konstantine
Is using a reverse proxy considered best practice for a Phoenix setup?
There are use cases where a reverse proxy may be a necessity. There are administrators that are may be used to having a reverse proxy in place. More generally, however, do you consider the use of a reverse proxy to be best practice for a Phoenix setup?
Cowboy is great, for instance, but support for newer protocols (HTTP2, TLS 1.3) tends to lag considerably behind the likes of Nginx or Caddy. On the other hand, having fewer moving parts (here a lone Cowboy) is usually preferable. Other than the obvious “it depends”, what do you think?
Most Liked
konstantine
Having now spent some time experimenting with Caddy 2, I wish to share my experience as to how it complements my Phoenix setup, by compiling a list of areas in which Caddy excels:
• adding support for the latest protocols, such as TLS 1.3 or HTTP/3 (experimental)
• serving a maintenance page when the Cowboy / Phoenix web server is down
• adding security and other headers to all requests, or to a broad range of requests
• adding an authentication token header, e.g. to protect a staging server
• redirecting automatically from the domain root to the www subdomain
• dealing with the issue of trailing slashes in URL paths
On the contrary, I found that for complex request-specific operations (such as the addition of Content Security Policy headers), Caddy is not the right tool. Phoenix mechanisms offer far more flexibility.
I hope that someone finds this information useful.
konstantine
Just to bring some closure to this thread:
I decided to go down the reverse proxy path and tried Caddy. I got TLS 1.3 working in no time and removed much more configuration than I added! My basic setup required a Caddyfile as simple as this:
{
http_port [port1]
https_port [port2]
}
cdn.[my.website] www.[my.website] {
reverse_proxy [ipv4]:[port3]
}
[my.website] {
header strict-transport-security "max-age=63072000; includesubdomains; preload"
redir https://www.[my.website]{uri}
}
derpycoder
I am using Caddy, not only in production, but also in local. As it allows me to forget random port number to access different sub programs running alongside the server.
Plus I get HTTP/3, HTTPS and ease of configuration.
(common) {
header /* {
-server
-X-Powered-By
-via
}
@static {
file
path *.ico *.css *.js *.gif *.webp *.avif *.jpg *.jpeg *.png *.svg *.woff *.woff2
}
header @static cache-control "max-age=0; must-revalidate; public;"
handle_errors {
@custom_err file /errors/{err.status_code}.html /errors/error.html
handle @custom_err {
rewrite * {file_match.relative}
file_server
}
respond "{err.status_code} {err.status_text}"
}
}
www.derpytools.site {
redir https://derpytools.site permanent
}
derpytools.site {
tls certs/caddy/cert.pem certs/caddy/key.pem
# tls /etc/caddy/certs/cert.pem /etc/caddy/certs/key.pem
encode zstd gzip
# Directly reverse proxy to Phoenix
reverse_proxy localhost:4000
# Proxy to Varnish Cache (Only use with production builds)
# reverse_proxy localhost:3080
import common
}
img.derpytools.site {
# Directly reverse proxy to imgproxy
reverse_proxy localhost:9080
# Reverse proxy to Varnish cache instead (Only use with production builds)
# reverse_proxy localhost:3080 {
# # header_down Cache-Control "max-age=0; must-revalidate; public;"
# # header_down Cache-Control "public; max-age=31536000; immutable;"
# }
import common
}
docs.derpytools.site {
encode zstd gzip
root * doc
file_server browse
}
netdata.derpytools.site {
encode zstd gzip
reverse_proxy localhost:19999
basicauth * {
DerpyCoder $2b$05$4N/0p0i/fsNkiYHhNs9yruEMPbiOsQqxEfMkmrkan9w5hKNxSFRdK
}
import common
}
canary.derpytools.site {
encode zstd gzip
reverse_proxy localhost:4001
basicauth * {
DerpyCoder $2b$05$4N/0p0i/fsNkiYHhNs9yruEMPbiOsQqxEfMkmrkan9w5hKNxSFRdK
}
import common
}
metrics.derpytools.site {
metrics
import common
}
livebook.derpytools.site {
encode zstd gzip
reverse_proxy localhost:49223
}
search.derpytools.site {
encode zstd gzip
reverse_proxy localhost:7700
}
grafana.derpytools.site {
encode zstd gzip
reverse_proxy localhost:3000
}
prometheus.derpytools.site {
encode zstd gzip
reverse_proxy localhost:9090
}
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance









