Deploying Meteor to production with Meteor-Up, SSL and NGINX

Question

I'm having difficulty deploying my meteor app ("myApp" below) into production using meteor-up with https and NGINX as a proxy. In particular, I think I am having trouble configuring the correct ports and/or paths.

The deployment has worked in most respects. It is running on a digital ocean droplet with a mongohq (now compose.io) database. My mup setup, mup reconfig (run now many times on my mup.json file) and mup deploy commands with meteor-up all report no errors. If I ssh into my ubuntu environment on digital ocean and run status myApp it reports myApp start/running, process 10049, and when I check my mongohq database, I can see the expected collections for myApp were created and seeded. I think on this basis that the app is running properly.

My problem is that I cannot locate it visiting the site, and having no experience with NGINX servers, I cannot tell if I am doing something very basic and wrong setting up the ports and forwarding.

I have reproduced the relevant parts of my NGINX config file and mup.json file below.

The behavior I expected with the setup below is that if my meteor app listens on port 3000 in mup.json the app should appear when I visit the site. In fact, if I set mup.json's env.PORT to 3000, when visiting the site my browser tells me there is a redirect loop. If I change mup's env.PORT to 80, or leave the env.PORT out entirely, I receive a 502 Bad Gateway message - this part is to be expected because myApp should be listening on localhost:3000 and I wouldn't expect to find anything anywhere else.

All help is MUCH appreciated.

MUP.JSON (in relevant part, lmk if more needs to be shown)

"env": {
  "PORT": 3000,
  "NODE_ENV": "production",
  "ROOT_URL": "http://myApp.com",
  "MONGO_URL": // working ok, not reproduced here,
  "MONGO_OPLOG_URL": // working ok I think,
  "MAIL_URL": // working ok
}

NGINX

server_tokens off;

# according to a digital ocean guide i followed here, https://www.digitalocean.com/community/tutorials/how-to-deploy-a-meteor-js-application-on-ubuntu-14-04-with-nginx, this section is needed to proxy web-socket connections

map $http_upgrade $connection_upgrade {
      default upgrade;
      ''      close;
}

# HTTP

server {
      listen 80 default_server;
      listen [::]:80 default_server ipv6only=on;
      server_name myApp.com;
      # redirect non-SSL to SSL
      location / {
              rewrite ^ https://$server_name$request_uri? permanent;
      }
}

# HTTPS

server {
      listen 443 ssl spdy;

      # this domain must match Common Name (CN) in the SSL certificate

      server_name myApp.com;

      root html;
      index index.html index.htm;

      ssl_certificate /etc/nginx/ssl/tempcert.crt;
      ssl_certificate_key /etc/nginx/ssl/tempcert.key;

      ssl_stapling on;
      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 5m;

      ssl_prefer_server_ciphers on;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers 'long string I didn't reproduce here'

      add_header Strict-Transport-Security "max-age=31536000;";

      location / {
              proxy_pass http://localhost:3000;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
      }
}

Also note that the SSL certificates are configured and work fine so I think it is something with how the ports, paths and forwarding is configured. I don't know where the redirect loop is coming from.

Answer 1

For anyone coming across this in the future, I was able to solve things by removing the force-ssl package from my bundled meteor app. Apparently force-ssl and an NGINX proxy are either redundant or if used together can cause too many redirects. This was not well-documented in the materials I was able to locate.

If there is a configuration that supports using force-ssl together with a proxy that serves some purpose and is preferable to removing the package altogether, please post as I would be interested to know. Thanks.

Answer 2

I believe you can keep the force-ssl package as long as you add the X-Forward-Proto header to your Nginx config.

Example:

 proxy_set_header X-Forward-Proto https;

Additionally, make sure you have the X-Forward-For set as well, though that's already in the example you posted.

Source

Answer 3

As the documentation of the force-ssl package says , you have to set the x-forwarded-proto header to https :

So your location field in the nginx configuration will be like :

location / {
          #your own config...
          proxy_set_header X-Forwarded-Proto https;
  }

Answer 4

I'm running meteor behind an NGinx proxy. I got the error about too many redirects after installing force-ssl.

What worked to remove force-ssl and then add the following lines to my location in my nginx config:

proxy_set_header X-Forward-Proto https;
proxy_set_header X-Nginx-Proxy true;

Works perfectly now.