Security considerations when using Apache with SSL enabled and Node.JS without SSL

Çağlar Arlı

So I have a peculiar setup to work with. The main server is your standard run-of-the-mill Apache server with SSL enabled, bound to a public domain (NOT localhost!). My Node.JS server runs on localhost:8080. They both run on the same machine, so there are no network security considerations.

I have successfully set up a ProxyPass and VirtualHost for port 8080.

httpd.conf:

SSLProxyEngine on
ProxyPass /mycustompath http://localhost:8080

http-vhosts.conf:

<VirtualHost *:8080>
    ServerName example.com
    ServerAlias *.example.com
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPreserveHost On
    ProxyPass /mycustompath http://localhost:8080
    ProxyPassReverse /mycustompath http://localhost:8080
    SSLCertificateFile "mypathto/server.crt"
    SSLCertificateKeyFile "mypathto/server.key"
</VirtualHost>

The URL https://example.com/mycustompath points internally to the http://localhost:8080. Using Postman I was able to confirm that the entire setup works properly.

However, I am unsure if this is safe and if SSL is used properly. Does Apache handle the SSL and then forward the decrypted request, or is the connecting client fully redirected to the Node.JS server on localhost? Right now I am not using HTTPS in my Node.JS server code. Do I need to?

Additional note: I have tried without the SSLProxyVerify portion in http-vhosts.conf, but then I get an SSL handshake error. I assume the Apache server is expecting the Node.JS server to have SSL enabled in this case.
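
For a setup like the one described, where Apache terminates TLS and proxies plain HTTP to Node.js on localhost:8080, the following shows the Node.js side: bind to loopback only and believe forwarded headers only when the peer is the local proxy. This is an added example, not part of the original post. It assumes Apache also sets `RequestHeader set X-Forwarded-Proto "https"` (mod_headers); the function names and sample requests are constructed for illustration.

```javascript
// Added example: plain-HTTP Node.js backend behind a TLS-terminating Apache proxy.
// Assumption: Apache sets `RequestHeader set X-Forwarded-Proto "https"` (mod_headers).
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

// Decide what the backend may believe about a request.
// `req` needs only `socket.remoteAddress` and `headers`, like http.IncomingMessage.
function clientContext(req) {
  const peer = req.socket.remoteAddress;
  if (!LOOPBACK.has(peer)) {
    // Not from the local proxy: forwarded headers are client-controlled, ignore them.
    return { viaProxy: false, scheme: 'http', clientIp: peer };
  }
  // mod_proxy appends the real client address to any X-Forwarded-For the client
  // sent, so only the last entry was written by Apache.
  const xff = String(req.headers['x-forwarded-for'] || '').split(',');
  const clientIp = xff[xff.length - 1].trim() || peer;
  const scheme = req.headers['x-forwarded-proto'] === 'https' ? 'https' : 'http';
  return { viaProxy: true, scheme, clientIp };
}

// Request handler: refuse anything that did not arrive over TLS via the proxy.
function handler(req, res) {
  const ctx = clientContext(req);
  if (!ctx.viaProxy || ctx.scheme !== 'https') {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    return res.end('direct or non-TLS access refused\n');
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end(`hello ${ctx.clientIp} (TLS ended at Apache)\n`);
}

// Bind to loopback only, so port 8080 is unreachable from other hosts;
// the peer check above is defense in depth if the bind address ever changes.
function start(http) {
  return http.createServer(handler).listen(8080, '127.0.0.1');
}
// To run the server: start(require('node:http'));

// Constructed sample requests (not captured traffic).
const samples = [
  { socket: { remoteAddress: '127.0.0.1' },   // via Apache, client spoofed first entry
    headers: { 'x-forwarded-for': '10.9.9.9, 203.0.113.7', 'x-forwarded-proto': 'https' } },
  { socket: { remoteAddress: '198.51.100.4' }, // direct hit with forged headers
    headers: { 'x-forwarded-for': '127.0.0.1', 'x-forwarded-proto': 'https' } },
];
for (const s of samples) console.log(clientContext(s));
```

Any other process on the same machine can also connect over loopback, so the peer check separates remote from local callers, not Apache from other local software.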