konstantine

konstantine

Is using a reverse proxy considered best practice for a Phoenix setup?

There are use cases where a reverse proxy may be a necessity. There are administrators that are may be used to having a reverse proxy in place. More generally, however, do you consider the use of a reverse proxy to be best practice for a Phoenix setup?

Cowboy is great, for instance, but support for newer protocols (HTTP2, TLS 1.3) tends to lag considerably behind the likes of Nginx or Caddy. On the other hand, having fewer moving parts (here a lone Cowboy) is usually preferable. Other than the obvious “it depends”, what do you think?

Most Liked

konstantine

konstantine

Having now spent some time experimenting with Caddy 2, I wish to share my experience as to how it complements my Phoenix setup, by compiling a list of areas in which Caddy excels:

• adding support for the latest protocols, such as TLS 1.3 or HTTP/3 (experimental)
• serving a maintenance page when the Cowboy / Phoenix web server is down
• adding security and other headers to all requests, or to a broad range of requests
• adding an authentication token header, e.g. to protect a staging server
• redirecting automatically from the domain root to the www subdomain
• dealing with the issue of trailing slashes in URL paths

On the contrary, I found that for complex request-specific operations (such as the addition of Content Security Policy headers), Caddy is not the right tool. Phoenix mechanisms offer far more flexibility.

I hope that someone finds this information useful.

konstantine

konstantine

Just to bring some closure to this thread:

I decided to go down the reverse proxy path and tried Caddy. I got TLS 1.3 working in no time and removed much more configuration than I added! My basic setup required a Caddyfile as simple as this:

{
  http_port   [port1]
  https_port  [port2]
}

cdn.[my.website] www.[my.website] {
  reverse_proxy [ipv4]:[port3]
}

[my.website] {
  header strict-transport-security "max-age=63072000; includesubdomains; preload"
  redir https://www.[my.website]{uri}
}

derpycoder

derpycoder

I am using Caddy, not only in production, but also in local. As it allows me to forget random port number to access different sub programs running alongside the server.

Plus I get HTTP/3, HTTPS and ease of configuration.

(common) {
	header /* {
		-server
		-X-Powered-By
		-via
	}
	@static {
		file
		path *.ico *.css *.js *.gif *.webp *.avif *.jpg *.jpeg *.png *.svg *.woff *.woff2
	}
	header @static cache-control "max-age=0; must-revalidate; public;"

	handle_errors {
		@custom_err file /errors/{err.status_code}.html /errors/error.html
		handle @custom_err {
			rewrite * {file_match.relative}
			file_server
		}
		respond "{err.status_code} {err.status_text}"
	}
}

www.derpytools.site {
	redir https://derpytools.site permanent
}

derpytools.site {
	tls certs/caddy/cert.pem certs/caddy/key.pem
	# tls /etc/caddy/certs/cert.pem /etc/caddy/certs/key.pem
	encode zstd gzip

	# Directly reverse proxy to Phoenix
	reverse_proxy localhost:4000

	# Proxy to Varnish Cache (Only use with production builds)
	# reverse_proxy localhost:3080

	import common
}

img.derpytools.site {
	# Directly reverse proxy to imgproxy
	reverse_proxy localhost:9080

	# Reverse proxy to Varnish cache instead (Only use with production builds)
	# reverse_proxy localhost:3080 {
	# 	# header_down Cache-Control "max-age=0; must-revalidate; public;"
	# 	# header_down Cache-Control "public; max-age=31536000; immutable;"
	# }

	import common
}

docs.derpytools.site {
	encode zstd gzip

	root * doc
	file_server browse
}

netdata.derpytools.site {
	encode zstd gzip

	reverse_proxy localhost:19999

	basicauth * {
		DerpyCoder $2b$05$4N/0p0i/fsNkiYHhNs9yruEMPbiOsQqxEfMkmrkan9w5hKNxSFRdK
	}

	import common
}

canary.derpytools.site {
	encode zstd gzip

	reverse_proxy localhost:4001

	basicauth * {
		DerpyCoder $2b$05$4N/0p0i/fsNkiYHhNs9yruEMPbiOsQqxEfMkmrkan9w5hKNxSFRdK
	}

	import common
}

metrics.derpytools.site {
	metrics

	import common
}

livebook.derpytools.site {
	encode zstd gzip

	reverse_proxy localhost:49223
}

search.derpytools.site {
	encode zstd gzip

	reverse_proxy localhost:7700
}

grafana.derpytools.site {
	encode zstd gzip

	reverse_proxy localhost:3000
}

prometheus.derpytools.site {
	encode zstd gzip

	reverse_proxy localhost:9090
}

Where Next?

Popular in Questions Top

9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New
chrisalley
ExUnit now has describe blocks which is a welcome addition coming from RSpec. In the docs, it states that nested hierarchies of describe ...
New
lessless
I believe there are people here who are dealing with CSV files import on the daily basis, and since Excel is a really popular tool there ...
New
fireproofsocks
I’m working on defining a simple Ecto schema for a table (in PostGres), but I don’t see where I can define a column as NOT NULL. Conside...
New
JulienCorb
I am trying to implement my new.html.eex file to create new posts on my website. new.html.eex: <h1>Create Post</h1> <%= ...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
JDanielMartinez
Hi! May someone helps me, please! I have two apps into an umbrella project: the first one is Database, which manages queries, and the se...
New
ashish173
I am using Ecto timestamps with postgres, I can see the timestamps() use the :naive_dateime but for my use case I wanted to store the ti...
New
chensan
I have a User schema with a :from_id field set to type :string: defmodule TweetBot.Repo.Migrations.CreateUsers do use Ecto.Migration ...
New

Other popular topics Top

New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
chrismccord
As promised, the first release candidate of Phoenix 1.3.0 is out! This release focuses on code generators with improved project structure...
New
Patoshizzle
After calling mix ecto.create I get this error: 17:00:32.162 [error] GenServer #PID<0.412.0> terminating ** (Postgrex.Error) FATAL...
New
johnnyicon
Hi all, I’ve just started learning Elixir and Phoenix Framework, so please pardon my n00bness at this stage. I’m trying to use Postgres...
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New
grych
Hi folks, Few months ago I have announced the proof-of-concept of the library to manipulate the browsers DOM objects directly from Elixi...
639 52341 488
New
RisingFromAshes
I’ve read in another post that it may be possible with a router helper - but I couldn’t find an appropriate one, and tbh, I’m still just ...
New

We're in Beta

About us Mission Statement