I have a web server on EC2. I am facing a security problem.
Since I am running Spring Boot on my instance, I need to use port 8080.
Should I allow anyone to visit port 8080 directly (allow port 8080 in the AWS security policy, with Spring Boot listening on myip:8080), or use a proxy (Apache2's) to forward, so that people can only visit port 80 and the proxy forwards to localhost:8080 (in this case Apache2 listens on port 80 and Spring Boot listens on localhost:8080)? In other words, which one is better (more secure):
visitor -> myip:8080 or
visitor -> myip:80 -proxy forward-> localhost:8080
Or are they the same?
Also, the Apache2 docs say that we have to secure our server (https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#access) before using a proxy. What should I put for the highest security?
2 Answers
The first point with your question is that you are using unprotected communication over the mentioned ports. Best practice suggests not using either 80 or 8080; configure SSL/TLS and use 443 and 8443 instead. This serves the web over secure communication channels and protects data in transit.
I would go with this: "visitor -> myip:80 -proxy forward-> localhost:8080", i.e. having a reverse proxy is the wiser choice. At first sight that means your visitor wouldn't have any clue about your back-end technology (hiding your app from reconnaissance).
Back to more scientific reasoning: what are the advantages of using reverse proxies in a security context? This helps not to directly expose Spring Boot to the world. How? You configure Apache or Nginx as a reverse proxy on the public IP, port 80/443, and pass the requests to the loopback/local address on port 8080/8443. Please note that in the AWS SG firewall rules you only need to open ports 80/443 and nothing else, since 8080/8443 will be on loopback.
This practice is in accordance with the basic security principle of least common mechanism and, to some extent, separation of privilege. Let's say: don't put all your eggs in one basket. Example: a web server only needs to serve the web, but Spring Boot might need to access a database; let's not mix web-serving functionality and database read/write access in one component.
By using a reverse proxy and having the web server logic separated from the application logic you can achieve the following:
0– Satisfy compliance requirements. Many compliance requirements dictate this isolation/logical separation of web service and application, where the application logic remains in an internal network (reducing the attack surface by isolating the precious component).
1– Define redirection rules, URL rewriting and simplified domain names; redirect/forward specific paths or requests to other places, etc.
2– You can simplify access control and load balancing, or maybe use an application firewall and data flow control to filter traffic before it hits the actual app logic: Spring Boot.
3– Transparent maintenance of the app is possible.
4– Avoid exposing Actuator endpoints to the world.
5– Implement a caching mechanism.
6– Have web logs and app logs separated for easier troubleshooting.
Etc.
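The layout the answer above recommends, as an added example that is not part of the original answer: a script for a Debian/Ubuntu-style Apache install on the EC2 host that writes the Spring Boot properties binding the app to loopback, writes the Apache reverse-proxy vhost (forward proxying off, as the mod_proxy access-control warning asks, and the Actuator path denied), and checks from "ss" output that 8080 is not bound on a wildcard address. The file paths, ServerName example.com, the /actuator prefix and the use of the Spring Boot 2.2+ forward-headers property are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original answer: set up the
# "visitor -> :80 -> Apache reverse proxy -> 127.0.0.1:8080 -> Spring Boot"
# layout on a Debian/Ubuntu-style EC2 host and verify that Spring Boot is
# reachable only on loopback. Paths, ServerName and the /actuator prefix are
# assumptions for illustration.
set -eu

APACHE_SITE=${APACHE_SITE:-/etc/apache2/sites-available/springboot.conf}
APP_PROPS=${APP_PROPS:-/opt/app/config/application.properties}

# 1. Spring Boot side: bind the embedded server to loopback only. Even if the
#    AWS security group is ever opened for 8080, nothing outside the host can
#    reach it; the SG rule then only needs 80 (and 443 once TLS is added).
spring_boot_props() {
cat <<'EOF'
server.address=127.0.0.1
server.port=8080
# Trust X-Forwarded-* headers set by the proxy (Spring Boot 2.2+ property),
# so redirects and cookies use the public host rather than 127.0.0.1:8080.
server.forward-headers-strategy=native
EOF
}

# 2. Apache side: reverse proxy only. "ProxyRequests Off" refuses forward-proxy
#    use, which is what the mod_proxy "Access control" warning is about; the
#    <Location> block drops Spring Boot Actuator requests before they reach
#    the app (point 4 of the answer above).
apache_vhost() {
cat <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    ProxyRequests Off
    ProxyPreserveHost On
    <Location "/actuator">
        Require all denied
    </Location>
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
    ErrorLog  ${APACHE_LOG_DIR}/springboot-error.log
    CustomLog ${APACHE_LOG_DIR}/springboot-access.log combined
</VirtualHost>
EOF
}

# 3. Verification: read "ss -Hltn" output (one listening socket per line,
#    local address:port in the 4th column) and succeed only if every :8080
#    listener is bound to 127.0.0.1 or [::1]. A wildcard bind (0.0.0.0, * or
#    [::]) means the app is exposed the moment the security group lets 8080 in.
listeners_ok() {
    bad=0
    while read -r _state _recvq _sendq local_addr _rest; do
        case "$local_addr" in
            127.0.0.1:8080|\[::1\]:8080) ;;
            *:8080) echo "port 8080 is bound on $local_addr, not loopback" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage: sudo ./deploy.sh install        (write both files, enable the site)
#        ss -Hltn | ./deploy.sh check    (after restarting Spring Boot)
case "${1:-}" in
    install)
        install -d "$(dirname "$APP_PROPS")"
        spring_boot_props > "$APP_PROPS"
        apache_vhost > "$APACHE_SITE"
        a2enmod proxy proxy_http >/dev/null
        a2ensite "$(basename "$APACHE_SITE" .conf)" >/dev/null
        apachectl configtest && systemctl reload apache2
        ;;
    check) listeners_ok ;;
esac
```

The "check" step is the part worth keeping around: the security group and the vhost only matter if the app itself stopped listening on 0.0.0.0, and "ss -Hltn | ./deploy.sh check" confirms that after every restart. With this in place the security group needs inbound 80 only (plus 443 once a certificate is configured on the Apache side), exactly as the answer says.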
I don't know what you mean by "I am facing a security problem".
google.com runs on 172.217.27.196. If you try this in your browser it will open the Google home page. So in the end you will have to open your application to the world, whether it's on 80 or 8080.
But yes, http://test.com is different from https://test.com, as in the case of https all data sent over the network is encrypted.
Let's say you fire a login API and someone has access to your network: they can use Wireshark to see what data is actually sent, as on http the data will not be encrypted.
There are many other ways which will add security. You can use proxy servers, as you described in the question.