EvertYipYip

EvertYipYip

AWS SSL Healthcheck

Hi,

I have my phoenix application running in a docker container hosted on AWS behind an application load balancer. The loadbalancer handles ssl for me. The application however handles the force ssl and redirects http requests to https based on the x-forwarded-proto header (this header is set by the loadbalancer). Below my endpoint configuration for my staging environment:

config :foo_endpoint, FooEndpoint.Endpoint,
  load_from_system_env: true,
  url: [host: "staging-foo.org"],
  cache_static_manifest: "priv/static/cache_manifest.json",
  check_origin: false,
  force_ssl: [rewrite_on: [:x_forwarded_proto], hsts: true, host: nil]

The target group in AWS that handles the dynamic port mapping from docker to docker-host, also handles a healthcheck. However this healthcheck does not have any headers and AWS does not allow me to set them. Since ssl is handled before the target group (in the loadbalancer) the protocol used for the healthcheck is http, this results in a 301 redirect from the ssl plug. The healthcheck does not follow the 301, this means the controller isn’t reached and the healthcheck functionality is not actually executed.

Is there a possibility to exclude one endpoint from the redirect? Or does anyone have a different solution or approach to this handle this situation. I think the same situation can occur while using nginx, or an other kind of loadbalancer, that handles ssl for you.

Thanks in advance.

Marked As Solved

Gazler

Gazler

Phoenix Core Team

The easiest way to do this is to set your success code to 200-399 on the health check in the load balancer.

You can also use Plug.SSL manually in your endpoint instead of setting it in your config. Something like this in your endpoint (untested):

  plug :respond_to_ping, "/ping"
  plug Plug.SSL, rewrite_on: [:x_forwarded_proto], hsts: true, host: nil

  defp respond_to_ping(%{halted: true} = conn, _), do: conn

  defp respond_to_ping(%{request_path: path} = conn, path) do
    conn
    |> Plug.Conn.put_resp_header("content-type", "text/html")
    |> Plug.Conn.send_resp(200, "pong")
    |> Plug.Conn.halt()
  end

  defp respond_to_ping(conn, _), do: conn

Also Liked

EvertYipYip

EvertYipYip

Thanks for your response.

Setting the success code to 200-399 on the health check is not sufficient in our case since we also check for database connection in our health check, and the health check doesn’t follow a 301. The second options however does allow for this to happen.

Thanks again for your advice.

OvermindDL1

OvermindDL1

I would just have nginx specialize on the specific healthcheck path and then perform whatever test it itself wants (including an internal, not external, redirect if wanted).

Where Next?

Popular in Questions Top

mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
ovidiubadita
Hey all, I discovered Elixir and I love it. I always wanted to learn a functional programming and I intended to go for Haskell, but afte...
New
earth10
Hi, I’m just starting to build a side-project with Elixir and Phoenix and doing some basic test with Elixir alone. What strikes me is th...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
dblack
I’ve got an issue with an app and I’ve no idea of how to troubleshoot it. I’m hoping someone here might have seen something similar. I p...
New
chensan
I have a User schema with a :from_id field set to type :string: defmodule TweetBot.Repo.Migrations.CreateUsers do use Ecto.Migration ...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New

Other popular topics Top

lastday4you
I wanted to check elixir version in phoenix because i found that my elixir is 1.5 but when i use Enum.chunk_by it said the function is un...
New
TunkShif
This post is an instruction guide to help you setup your Neovim for Elixir development from scratch. It includes general information on h...
274 41539 114
New
mcarvalho
What is the difference between System.get_env and Application.get_env? For example, what are best practices to use one versus another.
New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
gshaw
What is the idiomatic way of matching for not nil in Elixir? E.g., First way: defp halt_if_not_signed_in(conn, signed_in_account) when...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
sergio
Kind of like when jquery came out, it was super necessary. Existing drag and drop libraries have a bunch of baggage to support old browse...
New

Latest on Elixir Forum

We're in Beta

About us Mission Statement