Is Cowboy a production ready server?

Hi guys,
I’ve heard something about cowboy slow request attacks…
And a general question came to my mind, is cowboy as a single server a production ready solution? Should i set up a nginx reverse proxy in front of it?

Can someone help me with that?

Alexander Salnikov

6 Likes

Cowboy is fast and production-ready unlike development servers such as php -S. Still, I would put Nginx in-front as a matter of convenience for SSL config and so on.

7 Likes

IIRC phoenix uses cowboy, which it wouldn’t do if it wasn’t production ready.

Robert

6 Likes

You can get Cowboy support if you need it.

http://ninenines.eu/services/

And if you’re using phoenix in production, you should really be supporting Cowboy at some level.

6 Likes

http://www.phoenixframework.org/docs/advanced-deployment covers a basic NGINX configuration for using it as a reverse proxy.

9 Likes

Heroku’s router is based on cowboy if that’s any indication of its production readiness

24 Likes

Thanks, to all of you. So the opinions have split, and since we do not know if heroku use a ngingx in front of cowboy and even phoenix tutorial have nginx part i would probably set up a reverse proxy…

but it would be great to know why am i doing it and not just in case.

1 Like

@chrismccord to be 100% fair, Heroku forked and improved early version of Cowboy. They are not aligned with upstream at all, and they develop cowboy’s fork on their own. So it’s not the same Cowboy Phoenix uses at all, and this argument probably should not be used ;). The differences in code base are massive, I checked that a while ago (heroku’s for is on github).

8 Likes

You know some of the answer to your question depends on how you define “Production Ready” If you’re expecting 10 requests/second, then yes Phoenix is more than production ready. If you’re expecting 10_000 requests/second, yes Phoenix is production ready but other web servers might not qualify under that criteria.

I’d say you’re expecting a specific answer to a pretty generic question and it’d be helpful if you added some of the problem parameters you’re considering.

3 Likes

That’s absolutely fair. As far as i remember performance is not an issue for cowboy (mb except for static assets). So i define production readiness only in case of security (DoS absence and so on).

2 Likes

Shouldn’t that be handled by the security on the server? Rather than the application server @insider?

Personally I would consider an app server production ready if it is working fine in production for 90 to 95% of use-cases without any known problematic issues.

3 Likes

This paragraph in the linked Phoenix guide explains one reason you might want to set up a proxy:

In a lot of cases, we’re going to have more than one application running in our hosting environment, all of which might need to be accessible on port 80. Since only one application can listen on a single port at a time, we need to use something to proxy our application. Typically, Apache (with mod_proxy enabled) or nginx is used for this, and we’ll be setting up nginx in this case.

5 Likes

Also while talking about proxying, look at HAProxy as well (it’s what we use on this server):

http://blog.metrink.com/blog/2014/08/12/httpd-vs-nginx-vs-haproxy

2 Likes

Yes, this is especially useful with Cowboy, since it does not have the concept of virtual hosts at all. You can spawn multiple cowboy instances on the same machine, moreover, you can start multiple Cowboy instances in the same Elixir application cluster, but they need to listen on separate ports.

I have hacked something around that allowed you to use the same Cowboy instance to “proxy” to different Phoenix applications, but it was far from perfect and in the end I abandoned the effort altogether.

This is the case when you want to have separate admin app, reporting app, web interfacr/api and maybe legacy app all running on the same cluster. In such cases you may spawn X Cowboys, but you’ll need something like Nginx to make it all presented to the user as you want.

One more thing worth mentioning about Cowboy: it is very much reversed concept of web server to what you would expect from say Apache or Nginx. Cowboy does not start your application/scripts/web pages, it’s the other way around: your app starts Cowboy. it’s a HTTP server embedded into your app.

6 Likes

FWIW Cowboy has code to protect against slow requests: http://blog.differentpla.net/blog/2013/11/03/cowboy-request-timeouts … though I have not tested if that is sufficient in practice.

That said, cowboy is used a lot in production environments, and while no software can be considered 100% secure, it seems to be quite solid in practice.

On the topic of porxying, I would definitely recommend haproxy over apache, and even nginx. Apache is far more than one needs for a simple proxy (overhead, config management, …) and while nginx makes for a fine proxy (and not just for http), haproxy is a magical combination of small, fast and extremely featureful. It does all the SSL/TLS offloading along with a variety of load-balancing and port-forwarding goodies (and a reasonable integrated web app for monitoring) while consuming minimal resources … unless you are actually needing a web server (in which case nginx can make sense; forward some requests, serve up static content for others), just use haproxy.

5 Likes

I’m a newcomer from the Ruby world where there are many choices of Rack servers such as Unicorn and Puma and Thin. Are there any application servers besides Cowboy in the Elixir world?

1 Like

Here are some:

3 Likes

Thanks a lot @mpugach. I will definitely check those servers.

1 Like

There are some other web servers, but if you want to use Phoenix, I think you will end up going with Cowboy. There are plug bindings to elli, but I do not think it’s general purpose web server - it targets APIs.

I think if you want to use Plug/Phoenix, at this moment in time Cowboy is the only option that will work for most use cases.

2 Likes

As far as I know, the situation described above happened a long time ago, before Cowboy reached 1.0. If this is the repository you were referring to, you can verify there are no commits after the middle of 2015. From my understanding they are using Cowboy 1.0 with custom transports (to support things such as HTTP 2.0 for example).

5 Likes