How can I deploy a secure (HTTPS) Meteor app on Heroku?
Problem description
I would like to deploy my Meteor app to Heroku and make it only accessible through HTTPS. Ideally, I want to do this as cheaply as possible.
Create the Certificate
Run these commands to get certbot-auto. certbot-auto should work on most systems
wget https://dl.eff.org/certbot-auto
chmod 755 certbot-auto
This command starts the process of getting your certificate. The -d flag allows you to pass in the domain you would like to secure. Alternatively, without the -d flag, it will pop up a prompt where you can enter the domain.
./certbot-auto certonly --manual -d app.yoursite.com
Then it will ask you the following. Do not hit enter.
Make sure your web server displays the following content at
http://app.yoursite.com/.well-known/acme-challenge/SOME-LENGTHY-KEY before continuing:
SOME-LONGER-KEY
Use Picker
I suggest using this method because on renewal, you will only need to update an environment variable. You can use public/ as below, but it will require a rebuild of your entire app every time.
Run meteor add meteorhacks:picker
In a server side file, add the following
import { Picker } from 'meteor/meteorhacks:picker';

// Serve the ACME challenge value from the SSL_PAGE_KEY environment variable.
Picker.route('/.well-known/acme-challenge/:routeKey', (params, request, response) => {
  response.writeHead(200, {'Content-Type': 'text/plain'});
  response.write(process.env.SSL_PAGE_KEY);
  response.end();
});
Then set an environment variable SSL_PAGE_KEY to SOME-LONGER-KEY with
heroku config:set SSL_PAGE_KEY=SOME-LONGER-KEY
Use public/
Create the directory path in your public folder. If you don't have one, create one.
mkdir -p public/.well-known/acme-challenge/
Then create the file SOME-LENGTHY-KEY and place SOME-LONGER-KEY inside it
echo SOME-LONGER-KEY > public/.well-known/acme-challenge/SOME-LENGTHY-KEY
Commit and push that change to your Heroku app.
git push heroku master
Now hit enter to continue the verification process. You should receive a message like this
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/app.yoursite.com/fullchain.pem. Your cert will
expire on 2016-04-11. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
Upload the Certificate
To upload your certificates to Heroku, first enable the SSL Beta
heroku labs:enable http-sni -a your-app
heroku plugins:install heroku-certs
Then add your fullchain.pem and privkey.pem to Heroku.
sudo heroku _certs:add /etc/letsencrypt/live/app.yoursite.com/fullchain.pem /etc/letsencrypt/live/app.yoursite.com/privkey.pem
You can verify that the certificate was uploaded with
heroku _certs:info
Change your DNS Settings
Update your DNS to point to app.yoursite.com.herokudns.com
Verify SSL is working
To check that SSL is set up, run the following. -v gives you verbose output. -I shows the document info only. -H passes a header to the URL. The header we're passing ensures that a cache is not being used and will ensure you get your new certificate and not an old one.
curl -vI https://app.yoursite.com -H "Cache-Control: no-cache"
Check that the output contains the following
* Server certificate:
* subject: C=US; ST=CA; L=SF; O=SFDC; OU=Heroku; CN=app.yoursite.com
If the subject line does not contain CN=app.yoursite.com, wait 5 to 10 minutes and try again. If it does, you're almost good to go.
Make Meteor Specific Changes
To finish up the process, you'll want to change your ROOT_URL environment variable to the new https version.
heroku config:set ROOT_URL=https://app.yoursite.com
Then you'll want to ensure that your users are always using SSL with the force-ssl package
meteor add force-ssl
Lastly, if you have any OAuth logins set up in your app (Facebook, Google, etc), you'll want to provide them with the new https version of your URL.
Renewal
Run certbot-auto again
./certbot-auto certonly --manual -d app.yoursite.com
It may prompt you for the same endpoint with the same content. If it does, just hit enter. If it does not, you will need to repeat the above steps.
It will then create new certificate files, which you will upload to Heroku with
heroku certs:update /etc/letsencrypt/live/app.yoursite.com/fullchain.pem /etc/letsencrypt/live/app.yoursite.com/privkey.pem
Then to confirm, run the Verify SSL is working commands above
Sources
- https://certbot.eff.org/#ubuntutrusty-other
- https://devcenter.heroku.com/articles/ssl-beta
- https://themeteorchef.com/blog/securing-meteor-applications/
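A stricter version of the Picker route's logic, added here as an example and not part of the original answer: it serves the challenge value only when the requested token matches, and returns 404 otherwise, including when SSL_PAGE_KEY is unset. It assumes the value certbot prints has the standard ACME HTTP-01 form token.thumbprint; acmeChallengeResponse and the sample values are hypothetical names constructed for illustration.

```javascript
// Added example: decision logic for the ACME HTTP-01 route, kept as a pure
// function so it can be exercised without a running Meteor server.
// Assumption: SSL_PAGE_KEY holds the full key authorization "<token>.<thumbprint>".

const TOKEN_RE = /^[A-Za-z0-9_-]+$/; // base64url alphabet used by ACME tokens

// Decide the response for GET /.well-known/acme-challenge/:routeKey
function acmeChallengeResponse(routeKey, keyAuthorization) {
  const notFound = { status: 404, body: 'Not found' };
  if (typeof keyAuthorization !== 'string' || keyAuthorization === '') {
    return notFound; // variable unset: no challenge in progress
  }
  if (typeof routeKey !== 'string' || !TOKEN_RE.test(routeKey)) {
    return notFound; // malformed token in the URL
  }
  const dot = keyAuthorization.indexOf('.');
  const token = dot === -1 ? '' : keyAuthorization.slice(0, dot);
  const thumbprint = dot === -1 ? '' : keyAuthorization.slice(dot + 1);
  if (!TOKEN_RE.test(token) || !TOKEN_RE.test(thumbprint)) {
    return notFound; // stored value is not a well-formed key authorization
  }
  if (token !== routeKey) {
    return notFound; // request is for a different (for example stale) challenge
  }
  return { status: 200, body: keyAuthorization };
}

// Wiring into the Picker route from the answer; skipped when Picker is not loaded.
if (typeof Picker !== 'undefined') {
  Picker.route('/.well-known/acme-challenge/:routeKey', (params, request, response) => {
    const result = acmeChallengeResponse(params.routeKey, process.env.SSL_PAGE_KEY);
    response.writeHead(result.status, { 'Content-Type': 'text/plain' });
    response.end(result.body);
  });
}

// Constructed sample values (not real challenge data).
const SAMPLE_TOKEN = 'tok_EXAMPLE-123';
const SAMPLE_KEY_AUTH = SAMPLE_TOKEN + '.thumb_EXAMPLE-456';
console.log(acmeChallengeResponse(SAMPLE_TOKEN, SAMPLE_KEY_AUTH));
console.log(acmeChallengeResponse('other-token', SAMPLE_KEY_AUTH));
console.log(acmeChallengeResponse(SAMPLE_TOKEN, undefined));
```

In a Meteor server file, keep the import of Picker from the answer above this code so the wiring branch runs.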