Recommendations

This document contains a set of recommendations when using Fastify.

Use A Reverse Proxy

Node.js is an early adopter of frameworks shipping with an easy-to-use web server within the standard library. Previously, with languages like PHP or Python, one would need either a web server with specific support for the language or the ability to set up some sort of CGI gateway that works with the language. With Node.js, one can write an application that directly handles HTTP requests. As a result, the temptation is to write applications that handle requests for multiple domains, listen on multiple ports (i.e. HTTP and HTTPS), and then expose these applications directly to the Internet to handle requests.

The Fastify team strongly considers this to be an anti-pattern and extremely bad practice:

  1. It adds unnecessary complexity to the application by diluting its focus.
  2. It prevents horizontal scalability.

See Why should I use a Reverse Proxy if Node.js is Production Ready? for a more thorough discussion of why one should opt to use a reverse proxy.

For a concrete example, consider the situation where:

  1. The app needs multiple instances to handle load.
  2. The app needs TLS termination.
  3. The app needs to redirect HTTP requests to HTTPS.
  4. The app needs to serve multiple domains.
  5. The app needs to serve static resources, e.g. jpeg files.

There are many reverse proxy solutions available, and your environment may dictate the solution to use, e.g. AWS or GCP. Given the above, we could use HAProxy or Nginx to solve these requirements:

HAProxy

  1. # The global section defines base HAProxy (engine) instance configuration.
  2. global
  3.   log /dev/log syslog
  4.   maxconn 4096
  5.   chroot /var/lib/haproxy
  6.   user haproxy
  7.   group haproxy
  9.   # Set some baseline TLS options.
  10.   tune.ssl.default-dh-param 2048
  11.   ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
  12.   ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  13.   ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11
  14.   ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
  16. # Each defaults section defines options that will apply to each subsequent
  17. # subsection until another defaults section is encountered.
  18. defaults
  19.   log   global
  20.   mode  http
  21.   option        httplog
  22.   option        dontlognull
  23.   retries       3
  24.   option redispatch
  25.   # The following option make haproxy close connections to backend servers
  26.   # instead of keeping them open. This can alleviate unexpected connection
  27.   # reset errors in the Node process.
  28.   option http-server-close
  29.   maxconn       2000
  30.   timeout connect 5000
  31.   timeout client 50000
  32.   timeout server 50000
  34.   # Enable content compression for specific content types.
  35.   compression algo gzip
  36.   compression type text/html text/plain text/css application/javascript
  38. # A "frontend" section defines a public listener, i.e. an "http server"
  39. # as far as clients are concerned.
  40. frontend proxy
  41.   # The IP address here would be the _public_ IP address of the server.
  42.   # Here, we use a private address as an example.
  43.   bind 10.0.0.10:80
  44.   # This redirect rule will redirect all traffic that is not TLS traffic
  45.   # to the same incoming request URL on the HTTPS port.
  46.   redirect scheme https code 308 if !{ ssl_fc }
  47.   # Technically this use_backend directive is useless since we are simply
  48.   # redirecting all traffic to this frontend to the HTTPS frontend. It is
  49.   # merely included here for completeness sake.
  50.   use_backend default-server
  52. # This frontend defines our primary, TLS only, listener. It is here where
  53. # we will define the TLS certificates to expose and how to direct incoming
  54. # requests.
  55. frontend proxy-ssl
  56.   # The `/etc/haproxy/certs` directory in this example contains a set of
  57.   # certificate PEM files that are named for the domains the certificates are
  58.   # issued for. When HAProxy starts, it will read this directory, load all of
  59.   # the certificates it finds here, and use SNI matching to apply the correct
  60.   # certificate to the connection.
  61.   bind 10.0.0.10:443 ssl crt /etc/haproxy/certs
  63.   # Here we define rule pairs to handle static resources. Any incoming request
  64.   # that has a path starting with `/static`, e.g.
  65.   # `https://one.example.com/static/foo.jpeg`, will be redirected to the
  66.   # static resources server.
  67.   acl is_static path -i -m beg /static
  68.   use_backend static-backend if is_static
  70.   # Here we define rule pairs to direct requests to appropriate Node.js
  71.   # servers based on the requested domain. The `acl` line is used to match
  72.   # the incoming hostname and define a boolean indicating if it is a match.
  73.   # The `use_backend` line is used to direct the traffic if the boolean is
  74.   # true.
  75.   acl example1 hdr_sub(Host) one.example.com
  76.   use_backend example1-backend if example1
  78.   acl example2 hdr_sub(Host) two.example.com
  79.   use_backend example2-backend if example2
  81.   # Finally, we have a fallback redirect if none of the requested hosts
  82.   # match the above rules.
  83.   default_backend default-server
  85. # A "backend" is used to tell HAProxy where to request information for the
  86. # proxied request. These sections are where we will define where our Node.js
  87. # apps live and any other servers for things like static assets.
  88. backend default-server
  89.   # In this example we are defaulting unmatched domain requests to a single
  90.   # backend server for all requests. Notice that the backend server does not
  91.   # have to be serving TLS requests. This is called "TLS termination": the TLS
  92.   # connection is "terminated" at the reverse proxy.
  93.   # It is possible to also proxy to backend servers that are themselves serving
  94.   # requests over TLS, but that is outside the scope of this example.
  95.   server server1 10.10.10.2:80
  97. # This backend configuration will serve requests for `https://one.example.com`
  98. # by proxying requests to three backend servers in a round-robin manner.
  99. backend example1-backend
  100.   server example1-1 10.10.11.2:80
  101.   server example1-2 10.10.11.2:80
  102.   server example2-2 10.10.11.3:80
  104. # This one serves requests for `https://two.example.com`
  105. backend example2-backend
  106.   server example2-1 10.10.12.2:80
  107.   server example2-2 10.10.12.2:80
  108.   server example2-3 10.10.12.3:80
  110. # This backend handles the static resources requests.
  111. backend static-backend
  112.   server static-server1 10.10.9.2:80

Nginx

  1. # This upstream block groups 3 servers into one named backend fastify_app
  2. # with 2 primary servers distributed via round-robin
  3. # and one backup which is used when the first 2 are not reachable
  4. # This also assumes your fastify servers are listening on port 80.
  5. # more info: http://nginx.org/en/docs/http/ngx_http_upstream_module.html
  6. upstream fastify_app {
  7.   server 10.10.11.1:80;
  8.   server 10.10.11.2:80;
  9.   server 10.10.11.3:80 backup;
  10. }
  12. # This server block asks NGINX to respond with a redirect when
  13. # an incoming request from port 80 (typically plain HTTP), to
  14. # the same request URL but with HTTPS as protocol.
  15. # This block is optional, and usually used if you are handling
  16. # SSL termination in NGINX, like in the example here.
  17. server {
  18.   # default server is a special parameter to ask NGINX
  19.   # to set this server block to the default for this address/port
  20.   # which in this case is any address and port 80
  21.   listen 80 default_server;
  22.   listen [::]:80 default_server;
  24.   # With a server_name directive you can also ask NGINX to
  25.   # use this server block only with matching server name(s)
  26.   # listen 80;
  27.   # listen [::]:80;
  28.   # server_name example.tld;
  30.   # This matches all paths from the request and responds with
  31.   # the redirect mentioned above.
  32.   location / {
  33.     return 301 https://$host$request_uri;
  34.   }
  35. }
  37. # This server block asks NGINX to respond to requests from
  38. # port 443 with SSL enabled and accept HTTP/2 connections.
  39. # This is where the request is then proxied to the fastify_app
  40. # server group via port 3000.
  41. server {
  42.   # This listen directive asks NGINX to accept requests
  43.   # coming to any address, port 443, with SSL, and HTTP/2
  44.   # if possible.
  45.   listen 443 ssl http2 default_server;
  46.   listen [::]:443 ssl http2 default_server;
  48.   # With a server_name directive you can also ask NGINX to
  49.   # use this server block only with matching server name(s)
  50.   # listen 443 ssl http2;
  51.   # listen [::]:443 ssl http2;
  52.   # server_name example.tld;
  54.   # Your SSL/TLS certificate (chain) and secret key in the PEM format
  55.   ssl_certificate /path/to/fullchain.pem;
  56.   ssl_certificate_key /path/to/private.pem;
  58.   # A generic best practice baseline for based
  59.   # on https://ssl-config.mozilla.org/
  60.   ssl_session_timeout 1d;
  61.   ssl_session_cache shared:FastifyApp:10m;
  62.   ssl_session_tickets off;
  64.   # This tells NGINX to only accept TLS 1.3, which should be fine
  65.   # with most modern browsers including IE 11 with certain updates.
  66.   # If you want to support older browsers you might need to add
  67.   # additional fallback protocols.
  68.   ssl_protocols TLSv1.3;
  69.   ssl_prefer_server_ciphers off;
  71.   # This adds a header that tells browsers to only ever use HTTPS
  72.   # with this server.
  73.   add_header Strict-Transport-Security "max-age=63072000" always;
  75.   # The following directives are only necessary if you want to
  76.   # enable OCSP Stapling.
  77.   ssl_stapling on;
  78.   ssl_stapling_verify on;
  79.   ssl_trusted_certificate /path/to/chain.pem;
  81.   # Custom nameserver to resolve upstream server names
  82.   # resolver 127.0.0.1;
  84.   # This section matches all paths and proxies it to the backend server
  85.   # group specified above. Note the additional headers that forward
  86.   # information about the original request. You might want to set
  87.   # trustProxy to the address of your NGINX server so the X-Forwarded
  88.   * fields are used by fastify.
  89.   location / {
  90.     # more info: http://nginx.org/en/docs/http/ngx_http_proxy_module.html
  91.     proxy_http_version 1.1;
  92.     proxy_cache_bypass $http_upgrade;
  93.     proxy_set_header Upgrade $http_upgrade;
  94.     proxy_set_header Connection 'upgrade';
  95.     proxy_set_header Host $host;
  96.     proxy_set_header X-Real-IP $remote_addr;
  97.     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  98.     proxy_set_header X-Forwarded-Proto $scheme;
  100.     # This is the directive that proxies requests to the specified server.
  101.     # If you are using an upstream group, then you do not need to specify a port.
  102.     # If you are directly proxying to a server e.g.
  103.     # proxy_pass http://127.0.0.1:3000 then specify a port.
  104.     proxy_pass http://fastify_app;
  105.   }
  106. }

Kubernetes

The readinessProbe uses (by default) the pod IP as the hostname. Fastify listens on 127.0.0.1 by default. The probe will not be able to reach the application in this case. In order to make it work, the application must listen on 0.0.0.0 or specify a custom hostname in the readinessProbe.httpGet spec, as per the following example:

  1. readinessProbe:
  2.     httpGet:
  3.         path: /health
  4.         port: 4000
  5.     initialDelaySeconds: 30
  6.     periodSeconds: 30
  7.     timeoutSeconds: 3
  8.     successThreshold: 1
  9.     failureThreshold: 5