Thanks for the detailed explanation Marc, very helpful as usual...

Understand regarding Maas-Maarten, FreeBSD has a similar situation where 
using a Jail with NAT and the PF firewall has a limit of ~65k connections, 
but assigning a public IP to a Jail and skipping NAT removes that limit.

I am more of a sysop than a developer, but to get this project started I am 
wearing all hats. Assuming things go as expected, I will definitely be in 
touch regarding additional functionality needed for Phase 2, as anything 
beyond adding custom content blocks might be challenging...

Thanks again, very much appreciate your work.

Seann

On Tuesday, March 26, 2024 at 3:20:58 AM UTC-6 Marc Worrell wrote:

> Hi Seann,
>
> We are generally running Zotonic directly on port 80/443 or just with 
> firewall redirect rules.
> In our cloud-init file we are now using the direct approach, as 
> Maas-Maarten found that there is a problem with the firewall-redirecting 
> taking up too many resources and not being able to handle the amount of 
> connections they need.
>
> Having a proxy indeed kind of doubles the request overhead.
> We confirmed that in tests for ping-like requests and files.
>
> There are a couple of reasons people do use a proxy:
>
> - Being able to (with standard tools) block requesting IPs
> - Manage certificates in a central way (if you have a sysop person)
> - Separate responsibilities between sysop and devop.
> - Extra logging via the proxy
>
> There are a couple of reasons people do NOT use a proxy:
>
> - Simple setup - less moving parts
> - Let Zotonic handle all certificates
> - Performance (useful for smaller servers)
>
> Zotonic can log as well, we just don’t do it per default as the millions 
> of log lines do not help.
>
> We have been thinking about a simple access-log-counting thing.
> Just didn’t have a customer yet that wanted it, and wanted to pay for it 
> :-)
>
> The email is almost always sent by Zotonic directly.
>
> Unless there is a sysop responsible for all email, then sometimes the 
> email is sent via a relay.
> We also send email via (for example) mailgun, which gives us better 
> control of inbox placement with especially hotmail/outlook and still good 
> email-address status via mod_mailgun.
>
> We also receive email, sometimes via a relay on a central server (that 
> also manages the corporate email addresses).
> Most often just by directly listening on port 25.
>
> Cheers,
>
> Marc
>
>
>
> On 25 Mar 2024, at 21:30, 'Seann Aswell' via Zotonic developers <
> zotonic-d...@googlegroups.com> wrote:
>
> Question regarding the typical way Zotonic is deployed on (potentially) 
> high-traffic production sites.
>
> How many people use Zotonic/Cowboy without a proxy in front? I read that 
> the creator of Cowboy recommends using a proxy, and many Elixir/Phoenix 
> developers appear to use a proxy also, partially for the security that 
> having a well-tested front end filtering bad requests can provide...along 
> with nice traffic stats.
>
> I ask this question because I am setting up a new server now, and there 
> are two issues that have come up using HAProxy in front of Zotonic so far.
>
> 1) There are some issues with Stripe/mod_payment(_stripe) that may be 
> related to Stripe headers being modified (need further testing).
> 2) It would be nice for Zotonic to send emails directly, rather than using 
> an external SMTP server. However, that requires Erlang-compatible 
> certificates, which means overhauling the current certificate 
> acquisition/distribution flow and/or managing different certificate types 
> for the Proxy and Zotonic.
>
> In both cases it seems simpler to simply remove the proxy and let 
> Zotonic/Cowboy handle traffic directly. I read somewhere that MZeeman found 
> Zotonic was much faster without a proxy, but in his situation most users 
> are paying customers, not random internet users.
>
> Any feedback is welcome...
>
>
> -- 
>
> --- 
> You received this message because you are subscribed to the Google Groups 
> "Zotonic developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to zotonic-develop...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/zotonic-developers/39652344-de30-43dd-bd54-b2c23c89b5adn%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/zotonic-developers/39652344-de30-43dd-bd54-b2c23c89b5adn%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
>
>
