
I'm building a MEAN stack application, and I just found out that it's a best practice to let Nginx serve static files (currently my Node is serving static files) and use a reverse proxy. I was able to serve a static file and set up the reverse proxy on Nginx. My question is: is there a way to secure access to the static files?

This is my Nginx code

server {
    listen 80;

    location /static {
        alias /var/www/project/public;
        autoindex off;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Under the public folder I have style.css, so when I go to the URL localhost/static/style.css, I can see my code. So I imagine that if I deployed my website to the public with its own domain name, users could access my static files just by going to www.domainname.com/static/style.css. Is this normal? Or is there a way to limit access so that the NodeJS server is the only thing that can access the static files? Or am I getting this wrong?

Thanks! Sorry, I'm new to this web development world, but I'm learning.

1 Answer

You can limit access using nginx by adding the following to your location definition:

#This would be the IP of the server you want to have access to your protected file
allow 123.123.123.123/32;
deny all;

But in this case, you don't want to restrict access to your static files. The user loading the web page needs access to the css files to display it correctly. If you were to watch the network traffic of when you loaded a web page, you would see that your browser downloads all the client side CSS, JS, and HTML files it needs to run properly. So it is completely normal for people to be able to just look at CSS files that are hosted statically. Usually a backend NodeJS server has no use for CSS files.


3 Comments

Thanks sir! What I'm worried about is that, since I'm building an AngularJS application, I also need to statically serve my controllers, services, directives and my main app.js (where my .config and modules are defined). I was worried that a user will check these files.
Anything you put in client side javascript will be viewable by users using your website. Though there are tools to "build" javascript which will obfuscate it and shove it all into a single JS file so it is not as easy to see what is being done in the JS file, this still doesn't guarantee the safety of keys/credentials you might be using in your application. Anything sensitive such as credentials should only be used in server side code that is not available to the client.
Thanks for this helpful info!
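
An added example, not code from the question, the answer or the comments: since everything under `/static` is readable by any visitor, a pre-deploy check can flag credential-like literals in the files nginx will serve. The rule patterns, function names and the sample `app.js` content are assumptions constructed for illustration; `scanDir` assumes Node.js with CommonJS.

```javascript
// Added example: flag credential-like literals in files served from /static.
// The patterns are illustrative heuristics, not a complete secret detector.
const RULES = [
  { id: 'named-secret',
    re: /(api[_-]?key|secret|passw(or)?d|token)['"]?\s*[:=,]\s*['"]([^'"\s]{8,})['"]/i },
  { id: 'private-key', re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { id: 'url-credentials', re: /[a-z][a-z0-9+.-]*:\/\/[^\/\s:@'"]+:[^\/\s:@'"]+@/i },
];

// Scan one file's text. Returns [{ file, line, rule }] and never echoes the value.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((src, i) => {
    for (const { id, re } of RULES) {
      if (re.test(src)) findings.push({ file, line: i + 1, rule: id });
    }
  });
  return findings;
}

// Walk the directory behind `location /static` (the alias path in the question)
// and report each finding under the URL a visitor would request.
function scanDir(root, dir = root) {
  const fs = require('fs'), path = require('path'); // CommonJS assumed
  return fs.readdirSync(dir, { withFileTypes: true }).flatMap((e) => {
    const full = path.join(dir, e.name);
    if (e.isDirectory()) return scanDir(root, full);
    if (!/\.(js|json|html|css|map)$/.test(e.name)) return [];
    return scanSource('/static/' + path.relative(root, full), fs.readFileSync(full, 'utf8'));
  });
}

// Constructed sample: an AngularJS app.js like the one described in the comments.
const SAMPLE_APP_JS = [
  "angular.module('app', ['ngRoute'])",
  "  .constant('API_BASE', '/api/v1')",
  "  .constant('API_KEY', 'constructed-example-key-0001')",
  "  .config(function ($routeProvider) { /* routes */ });",
  "var db = 'mongodb://appuser:constructed-pass@127.0.0.1/project';",
].join('\n');

const sampleFindings = scanSource('/static/app.js', SAMPLE_APP_JS);
console.log(sampleFindings);
```

On a real deployment, call `scanDir('/var/www/project/public')` in the build step and fail the build when it returns any findings; values it flags belong in server-side code behind the proxied `/` location.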
