Deployment
Introduction
At some point you want to deploy your Supercharge application to production. When “going live” you want to serve your application to your audience as well as possible. This documentation page points you to different deployment ideas.
Asset Pipeline
At this point, Supercharge doesn’t ship with an asset pipeline to minify your client-side CSS and JS assets. Please choose your favorite build tool and bundler and create your custom setup. We’ve had good experiences with Webpack or Parcel.
Zero-Downtime Deployments
You want to minimize downtime when running your application in production. Supercharge supports zero-downtime deployments out of the box. Any processing that you want to run while your HTTP server stops should be part of the application lifecycle.
Supercharge uses hapi-pulse to gracefully stop the HTTP server and run your lifecycle methods. It listens for the SIGINT and SIGTERM events to gracefully shut down.
PM2 Deployments
We recommend using a process manager, like PM2, to run your application in production. Zero-downtime deployments with PM2 are only available in cluster mode.
Here’s a sample PM2 configuration which you could save as pm2.json in your app:
{
  "apps": [
    {
      "name": "my-supercharge-app",
      "script": "./server.js",
      "instances": 2,
      "exec_mode": "cluster",
      "env": {
        "NODE_ENV": "production",
        "PORT": 2019
      }
    }
  ]
}
SSL
Ensure your application uses HTTPS in production. At this point, Supercharge will create a Node.js HTTP server and you can’t adjust the setup to bootstrap an HTTPS server.
You should deploy a reverse proxy (like nginx) to terminate HTTPS connections from the Internet and pass requests through to your application.
Let's Encrypt offers free SSL certificates to protect your applications. The Certbot command line utility generates Let's Encrypt SSL certificates and integrates with nginx. It updates the nginx configurations for your domains to support HTTPS.
Deployment Checklist
Serving this documentation as fast as possible in an “always on” manner is important to let you read it whenever you want. Therefore, we collected a list of deployment tips. Use this checklist as a reference when deploying your app to the public:
Application
- ensure NODE_ENV=production
- enable error logging or use an error tracking service (e.g., Sentry)
- use an LTS or stable Node.js release
- check if your server has sufficient resources
- ensure you’re not using JSON.parse() for large data (large is 1 MB or more)
- validate request input values
Performance
- activate HTTP/2 (nginx or your Node.js server)
- use a process manager to run your application (e.g., PM2)
- remove unused dependencies from your package.json
- offload computationally intensive operations from route handlers/controllers to worker threads
- prefer asynchronous operations to not block the Node.js event-loop
- minify static assets: CSS and JavaScript
- minify your images (e.g., tinypng.com)
- serve static files with long-lasting expiration headers
- lazy load images
Security
- use SSL
- check your SSL configuration
- all tests pass
- the .env file is not checked in to your source control
- no sensitive data (API keys, passwords) in the configuration files
- check your dependencies for security concerns with npm audit
- enable rate limiting whenever possible
- run your application as a non-root user
- use HTTPS when requesting external links
- check your HTTP headers
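
The following pre-deploy check is an added example, not part of Supercharge or of this documentation's own code. It covers the checklist items that can be verified mechanically (NODE_ENV, non-root user, untracked .env files, PM2 cluster mode, secrets in pm2.json); the function name preflight, its input shape, and the secret-name pattern are assumptions made for illustration.

```javascript
// Added example, not Supercharge code. Inputs are passed in so the checks run offline.
function preflight ({ env, uid, trackedFiles, pm2 }) {
  const findings = []

  if (env.NODE_ENV !== 'production') findings.push('NODE_ENV is not set to production')

  // uid 0 is root on POSIX; pass process.getuid() here (the function is absent on Windows)
  if (uid === 0) findings.push('application runs as root')

  // .env and variants such as .env.production must not be tracked; .env.example is a template
  for (const file of trackedFiles) {
    const name = file.split('/').pop()
    if (name === '.env' || (name.startsWith('.env.') && name !== '.env.example')) {
      findings.push(`${file} is checked in to source control`)
    }
  }

  for (const app of pm2.apps || []) {
    // PM2 zero-downtime deployments are only available in cluster mode
    if (app.exec_mode !== 'cluster') {
      findings.push(`PM2 app ${app.name} does not use cluster mode`)
    }
    // Heuristic (assumption): env keys with these names hold secrets and do not belong in pm2.json
    for (const key of Object.keys(app.env || {})) {
      if (/(secret|password|passwd|token|api_?key)/i.test(key)) {
        findings.push(`PM2 app ${app.name} stores ${key} in the configuration file`)
      }
    }
  }

  return findings
}

// Constructed sample input: the pm2.json from this page plus deliberate mistakes
const sample = {
  env: { NODE_ENV: 'production' },
  uid: 0,
  trackedFiles: ['server.js', 'pm2.json', '.env.example', 'config/.env'],
  pm2: {
    apps: [{
      name: 'my-supercharge-app', script: './server.js',
      instances: 2, exec_mode: 'cluster',
      env: { NODE_ENV: 'production', PORT: 2019, API_KEY: 'constructed-value' }
    }]
  }
}

console.log(preflight(sample))
```

In a real pipeline, feed it process.env, process.getuid(), the output of git ls-files split into lines, and the parsed pm2.json, and fail the deployment when the returned list is not empty.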