
I have an insecure Meteor running on AWS. For those not familiar with Meteor, that means I am using the "insecure" package, which trades security for rapid prototyping.

I only need our development team and stakeholders to access the server. In the past, I solved the problem by just white-listing everybody's IP addresses in the firewall. Now the team is kind of big, and collecting everybody's IP addresses might be difficult to do.

So I want to password-protect Meteor using Nginx.

I know how to password-protect the HTML, but Meteor uses WebSockets, something I am completely unfamiliar with. How do I password-protect the WebSockets?

womble
Ruby

2 Answers


There's a lot of ground to cover in this.

You can use auth_basic for sure, but well, that's no more secure than using tokens.

To secure your server and nginx proxy, try this guide by Digital Ocean.

To secure your app, try this guide to get started.

Be sure you secure your methods and publications. Understand who can call your methods, and what data is published to the client. Once you've done that, you're set. At that point, asking another Meteor dev to review your work is a good option.

Security isn't a mystery, just follow the best practices and you'll be ok. So many developers don't do that, so you just have to not be the lowest hanging fruit.

Michael Cole

HTTP Basic authentication applies to websockets connections as well as "regular" HTTP connections, so enabling auth_basic should do the trick, for suitably low thresholds of "trick".

womble
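An Nginx configuration for the auth_basic approach discussed in the answers above, as an added example that is not part of either answer. The WebSocket handshake is an ordinary HTTP GET carrying an Upgrade header, so Nginx applies auth_basic to it before proxying. The hostname, certificate paths, htpasswd path and the Meteor address 127.0.0.1:3000 are assumptions.

```nginx
# Added example. Hostname, file paths and upstream address are placeholders.
# The map block belongs in the http {} context.
map $http_upgrade $connection_upgrade {
    default upgrade;   # client asked for an upgrade: forward it
    ''      close;     # plain request: no Connection: upgrade upstream
}

server {
    listen 80;
    server_name dev.example.com;
    # Basic credentials are only base64-encoded, so never accept them over HTTP.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name dev.example.com;

    ssl_certificate     /etc/nginx/tls/dev.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/dev.example.com.key;

    # Declared at server level so every location inherits it, including
    # the path that carries the WebSocket handshake.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:3000;
        proxy_http_version 1.1;   # required for the Upgrade mechanism
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection $connection_upgrade;
        proxy_set_header   Host       $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        # Do not hand the proxy credentials to the application.
        proxy_set_header   Authorization "";
    }
}
```

The password only protects traffic that goes through Nginx, so the Meteor port itself must not be reachable from outside the host (bind it to localhost or close it in the AWS firewall).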