ssl_protocols TLSv1.2;

ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_ecdh_curve secp384r1;

ssl_session_tickets off;
ssl_stapling on;

ssl_stapling_verify on;

resolver 8.8.8.8;
location / {

try_files $uri @nodejs;

}
location @nodejs {

proxy_pass http://nodejs:8080;

add_header X-Frame-Options “SAMEORIGIN” always;

add_header X-XSS-Protection “1; mode=block” always;

add_header X-Content-Type-Options “nosniff” always;

add_header Referrer-Policy “no-referrer-when-downgrade” always;

add_header Content-Security-Policy “default-src * data: ‘unsafe-eval’ ‘unsafe-inline’” always;

#add_header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload” always;

# enable strict transport security only if you understand the implications

}
root /var/www/html;

index index.html index.htm index.nginx-debian.html;

}

Step 8: Renewing Certificates

Since Let’s Encrypt certificates are only valid for 90 days, we need to set up an automated renewal process. This can be done with a cron job that runs a script to renew the certificates and reload the Nginx configuration.

#!/bin/bash

COMPOSE=”/usr/local/bin/docker-compose –ansi never”

DOCKER=”/usr/bin/docker”
cd /home/sammy/node_project/

$COMPOSE run certbot renew –dry-run && $COMPOSE kill -s SIGHUP webserver

$DOCKER system prune -af

Node.js Conclusion

With Docker Compose, we have set up SSL certificates for our application and implemented an automated renewal process. By utilizing containers, we have created a flexible and scalable solution to ensure the security of our web application. Secure Node.js Application – with Nginx, Let’s Encrypt & Docker Compose