After getting traffic on port 8443 encrypted, you feel like you are doing your part in keeping your users' information secure. But you are wrong. The proxy only protects traffic that actually passes through it. Clients can bypass your proxy server and speak unencrypted HTTP directly with your Express service through http://example.com:5001/.
The fix is to block outside clients from ever connecting to port 5001, so that only the proxy on the same machine can reach the Express service. This is done using a firewall. A popular Linux firewall is Uncomplicated Firewall (ufw). It is far easier to use than the fictitious Complicated Firewall. You install it with this command in your terminal:
sudo apt install ufw
Out of the box, ufw blocks all incoming communication from other parties on the network. It allows all outgoing communication. Thank goodness the firewall does not start running immediately after you install it. Otherwise your SSH session would get cut off. You confirm that it is not running with this command:
sudo ufw status
You open up traffic on port 22, which is the one usually used by SSH, with this command:
sudo ufw allow 22
Try similarly allowing traffic on ports 80, 443, and 8443. These are the ones that Apache and Nginx are listening on.
Now you are ready to enable the firewall with this command:
sudo ufw enable
Try accessing your web service through port 5001 now. The connection attempt will be blocked by the firewall and should eventually time out rather than being refused, because ufw's default deny policy silently drops the packets instead of answering them.
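As an added check that is not part of the original article, this POSIX shell script audits the finished state: it parses the text that sudo ufw status prints and confirms that the firewall is active, that ports 22, 80, 443, and 8443 have ALLOW rules, and that no rule exposes port 5001. The sample status output embedded in it is constructed, so the script can be tried on a machine without ufw.

```shell
#!/bin/sh
# Added check for the ufw setup above: parses the text `sudo ufw status`
# prints and confirms the firewall is active, the intended ports are
# allowed, and the Express port 5001 has no rule exposing it.

# Constructed sample of `ufw status` output (not captured from a real host),
# used here so the script can be tried without a firewall present.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
8443                       ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)'

# port_allowed STATUS PORT: succeeds if an ALLOW rule for PORT is listed
port_allowed() {
  printf '%s\n' "$1" | awk -v p="$2" '$1 == p && $2 == "ALLOW" { f = 1 } END { exit !f }'
}

# firewall_active STATUS: succeeds if the first line reads "Status: active"
firewall_active() {
  printf '%s\n' "$1" | head -n 1 | grep -q '^Status: active$'
}

# audit_status STATUS: prints one line per finding, succeeds only if all pass
audit_status() {
  ok=0
  if firewall_active "$1"; then echo "ok: firewall active"
  else echo "PROBLEM: firewall inactive, port 5001 reachable"; ok=1; fi
  for p in 22 80 443 8443; do
    if port_allowed "$1" "$p"; then echo "ok: port $p allowed"
    else echo "PROBLEM: port $p has no ALLOW rule"; ok=1; fi
  done
  if port_allowed "$1" 5001; then echo "PROBLEM: port 5001 exposed"; ok=1
  else echo "ok: port 5001 not exposed"; fi
  return $ok
}

# On a real host: audit_status "$(sudo ufw status)"
audit_status "$SAMPLE_STATUS"
```

Run it after sudo ufw enable; a non-zero exit status means at least one PROBLEM line was printed.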