Configs for SSL

I am working on security in my application, and hence looking at ssl.

I have seen some different examples on configs for this, including using the https-config-field:

https: [
  port: 443,
  otp_app: :blackbook,
  keyfile: Application.get_env(:blackbook, :keyfile),
  certfile: Application.get_env(:blackbook, :certfile)
],

(example from this post)

and other examples that have led to my current implementation:

config :app_name, AppNameWeb.Endpoint,
  load_from_system_env: true,
  # plain HTTP listener only; TLS is expected to be terminated in front of the app
  http: [:inet6, port: System.get_env("PORT") || 4000],
  # trust the proxy's X-Forwarded-Proto header when deciding whether to redirect to HTTPS
  force_ssl: [rewrite_on: [:x_forwarded_proto]],
  url: [
    scheme: "https",
    # APP_NAME is a placeholder for the application name
    host: "#{APP_NAME}.gigalixirapp.com",
    port: System.get_env("PORT") || 443
  ],
  cache_static_manifest: "priv/static/cache_manifest.json",
  server: true,
  root: ".",
  secret_key_base: "${SECRET_KEY_BASE}",
  version: Application.spec(:app_name, :vsn),
  # duplicates the secret_key_base entry above
  secret_key_base: System.get_env("SECRET_KEY_BASE") || raise("SECRET_KEY_BASE doesn't exist")

What are the differences between them, and is one of them more correct than the other?

I am also wondering why, in some examples, I have seen hsts: true in the force_ssl options?

Using Phoenix 1.4.0

They describe different setups: the former terminates TLS in the application, whereas the second relies on an external process/service (reverse proxy, load balancer) to terminate TLS, proxying requests to the application over plain HTTP.

The Phoenix guide on ssl does not really cover external TLS termination, you may want to have a look at the Plug HTTPS guide (specifically this part): much of it applies to Phoenix too, except that you wouldn’t use Plug.SSL directly, but rather pass the options through the force_ssl endpoint option.

hsts: true is the default, so omitting it does not make any difference. If you don’t want the application to send the HTTP Strict-Transport-Security header, for example because the element terminating TLS in front of your application takes care of that, you need to explicitly set hsts: false.
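The two setups described in this answer, written out as an added example config (not from the thread or the Phoenix project; :my_app, MyAppWeb.Endpoint, example.com and the environment variable names are placeholders). Use exactly one of the two blocks: both configure the same endpoint and would otherwise be merged.

```elixir
# config/prod.exs (added example; :my_app, MyAppWeb.Endpoint and the env var names are placeholders)
import Config

# Option A: the application terminates TLS itself (Cowboy listens on 443).
# Plain-HTTP requests on port 80 are redirected to HTTPS by force_ssl, and the
# Strict-Transport-Security header is sent because hsts: true is the default;
# it is written out here only to make the choice explicit.
config :my_app, MyAppWeb.Endpoint,
  http: [port: 80],
  https: [
    port: 443,
    cipher_suite: :strong,
    keyfile: System.get_env("MY_APP_SSL_KEY_PATH") || raise("MY_APP_SSL_KEY_PATH not set"),
    certfile: System.get_env("MY_APP_SSL_CERT_PATH") || raise("MY_APP_SSL_CERT_PATH not set")
  ],
  force_ssl: [hsts: true],
  url: [scheme: "https", host: "example.com", port: 443]

# Option B: a reverse proxy or load balancer terminates TLS and forwards plain HTTP.
# The app listens on HTTP only. force_ssl reads X-Forwarded-Proto (rewrite_on) to learn
# that the original request was HTTPS; without it every proxied request would be
# redirected in a loop. The proxy must overwrite that header itself so a client cannot
# set it. hsts: false because the proxy already adds Strict-Transport-Security.
config :my_app, MyAppWeb.Endpoint,
  http: [:inet6, port: String.to_integer(System.get_env("PORT") || "4000")],
  force_ssl: [rewrite_on: [:x_forwarded_proto], hsts: false],
  url: [scheme: "https", host: "example.com", port: 443]
```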


I think I ended up giving up on serving SSL through elixir and just put up an nginx server in front of it. Little bit of a learning curve with it but way easier (for me) at the end of the day. Let's Encrypt with nginx is a breeze.