By: psmod2

Moving from Compose and Heroku to Digital Ocean

January 17, 2017
MongoDB MEAN

Hi,

I have a MEAN app. It's still in its infancy, so I don't need any fancy hosting and I'm also very interested in making my own.

My DB is with Compose. And the Node API and Angular front end are hosted with Heroku.

This question is broken into 2 parts and I'll ask my questions under each:

THE MONGODB

  • I've seen this is setup quite easily with one click setup
  • Regarding security, I've seen a lot of great articles and all looks OK
  • Is it possible to do encryption at rest?
  • My DB will be on one droplet and the Node site on another. So can I restrict all access to the DB droplet to requests only from the Node droplet? Do I need to follow a VPC setup guide to achieve this?

THE NODE/ANGULAR SITE

  • I'll need to setup DNS for the URL. Is this straight forward to do? May also need to create mail records.
  • I'll only want the outside world to access the static files, like index.html and .js. These files should only have access to the API which goes to the DB droplet. What security considerations do I need to observe to achieve this?

Hope my question makes sense.

Any help would be appreciated.

Thanks!!

(Looking forward to this project :-)).

3 Answers

@psmod2

MongoDB

DigitalOcean does offer a one-click image that you can select when deploying a new Droplet which will set up MongoDB 3.2.11 on Ubuntu 16.04 (the latest LTS, or Long Term Support release). As far as security goes, I'd recommend checking out the following:

MongoDB - Encryption At Rest

MongoDB Tutorials - DigitalOcean

10 Tips to Improve MongoDB Security

As far as restricting access to the DB Droplet and only allowing access from the NodeJS server, yes, that's definitely possible using a Firewall. If using Ubuntu, you can use ufw and set up a default policy to deny all connections and then add rules that are more specific, such as allowing connections from only the NodeJS server. That can be done very easily and with only a few CLI commands.

NodeJS

When it comes to DNS, how it's handled is really up to you. You'll add DNS entries either where your domain is registered (your domain registrar) or you can change the DNS that your domain uses and set the name servers to DigitalOcean's and use the super-nice panel that they offer. Modifying DNS is relatively straight-forward, though if you have any specific questions, feel free to ask!

When it comes to denying access to certain file types, there are two ways to handle that. The first would be at the web server level (I'd recommend NGINX) and the other is within your Application where you would break down the request and check what is being requested and then either pass the request through or deny the request. You could also use a combination of the two.

  • Thanks for the very helpful reply.

    Two questions off that:

    1 - DB - So, as mentioned, I'm moving from Compose.io. One of the features they mention is "private VLAN". Is this essentially the same as me having a droplet and restricting IPs to allow input from my node app droplet? Or is it more than that, meaning e.g. what I've seen enabled as 'private networking'?

    2 - NodeJS - This may be a question more for a Node group, however in case you know, I basically just want the static files folder to be visible to the world, not the API that exists, i.e. accessed at xxxxx.com/mysuperapi. You mention NGINX or application level control, is there any documentation you could point me to.

    Many thanks once again.

@psmod2

No problem, always happy to help!

Private Networking + UFW

DigitalOcean provides Private Networking access, though given a VPS is still technically a shared environment, you'd need to use a firewall to block access on both the public and private network.

For Ubuntu and ufw, I'd recommend taking a look at the guide below to get a good feel. It covers all aspects of ufw from the basics to slightly more complex. Should you have any questions after looking at this guide, just let me know and I'll be happy to help! The most important thing is that you set up rules on both servers.

Beyond that, always make sure you define your ports before enabling the firewall. If, for example, you set up a default deny policy and turn on the firewall without allowing SSH through, you're going to end up not being able to SSH into your server and will then have to re-image it.

UFW Essentials: Common Firewall Rules and Commands

NGINX

If it were me, I would use NGINX and then set it up to work as a proxy which essentially takes an incoming request on Port 80 (the default HTTP port) or Port 443 (the default SSL Port) and sends it to the port your NodeJS application is listening on.

We can set up deny policies on file types with NGINX, or we can simply keep the files you want to prevent others from accessing out of the public web root (easiest option).

If you're not familiar with NGINX, I would recommend looking at the following guides to get a quick start. I work with NGINX quite a bit, so if you have any questions, feel free to ask and I'll be more than happy to help you.

How To Install Nginx on Ubuntu 16.04

Understanding Nginx HTTP Proxying, Load Balancing, Buffering, and Caching

The second guide has a lot of information in it, but don't let it scare you off. It's really easy to work with. The vast majority of that guide is prepping you to work with the various ways of working with NGINX. If you can develop with NodeJS, I have absolutely no doubt that you can handle NGINX.

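Pulling the two answers above together (the ufw rule set from the firewall advice, and the NGINX proxy plus deny policy from the NodeJS sections), here is an added example that is not part of the thread or of DigitalOcean's guides: a small POSIX shell script that generates both artefacts so they can be reviewed before anything is applied, and that checks the rule ordering the second answer warns about (SSH must be allowed before the firewall is enabled). The Node Droplet's private address 10.132.0.5, the Node port 3000, the domain example.com and the web root /var/www/app/public are constructed placeholders; the /mysuperapi path is taken from the comment above.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the two artefacts the answers
# describe: the ufw rule set for the MongoDB Droplet, and an NGINX site that
# serves the static Angular files and proxies the API path to the Node process.
# All addresses, ports, paths and the domain are constructed placeholders.

# ufw commands for the DB Droplet, in the order the answer stresses: default
# deny, SSH allowed *before* enabling, MongoDB's port (27017) reachable only
# from the Node Droplet's private address, and only then "enable".
db_firewall_rules() {
    node_ip="$1"
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow OpenSSH
ufw allow from $node_ip to any port 27017 proto tcp
ufw --force enable
EOF
}

# Lockout check: reads a rule list on stdin and succeeds only if an SSH allow
# rule appears before the "enable" line (the re-image scenario in the answer).
ssh_rule_precedes_enable() {
    awk '
        /^ufw allow (OpenSSH|22|22\/tcp)$/ { ssh = NR }
        /^ufw (--force )?enable$/          { en = NR }
        END { exit !(ssh && en && ssh < en) }
    '
}

# NGINX server block for the Node Droplet: only files under the public root are
# served as static content, /mysuperapi/ is proxied to Node on localhost, and
# hidden files (.env, .git, ...) are denied outright.
nginx_site() {
    domain="$1"; node_port="$2"; public_root="$3"
    cat <<EOF
server {
    listen 80;
    server_name $domain;

    root $public_root;
    index index.html;

    # Static front end; unknown paths fall back to index.html for the Angular router.
    location / {
        try_files \$uri \$uri/ /index.html;
    }

    # API: forwarded to the Node process, which should listen on localhost only.
    location /mysuperapi/ {
        proxy_pass http://127.0.0.1:$node_port/;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }

    # Deny policy on a file pattern: never serve hidden files from the web root.
    location ~ /\. {
        deny all;
    }
}
EOF
}

# Stand-alone run: "sh thisfile.sh --demo" prints both artefacts with the
# placeholder values so they can be read before being applied anywhere.
if [ "${1:-}" = "--demo" ]; then
    db_firewall_rules "10.132.0.5"
    nginx_site "example.com" "3000" "/var/www/app/public"
fi
```

Run it with `--demo` to print both outputs; the firewall lines are only piped through `sudo sh` on the DB Droplet after reading them. ufw rules apply to every interface unless an `on eth1` clause is given, so the single allow rule from the Node Droplet's private address covers both the public and the private network the answer mentions, and the default deny blocks everything else on both. The NGINX output belongs under /etc/nginx/sites-available/ on the Node Droplet; because the API path is proxied rather than read from disk, the API's source files never need to sit under the public root, which is the "keep them out of the web root" option from the answer.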
  • Thanks so much again - great article - really interesting.

    Impressed by the articles on DigitalOcean - great ease and quality!
