Is using a reverse proxy considered best practice for a Phoenix setup?

There are use cases where a reverse proxy may be a necessity. There are administrators that are may be used to having a reverse proxy in place. More generally, however, do you consider the use of a reverse proxy to be best practice for a Phoenix setup?

Cowboy is great, for instance, but support for newer protocols (HTTP2, TLS 1.3) tends to lag considerably behind the likes of Nginx or Caddy. On the other hand, having fewer moving parts (here a lone Cowboy) is usually preferable. Other than the obvious “it depends”, what do you think?

1 Like

Caddy 2 supports http2 (but afaik you need tls setup for the upstream server):

Edit: Seems this has also been the case for caddy v1

I use nginx as reverse proxy now almost entirely because I found it much easier to use certbot/let’s encrypt with it. I also just know how to config nginx better than cowboy and it comes out of the box with most servers I’d be using, so it’s familiarity and convenience. Though yeah, I probably should consider trying a flow that uses just cowboy again some time.

Just to bring some closure to this thread:

I decided to go down the reverse proxy path and tried Caddy. I got TLS 1.3 working in no time and removed much more configuration than I added! My basic setup required a Caddyfile as simple as this:

  http_port   [port1]
  https_port  [port2]

cdn.[] www.[] {
  reverse_proxy [ipv4]:[port3]

[] {
  header strict-transport-security "max-age=63072000; includesubdomains; preload"
  redir https://www.[]{uri}


Having now spent some time experimenting with Caddy 2, I wish to share my experience as to how it complements my Phoenix setup, by compiling a list of areas in which Caddy excels:

• adding support for the latest protocols, such as TLS 1.3 or HTTP/3 (experimental)
• serving a maintenance page when the Cowboy / Phoenix web server is down
• adding security and other headers to all requests, or to a broad range of requests
• adding an authentication token header, e.g. to protect a staging server
• redirecting automatically from the domain root to the www subdomain
• dealing with the issue of trailing slashes in URL paths

On the contrary, I found that for complex request-specific operations (such as the addition of Content Security Policy headers), Caddy is not the right tool. Phoenix mechanisms offer far more flexibility.

I hope that someone finds this information useful.