11 comments

[ 3.0 ms ] story [ 38.1 ms ] thread
Ironically it was only yesterday that someone asked "Ask HN: Why do tutorial writers combine 10 technologies when 1 or 2 would do?"[1]

I think this is a perfect example of how not to write a tutorial. It doesn't actually teach anything - instead it is effectively a set of commands that someone should type in exactly and it will work.. hopefully.

I think this point in the introduction sums up this approach:

I’d like to point out that the broken branch wasn’t working for some (still) unknown reason related to versioning between when we set up the system and when we upgraded some of the components including nodejs.

and later:

Note for the app we created we used nodejs v8.10.0 and npm v6.4.0, although installing newer versions shouldn’t be an issue.

So.. they don't know why it broke, but any newer version should be fine.

[1] https://news.ycombinator.com/item?id=18950679

Also thought about that other thread.
Yeah, that's why in the 'Lessons from Docker' section in point #3 I mentioned that docker might be better off for larger projects, since it seems excessive, especially for small projects. The point of this exercise was to learn more about the technology itself, this clearly isn't a viable way of doing things in production though :) Thanks for the feedback!
It is a bad idea to use a full-blown Node.js web server to serve some static content. A better solution would be to build the app in one container and then build another Nginx container to serve it. This container can then be hardened (run as non-root, use a read-only filesystem). An added benefit is that Nginx uses fewer system resources (~10 megabytes of RAM will work just fine).

We’re running such a setup in production; a sample Dockerfile can be found on https://github.com/WISVCH/docker-nginx.

I know that nginx is more traditionally known for hosting static content than node.js, but are there any particular reasons why it's bad to just use node for static content these days?
It happened to me to have memory leaks and eventually OOM errors using Node.js as static files server. Switched then to Nginx...
Generally nginx is written in C which simply performs better than garbage collected, dynamically typed javascript.

But regarding sending static files, nginx uses Linux' sendFile[0] which outperforms anything in user-space.

Up until a few years ago this wasn't something Node could use. I'm not sure if still that's the case though. My information could be badly outdated.

[0] http://man7.org/linux/man-pages/man2/sendfile.2.html

From a security standpoint, the attack surface of Node.js and whatever libraries are used to make `npm start` happen is a lot larger than plain Nginx.

From a general usability standpoint, a Node.js container with all build dependencies will surely turn into a bloated several hundred megabyte Docker image — an Nginx image with just the built static files is a lot smaller.

I understand you're comparing NodeJS vs Nginx there, but for my curiosity, if someone is building an API, how do you think NodeJS would compare to Ruby on Rails or Python/Django from a security standpoint?
I don’t think either language is fundamentally more secure than the other.

That being said, the Node.js ecosystem feels more immature than Python’s. The common practice of using microdependencies means that an average project has countless dependencies with varying levels of support — it’s all but impossible to make sure every one of those dependencies is properly maintained.

The framework/library churn rate seems to have decreased though, so that’s certainly good from a security standpoint as well.

Definitely agree! This project was put together in order to learn more about the technology itself, and much of this wouldn't be useful in production. For example our versioning was broken and we didn't figure out why, but that wouldn't be tenable either. We concluded for smaller projects Docker may be more trouble than it's worth, at least from a little experimenting with it. Thanks for the link!