mikl

mikl

Do people really run Phoenix servers without a load balancer in front?

I’m in the middle of trying to deploy a Phoenix app, and I’ve been rather surprised by how painful it is to run it without a load-balancer.

The main pain point for me at the moment is how there appears to be no facility to start the server (I use the server generated by mix release) as root to grab privileged ports and SSL certificates that only root should have access to, and then drop privileges to run as an unprivileged user.

Pretty much any other unixy server that uses certificates has this exact facility.

But here, it seems the only options open to me are:

  1. to run BEAM as root
  2. to use all sorts of tricks to disable the normal Linux security mechanisms protecting access to privileged ports and SSL certs
  3. run a loadbalancer (like Traefik) in front of Phoenix to handle all the security-sensitive parts

Did I miss something? I find it hard (and scary) to imagine that people are regularly using options 1 or 2.

Marked As Solved

mikl

mikl

Pretty much. I never found a solution for reading the SSL certs and then dropping privileges, and I did not like the options of running BEAM as root or leaving the SSL cert files relatively unprotected either, so I ended up using Caddy as a reverse proxy instead.

Also Liked

hauleth

hauleth

You can do so using systemd (example - erlang-systemd/examples/plug at master · hauleth/erlang-systemd · GitHub). And about certs - just make it readable (and only readable) by the Phoenix process, even as non-root. If someone will achieve RCE with your service, then you lost anyway, so that isn’t something that I would worry about really.

dch

dch

I wrote a long post related to this old thread, https://people.freebsd.org/~dch/posts/2022-01-05-phoenix-lb.html if you have any comments or clarifications I’m happy to add them to the post.

TLDR

  • security is a journey, not a destination — “constant vigilance”
  • low ports are no longer significant
  • don’t run as root, use capabilities instead
  • consider injecting your TLS certs and other secrets via one-time “cubbyholes” with tools like vault
hauleth

hauleth

I have side project where I test a lot of stuff that is reimplementation of https://lobste.rs in Elixir with some additional stuff. It isn’t deployed anywhere nor tested with systemd directly, but I have tested it against my implementation of the systemd socket activation protocol (Dolores is meant as a development reverse proxy for handling the subdomains and TLS).

It is not really different from the plug example in the systemd repo:

https://gitlab.com/hauleth/langusta/-/blob/558923f80e7ba632062411de2dbd26b58a2d3910/lib/langusta_web/endpoint.ex#L91

Where Next?

Popular in Questions Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
nobody
How to bind a phoenix app to a specific ip address? could not find anything about that, nowhere, unfortunately, but for me this is quite...
New
beno
I will often find my self writing things similar to: case some_value do nil -> something() "" -> something() _ -> somethi...
New
Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
komlanvi
Hi everyone, I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New
yawaramin
In the Dialyzer docs ( dialyzer — OTP 29.0.2 (dialyzer 6.0.1) ), there is a way to turn off a specific warning for a function: -dialyzer...
New
jaysoifer
Is there a way to rollback a specific migration and only that one (“skipping” all the other ones)? Would mix ecto.rollback -v 200809061...
New

Other popular topics Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
danschultzer
None of the current solutions worked well for me, so I went ahead and built a user management system from scratch. This project took far...
548 29603 241
New
baxterw3b
Hi guys, i’m new in the Elixir world, and i have to say, that i love it! i’m having some problem to understand anonymous functions with ...
New
greenz1
I have a phoenix application from which a user can download multiple(5-6) files of size 1MB. I couldn’t find anything related to sending ...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
boundedvariable
I am going through the kafka architecture. All the features what the kafka is providing are already in Erlang. I would like hear your opi...
New
joaquinalcerro
Hi there, I am working with Ecto-Postgresql and I need to call all of the records from a specific table but the table has 40,000 records...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement