High-Throughput, Low-Latency Authorization Handling

Hi all! Simple question, really just want to get a feel for what everyone else is doing here.

When it comes to, well, exactly what the title says, are most of you guys just isolating your distributed nodes within a VPC and then having an application load balancer/network load balancer sit on top to validate authentication? I don’t imagine anyone is running HTTP requests WITH bearer auth directly to a cowboy server at like 10-20k sustained requests/second, but I could be wrong?

Again, just curious and hoping to potentially spark some constructive conversation here. Thank you!

We have been using termit for bearer tokens in Zotonic for a long time. Zotonic runs on cowboy + cowmachine, which is a webmachine-like implementation for cowboy. Zotonic ran on mochiweb + a highly optimized webmachine version.

Some people run Zotonic behind a proxy, which terminates the TLS streams; the tokens are still decoded in Erlang though. Other people want to keep things simple and directly expose Erlang to the internet.

Personally I have done some measurements on using a proxy vs not using one. Using a proxy usually doubles your response times.

Personally I have run Zotonic servers which easily handled 200k concurrent open TCP connections. That was with mochiweb. Before you hit that, you have probably run into some host OS configuration issues. The bearer token validation itself is not a real performance concern. I guess there just is an enormous gap in time needed to do crypto versus doing IO.

The termit module itself is up for some modernization though. It uses MD5 for key derivation. It doesn’t have MAC and encryption key separation, uses HMAC-SHA1 for signing and AES-CFB. The algorithms are not broken, but all a bit dated.

2 Likes
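The three modernization points in the post above (key derivation, MAC/encryption key separation, and the signing and cipher choice) can be shown together in one small token module. The code below is an added example, not termit's or Zotonic's code: it derives two independent keys from one master secret with HKDF (RFC 5869, HMAC-SHA256), encrypts the payload with AES-256-CTR under the encryption key, and authenticates the whole token with HMAC-SHA256 under the separate MAC key (encrypt-then-MAC), verifying the tag in constant time before touching the ciphertext. The module name, the token layout, the salt and the `info` labels are assumptions; `crypto:hash_equals/2` needs OTP 25 or later.

```erlang
%% termit_demo.erl -- added example, not the termit module's code.
-module(termit_demo).
-export([derive_keys/1, encode/3, decode/2]).

-define(TAG_SIZE, 32).  % HMAC-SHA256 output
-define(IV_SIZE, 16).   % AES block size, CTR nonce

%% Derive two independent keys from one master secret.
%% Assumption: MasterSecret is a random binary of at least 32 bytes
%% held by the application. HKDF-Extract is HMAC(salt, secret); each
%% key is the first block of HKDF-Expand with its own info label, so a
%% compromise of one key tells an attacker nothing about the other.
derive_keys(MasterSecret) when byte_size(MasterSecret) >= 32 ->
    Prk = crypto:mac(hmac, sha256, <<"termit_demo_salt">>, MasterSecret),
    EncKey = crypto:mac(hmac, sha256, Prk, <<"enc", 1>>),
    MacKey = crypto:mac(hmac, sha256, Prk, <<"mac", 1>>),
    {EncKey, MacKey}.

%% Token layout (assumed): Version:8, Expires:64, IV:16 bytes,
%% Ciphertext, then a 32-byte HMAC over everything before it.
encode(Term, TtlSeconds, MasterSecret) ->
    {EncKey, MacKey} = derive_keys(MasterSecret),
    Expires = erlang:system_time(second) + TtlSeconds,
    IV = crypto:strong_rand_bytes(?IV_SIZE),          % fresh nonce per token
    Plain = term_to_binary(Term),
    Cipher = crypto:crypto_one_time(aes_256_ctr, EncKey, IV, Plain, true),
    Body = <<1:8, Expires:64, IV/binary, Cipher/binary>>,
    Tag = crypto:mac(hmac, sha256, MacKey, Body),     % MAC covers version, expiry, IV, ciphertext
    base64:encode(<<Body/binary, Tag/binary>>).

%% Verify the MAC first, then the expiry, and only then decrypt.
%% Any malformed input (bad base64, short token, unknown version)
%% ends in {error, malformed} via the catch clause.
decode(Token, MasterSecret) ->
    {EncKey, MacKey} = derive_keys(MasterSecret),
    try
        Bin = base64:decode(Token),
        BodySize = byte_size(Bin) - ?TAG_SIZE,
        <<Body:BodySize/binary, Tag:?TAG_SIZE/binary>> = Bin,
        Expected = crypto:mac(hmac, sha256, MacKey, Body),
        case crypto:hash_equals(Expected, Tag) of     % constant-time compare
            false ->
                {error, bad_signature};
            true ->
                <<1:8, Expires:64, IV:?IV_SIZE/binary, Cipher/binary>> = Body,
                case Expires > erlang:system_time(second) of
                    false ->
                        {error, expired};
                    true ->
                        Plain = crypto:crypto_one_time(aes_256_ctr, EncKey, IV, Cipher, false),
                        %% [safe] refuses to create new atoms from untrusted input
                        {ok, binary_to_term(Plain, [safe])}
                end
        end
    catch
        _:_ -> {error, malformed}
    end.
```

With `Secret = crypto:strong_rand_bytes(32)`, `termit_demo:decode(termit_demo:encode(#{user_id => 42}, 3600, Secret), Secret)` returns `{ok, #{user_id => 42}}`; flipping any byte of the token gives `{error, bad_signature}` before any decryption or deserialization happens. The important structural point is the order in `decode/2`: the MAC check runs over the raw bytes first, so an unauthenticated ciphertext or a tampered expiry never reaches the cipher or `binary_to_term/2`.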

You can, of course, also speed up things by caching the token verification result and invalidate it when it expires.

1 Like
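One way to cache the verification result as suggested above, as an added example that is not Zotonic's implementation: an ETS table keyed by a SHA-256 hash of the bearer token (so the raw token is never kept in memory) that stores the decoded claims together with the token's own expiry, and only returns a hit while that expiry is in the future. Negative results are deliberately not cached, so a flood of garbage tokens cannot fill the table. The `Verify` fun and its `{ok, Claims, ExpiresAt}` return shape are assumptions.

```erlang
%% token_cache.erl -- added example, not Zotonic's code.
-module(token_cache).
-export([new/0, lookup/3, invalidate/2, purge/1]).

%% Assumption: Verify is a fun(Token) -> {ok, Claims, ExpiresAt} | {error, Reason},
%% where ExpiresAt is a Unix timestamp in seconds taken from the token itself,
%% so a cache entry can never outlive the token it was derived from.

new() ->
    ets:new(token_cache, [set, public, {read_concurrency, true}]).

lookup(Table, Token, Verify) ->
    Key = crypto:hash(sha256, Token),   % never store the raw bearer token
    Now = erlang:system_time(second),
    case ets:lookup(Table, Key) of
        [{Key, Claims, ExpiresAt}] when ExpiresAt > Now ->
            {ok, Claims};                % hit: skip the MAC/decrypt work
        _ ->
            case Verify(Token) of
                {ok, Claims, ExpiresAt} when ExpiresAt > Now ->
                    ets:insert(Table, {Key, Claims, ExpiresAt}),
                    {ok, Claims};
                {ok, _Claims, _ExpiresAt} ->
                    {error, expired};    % valid signature but already expired
                {error, _} = Err ->
                    Err                  % failures are not cached
            end
    end.

%% Drop one token early, e.g. on logout or revocation; caching means
%% expiry alone no longer ends a session, so this hook is needed.
invalidate(Table, Token) ->
    ets:delete(Table, crypto:hash(sha256, Token)).

%% Remove every entry whose expiry has passed; run from a periodic timer.
purge(Table) ->
    Now = erlang:system_time(second),
    ets:select_delete(Table, [{{'_', '_', '$1'}, [{'=<', '$1', Now}], [true]}]).
```

Two operational caveats follow from this design: the table is per node, so in a cluster each node verifies a given token once and revocation must reach every node; and because a cached entry is trusted until the token's expiry, any revocation path has to call `invalidate/2` explicitly rather than rely on the signature check that the cache now skips.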

Interesting! Checking both of those things out, and surprised this thread didn’t get more attention; it seemed pretty relevant for everyday jobs, at least to me.

FYI @mworrell added token validation caching to Zotonic today. We are looking into future-proofing the termit module. Some things need to change there. Everything is safe, but some things will be flagged when the code is reviewed.

Your post triggered us to review our current situation. :grinning_face:

1 Like

More than the request number, it’s more about how many unique clients connect concurrently. Are you talking about 10/20K clients?

1 Like