Does it make sense to have Phoenix default to http?

I don’t fully agree with this. Sure, the redirection thing I tried this morning frustrated me, I will give you that. Beyond that, I find running mix phx.gen.cert simple enough, and following the docs does get me close enough with little effort and pain. The only other obstacle is how the browser handles the requests for localhost while in development, but I feel most people figure that out fairly quickly. Also, as I stated before, I do believe there are some benefits to running https locally, such as finding requests that are not secure, or just that maybe it’s better to become familiar with ssl in a local env vs doing it on production. IDK, but I’d rather try https locally for development than not.

1 Like

I also offload SSL before hitting the Phoenix app. Probably not a lot to add on top of the existing points, more just to add another voice to that model.

Something else I had not noted was I want to start to explore http2 which from what I understand will require this and has issues working on nginx via upstream proxy.

There may be use cases, but I don’t see how this is one of them. If your load balancer is configured to force HTTPS and present them to your app via HTTP, then all your requests have to be secure and your app’s behaviour has nothing to do with it; it is down to testing that your infrastructure is set up correctly, not your app.

HTTP2 by itself does not require encryption, it’s just that the browsers made it a requirement. You can safely use curl with HTTP2 and without encryption, it’ll work.

Also, I use traefik as a LB. It terminates HTTP and HTTP2, and does the HTTP->HTTPS redirection for me; it will renew the Let’s Encrypt certificates if necessary and is even able to talk HTTP2 unencrypted with the backend application if I enable it.

And all of this with very little configuration. Configuration that should be done by the Ops team, and not by the Devs.

Testing HTTPS locally gives you nothing, as you know nothing about what production will look like…

3 Likes

I was just speaking from this experience: The hard 3 day lesson I learned trying to use http2 with Phoenix, Cowboy and Nginx

Maybe you know a way that works.

I guess I better hire an ops team then.

Sorry, I wasn’t speaking directly to the HTTP2 point, more the rogue unsecured route one. I don’t have experience setting this up with HTTP2, which is one of the reasons why I said that there may be use cases.

Ok, I guess I was wrong, except I’m not using curl for development; I’m working in a browser that does require it…

Well, if you are both in omniperson, then try at least to separate both concerns mentally, that’s what I usually do.

I code locally, and when I deploy, I concentrate on the deployment not on stuff that happened locally.

For the deployment I have to use an LB anyway, as I have many services of different languages behind the same “domain”, and I need to dispatch them by request path.

This is and was very easy with traefik so far, especially as it does everything for me and as it can reverse-proxy HTTP2 and even does accept HTTP2 on the frontend while talking HTTP on the backend and vice versa.

2 Likes

That’s good to know, as I’ve learned nginx still can’t by itself. (or maybe it can now, I haven’t checked lately)

And maybe I’m completely wrong about all this and everyone is behind a LB for prod and no one really cares about local https because they never have to deal with https.

Would you say traefik with its file configuration is a good option for someone who isn’t using containers or interested in auto discovery? (Not counting those out for the future.)

1 Like

Lots of other comments since my post. I forgot to mention that I do use https locally so that we don’t mix protocols with Chrome. I don’t use local orchestration right now, so I do use Phoenix https with self-signed certs.

3 Likes

I prefer this as well

It worked pretty well for me, though I have to admit, I have not yet made the step from 1.7 to 2.0, as too much changes and I still didn’t manage to convert my config…

For the sake of providing just another data point: we run all our services using HTTP and put Nginx in front to manage HTTPS. Since we use a multitude of technologies, this setup allows the DevOps team to easily manage certificates on their own.

1 Like
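The two setups compared in this thread (Phoenix serving HTTPS itself in development, and a proxy terminating TLS in front of a plain-HTTP Phoenix in production), as an added configuration example that is not part of any post above. The app name `:my_app`, the module `MyAppWeb.Endpoint`, the host `example.com` and the port numbers are placeholders; the certificate paths are the defaults written by `mix phx.gen.cert`.

```elixir
# Added example. Two separate files are shown one after the other.
# :my_app, MyAppWeb.Endpoint, example.com and the ports are placeholders.

# ---- config/dev.exs -------------------------------------------------
# Phoenix terminates TLS itself, using the self-signed certificate and
# key that `mix phx.gen.cert` writes under priv/cert/.
import Config

config :my_app, MyAppWeb.Endpoint,
  http: [port: 4000],
  https: [
    port: 4001,
    cipher_suite: :strong,
    certfile: "priv/cert/selfsigned.pem",
    keyfile: "priv/cert/selfsigned_key.pem"
  ]

# ---- config/prod.exs ------------------------------------------------
# A reverse proxy / load balancer terminates TLS and forwards plain HTTP.
# force_ssl is compile-time endpoint configuration, so it belongs here
# rather than in config/runtime.exs.
import Config

config :my_app, MyAppWeb.Endpoint,
  # Listen on loopback only, so the app is reachable solely through the
  # proxy running on the same host.
  http: [ip: {127, 0, 0, 1}, port: 4000],
  # Scheme, host and port that clients see; used when generating URLs.
  url: [host: "example.com", scheme: "https", port: 443],
  # Treat a request as HTTPS when the proxy sets X-Forwarded-Proto: https.
  # Requests that arrive marked as http are redirected, and HSTS is sent
  # on responses to secure requests.
  force_ssl: [rewrite_on: [:x_forwarded_proto], hsts: true]
```

Because `rewrite_on` makes Phoenix trust the `X-Forwarded-Proto` header, the proxy has to set or overwrite that header on every request, and nothing else should be able to reach the HTTP port directly.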

I can see how maybe I conflated implementation vs the general use of https. It’s very well possible this is more the common day de facto and would say this is also how I commonly do it myself. Though as of the moment I wanted to look at possibly consolidating to cowboy and I’m looking at alternatives to Nginx on the front.

As a newbie in deployment, here is my experience. I deployed for now a single Phoenix project and I thought it would be simpler for me to let Phoenix manage the ssl files. I had some difficulties but succeeded in configuring https in both production and dev envs. But what I found really a lot more unfriendly is the renewal of certificates. Besides, I gave up on learning that and just chose to renew them manually every three months, until I configure something like haproxy/traefik/nginx to handle that and just forget all https things in Phoenix. I have to say that my project is an umbrella one and has two web apps, the public web app and the admin web app.

If you know a really easy way to handle ssl certs renewal in Phoenix, that interests me though.

1 Like

I use certbot with Let’s Encrypt and nginx normally. I bet you can use certbot in the same way but without the update to nginx and just make sure your paths are right.

2 Likes