Security of node.js debug port in proxy server

[PHJArea217]

Details

I am writing a proxy server software in Node.js (https://github.com/PHJArea217/universal-relay to be specific). The nature of the proxy is that it can remotely make TCP connections to arbitrary targets, domain names, and ports, which could include the node.js debugger port. Normally, in production, the debugger is disabled. But there is a risk that the process could receive a SIGUSR1 (which could be easily triggered by k in htop and selecting SIGUSR1, while trying to do other things, like strace on the nodejs process, by s on the node.js process in htop) and allow remote compromise through the proxy functionality in different ways.

I currently have considered:

process.on('SIGUSR1', a=>0);

on the very top of index.js.

Because of the nature of the proxy server, this can still be accessible remotely even if the debug port is bound to 127.0.0.1 since the proxy server is designed to allows connections to 127.0.0.1 in the default configuration (security of this in relation to other localhost-bound services is out of scope of this question).

I think this would have been prevented since the attacker would have to guess the 128-bit UUID to compromise the process, but I'm not so certain about that given the security implications that would result if the attacker didn't have to guess the UUID.

The question is, are my security concerns valid, and is the above line of code sufficient to prevent this?

Node.js version

v18.19.0 (nodejs in Debian)

Example code

See above.

Operating system

Debian Linux

Scope

runtime

Module and version

Not applicable.

[preveen-stack]

To be on the safe side you can use ssh tunnelling

[RedYetiDev]

@PHJArea217 did @preveen-stack's suggestion help?