Node.js e Plesk Giacomo Lanzi

Node.js via SOD hosting panel

If you are interested in hosting Node.js apps on your web space, we have good news! The control panel offered by SOD, based on Plesk, is equipped with a Node.js extension that allows you to easily manage applications. In this article we see how it is possible to integrate Node through the control panel.

Host a Node.js application from the Plesk panel

To verify that everything is working, let’s try hosting a Node.js application in the panel. We will use a generic “Hello, World” application. To do this, we will use the Git extension that you find directly from the panel. It would also be possible to upload the application directly to the server, but I thought that implementing a second extension could also be useful for the purposes of this mini guide.

Once you have accessed the SOD Plesk panel, you will need to create a destination folder for the application. Select the “Files” tab, create a “hello-world” folder. From the “Websites & Domains” tab, among the available components, select Git. If you own more than one domain, be sure to select the option under the correct one.

Create Folder by Application

The second screen on where to find the Git icon:

Git icon

Setting up a local repository

Now let’s set up a local repository as a clone of a remote one to download the code to the folder you created a moment ago. The URL of the repository we will clone is:

To do this, click on the Git icon, set the URL in the space provided and select the “hello-world” folder you created a while ago.

Repository settings

Differences between “Application root” and “Document root” folders

The next step is to change the Document root folder for the domain. Note that the Document root and Application root folders are not the same. When we talk about web apps (such as those based on Node.js), the document root is the position where the static resources are located, while the application root is the root directory where the app. In most cases, the Document root is a folder within the Application root.

Right now we need to change the document root. To do this, go to the “Websites & Domains” panel, select the correct site and go to “Hosting Settings” (right above Git) and click the link:

Root of documents - Node.js

Change the current “Document root” to hello-world/public.

Enable support for Node.js

Before running the “Hello World” app, the last thing you need to do is enable support for Node.js on the domain. Then go to the “Websites & Domain” panel and click on the appropriate option. Here you can see some information about the app. Click on “Enable Node.js” and in a few moments this will be enabled.

Enable Node.jsAbilitato

At this point, if everything went well, clicking on the “Application URL” you should see a screen that says “Hello World!”. Congratulations, you have just installed and run an app on your domain.

Applications with dependencies

Applications built with Node.js, more often than not, must satisfy dependencies that are defined in the package.json file, which is installed in the “node_modules” directory.

Let’s look at another ExpressJS-based application. You can find it in its repository, upload it manually, or repeat the steps described in the previous section. Here is the repository: Once you have things sorted out, you will find yourself as in the screenshot below, assuming you have cloned the repository in the express-demo folder:

Node.js Express-demo

Install the dependencies and change the startup file

Before trying to access the app, you need to initialize it. Let’s start by installing the dependencies. Fortunately, in the Plesk panel of SOD, there is a simple “NPM install” button. This is done to install app dependencies based on the “package.json” file. Install the dependencies this way, for convenience.

Finally, we need to set up the app’s startup file. Plesk uses the Phusion Passenger server application to service the Node.js apps. In the demonstration repository, there is a file called “server.js”. This, which is not a common part of ExpressJS-based apps, contains a few lines of code necessary to make the app work:

const app = require (‘./ app’);
const http = require (‘http’);

http.createServer (app) .listen (process.env.PORT);
You can use the idea behind this file when hosting other Node.js applications, for example based on a different framework. The last thing you have to do is change the “Application Startup File” option and set it to “server.js”.

Node.js Startup File

At this point, browsing to the address that hosts the app, you should see the ExpressJS welcome screen.

Solve problems

For every Node.js developer it is essential to know how to identify problems to find a solution. To do this, here are a couple of tips that might help you Debug.

Checking the log file

The first thing to do when debugging a Node.js application is to check the log files. For example, if you forget to install the dependencies for the Express demo app, the server error log will contain the error “cannot find module ‘express'”. Unfortunately, due to how Phusion Passenger works, server level error logs are used instead of per domain error logs. In this case, end users will see a simple generic error message.

To check the server log messages, go to the “Websites & Domain” panel, under the domain concerned, look for the log option. Clicking on it will give you access to a screen of the logged messages.


See messages directly on the app screen

It can be very useful to see the error messages directly on the app website, without looking for the option in the control panel. Go to the Node.js app settings screen and change the application mode to “development”. The next time a problem occurs, the error will be shown in the browser window.

Furthermore, if the app is in “development” mode, it is not necessary to restart the app every time you change the contents of a file.


As we have seen, implementing Node.js applications on your domain is really simple with the Plesk control panel of the SOD hosting service, which is once again very flexible, intuitive and easy to use.

If you want to try this and other features, you can test the demo version by simply clicking here.

Useful links:

VPS hosting services – Cloud server







More Articles…

Categories …


RSS darkreading

RSS Full Disclosure

  • APPLE-SA-06-10-2024-1 visionOS 1.2 June 12, 2024
    Posted by Apple Product Security via Fulldisclosure on Jun 11APPLE-SA-06-10-2024-1 visionOS 1.2 visionOS 1.2 addresses the following issues. Information about the security content is also available at Apple maintains a Security Releases page at which lists recent software updates with security advisories. CoreMedia Available for: Apple Vision Pro Impact: An app may be […]
  • CyberDanube Security Research 20240604-0 | Multiple Vulnerabilities in utnserver Pro/ProMAX/INU-100 June 9, 2024
    Posted by Thomas Weber via Fulldisclosure on Jun 09CyberDanube Security Research 20240604-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| SEH utnserver Pro/ProMAX / INU-100 vulnerable version| 20.1.22 fixed version| 20.1.28 CVE number| CVE-2024-5420, CVE-2024-5421, CVE-2024-5422 impact| High homepage|
  • SEC Consult SA-20240606-0 :: Multiple critical vulnerabilities in Kiuwan SAST on-premise (KOP) & cloud/SaaS & Kiuwan Local Analyzer (KLA) June 9, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 09SEC Consult Vulnerability Lab Security Advisory < 20240606-0 > ======================================================================= title: Multiple critical vulnerabilities product: Kiuwan SAST on-premise (KOP) & cloud/SaaS Kiuwan Local Analyzer (KLA) vulnerable version: Kiuwan SAST
  • Blind SQL Injection - fengofficev3.11.1.2 June 9, 2024
    Posted by Andrey Stoykov on Jun 09# Exploit Title: FengOffice - Blind SQL Injection # Date: 06/2024 # Exploit Author: Andrey Stoykov # Version: # Tested on: Ubuntu 22.04 # Blog: Steps to Reproduce: 1. Login to application 2. Click on "Workspaces" 3. Copy full URL 4. Paste the HTTP GET request into […]
  • Trojan.Win32.DarkGateLoader (multi variants) / Arbitrary Code Execution June 9, 2024
    Posted by malvuln on Jun 09Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: Contact: malvuln13 () gmail com Media: Threat: Trojan.Win32.DarkGateLoader (multi variants) Vulnerability: Arbitrary Code Execution Description: Multiple variants of this malware look for and execute x32-bit "urlmon.dll" PE file in its current directory. Therefore, we can...
  • SQL Injection Vulnerability in Boelter Blue System Management (version 1.3) June 9, 2024
    Posted by InfoSec-DB via Fulldisclosure on Jun 09Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3) Google Dork: inurl:"Powered by Boelter Blue" Date: 2024-06-04 Exploit Author: CBKB (DeadlyData, R4d1x) Vendor Homepage: Software Link: Version: 1.3 Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12 CVE:...
  • CyberDanube Security Research 20240528-0 | Multiple Vulnerabilities in ORing IAP-420 May 30, 2024
    Posted by Thomas Weber via Fulldisclosure on May 29CyberDanube Security Research 20240528-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| ORing IAP-420 vulnerable version| 2.01e fixed version| - CVE number| CVE-2024-5410, CVE-2024-5411 impact| High homepage| found| 2024-01-19 by| T. Weber...
  • HNS-2024-06 - HN Security Advisory - Multiple vulnerabilities in Eclipse ThreadX May 30, 2024
    Posted by Marco Ivaldi on May 29Hi, Please find attached a security advisory that describes multiple vulnerabilities we discovered in Eclipse ThreadX (aka Azure RTOS). * Title: Multiple vulnerabilities in Eclipse ThreadX * OS: Eclipse ThreadX < 6.4.0 * Author: Marco Ivaldi * Date: 2024-05-28 * CVE IDs and severity: * CVE-2024-2214 - High - […]
  • SEC Consult SA-20240527-0 :: Multiple vulnerabilities in HAWKI didactic interface May 28, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 27 SEC Consult Vulnerability Lab Security Advisory < 20240527-0 > ======================================================================= title: Multiple vulnerabilities product: HAWKI (Interaction Design Team at the University of Applied Sciences and Arts in Hildesheim/Germany) vulnerable version: 1.0.0-beta.1, versions before commit 146967f     fixed version: Github commit 146967f...
  • SEC Consult SA-20240524-0 :: Exposed Serial Shell on multiple PLCs in Siemens CP-XXXX Series May 28, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on May 27SEC Consult Vulnerability Lab Security Advisory < 20240524-0 > ======================================================================= title: Exposed Serial Shell on multiple PLCs product: Siemens CP-XXXX Series (CP-2014, CP-2016, CP-2017, CP-2019, CP-5014) vulnerable version: All hardware revisions fixed version: Hardware is EOL, no fix CVE number: - impact: Low...