问题描述
刚刚开始处理NodeJS Web应用程序,并且有一个基本问题.
Just started deal with NodeJS web apps and have a fundamental question.
由于我来自PHP领域,所以我知道PHP具有 -在HTTP服务器中,但实际上没有人使用它,我们使用nginx并在史前项目中将Apache作为HTTP服务器,当我进入ExpressJS时,我发现所有示例都在谈论监听ExpressJS打开的HTTP服务器(通过http NodeJS课程模块),但没有人谈论过通过FastCGI使用它(nginx-> FastCGI(例如 node-fastcgi )->我的ExpressJS应用),就像我以前使用PHP一样(nginx-> PHP-fpm->我的PHP env),我想知道为什么吗?
Since i came from the PHP realm, i know PHP have a built-in HTTP server but no one actually use it and we used nginx and in the prehistoric projects Apache as HTTP server, when i came into ExpressJS i found that all examples talking about listening to the HTTP server that ExpressJS open (via http NodeJS module of-course) but no one talking about use it via FastCGI (nginx -> FastCGI (e.g. node-fastcgi) -> my ExpressJS app) like i used to do with PHP (nginx -> PHP-fpm -> my PHP env) and i wonder why?
据我了解,NodeJS应用程序非常快,无阻塞的I/O等等,但是像所有人一样,使用该应用程序存在一个安全漏洞,因为运行的服务在JavaScript环境中具有相同的公共资源. ,例如,一个用户可以错误地(或不可以)与其他用户共享敏感信息.我们假设开发人员犯了这样的错误:
As far as i understood, NodeJS app is very fast, non-blocking I/O and so on but there is a security hole using the app like everybody show, since the service that run have same common resources in the JavaScript environment, one user can share by mistake (or not) sensitive information with others, for instance. let's assume the developer made a mistake like this:
router.post('/set-user-cc', function(res){
global.user = new User({
creditCard: req.param('cc')
});
});
其他用户确实会这样请求:
And other user do request like that:
router.get('/get-user-cc', funciton(req, res){
res.json(global.user);
});
这时每个用户都将获得该用户的抄送信息.
At this point each user will get the user's CC info.
通过FastCGI使用我的ExpressJS应用将为每个HTTP请求打开一个干净的JavaScript环境,并且用户不会互相伤害.
Using my ExpressJS app via FastCGI will open a clean JavaScript environment for each HTTP request and users won't hurt each other.
很高兴听到NodeJS(网络)应用程序经验丰富的开发人员,为什么没人建议使用FastCGI解决方案(在Google上搜索却几乎什么也没找到),如果这样,为什么太糟糕了?
It'll nice to hear form NodeJS (web) apps experienced developers why no one suggest to use the FastCGI solution (searched on Google and found almost nothing) and if so, why it's too bad?
(p.s.这个例子只是为了说明问题,这实际上不是某人做的,而是我们知道宇宙中存在许多愚蠢的人:)
(p.s. the example is just to demonstrate the problem it's not something that someone actually did, but as we know lot of stupid people exists in the universe :)
谢谢!
推荐答案
如果您整理代码,在严格的条件下运行模式,并且不要使用这样的全局变量.
You won't do mistakes like that if you lint your code, run under strict mode, and don't use global variables like that.
此外,在nodejs Web应用程序中,您通常还希望使服务器无状态并将所有数据保留在数据库中.这也将使其成为更具扩展性的体系结构.
Also in nodejs web applications you generally want to make the server stateless and keep all the data in the databases. This would also make it a more scalable architecture.
在安全性非常重要的应用程序中,您也可以对其进行大量的模糊测试,以发现类似的问题.
In applications that are security super important, you can throw heavy fuzzy testing at it to find problems like that too.
如果您执行了所有这些操作,再加上严格的代码审查过程,则完全不必担心.
If you do all this, plus having a strict code review process, you won't have to worry about it at all.
FastCGI不能防止此问题,因为单个或几个连接用于与处理请求的服务器进行通信(在这种情况下为node.js),并且HTTP连接通过它进行多路复用.一个node.js进程将一次处理多个请求.
FastCGI doesn't prevent this problem as a single or a few connections is used to communicate with the server that processes the requests(node.js in this case) and HTTP connections are multiplexed through it. A node.js process will handle multiple requests at a time.
您可能会以某种方式提出一种启动线程的解决方案,但速度会慢很多.如果您将node.js用于需要高可靠性或无法承担小错误的事情(例如与健康相关的设备),则node.js是错误的平台.
You can potentially somehow make a solution that launches a thread but it'll be a lot slower. In case if you are using node.js for things that are required to be have high reliability or can't afford small mistakes(for example health related devices), node.js is the wrong platform for it.
这篇关于通过FastCGI使用ExpressJS应用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!