How can I deploy a secure (HTTPS) Meteor app on Heroku?

I would like to deploy my Meteor app to Heroku and make it only accessible through HTTPS. Ideally, I want to do this as cheaply as possible.

Merlin -they-them- asked Mar 11 '23 05:03


1 Answer

Create the Certificate

Run these commands to get certbot-auto. certbot-auto should work on most systems.

wget https://dl.eff.org/certbot-auto
chmod 755 certbot-auto

This command starts the process of getting your certificate. The -d flag allows you to pass in the domain you would like to secure. Alternatively, without the -d flag, it will pop up a prompt where you can enter the domain.

./certbot-auto certonly --manual -d app.yoursite.com

Then it will ask you the following. Do not hit enter.

Make sure your web server displays the following content at                                                      
http://app.yoursite.com/.well-known/acme-challenge/SOME-LENGTHY-KEY before continuing:

SOME-LONGER-KEY

Use Picker

I suggest using this method because on renewal, you will only need to update an environment variable. You can use public/ as below, but it will require a rebuild of your entire app every time.

Run meteor add meteorhacks:picker

In a server side file, add the following

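import { Picker } from 'meteor/meteorhacks:picker';

// Serve the value certbot asked for at the ACME challenge path.
Picker.route('/.well-known/acme-challenge/:routeKey', (params, request, response) => {
  // Status code is passed as a number; the body comes from the SSL_PAGE_KEY environment variable.
  response.writeHead(200, {'Content-Type': 'text/plain'});
  response.write(process.env.SSL_PAGE_KEY);
  response.end();
});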

Then set an environment variable SSL_PAGE_KEY to SOME-LONGER-KEY with

heroku config:set SSL_PAGE_KEY=SOME-LONGER-KEY

Use public/

Create the directory path in your public folder. If you don't have one, create one.

mkdir -p public/.well-known/acme-challenge/

Then create the file SOME-LENGTHY-KEY and place SOME-LONGER-KEY inside it

echo SOME-LONGER-KEY > public/.well-known/acme-challenge/SOME-LENGTHY-KEY

Commit and push that change to your Heroku app.

git push heroku master

Now hit enter to continue the verification process. You should receive a message like this

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/app.yoursite.com/fullchain.pem. Your cert will
   expire on 2016-04-11. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

Upload the Certificate

To upload your certificates to Heroku, first enable the SSL Beta

heroku labs:enable http-sni -a your-app
heroku plugins:install heroku-certs

Then add your fullchain.pem and privkey.pem to Heroku.

sudo heroku _certs:add /etc/letsencrypt/live/app.yoursite.com/fullchain.pem /etc/letsencrypt/live/app.yoursite.com/privkey.pem

You can verify that the certificate was uploaded with

heroku _certs:info

Change your DNS Settings

Update your DNS to point to app.yoursite.com.herokudns.com

Verify SSL is working

To check that SSL is set up, run the following. -v gives you verbose output. -I shows the document info only. -H passes a header to the URL. The header we're passing ensures that a cache is not being used and will ensure you get your new certificate and not an old one.

curl -vI https://app.yoursite.com -H "Cache-Control: no-cache"

Check that the output contains the following

* Server certificate:
*    subject: C=US; ST=CA; L=SF; O=SFDC; OU=Heroku; CN=app.yoursite.com

If the subject line does not contain CN=app.yoursite.com, wait 5 to 10 minutes and try again. If it does, you're almost good to go.

Make Meteor Specific Changes

To finish up the process, you'll want to change your ROOT_URL environment variable to the new https version.

heroku config:set ROOT_URL=https://app.yoursite.com

Then you'll want to ensure that your users are always using SSL with the force-ssl package

meteor add force-ssl

Lastly, if you have any OAuth logins set up in your app (Facebook, Google, etc), you'll want to provide them with the new https version of your URL.

Renewal

Run certbot-auto again

./certbot-auto certonly --manual -d app.yoursite.com

It may prompt you for the same endpoint with the same content. If it does, just hit enter. If it does not, you will need to repeat the above steps.

It will then create new certificate files, which you will upload to Heroku with

heroku certs:update /etc/letsencrypt/live/app.yoursite.com/fullchain.pem /etc/letsencrypt/live/app.yoursite.com/privkey.pem

Then to confirm, run the "Verify SSL is working" commands above.

Sources

  • https://certbot.eff.org/#ubuntutrusty-other
  • https://devcenter.heroku.com/articles/ssl-beta
  • https://themeteorchef.com/blog/securing-meteor-applications/
Merlin -they-them- answered Mar 13 '23 20:03
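
An added example, not part of the original answer: a stricter variant of the Picker handler above that serves the challenge value only when the requested path segment matches the token embedded in it, and returns 404 when SSL_PAGE_KEY is unset instead of writing an undefined body. It assumes the standard ACME HTTP-01 layout, in which SOME-LONGER-KEY has the form `<token>.<thumbprint>` and SOME-LENGTHY-KEY is that token; `challengeReply` and `handleChallenge` are hypothetical names.

```javascript
// Added example: stricter HTTP-01 challenge responder (not the answer's code).
// Assumption: SSL_PAGE_KEY holds the full value certbot asks you to serve
// (SOME-LONGER-KEY), shaped "<token>.<account-key-thumbprint>", and the last
// URL segment (SOME-LENGTHY-KEY) is that same <token>.

const TOKEN_RE = /^[A-Za-z0-9_-]+$/; // base64url alphabet used by ACME tokens

// Pure decision function: returns the status and body to send.
function challengeReply(routeKey, keyAuthorization) {
  const notFound = { status: 404, body: 'Not found' };
  if (typeof keyAuthorization !== 'string' || keyAuthorization === '') {
    return notFound; // variable unset: no challenge is pending
  }
  const dot = keyAuthorization.indexOf('.');
  const token = dot === -1 ? '' : keyAuthorization.slice(0, dot);
  if (!TOKEN_RE.test(token) || routeKey !== token) {
    return notFound; // malformed value, or a request for some other token
  }
  return { status: 200, body: keyAuthorization };
}

// Handler with the (params, request, response) signature Picker passes.
function handleChallenge(params, request, response) {
  const reply = challengeReply(params.routeKey, process.env.SSL_PAGE_KEY);
  response.writeHead(reply.status, { 'Content-Type': 'text/plain' });
  response.end(reply.body);
}

// In the Meteor server file, register it the same way the answer does:
// Picker.route('/.well-known/acme-challenge/:routeKey', handleChallenge);

// Constructed sample values (not real ACME data) exercising the three outcomes.
const SAMPLE_KEY_AUTH = 'sampleToken_123.sampleThumbprint_456';
console.log(challengeReply('sampleToken_123', SAMPLE_KEY_AUTH)); // matching token
console.log(challengeReply('someOtherToken', SAMPLE_KEY_AUTH));  // different token
console.log(challengeReply('sampleToken_123', undefined));       // variable unset
```

After the certificate is issued, `heroku config:unset SSL_PAGE_KEY` makes the route answer 404 until the next renewal.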