I like to put my hobby node.js/express server applications behind nginx reverse proxy for SSL termination and host binding. Nginx accepts https connections (using letsencrypt); then nginx uses SNI to determine which app they are intended for; and finally passes them through to node as plain http requests. Basically, I have node apps listening on ports in the 9000-9999 range, nginx listens on 443 and 80 then passes the requests through to the backend ports. I do not, however, want the apps to be publicly accessible on their “backend” ports.

The following code is how you typically start listening for http requests in a node/express server app.

app.listen(port, () => console.log(`listening on `${port}`))

This change will force node to only listen to local requests, such as those generated by nginx’s reverse proxy. And ignore those coming from external interfaces.

app.listen(port, "localhost", () => console.log(`listening on `${port}`))