Hi, Evan Phoenix, Rubinius creator here. I just wanted to stop in and say thank you for this comment. It means a lot to me, even after all these years that Rubinius helped you out.
Hi Evan, I'm happy you found this comment heartwarming. Your work on Rubinius (and even more - Puma!) was really amazing, it had a big influence on my career
Templar does not do SSL termination because it does not terminate requests for your api. It's designed to mediate connections between you and any APIs that you use, protecting you against those APIs being unreliable.
Yup! That's on the todo list. Auto-caching, as I'm calling it, would figure out a how long to cache something for and then be able to later on use HEAD to check if the url in question has changed.
That cache time could be as long as 5 seconds, so that Templar is checking pretty often if the upstream has changed.
Templar is designed to be used within your own infrastructure on a trusted network, where you talk to it and it talks to the outside world.
An attacker would have to be already within your private network, and if they were, they could observe the traffic in plain text already.
I think the confusion is around where Templar sits in relation to your app making HTTP API calls and the services you want to talk to. I'm going to draw up a diagram to help explain this better.
A great question. Nginx is not typically configured as a normal proxy but it can certainly do it. A difference is that Templar gives you control of options applied to each request differently rather than the same the same to all.
From timeouts to caching, one Templar can be used for all different kinds of upstream APIs.
Well, if it's worth adding a whole new layer to my stack to deal with this kind of stuff, surely it's even more worth extending an existing layer to deal with it; as a corollary, if I know enough about the problems I'm having to know what I need Templar to do for me, then I know enough about them to know what I need nginx to do for me, too.
Again, though, maybe I'm just missing the point here. Perhaps it would help to know what use case prompted Templar's development.
In my opinion, the draw is the ability to use it when connecting to third party endpoints (so you can't control how they cache or how they respond) with third party libraries (which means you lack fine grained control over timeouts and caching on your end).
Personally, I'd rather gain the necessary control through the request mechanisms, but for a quick-and-dirty solution, this would probably work pretty well.
It's very true that things like timeouts are done better within the client library. But Templar can combine timeouts with caching, allowing an API to appear to still be active and returning something even when it's just very slow.
Because a cache is best when it's populated often, it make sense to put that into a service that many different processes on different machines can use.
Everything within templar can be done by adding capabilities to client libraries, no argument. But most client libraries don't provide these capabilities in one programming language, let alone many of them. By having the functional available as a service, Templar provides these capabilities fairly transparently (and even more transparently in the future when there is per/host and per/url configuration).
Fire-and-Forget is on the todo list. Since you're asking about it I'll bump it up. The later, Templar could have an option that tell it to only connect to public ips. Would that do it for ya?
Yes, that would be excellent - do you mean just public IP ranges?
One possible snag: I heard from a co-worker that if you are running on EC2 and you make an HTTP request to another site that coincidentally is also hosted on EC2 that traffic can sometimes be routed over a private IP range.
Looking at that CPAN module, it wouldn't be hard at all to add a blacklist to Templar via a config file that is checked. The EC2 => EC2 issue is probably the biggest stumbling block to getting what you want. I'll have to investigate that, it seems like that would only happen if internal to EC2 they do ICMP redirects...
It's more about hitting internal services, where there may not be adequate protections in place. There's some earlier discussion here: https://news.ycombinator.com/item?id=7139176
Ah! Ok, I got it. Feels like the right way to handle this is the allow a blacklist to be defined via config file, then applied as request, something like "X-Templar-Blacklist: internal". The list would be a set of ip ranges and thus you'd have to construct the list so that the EC2 => EC2 problem doesn't crop up, but it's doable!
Author here! That's certainly an interesting feature that could be added. I have on the future list to support sending responses back via AMQP. Your callback scheme isn't much different than that.
I agree, async responses are a great tool. It's a question of figuring out a good way of delivering them back to the client. Another option is a long poll endpoint within Templar that it can deliver a stream of responses on. AMQP is an easy option because it keeps Templar simple.
They started with a specific version of systemd and have been mutating it since then, so the whole this is "tainted" with LGPL now.