Configs for SSL

I am working on security in my application, and hence looking at ssl.

I have seen some different examples on configs for this, including using the https-config-field:

https: [port: 443,
          otp_app: :blackbook,
          keyfile: Application.get_env(:blackbook, :keyfile),
          certfile: Application.get_env(:blackbook, :certfile)

(example from this post

and other examples that have lead to my current implementation:

config :app_name, AppNameWeb.Endpoint,
  load_from_system_env: true,
  http: [:inet6, port: System.get_env("PORT") || 4000],
  force_ssl: [rewrite_on: [:x_forwarded_proto]],
  url: [
    scheme: "https",
    host: "#{APP_NAME}",
    port: System.get_env("PORT") || 443
  cache_static_manifest: "priv/static/cache_manifest.json",
  server: true,
  root: ".",
  secret_key_base: "${SECRET_KEY_BASE}",
  version: Application.spec(:app_name :vsn),
  secret_key_base: System.get_env("SECRET_KEY_BASE") || raise("SECRET_KEY_BASE doesn't exist")

What are the differences between them, and is one of them more correct than the other?

I am also wondering why I in some examples have seen htst: true in the force_ssl?

Using Phoenix 1.4.0

They describe different setups: the former terminates TLS in the application, whereas the second relies on an external process/service (reverse proxy, load balancer) to terminate TLS, proxying requests to the application over plain HTTP.

The Phoenix guide on ssl does not really cover external TLS termination, you may want to have a look at the Plug HTTPS guide (specifically this part): much of it applies to Phoenix too, except that you wouldn’t use Plug.SSL directly, but rather pass the options through the force_ssl endpoint option.

This is the default, so omitting it does not make any difference. If you don’t want the application to send the HTTP Strict-Transport-Security header, for example because the element terminating TLS in front of your application takes care of that, you need to explicitly set htst: false.


I think I ended up giving up on serving SSL through elixir and just put up an nginx server in front of it. Little bit of a learning curve with it but way easier (for me) at the end of the day. Lets Encrypt with nginx is a breeze.