Moving from Compose and Heroku to Digital Ocean


I have a MEAN app. It’s still in its infancy, so I don’t need any fancy hosting, and I’m also very interested in making my own.

My DB is with Compose. And the Node API and Angular front end are hosted with Heroku.

This question is broken into 2 parts and I’ll ask my questions under each:


  • I’ve seen this is set up quite easily with the one-click setup
  • Regarding security, I’ve seen a lot of great articles and all looks OK
  • Is it possible to do encryption at rest?
  • My DB will be on one droplet and the Node site on another. So can I restrict all access to the DB droplet to requests only from the Node droplet? Do I need to follow a VPC setup guide to achieve this?


  • I’ll need to set up DNS for the URL. Is this straightforward to do? I may also need to create mail records.
  • I’ll only want the outside world to access the static files, like index.html and .js. These files should only have access to the API, which goes to the DB droplet. What security considerations do I need to observe to achieve this?

Hope my question makes sense.

Any help would be appreciated.


(Looking forward to this project :-)).




No problem, always happy to help!

Private Networking + UFW

DigitalOcean provides Private Networking access, though given a VPS is still technically a shared environment, you’d need to use a firewall to block access on both the public and private network.

For Ubuntu and ufw, I’d recommend taking a look at the guide below to get a good feel. It covers all aspects of ufw from the basics to slightly more complex. Should you have any questions after looking at this guide, just let me know and I’ll be happy to help! The most important thing is that you set up rules on both servers.

Beyond that, always make sure you define your ports before enabling the firewall. If, for example, you set up a default deny policy and turn on the firewall without allowing SSH through, you’re going to end up not being able to SSH into your server and will then have to re-image it.

UFW Essentials: Common Firewall Rules and Commands


If it were me, I would use NGINX and then set it up to work as a proxy which essentially takes an incoming request on Port 80 (the default HTTP port) or Port 443 (the default SSL Port) and sends it to the port your NodeJS application is listening on.

We can set up deny policies on file types with NGINX, or we can simply keep the files you want to prevent others from accessing out of the public web root (easiest option).

If you’re not familiar with NGINX, I would recommend looking at the following guides to get a quick start. I work with NGINX quite a bit, so if you have any questions, feel free to ask and I’ll be more than happy to help you.

How To Install Nginx on Ubuntu 16.04

Understanding Nginx HTTP Proxying, Load Balancing, Buffering, and Caching

The second guide has a lot of information in it, but don’t let it scare you off. It’s really easy to work with. The vast majority of that guide is prepping you to work with the various ways of working with NGINX. If you can develop with NodeJS, I have absolutely no doubt that you can handle NGINX.



DigitalOcean does offer a one-click image that you can select when deploying a new Droplet which will set up MongoDB 3.2.11 on Ubuntu 16.04 (the latest LTS, or Long Term Support release). As far as security goes, I’d recommend checking out the following:

MongoDB - Encryption At Rest

MongoDB Tutorials - DigitalOcean

10 Tips to Improve MongoDB Security

As far as restricting access to the DB Droplet and only allowing access from the NodeJS server, yes, that’s definitely possible using a Firewall. If using Ubuntu, you can use ufw and set up a default policy to deny all connections and then add rules that are more specific, such as allowing connections from only the NodeJS server. That can be done very easily and with only a few CLI commands.


When it comes to DNS, how it’s handled is really up to you. You’ll add DNS entries either where your domain is registered (your domain registrar) or you can change the DNS that your domain uses and set the name servers to DigitalOcean’s and use the super-nice panel that they offer. Modifying DNS is relatively straightforward, though if you have any specific questions, feel free to ask!

When it comes to denying access to certain file types, there are two ways to handle that. The first would be at the web server level (I’d recommend NGINX) and the other is within your Application where you would break down the request and check what is being requested and then either pass the request through or deny the request. You could also use a combination of the two.
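Added example, not part of the original answers: a sketch of the ufw rules both answers describe for the DB droplet (default deny, SSH allowed before the firewall is enabled, MongoDB reachable only from the Node droplet over the private network). The function names, the 10.0.0.x addresses and the use of MongoDB's default port 27017 are assumptions for illustration.

```shell
#!/bin/sh
# Build the ufw rule set for the MongoDB droplet (added example).
# The addresses used at the bottom are constructed placeholders.

MONGO_PORT=27017   # MongoDB's default port

# valid_ipv4 ADDR: succeed only for a dotted quad with octets in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# db_firewall_plan NODE_IP DB_IP: print the commands in the order they
# must run. SSH is allowed before "enable" so the session is not cut off.
db_firewall_plan() {
    node_ip=$1; db_ip=$2
    valid_ipv4 "$node_ip" && valid_ipv4 "$db_ip" || {
        echo "error: expected two IPv4 addresses" >&2; return 1; }
    [ "$node_ip" != "0.0.0.0" ] || {
        echo "error: refusing wildcard source" >&2; return 1; }
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp
ufw allow from $node_ip to $db_ip port $MONGO_PORT proto tcp
ufw --force enable
ufw status verbose
EOF
}

# Constructed private addresses: 10.0.0.2 = Node droplet, 10.0.0.3 = DB droplet.
db_firewall_plan 10.0.0.2 10.0.0.3
```

Review the printed plan, then run it as root on the DB droplet; the Node droplet needs its own rule set (SSH plus ports 80 and 443 for the NGINX proxy).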