SSL for Meteor
Simple built-in Meteor SSL functionality for development on localhost
Quickstart
meteor add stoyteller:ssl
After the package installation has finished, place your SSL key & cert files inside your Meteor private directory.
I highly recommend using mkcert to set up the certificates for you. Below is a simple setup that will work, but the browser won't be happy about it.
openssl genrsa -out localhost.key 2048
openssl req -new -x509 -key localhost.key -out localhost.cert -days 3650 -subj /CN=localhost
If you want to use a host other than localhost then replace every reference to “localhost” above with your custom domain.
// server.js
SSL(
  Assets.getText("localhost.key"),
  Assets.getText("localhost.cert")
); // Defaults to port 443
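A key that does not match its certificate, an expired certificate, or a certificate issued for a different host only shows up once the server starts or the browser connects. The script below is an added example, not part of this package: check_tls_pair and make_demo_pair are hypothetical helper names, and the demo pair is constructed in a temporary directory with the same openssl commands as above.

```shell
#!/bin/sh
# Added example (not part of the package): sanity-check a key/cert pair
# before handing it to SSL(). Function names and paths are assumptions.

# check_tls_pair KEY CERT HOST
# returns 0 ok, 1 key/cert mismatch, 2 key unreadable or passphrase-protected,
#         3 cert unreadable, 4 cert expired, 5 HOST not covered by the cert
check_tls_pair() {
    key=$1 cert=$2 host=$3
    # "-passin pass:" supplies an empty passphrase, so an encrypted key fails
    # here instead of blocking on the "Enter PEM passphrase" prompt.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    # The certificate must carry the public half of this private key.
    [ "$key_pub" = "$cert_pub" ] || return 1
    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 4
    # -checkhost prints "does match" / "does NOT match" for the given name.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>&1 |
        grep -q 'does match' || return 5
    return 0
}

# make_demo_pair DIR HOST: constructed test material, generated with the same
# two openssl commands as the quickstart (30-day lifetime instead of 3650).
make_demo_pair() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/$2.key" -out "$1/$2.cert" \
        -days 30 -subj "/CN=$2" 2>/dev/null
}

# Demo run on a constructed localhost pair.
demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir" localhost
rc=0
check_tls_pair "$demo_dir/localhost.key" "$demo_dir/localhost.cert" localhost || rc=$?
echo "localhost pair: exit $rc"
rm -rf "$demo_dir"
```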
API
SSL(key, cert, [port])
Server JavaScript function
The SSL() function launches the SSL functionality from the server; the SSL feature won't be present unless you call it. It must only be used inside the server directory.
The function has two obligatory arguments: The UTF-8 formatted string of the SSL key & the SSL cert files, respectively. The third argument is optional: Define the SSL port (Default: 443).
Example:
SSL( Assets.getText("localhost.key"), Assets.getText("localhost.cert"));
isHTTPS()
Client JavaScript boolean function
Returns true if the user is on an HTTPS connection.
Warning: Because this is a client function, it does not prevent the server from sending templates over an HTTP connection, nor does it prevent the server from sending data over HTTP unless you prevent it from the client side.
switchHTTPS([port])
Client JavaScript function
This function refreshes the page after switching the browser to HTTPS. This function takes one optional argument: The SSL port previously specified by the SSL() server function (Default is 443).
Example with the iron:router:
Router.route('/', function () {
  if (isHTTPS()) {
    this.route('home');
  } else {
    switchHTTPS();
  }
})
For the above example to work, the HTTP port must be 80, and the HTTPS port must be 443 (default).
Notes
- If your SSL certificate has a password, you will be prompted with "Enter PEM passphrase" every time the server is started.
- In order for Meteor to use port 443 for SSL (the default port), it must be started as root:
sudo meteor
Failing to do this can cause the error "Error: listen EACCES" to be thrown by the dependency node-http-proxy.
- In order for the force-ssl package to work with this package, please make sure the SSL port is 443 (default).
- You have to add the https:// prefix to the URL if you use the port number in the URL. For example, assuming you chose 443 as the SSL port, this will NOT work:
localhost:443
It will keep your browser loading forever instead of redirecting you to an HTTPS connection. To make it work, you have to add the https:// prefix:
https://localhost:443
This is why you are encouraged to use the default SSL port 443 so that you can open:
https://localhost
To revert the effects caused by running sudo, run this command:
sudo chown -Rh <username> .meteor/local
- This package does not encrypt communication between Meteor & MongoDB. To work around this, you must put MongoDB on Meteor's localhost or on a server inside your secure private network.
FAQ
Does it support WebSockets?
Yes, it encrypts both HTTP packets and WebSockets (including DDP).
Does it work with Phonegap/Cordova?
Yes. When you run it in development, just set the --mobile-server argument to the server location preceded by the https:// prefix and followed by the SSL port. For example, if you use it on an Android device:
meteor run android-device --mobile-server=https://localhost:443
When you build the mobile application, use the same syntax with the --server argument, for example:
meteor build --server=https://localhost:443
Does it work with server-to-server DDP connections?
Yes, just adjust DDP.connect() to the appropriate SSL port.
Example:
DDP.connect('https://example.com:443');
Does it encrypt the connection between Meteor & MongoDB?
No, it doesn't. Unless MongoDB is located on localhost, all communication between Meteor & MongoDB is compromised, so be careful!
Browser shows a security warning
This is because your SSL certificate is self-signed. To prevent this, you need to buy a certificate signed by a Certificate Authority.
How do I force Meteor to always use SSL?
Set the SSL port to 443 (default) and install the force-ssl package:
meteor add force-ssl