Digital Ocean
Use this link to register Digital Ocean with $10 credit.
Droplet Setup (Ubuntu) for Node.js App (Meteor etc)
Follow mup guide:
You also need to add NOPASSWD to your sudoers file, which lets members of the sudo group run sudo without a password prompt. Open it with:
sudo visudo
Then replace the line that says
%sudo ALL=(ALL) ALL
with
%sudo ALL=(ALL) NOPASSWD:ALL
Add a public key for the new remote user by following https://gist.github.com/jamiewilson/4e1d28f9a200cb34ad59#set-up-ssl
Disable root access and change the SSH port (using the same guide, by editing '/etc/ssh/sshd_config')
Don't need to add swap when using SSD
Use unattended-upgrades to apply only security updates (otherwise, when you run apt-get upgrade, it'll update your version to a non-LTS version!)
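To confirm the sshd_config edits from the "disable root access, change port" step took effect, here is an added example (not from the mup guide or the gist) that audits a config file for those two settings. It assumes Include files are not followed and ignores everything from the first Match block on.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the two changes in the steps above.
# Assumptions: Include files are not followed and parsing stops at the first
# Match block, so only global settings are examined.

# Print "keyword value" for every global directive, keyword lower-cased
# (sshd treats keywords case-insensitively and accepts "Keyword=value").
sshd_global_settings() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        NF == 0 { next }
        {
            if (match($0, /^[ \t]*[A-Za-z0-9]+[ \t]*=/)) sub(/=/, " ")
            key = tolower($1)
            if (key == "match") exit             # conditional blocks start here
            print key, $2
        }
    ' "$1"
}

# Print PASS/FAIL lines; the return status is the number of failed checks.
audit_sshd_config() {
    settings=$(sshd_global_settings "$1")
    fails=0
    # sshd keeps the first value it reads for a keyword.
    root=$(printf '%s\n' "$settings" |
        awk '$1 == "permitrootlogin" { print tolower($2); exit }')
    if [ "$root" = "no" ]; then
        echo "PASS PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root:-unset}', expected 'no'"
        fails=$((fails + 1))
    fi
    # Port may appear several times and sshd listens on every one of them;
    # with no Port line at all it listens on 22.
    ports=$(printf '%s\n' "$settings" | awk '$1 == "port" { print $2 }')
    [ -n "$ports" ] || ports=22
    if printf '%s\n' "$ports" | grep -qx 22; then
        echo "FAIL sshd still listens on port 22"
        fails=$((fails + 1))
    else
        echo "PASS Port: $(echo $ports)"
    fi
    return "$fails"
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
```

On a live server, `sudo sshd -T` prints the effective configuration, including Include files and defaults, and is the authoritative check after restarting sshd.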
Optional:
Change the editor to vi:
sudo update-alternatives --config editor
References:
If you want nginx support:
mup doc (which automatically uses nginx; you don't need to set up anything)
More security setup from this linux workstation checklist:
MongoDB
automatic backup
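#!/bin/bash
# Dump one MongoDB database and keep it as a timestamped .tgz archive.
# Stop on the first error so a failed dump is never archived or cleaned up.
set -euo pipefail

MONGO_DATABASE="USE_YOUR_APP_NAME"
APP_NAME="USE_YOUR_APP_NAME"
MONGO_HOST="127.0.0.1"
MONGO_PORT="27017"
TIMESTAMP=$(date +%F-%H%M)
MONGODUMP_PATH="/usr/local/bin/mongodump"
# Relative path: resolved against the directory the script is started from
BACKUPS_DIR="./backups/$APP_NAME"
BACKUP_NAME="$APP_NAME-$TIMESTAMP"

# mongo admin --eval "printjson(db.fsyncLock())"
# "$MONGODUMP_PATH" -h "$MONGO_HOST:$MONGO_PORT" -d "$MONGO_DATABASE"
"$MONGODUMP_PATH" -d "$MONGO_DATABASE"   # writes the dump to ./dump
# mongo admin --eval "printjson(db.fsyncUnlock())"

mkdir -p "$BACKUPS_DIR"
mv dump "$BACKUP_NAME"
tar -zcvf "$BACKUPS_DIR/$BACKUP_NAME.tgz" "$BACKUP_NAME"
rm -rf "$BACKUP_NAME"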
crontab:
# run every day at 12am
00 00 * * * path/backup_mongodb.sh
How to manually backup or restore
mongodump -d dbname
#or
mongodump --port 3001 --username meteor
mongorestore --port 3001 -d meteor FOLDER_THAT_HAS_BSON_FILES
Oplog
How to enable oplog if the db is already in use?
ref:
(outdated: it's using mongodb 2.4) https://gentlenode.com/journal/meteor-10-set-up-oplog-tailing-on-ubuntu/17
SSL
How to check?
Online tool: https://www.sslshopper.com/ssl-checker.html
Or use ssl-cert-check
on server (reference):
sudo ssl-cert-check -c /etc/letsencrypt/live/yourdomain.tld/cert.pem
(LATEST 2021) With Mup you don't need to set up SSL manually anymore
Setup SSL using mupx and Let’s Encrypt
Steps
Make sure A record is already updated for your domain first
SSH to server:
# ssh to your server
git clone https://github.com/letsencrypt/letsencrypt
./letsencrypt-auto certonly --standalone --agree-tos --email YOUR_EMAIL -d YOURDOMAIN.COM -d www.YOURDOMAIN.COM
The following 4 files will be generated in the archive folder: /etc/letsencrypt/archive/YOURDOMAIN.COM
(Note: the ones in /etc/letsencrypt/live/YOURDOMAIN.COM are symlinks to the archive folder)
cert1.pem
chain1.pem
fullchain1.pem
privkey1.pem
Now we want to copy those files to your local machine:
# compress them on server first
sudo tar -cvvf letsencrypt_YYYY_MM_DD.tar /etc/letsencrypt/archive/YOURDOMAIN.COM
# then on your local terminal, use scp to get the above file, copy to home folder
scp -P 22 USER@IP:/home/USER/letsencrypt_YYYY_MM_DD.tar ~
# or
Put the two downloaded files (fullchain.pem and privkey.pem) in a local folder that mup can access (see mup.json)
Update mup.json
"ROOT_URL": "https://yourdomain.com",
...
"ssl": {
"certificate": "PATH_TO/fullchain.pem", // this is a bundle of certificates
"key": "PATH_TO/privkey.pem", // this is the private key of the certificate
"port": 443 // 443 is the default value and it's the standard HTTPS port
},
Don't forget to add the force-ssl package: meteor add force-ssl
Renew automatically
NOTE: this will NOT work because the server has to be stopped
Let's Encrypt certificates expire after 90 days, so we create a cron job to renew them automatically:
30 2 * * 1 /home/USER/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
To renew manually
# on dev machine, stop server:
mupx stop
# on server
/home/USER/letsencrypt/letsencrypt-auto renew
# above command will generate new files (cert2.pem etc), get the files to local machine
# by doing the same steps above: 'sudo tar -cvvf ...' (see above)
mupx setup
mupx deploy
Key points:
You need to stop the server before running renew.
If the cert is expired, you need to run
mupx setup
again.
If you run letsencrypt renew, new files will be generated (such as cert2.pem)
cert.pem: Your domain's certificate
chain.pem: The Let's Encrypt chain certificate
fullchain.pem: cert.pem and chain.pem combined
privkey.pem: Your certificate's private key
Reference:
Additional: