mikl

mikl

Do people really run Phoenix servers without a load balancer in front?

I’m in the middle of trying to deploy a Phoenix app, and I’ve been rather surprised by how painful it is to run it without a load-balancer.

The main pain point for me at the moment is how there appears to be no facility to start the server (I use the server generated by mix release) as root to grab privileged ports and SSL certificates that only root should have access to, and then drop privileges to run as an unprivileged user.

Pretty much any other unixy server that uses certificates has this exact facility.

But here, it seems the only options open to me are:

  1. to run BEAM as root
  2. to use all sorts of tricks to disable the normal Linux security mechanisms protecting access to privileged ports and SSL certs
  3. run a loadbalancer (like Traefik) in front of Phoenix to handle all the security-sensitive parts

Did I miss something? I find it hard (and scary) to imagine that people are regularly using options 1 or 2.

Marked As Solved

mikl

mikl

Pretty much. I never found a solution for reading the SSL certs and then dropping privileges, and I did not like the options of running BEAM as root or leaving the SSL cert files relatively unprotected either, so I ended up using Caddy as a reverse proxy instead.

Also Liked

hauleth

hauleth

You can do so using systemd (example - erlang-systemd/examples/plug at master · hauleth/erlang-systemd · GitHub). And about certs - just make it readable (and only readable) by the Phoenix process, even as non-root. If someone will achieve RCE with your service, then you lost anyway, so that isn’t something that I would worry about really.

dch

dch

I wrote a long post related to this old thread, https://people.freebsd.org/~dch/posts/2022-01-05-phoenix-lb.html if you have any comments or clarifications I’m happy to add them to the post.

TLDR

  • security is a journey, not a destination — “constant vigilance”
  • low ports are no longer significant
  • don’t run as root, use capabilities instead
  • consider injecting your TLS certs and other secrets via one-time “cubbyholes” with tools like vault
hauleth

hauleth

I have side project where I test a lot of stuff that is reimplementation of https://lobste.rs in Elixir with some additional stuff. It isn’t deployed anywhere nor tested with systemd directly, but I have tested it against my implementation of the systemd socket activation protocol (Dolores is meant as a development reverse proxy for handling the subdomains and TLS).

It is not really different from the plug example in the systemd repo:

https://gitlab.com/hauleth/langusta/-/blob/558923f80e7ba632062411de2dbd26b58a2d3910/lib/langusta_web/endpoint.ex#L91

Where Next?

Popular in Questions Top

9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
komlanvi
Hi everyone, I was playing with phoenix liveView but I run into an issue. I have a form and want to validate each input text when the te...
New
joaquinalcerro
Hi there, I am working with Ecto-Postgresql and I need to call all of the records from a specific table but the table has 40,000 records...
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New
earth10
Hi, I’m just starting to build a side-project with Elixir and Phoenix and doing some basic test with Elixir alone. What strikes me is th...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

Other popular topics Top

AstonJ
Posting this to see if we can make things easier for people to get into Neovim. If you use Neovim and have a favourite distro please let ...
New
albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
chrismccord
Phoenix 1.4.0 released Phoenix 1.4 is out! This release ships with exciting new features, most notably with HTTP2 support, improved deve...
688 31013 112
New
belgoros
I’m not a pro in using Regex and can’t figure out why the following behaviour happens, especially if we take into account the difference ...
New
josevalim
Hi everyone, One of the features added to Elixir early on to help integration with Erlang code was the idea of overridable function defi...
New
joeerl
Hello again - after a longish gap I’ve decided I really must dig into Elixir and see what’s been happening here - so I have a few questio...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
saif
Hello everyone, Long time lurker first time poster here. I’ve recently begun working on Elixir full-time again! :raised_hands: It’s been...
New
KronicDeth
Elixir plugin for JetBrain’s IntelliJ Platform (including Rubymine) This is a plugin that adds support for Elixir to JetBrains IntelliJ...
289 36352 110
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement