Meteor Private Settings or regular ENV Var for Whitelist

Hi!

I’m whitelisting ips for my app on Heroku by following the pattern using Picker in How do you restrict access to a Meteor site based on IP - #6 by ivan133

Currently, I’m storing my whitelisted ips as JSON in an ENV var. My question is if it’s preferable to put into Meteor.settings.private. Or, if it makes a difference.

The post ^ has the ips stored in a Collection. But I don’t want to do that bc it’d make a DB hit everytime the Server gets an incoming request, right?

Just wanna see what people think here. Thanks!

You can store your whitelist in a collection, maybe even in a single document and use js-cache or any other similar package to maintain a server-side cache.

Note that this kind of cache has a TTL. You just need to write a few lines of code to check if the document is already in the cache, and read from mongo only if it isn’t – either because it was never fetched yet, or it has expired since.

Another solution would be to keep the IP whitelist in redis, which is optimized for quick lookups.

2 Likes

Haven’t used Redis yet and have been wanting to finally give it a try.

You see anything wrong with just storing it on Server as ENV var though?

That’s perfectly fine as long as your whitelist is static or semi-static. If there are frequent changes in your whitelist, the necessary server restarts can be a hassle.

There is also other ways to maintain a dynamically changeable ip whitelist.

You could use the Node.js API to watch for file changes. It could be just a text file that your server(s) re-read upon a detected change.

Or you could also use a linux firewall, such as ipchain or iptables to allow access to your app. That’s quite easy to set up too, and you wouldn’t need to alter a single line of your app’s codebase.

1 Like

Ah, didn’t know about listening for file changes, that’s pretty cool.

Linux firewall would’ve been ideal, but this is running on Heroku and we don’t have access to the actual Linux VM (they want to charge a lot to implement this btw)