How can I deploy a secure (HTTPS) Meteor app on Heroku?


Problem description


I would like to deploy my Meteor app to Heroku and make it only accessible through HTTPS. Ideally, I want to do this as cheaply as possible.

Solution

Create the Certificate

Run these commands to get certbot-auto. certbot-auto should work on most systems

wget https://dl.eff.org/certbot-auto
chmod 755 certbot-auto

This command starts the process of getting your certificate. The -d flag allows you to pass in the domain you would like to secure. Alternatively, without the -d flag, it will pop up a prompt where you can enter the domain.

./certbot-auto certonly --manual -d app.yoursite.com

Then it will ask you the following. Do not hit enter.

Make sure your web server displays the following content at                                                      
http://app.yoursite.com/.well-known/acme-challenge/SOME-LENGTHY-KEY before continuing:

SOME-LONGER-KEY

Use Picker

I suggest using this method because on renewal, you will only need to update an environment variable. You can use public/ as below, but it will require a rebuild of your entire app every time

Run meteor add meteorhacks:picker

In a server side file, add the following

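import { Picker } from 'meteor/meteorhacks:picker';

// Answer the ACME challenge with the value of SSL_PAGE_KEY.
Picker.route('/.well-known/acme-challenge/:routeKey', (params, request, response) => {
  const key = process.env.SSL_PAGE_KEY;
  // Reply 404 when the variable is unset: response.write(undefined) would throw.
  response.writeHead(key ? 200 : 404, {'Content-Type': 'text/plain'});
  response.end(key || '');
});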

Then set an environment variable SSL_PAGE_KEY to SOME-LONGER-KEY with

heroku config:set SSL_PAGE_KEY=SOME-LONGER-KEY

Use public/

Create the directory path in your public folder. If you don't have one, create one.

mkdir -p public/.well-known/acme-challenge/

Then create the file SOME-LENGTHY-KEY and place SOME-LONGER-KEY inside it

echo SOME-LONGER-KEY > public/.well-known/acme-challenge/SOME-LENGTHY-KEY

Commit and push that change to your Heroku app.

git push heroku master

Now hit enter to continue the verification process. You should receive a message like this

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/app.yoursite.com/fullchain.pem. Your cert will
   expire on 2016-04-11. To obtain a new version of the certificate in
   the future, simply run Let's Encrypt again.

Upload the Certificate

To upload your certificates to Heroku, first enable the SSL Beta

heroku labs:enable http-sni -a your-app
heroku plugins:install heroku-certs

Then add your fullchain.pem and privkey.pem to Heroku.

sudo heroku _certs:add /etc/letsencrypt/live/app.yoursite.com/fullchain.pem /etc/letsencrypt/live/app.yoursite.com/privkey.pem

You can verify that the certificate was uploaded with

heroku _certs:info

Change your DNS Settings

Update your DNS to point to app.yoursite.com.herokudns.com

Verify SSL is working

To check that SSL is set up, run the following. -v gives you verbose output. -I shows the document info only. -H passes a header to the URL. The header we're passing ensures that a cache is not being used and will ensure you get your new certificate and not an old one.

curl -vI https://app.yoursite.com -H "Cache-Control: no-cache"

Check that the output contains the following

* Server certificate:
*    subject: C=US; ST=CA; L=SF; O=SFDC; OU=Heroku; CN=app.yoursite.com

If the subject line does not contain CN=app.yoursite.com, wait 5 to 10 minutes and try again. If it does, you're almost good to go.

Make Meteor Specific Changes

To finish up the process, you'll want to change your ROOT_URL environment variable to the new https version.

heroku config:set ROOT_URL=https://app.yoursite.com

Then you'll want to ensure that your users are always using SSL with the force-ssl package

meteor add force-ssl

Lastly, if you have any OAuth logins set up in your app (Facebook, Google, etc), you'll want to provide them with the new https version of your URL.

Renewal

Run certbot-auto again

./certbot-auto certonly --manual -d app.yoursite.com

It may prompt you for the same endpoint with the same content. If it does, just hit enter. If it does not, you will need to repeat the above steps.

It will then create new certificate files, which you will upload to Heroku with

heroku certs:update /etc/letsencrypt/live/app.yoursite.com/fullchain.pem /etc/letsencrypt/live/app.yoursite.com/privkey.pem

Then to confirm, run the Verify SSL is working commands above

Sources
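
The Picker route in the answer returns the challenge content for any path under /.well-known/acme-challenge/. The following is an added example, not code from the original answer: in the ACME HTTP-01 challenge (RFC 8555) the content to serve has the form `<token>.<account key thumbprint>` and the last URL segment is that token, so the handler can answer only the one token it was configured for. The variable name `ACME_KEY_AUTH` and the function names are assumptions made for this sketch.

```javascript
// Added example: token-checked ACME HTTP-01 responder (not the answer's code).
// ACME_KEY_AUTH is a hypothetical variable holding "<token>.<thumbprint>",
// i.e. the SOME-LONGER-KEY value that certbot asks you to serve.

const TOKEN_RE = /^[A-Za-z0-9_-]+$/; // base64url alphabet used by ACME tokens

// Decide what to return for a requested challenge token.
// Returns { status, body } so the logic can be tested without a server.
function challengeResponse(routeKey, keyAuth) {
  if (!keyAuth) {
    return { status: 404, body: '' }; // no challenge pending
  }
  const dot = keyAuth.indexOf('.');
  const token = dot > 0 ? keyAuth.slice(0, dot) : '';
  if (!TOKEN_RE.test(token) || dot === keyAuth.length - 1) {
    return { status: 500, body: '' }; // configured value is malformed
  }
  if (routeKey !== token) {
    return { status: 404, body: '' }; // request is for some other token
  }
  return { status: 200, body: keyAuth };
}

// Handler with the (params, request, response) shape that Picker passes.
function acmeHandler(params, request, response) {
  const { status, body } = challengeResponse(
    params.routeKey,
    process.env.ACME_KEY_AUTH
  );
  response.writeHead(status, { 'Content-Type': 'text/plain' });
  response.end(body);
}

// Wiring in a Meteor server file (Picker comes from meteorhacks:picker):
//   Picker.route('/.well-known/acme-challenge/:routeKey', acmeHandler);
```

Unsetting the variable once the certificate has been issued makes the route return 404 again until the next renewal.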
