PonyExpress

Securely extend a Phoenix PubSub over SSL.

PonyExpress creates two-way authenticated SSL connections over the WAN which are intended to unidirectionally extend a PubSub over the internet.

The use case is when you have a trusted pair of nodes (for example a backend and a BFF) that could use live-updating pubsub propagation. These might be located in distinct layer-2 networks, for example, a BFF in the cloud which services an on-premises backend. Or you may be wanting security in-depth with end-to-end encryption in your layer-2 network to mitigate damage from a potential network intrusion event. In either case, if full erlang distribution is not right for you, this is a low-footprint way of propagating those Phoenix.PubSub messages (without writing a full Phoenix.Channel client).

SSL is required, except in :test. See below for how to set up a series of SSL certs in test, which can be adapted for deploying in :prod. However, You may want a more comprehensive CA provider solution, instead of manually configuring CA roots and certs.

On the server side:

iex> Phoenix.PubSub.PG2.start_link(:source, [])
iex> PonyExpress.Daemon.start_link(
       pubsub_server: :source,
       ssl_opts: [
         cacertfile: <ca_certfile>
         certfile: <certfile>
         keyfile: <keyfile>
       ])

On the client side:

iex> Phoenix.PubSub.PG2.start_link(:dest, [])
iex> PonyExpress.Client.start_link(
       server: <server IP>
       topic: "my_topic",
       pubsub_server: :dest,
       ssl_opts: [
         cacertfile: <ca_certfile>
         certfile: <certfile>
         keyfile: <keyfile>
       ])
iex> Phoenix.PubSub.subscribe(:dest, "my_topic")

Then you can send a message on the server side:

iex> Phoenix.PubSub.broadcast(:source, "my_topic", "my_message")

And it will appear on the client side:

iex> flush()
"my_message"
:ok

Consult the documentation for more comprehensive OTP-compliant strategies for using this library.

Installation

If available in Hex, the package can be installed by adding pony_express to your list of dependencies in mix.exs:

def deps do
  [
    {:pony_express, "~> 0.1.0"}
  ]
end

Documentation can be generated with ExDoc and published on HexDocs. Once published, the docs can be found at https://hexdocs.pm/pony_express.

Testing

To test PonyExpress, youll want to build a set of testing keys.

first, make the directory test_ssl_assets.

In this directory, perform the following steps:

Make your own CA

• generate 2048-bit rsa key for the root CA.

  openssl genrsa -des3 -out rootCA.key 2048
  

• self-sign the root certificate.

  openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
  

Authenticate your server with the CA

• generate cert rsa key (this shouldn't have a password)

  openssl genrsa -out server.key 2048
  

• create the cert signing request to be signed by your fictional CA:

  openssl req -new -key server.key -out server.csr
  

  note, that the certificate needs to have the correct common name for your host. For testing, 127.0.0.1 is probably a good choice.

• sign the certificate request, generating the cert:

  openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.cert -days 500 -sha256
  

Authenticate your client with the CA

• the process is repeated basically verbatim.

  openssl genrsa -out client.key 2048
  openssl req -new -key client.key -out client.csr
  openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.cert -days 500 -sha256