Deployment
Introduction
At some point you want to deploy your Supercharge application to production. You want to serve your application as best as possible to your audience when going live. This documentation page will point you to different deployment ideas.
Asset Pipeline
At this point, Supercharge doesn’t ship with an asset pipeline to minify your client-side CSS and JS assets. Please choose your favorite build tool and bundler and create your custom setup. We’ve good experience using Webpack or Parcel.
Zero-Downtime Deployments
You want to minimize downtimes when running your application in production. Supercharge supports zero-downtime deployments out-of-the-box. You can extend the HTTP kernel in case you need to send signal messages.
For example, this Supercharge website uses PM2 in production. We configured PM2 two run two app instances in cluster mode in production. Two app instances allow us to have an “always on” setup while one instance reboots. We also send a READY signal from the HTTP kernel telling PM2 that the instance is online.
PM2 Deployments
We recommend to use a process manager, like PM2, to run your application in production. Zero-downtime deployments with PM2 are only available cluster mode. You may check out the PM2 configuration file from this Supercharge website.
Here’s a sample PM2 configuration which you could save as pm2.json in your app:
{
"apps": [
{
name: 'superchargejs.com',
script: './node_modules/ts-node/dist/bin.js',
args: 'server.ts',
exec_mode: 'cluster',
instances: 2,
/**
* The `wait-ready` and `listen-timeout` settings support graceful restarts in a
* zero-downtime manner. A “booted” callback in the HTTP kernel sends the `wait`
* signal when the server is ready to accept connections. PM2 waits at most
* the configured `listen-timeout` before marking the app as ready.
*/
wait_ready: true,
listen_timeout: 15_000,
env: {
NODE_ENV: 'production',
PORT: 2021
}
}
]
}SSL
Ensure that your application uses HTTPS in production. At this point, Supercharge will create a Node.js HTTP server and you can’t adjust the setup to bootstrap an HTTPS server.
You should deploy a reverse proxy (like nginx or Caddy) to terminate Internet traffic and pass requests through to your application.
Let's Encrypt offers free SSL certificates to protect your applications. The Certbot command line utility generates Let's Encrypt SSL certificates and integrates with nginx. It updates the nginx configurations for your domains to support HTTPS.
Deployment Checklist
Serving this documentation as fast as possible in “always on” manner is important to let you read it whenever you want. Therefore, we collected a list of deployment tips. Use this checklist as a reference when deploying your app to the public:
Application
- ensure
NODE_ENV=production - enable error logging or use an error tracking service (e.g., Sentry)
- use an LTS or stable Node.js release
- check if your server has sufficient resources
- ensure you’re not using
JSON.parse()for large data (large is1 MBor more) - validate request input values
Performance
- activate HTTP/2 (nginx or your Node.js server)
- use a process manager to run your application (e.g., PM2)
- remove unused dependencies from your
package.json - offload computational intensive operations from route handlers/controllers to worker threads
- prefer asynchronous operations to not block the Node.js event-loop
- minify static assets: CSS and JavaScript
- minify your images (e.g., tinypng.com)
- serve static files with long-lasting expiration headers
- lazy load images
Security
- use SSL
- check your SSL configuration
- all tests pass
- the
.envfile is not checked-in to your source control - no sensitve data (API keys, passwords) in the configuration files
- check your depencencies for securiy concerns with
npm audit - enable rate limiting whenever possible
- run your application as a non-root user
- use HTTPS when requesting external links
- check your HTTP headers