Starting work on Secure Meteor

We have been using sikka in production and we have yet to see problems.

To see it at work, set perIp to something fairly small, say 10, then do something like

// fire the method many times in a row so the per-IP counter trips
for (let i = 0; i < 100; i++) {
  Meteor.call('myMethodNameHere');
}

in the console, and you’ll see how quickly it kicks you out and asks you to prove you’re human.

Pay attention to the x-forwarded-for setting if you use a reverse proxy, or it will perceive all the traffic as coming from one source.

2 Likes

Makes sense, I was just curious because you also mentioned this issue in the older thread you started.

I have actually not found that much on the web because most of the nginx literature focuses on HTTP in general. If I find something interesting that proves right in my setup I will link it here.

I think sikka is a good package but it is combined with reCaptcha and (as with Cloudflare) I unfortunately can’t use any third party services.

Is this also an issue with single instances that run on nginx or only for clusters / load balancers?

1 Like

If you have the luxury of spare time, you could actually try and modify sikka to work with a local captcha package such as this one. I had a (very quick) look, and it seems the only modifications are needed in:

https://github.com/meteorhacks/sikka/blob/master/lib/server/captcha_page.html
https://github.com/meteorhacks/sikka/blob/master/lib/server/routes.js#L52

If you use something like NGINX for both tasks, then you only need to set it once. If you use a separate load balancer between the reverse proxy and your Meteor app (e.g. HAProxy), then you should also configure IP forwarding in that one as well.

1 Like
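Added example (not sikka's own code) for the proxy point above: when the app sits behind nginx, or behind nginx plus HAProxy, the per-IP limiter has to take the client address from X-Forwarded-For by counting a known number of trusted hops from the right, otherwise a client can dodge the limit by sending its own header values. The names parseForwardedFor, clientIp and makeLimiter, the forwardedCount parameter and the sample addresses are assumptions.

```javascript
// Split a raw X-Forwarded-For header into hop addresses; leftmost = client side.
function parseForwardedFor(header) {
  if (!header) return [];
  return header.split(',').map((s) => s.trim()).filter(Boolean);
}

// Address the limiter should key on.
// forwardedCount: number of trusted proxies in front of the app (nginx alone = 1,
//                 nginx + HAProxy = 2). Each one appends exactly one entry, its peer.
// remoteAddr: the TCP peer the app itself saw (the last proxy, or the client if none).
function clientIp(headers, remoteAddr, forwardedCount) {
  if (forwardedCount <= 0) return remoteAddr;
  const hops = parseForwardedFor(headers['x-forwarded-for']);
  // Entry appended by the outermost trusted proxy is hops[length - forwardedCount];
  // anything to its left was supplied by the client and is untrusted.
  const idx = hops.length - forwardedCount;
  if (idx < 0) {
    // Fewer entries than trusted proxies: header did not come through them; fall back.
    return remoteAddr;
  }
  return hops[idx];
}

// Minimal per-IP call counter keyed on the derived address (a constructed stand-in
// for a perIp threshold, not sikka's implementation).
function makeLimiter(perIp) {
  const counts = new Map();
  return function allow(headers, remoteAddr, forwardedCount) {
    const ip = clientIp(headers, remoteAddr, forwardedCount);
    const n = (counts.get(ip) || 0) + 1;
    counts.set(ip, n);
    return n <= perIp;
  };
}

// Constructed sample: one nginx in front (forwardedCount = 1). The client forges a
// different leading entry on every call; nginx appends the real peer address.
function demo() {
  const allow = makeLimiter(10);
  const results = [];
  for (let i = 0; i < 12; i++) {
    const headers = { 'x-forwarded-for': `10.0.0.${i}, 203.0.113.7` };
    results.push(allow(headers, '127.0.0.1', 1));
  }
  return results; // 10 true, then 2 false: the forged entries are ignored
}
```

With forwardedCount set to 0 the same requests would all count against 127.0.0.1, which is the "all traffic from one source" symptom described above.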

Thanks for the svg captcha link!

I really would like to grab a copy, but the amount is currently on the high side for me right now.

I personally think it’s very reasonably priced given the amount of specialized and useful knowledge that went into it, 25$ is the price of 2 meals or something.

Paying reasonably for something you appreciate is also a vote and encouragement for community members to contribute.

I agree generally but consider that $25 could be worth 12 meals in other parts of the world.

3 Likes

Fair point, well taken. I should have said US/Europe meals; global inequality is staggering. Internet/open source surely helps to level the ground a bit; on the flip side, their income from their Meteor global SaaS will also have higher ROI, but I can’t imagine authors selling their content for 2$ to adjust for global inequality.

This comment reminded me of the dollar-street project, which helps to visualize this kind of global economic inequality. According to that site, 27$ will feed a family in Burundi for a month, but needless to say they’re not the main audience of the book.

3 Likes

Just bought it - looking forward to getting into it!

3 Likes