Starting work on Secure Meteor

I was so excited that I bought it before checking my email with the discount code :laughing:

Even full price is pretty cheap so I don’t mind

2 Likes

Looking forward to read this soon

Screenshot%20from%202019-03-06%2018-32-23

3 Likes

:laughing: Same for me. Didn’t even occur to me.

1 Like

Bought the book!

Excellent stuff so far @pcorey. MDG should make this recommended reading.

Hopefully this motivates @sacha to start work on Discover Meteor II.

3 Likes

Congrats on the release!

I think the chances of this happening are pretty small, but if I did write that book it would be pretty much indistinguishable from the Vulcan.js documentation so you might as well check that out instead :wink:

2 Likes

Hey everyone, the first week of Secure Meteor went above and beyond my expectations. Based on the feedback I’m getting, it sounds like people are really finding the book helpful, which is great to hear. I just wanted to say thanks for all of the support and feedback. It means a lot!

11 Likes

Just bought it! Excited to give it a read. Your blog posts and the security audits you’ve done for us over the years have been immensely helpful.

2 Likes

We bought a copy for our team at comatch.com :slight_smile:

On a side node, it’s great to see that Meteor resources are still in demand. If you can disclose, I would be quite interested to some figures.

3 Likes

Hello Pete, thank you for the good work. I just bought your book to see if I can even improve the (I think already ok security) of my meteor apps.

1 Like

Is there anything related to DoS / DDos and rate limiting websocket requests? I also found not much in the forums on this, besides The Missing Link in Meteor's Rate Limiter (which was also by @pcorey)

I basically want to lock out users that exceeded the limit using nginx instead of using the software layer. But I am still unsure how to keep the bridge from my Meteor Environment to my nginx config.

I could just add IPs to a blacklist using fs and let nginx use this file to know when to lock-out IPs but this gives me somehow a bad feeling. And using services like Cloudflare are unfortunately an anti-requirement in my projects :frowning:

Any suggestions on that in the book or anything planned @pcorey ? Since you opened the linked forum thread I’d like to know how you solved it in the end.

There’s nothing about that in the book. In my mind, that’s more of an issue fixed at an infrastructure level (with nginx rate limiting, like you’re saying), and I wanted to keep the book focused on application-level security. That may be an arbitrary distinction, but I needed to draw the line somewhere.

In the past I’ve set up some basic rate limiting on the /websocket route to reduce the potential for abuse, but I didn’t integrate that into the application in any way. I’m not sure what the best way to do that would be, to be honest.

We have been using sikka in production and we have yet to see problems.

To see it at work, set perIp to something fairly small, say 10, then do something like

for (let i = 0; i < 100; i++) {
  Meteor.call('myMethodNameHere');
}

in the console, and you’ll see how quickly it kicks you out and asks you to prove you’re human.

Pay attention to the x-forwarded-for setting if you use a reverse proxy, or it will perceive all the traffic as coming from one source.

2 Likes

Makes sense, I was just curious because you also mentioned this issue in the older thread you started.

If have actually not found that much on the web because most of the nginx literature focuses on HTTP in general. If I find something interesting that proves right in my setup I will link it here.

I think sikka is a good package but it is combined with reCaptcha and (as with Cloudflare) I unfortunately can’t use any third party services.

Is this also an issue with single instances that run on nginx or only for clusters / load balancers?

1 Like

If you have the luxury of spare time, you could actually try and modify sikka to work with a local captcha package such as this one. I had a (very quick) look, and it seems the only modifications are needed in:

https://github.com/meteorhacks/sikka/blob/master/lib/server/captcha_page.html
https://github.com/meteorhacks/sikka/blob/master/lib/server/routes.js#L52

If you use something like NGINX for both tasks, then you only need to set it once. If you use a separate load balancer between the reverse proxy and your Meteor app (e.g. HAProxy), then you should also configure IP forwarding in that one as well.

1 Like

Thanks for the svg captcha link it!

I really would like to grab a copy, but the amount is currently on the high side for me right now.

I personally think it’s very reasonably priced given the amount of specialized and useful knowledge that went into it, 25$ is the price of 2 meals or something.

Paying reasonably for something you appreciate is also a vote and encouragement for community members to contribute.

I agree generally but consider that $25 could be worth 12 meals in other parts of the world.

3 Likes

Fair point, well taken, I should have said US/Europe meals, world global inequality is staggering, internet/open source surely helps to level the ground a bit, on the flip side their income from their Meteor global SaaS will also have higher ROI, but I can’t imagine authors selling their content for 2$ to adjust for global inequality.

This comment reminded me of the dollar-street project, helps to visualize this kind of global economic inequalities. According to that site, 27$ will feed a family in Burundi for a month, but needless to say they’re not the main audience of the book.

3 Likes

Just bought it - looking forward to getting into it!

3 Likes