If you have not yet heard about Cloudflare, it’s a must-have item for your web toolbox. It offers many services for web apps—primarily for increased performance and security. Here is a list of services Cloudflare offers (in ordered of my personal preference).
In addition to these features, Cloudflare’s pricing model is extremely attractive. Cloudflare does not charge for the usage: instead, it offers an affordable per-application flat fee. Of course, a free tier is offered as well.
Using Meteor with Cloudflare is a bit tricky, as Meteor’s DDP connection uses WebSockets, which is not supported by Cloudflare yet. But with few simple tweaks, you will be able to use Meteor with Cloudflare.
This is not a guide on how to use Cloudflare’s features, but on how to use Cloudflare with Meteor
Cloudflare runs on top of a customized nginx server but it does not yet support WebSockets. If you’ve just added Cloudflare support to your Meteor app, you’ll find issues connecting to the DDP server. You have two options here.
This is the simplest and the best option. All you have to do is export the following environment variable before starting your Meteor app.
With this option, you can continue to use WebSockets with your Meteor app, but you will not be able to use some of the Cloudflare’s features. All you need to do is add a separate DDP connection to your Meteor app, which will bypass Cloudflare. Follow the steps below:
Now your DDP connection is bypassing Cloudflare and your Meteor can use WebSockets.
Now it’s time to explore how Cloudflare helps Meteor with Cloudflare’s features. However, not all of the features help Meteor; some of them need to be turned off or to be used with care.
However, Cloudflare does not cache any HTML content. That helps us to load balance our Meteor app correctly with sticky sessions.
As I’ve also previously mentioned, NodeJS is not good at serving SSL, and Meteor has no option to configure SSL. Therefore, we need to use a separate SSL terminator such as stud or nginx.
Cloudflare has a very interesting SSL service that acts as both an SSL certificate provider and as an SSL terminator. Simply put, you don’t need to buy an SSL certificate and make any configurations; you just need to click a button.
Unfortunately, if you’ve used Option 2 to allow DDP support, you can’t enjoy this feature, as now your DDP connection is bypassing Cloudflare.
To use SSL support, you need to use the Cloudflare Pro subscription plan
Meteor does already minify all your JS and CSS files. There is therefore no reason to do so inside Cloudflare. However, minifying multiple times does not break anything.
Cloudflare has some security options, which asks users to enter a CAPTCHA before entering the site. This is used to block malicious users. Sometimes, your users may be using a shared Internet connection, or the ISP is using a transparent proxy or something similar. This might cause Cloudflare to trigger the CAPTCHA, which might confuse the users of your app.
I really can’t say whether it is a good option to turn this off or not. But keep in mind that there is a situation like this also.
First of all, if you are considering this, your app is popular :)
Cloudflare does a good job at handling DDOS, and it has prevented some major attacks. This is how you can gain its benefit
To obtain the DDOS protection, you need to hide the IP address (or direct access) to your Meteor app from the public. This relates to both your main website and the DDP connection.
If you are using Option 1 with disabling WebSockets, you are already behind Cloudflare, and direct access to your Meteor app is hidden from the public. So whenever you need DDOS protection, you can simply turn it on.
But if you are using Option 2 with a separate DDP connection, your DDP connection is exposing direct access to your site. This allows the attacker to bypass Cloudflare and directly attack your app. If you are keep using this option, and if you decided to use DDOS protection at a later point, migrate your app (or load balancer) into a new server. Then apply Option 1 and turn on the DDOS protection.
Hope this article helps you to use Cloudflare with Meteor correctly and handover some responsibilities to it and keep focus on building your app.