mikl
Do people really run Phoenix servers without a load balancer in front?
I’m in the middle of trying to deploy a Phoenix app, and I’ve been rather surprised by how painful it is to run it without a load-balancer.
The main pain point for me at the moment is how there appears to be no facility to start the server (I use the server generated by mix release) as root to grab privileged ports and SSL certificates that only root should have access to, and then drop privileges to run as an unprivileged user.
Pretty much any other unixy server that uses certificates has this exact facility.
But here, it seems the only options open to me are:
- to run BEAM as root
- to use all sorts of tricks to disable the normal Linux security mechanisms protecting access to privileged ports and SSL certs
- run a loadbalancer (like Traefik) in front of Phoenix to handle all the security-sensitive parts
Did I miss something? I find it hard (and scary) to imagine that people are regularly using options 1 or 2.
Marked As Solved
mikl
Pretty much. I never found a solution for reading the SSL certs and then dropping privileges, and I did not like the options of running BEAM as root or leaving the SSL cert files relatively unprotected either, so I ended up using Caddy as a reverse proxy instead.
Also Liked
hauleth
You can do so using systemd (example - erlang-systemd/examples/plug at master · hauleth/erlang-systemd · GitHub). And about certs - just make it readable (and only readable) by the Phoenix process, even as non-root. If someone will achieve RCE with your service, then you lost anyway, so that isn’t something that I would worry about really.
dch
I wrote a long post related to this old thread, https://people.freebsd.org/~dch/posts/2022-01-05-phoenix-lb.html if you have any comments or clarifications I’m happy to add them to the post.
TLDR
- security is a journey, not a destination — “constant vigilance”
- low ports are no longer significant
- don’t run as root, use capabilities instead
- consider injecting your TLS certs and other secrets via one-time “cubbyholes” with tools like vault
hauleth
I have side project where I test a lot of stuff that is reimplementation of https://lobste.rs in Elixir with some additional stuff. It isn’t deployed anywhere nor tested with systemd directly, but I have tested it against my implementation of the systemd socket activation protocol (Dolores is meant as a development reverse proxy for handling the subdomains and TLS).
It is not really different from the plug example in the systemd repo:
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









