Do people really run Phoenix servers without a load balancer in front?

I’m in the middle of trying to deploy a Phoenix app, and I’ve been rather surprised by how painful it is to run it without a load balancer.

The main pain point for me at the moment is how there appears to be no facility to start the server (I use mix release) as root to grab privileged ports and SSL certificates that only root should have access to, and then drop privileges to run as an unprivileged user.

Pretty much any other unixy server that uses certificates has this exact facility.

But here, it seems the only options open to me are:

  1. to run BEAM as root
  2. to use all sorts of tricks to disable the normal Linux security mechanisms protecting access to privileged ports and SSL certs
  3. to run a load balancer (like Traefik) in front of Phoenix to handle all the security-sensitive parts

Did I miss something? I find it hard (and scary) to imagine that people are regularly using options 1 or 2.

2 Likes

There is also the option to use your router to redirect ports to one that you can bind as non-root. In the future it will probably also become possible to use systemd socket activation to make systemd open the port for you, and you will just attach to it (as non-root). Alternatively, if the FS allows for that, then you can also set capabilities for the Erlang executable.
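The non-root approaches listed in this reply (capabilities on the executable, systemd handing the port to the process) can be expressed in a single service unit. The following is an added example, not code from the thread or from the Phoenix project: a POSIX shell function that renders a systemd unit running a mix release as an unprivileged user, granting it only CAP_NET_BIND_SERVICE so it can bind 443 itself, and using systemd's LoadCredential= so that root reads the private key and hands it to the service under $CREDENTIALS_DIRECTORY while the key file itself stays root-owned and 0600. The service account `phoenix`, the key and release paths, and a systemd version of at least 247 (for LoadCredential=) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): render a systemd unit that lets a mix
# release bind :443 and read a root-owned TLS key without running as root.
# Assumptions: systemd >= 247 (LoadCredential=), a service account named by $1,
# a root-owned 0600 key at $2, and the release start script at $3.

# render_phoenix_unit USER KEY_PATH RELEASE_BIN -> prints the unit to stdout
render_phoenix_unit() {
    user="$1"; key="$2"; bin="$3"
    cat <<EOF
[Unit]
Description=Phoenix release (unprivileged; port bound via ambient capability)
After=network-online.target
Wants=network-online.target

[Service]
Type=exec
User=$user
Group=$user
# systemd (as root) reads the key and exposes it to the service as
# \$CREDENTIALS_DIRECTORY/tls.key; the file on disk stays root:root 0600.
LoadCredential=tls.key:$key
# Only the one capability needed to bind ports below 1024; nothing else survives.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
Environment=PHX_SERVER=true
Environment=PORT=443
ExecStart=$bin start
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# unit_has_directive FILE KEY VALUE -> 0 if the exact line "KEY=VALUE" is in FILE
unit_has_directive() {
    grep -qxF "$2=$3" "$1"
}

# Example invocation (placeholder paths); writes the unit to the current directory.
render_phoenix_unit phoenix /etc/ssl/private/app.key /opt/app/bin/app > phoenix.service
```

With this unit installed under /etc/systemd/system/ and enabled with `systemctl enable --now phoenix`, the release's runtime config points the endpoint at the credential rather than at the file on disk, for example `keyfile: Path.join(System.get_env("CREDENTIALS_DIRECTORY"), "tls.key")`; the BEAM never runs as root and never needs read access to /etc/ssl/private.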

So from a security-in-depth perspective, is it really a huge problem to have userspace apps get access to privileged ports (option 2)? Windows does it, and I thought the major danger is if your software gets compromised it can spoof other systems on the network. But you can also lock that down with iptables rules, which you should do anyway and/or have your CSP do.

No, presuming you have a firewall, it’s just annoying and fiddly to set up, you have to dig deep into the dark lore of Linux security to get it working.

More troubling is having your SSL certs accessible to unprivileged users. It makes it trivial to extract secret keys from vulnerable servers.

1 Like

Cool, thanks for the info… I’ll be deploying a user-facing frontend soon and wanted to get an idea of the landscape/best practices.

Out of curiosity, wouldn’t performing encryption require the running server to have a version of the key loaded in memory? It seems like it’d just make it slightly more inconvenient to access the SSL key than a nice known FS location. Unless SSL makes some sort of “one-time sub key” from the master key initially and then uses that in a process with dropped privileges. I’m not that familiar with the depths of SSL so I’m curious.

1 Like

Correct, it does.

I’m not a professional hacker, but to my understanding, compromising protected memory would be significantly more difficult than just grabbing a file.

If you follow guides or use automated tools (on Linux), they almost all explicitly set the private key files only to be accessible to root. Unless they’re all just cargo-culting, there must be a point to such measures.
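The permission model described in this reply (private key files readable only by their privileged owner) is easy to verify mechanically. The following is an added example, not code from the thread: a POSIX shell function that audits a directory of key files and reports any that are group- or world-accessible or not owned by the expected account. The directory, the `*.key`/`*.pem` naming, the default owner `root`, and GNU/BusyBox `find` semantics for `-perm /MODE` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit TLS private key files for the
# owner-only access model described above. Assumptions: GNU or BusyBox find
# (-perm /MODE; BSD find uses -perm +MODE), keys named *.key or *.pem, and a
# default expected owner of root.

# audit_private_keys DIR [OWNER]
#   Prints each offending file with the reason; returns 1 if any were found.
audit_private_keys() {
    dir="$1"
    owner="${2:-root}"
    # Any file with a group or other permission bit set (-perm /077) is readable
    # or writable by someone other than its owner.
    loose=$(find "$dir" -type f \( -name '*.key' -o -name '*.pem' \) -perm /077 2>/dev/null)
    # Any file not owned by the expected account can be read by that account's
    # compromise without touching the privileged owner at all.
    wrong_owner=$(find "$dir" -type f \( -name '*.key' -o -name '*.pem' \) ! -user "$owner" 2>/dev/null)
    status=0
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/group-or-world accessible: /'
        status=1
    fi
    if [ -n "$wrong_owner" ]; then
        printf '%s\n' "$wrong_owner" | sed "s/^/not owned by $owner: /"
        status=1
    fi
    return $status
}

# Example invocation against the conventional Debian location (placeholder).
audit_private_keys /etc/ssl/private
```

Run as root (or with sudo) after certificate renewal; a non-zero exit is the signal to fix ownership and mode before the server is restarted.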