HTTPS with Phoenix, Ecto and Absinthe on GCP's GKE

This may not be the right forum to ask this as the question might not be strictly Elixir related, but since I have no clue, here it goes:

I just deployed an OTP release on Google Kubernetes Engine which is a Phoenix application with no frontend at all, it just serves a GraphQL API endpoint.

Everything went as planned until I realized I wouldn't be able to access that API from my frontend (Next.js deployed on Now), as it doesn't allow me to access a non-HTTPS resource.

Now, here’s my question; am I supposed to achieve this by generating certificates and configuring it on config/releases.exs or would I have to configure it with something like a nginx ingress? Or maybe both?

I'm having the hardest time understanding what I'm doing here. I saw some tutorials in this forum, but they seem to suggest that I need to have a domain so I can generate certificates? Isn't it possible to have HTTPS on the IP address of my Kubernetes cluster?

Any help or indication of material to read would be highly appreciated here :slight_smile:
Thanks!

Not too sure about Kubernetes specifically, but to get HTTPS, I can think of 2 approaches. The first is to configure nginx. For your case, you may want to consider the Kubernetes way of configuring nginx as a reverse proxy with SSL.

Another approach is to let a service such as Cloudflare handle the SSL, and Cloudflare will direct the requests to your Kubernetes cluster. To secure this setup, you may need to set your ingress firewall to only accept requests from Cloudflare.

To have HTTPS, yes you need a domain name. You can get .tk domain which is free if need be.


Take into consideration that even if you use a CDN like Cloudflare, you should still set up HTTPS on your server (either at the ingress level or in the app). That's because Cloudflare is outside of your cluster, so if the traffic between Cloudflare and your app is not encrypted, you can still be vulnerable to MITM attacks.

Typically, one would use a public certificate on Cloudflare and a "private" one on the server, setting up authenticated origin pulls to make sure that only Cloudflare can connect directly to the server.

That said, back to the original question, there are indeed two approaches:

  • Terminating SSL at the Kubernetes ingress level
  • Terminating SSL in Phoenix

Doing it at the ingress level might make more sense if you plan to have several apps running on the same cluster, all needing HTTPS.

In both cases you need to obtain a key and certificate, for example from Let's Encrypt (yes, you'll need a domain name to do that). Unfortunately, the instructions for obtaining a valid certificate are simpler to follow if you have control of your web server (like when you run your own Nginx), but once you have it, it's simple enough to set it up either on the ingress or in Phoenix.

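Here is what the "terminate SSL in Phoenix" option from the reply above looks like in practice, together with the "only Cloudflare may connect to the origin" check mentioned in the two replies about Cloudflare. This is an added example, not code from the original thread or from Phoenix itself. The OTP app name (`my_app`), the endpoint module (`MyAppWeb.Endpoint`), the environment variable names and the file paths are assumptions; the key and certificate are expected to be mounted into the pod (for example from a Kubernetes TLS Secret), and the client CA bundle is the one Cloudflare publishes for authenticated origin pulls.

```elixir
# config/releases.exs (runtime config, evaluated when the OTP release boots)
import Config

# ASSUMPTION: the server key/cert are mounted into the pod at these paths
# (e.g. from a Kubernetes TLS Secret); override with env vars if needed.
certfile = System.get_env("TLS_CERTFILE") || "/etc/tls/tls.crt"
keyfile = System.get_env("TLS_KEYFILE") || "/etc/tls/tls.key"

# Optional: Cloudflare "authenticated origin pulls" is plain mutual TLS.
# Cloudflare presents a client certificate signed by its origin-pull CA.
# With verify_peer + fail_if_no_peer_cert, anyone who bypasses Cloudflare
# and hits the origin directly is rejected during the TLS handshake.
# ASSUMPTION: ORIGIN_PULL_CA points at the CA bundle downloaded from
# Cloudflare's documentation; leave it unset to disable the check.
client_ca = System.get_env("ORIGIN_PULL_CA")

mtls_opts =
  if client_ca do
    [verify: :verify_peer, cacertfile: client_ca, fail_if_no_peer_cert: true]
  else
    []
  end

config :my_app, MyAppWeb.Endpoint,
  # Tell Phoenix the public URL is HTTPS so generated URLs and redirects use it.
  url: [
    scheme: "https",
    host: System.get_env("PHX_HOST") || "api.example.com",
    port: 443
  ],
  # Terminate TLS in Cowboy. :strong limits the listener to TLS 1.2+ and
  # forward-secret cipher suites (Plug.SSL's built-in profile).
  https:
    [
      port: String.to_integer(System.get_env("HTTPS_PORT") || "4001"),
      cipher_suite: :strong,
      certfile: certfile,
      keyfile: keyfile,
      transport_options: [socket_opts: [:inet6]]
    ] ++ mtls_opts,
  # No plaintext listener is configured, so force_ssl here only adds the
  # Strict-Transport-Security header; browsers will then refuse plain HTTP.
  force_ssl: [hsts: true],
  server: true
```

Two practical notes. The certificate's subject alternative name must match the hostname the frontend calls (`PHX_HOST` above); a certificate issued for a domain will not validate against the cluster's bare IP, which is why the replies say you need a domain before this works. If you instead terminate TLS at the ingress, drop the `https:` block, keep the plain `http:` listener, and set `force_ssl: [rewrite_on: [:x_forwarded_proto]]` so `Plug.SSL` trusts the `X-Forwarded-Proto` header, but only do that when the ingress is the sole path into the pod, since that header is trivially spoofable by a client that can reach the pod directly.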

Thanks for the replies, guys!

It was also my first post here, great vibes :slight_smile:


Not entirely related, but it is probably overkill to use Kubernetes if you are only using it to deploy this one Phoenix app. Unless it's a learning exercise, I would recommend reaching for Kubernetes only when needed.