Looking for a 12factor app reverse proxy

Ever since I started using docker for running web stuff, I’ve been looking for a HTTP reverse proxy for the routing part. There are a couple requirements I have:

  1. Dynamic configuration. Bringing up a new backend or service should auto-configure the router. Having to update config files or restart the router is not something you want to bother with.
  2. Support for SSL, in particular, multiple certificates, ideally SNI.
  3. Authentication features, to serve internal services.

I’ve been using hipache so far, but notably, hipache doesn’t support SNI. Other commonly suggested solutions include node-http-proxy, which is essentially a build-it-yourself kit, and the hipache version written in nginx Lua (with touted speed advantages, which is also just a proof of concept requiring you to build something yourself.

One might think that a proxy could be used that just proxies the encryption connection through, letting the backend deal with SSL (e.g. sniproxy). Apart from not supporting dynamic configuration either, there are downsides to this approach: You cannot add X-Forwarded-For headers, which is not optimal. Also, I’m not a fan of the approach: I’d much rather have the proxy hold the SSL configuration.

There is a hipache fork that uses etcd.

Authentication

A lot of internal services (say my qless web interface) do not support authentication – and neither should they. They still need to be protected though (One option is a VPN, of course).

Nobody seems to support authentication in combination with a dynamic data backend, though multiple people have written about the issue, like here (OAuth Apache module) or Nginx Lua OAuth.

In additional challenge is that for an internal service, you may not want to prefer to run it on a path, /qless, as opposed to a separate (sub)domain, so ideally that would be supported.

Resolution

I’m not sure yet. If I have to build something myself, Nginx with Lua might be worth the effort. You could build one in Python, for a change (the Gilliam project also has one). I always wanted to have a closer look at go, too. There are actually multiple reverse proxy projects in Go out there. drunken-hipster only support one SSL cert per IP. A shoutout to the folks building http-master – they support SNI, and are planning to add auth, so that is pretty close (not to mention other useful stuff like redirects).

etcedge will copy information from etcd into Redis to be consumed by hipache.

Finally, there is Flynn’s router, based on etcd, which should be promising because it should be designed to solve this exact problem.

HAProxy does seem popular, is integrated with Amazon OpsWorks, and allows enabling/disabling instances via a socket, but not, as far as I can tell, to add new ones. Maybe AWS is simply rewriting their HAProxy config file when instances change? HAP It has the benefit of supporting all kinds of advanced features (repeated routing to the same backend based on cookies)

Update: I am working on adding SSL routing to strowger.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s