Gigalixir config not supporting SSL?

I have a Phoenix app that still has some trouble with SSL. From https://gigalixir.readthedocs.io/en/latest/modify-app/mix.html#configuration-and-secrets I tried using that config, but I observe the following behaviours:

http://myapp.com --> redirects to https://www.myapp.com  ok
http://www.myapp.com --> redirects to https://www.myapp.com ok
https://www.myapp.com --> works ok no redirect
https://myapp.com --> Potential Security Risk ahead!!!

The domain is DNSed at GoDaddy. The domain has “forwarding” to http://www.myapp.com but I am not sure what this means. I added CNAMEs to gigalixir for the www and root domains:

gigalixir domains:add www.myapp.com
gigalixir domains:add myapp.com

But GoDaddy does not permit root-level CNAMEs. I think this is the problem?

Also, I do not understand why the example config says port 443. Am I understanding correctly that Gigalixir listens on PORT? So why does the example config say 443, and both http and port 443?

config :my_app, MyAppWeb.Endpoint,
  http: [port: {:system, "PORT"}], # Possibly not needed, but doesn't hurt
  url: [host: "${APP_NAME}.gigalixirapp.com", port: 443],
  secret_key_base: Map.fetch!(System.get_env(), "SECRET_KEY_BASE"),
  server: true

The DNS also uses A record, but I think this is incorrect.

Is it possible to get HTTPS for both www and root level domain with GoDaddy? Or do I need to find DNS with ALIAS feature? Is there something wrong with my config copied from example doc?

Many thanks!

I ran into this issue in the past as well. This might not be helpful but I just transferred the domain to NameCheap and set the value to @ for root level domain.

I don’t have it configured with a custom domain but mine works fine with the standard given name. Doesn’t your url configuration have to be the custom domain name, not the gigalixirapp.com name?

App here:
https://options-tracker.gigalixirapp.com/
Code here:

Thank you, but my configuration still does not work, I think. When a custom domain is added, there is no example in the documentation of what the config must be. Is gigalixir domains:add alone enough?

I am still confused. From the previous post, I understand that Gigalixir forwards requests and our apps must only listen on PORT… but why do some examples also listen on 443? I feel that this example of custom domain configuration is very much missing from the doc page, or maybe I cannot find it?

Also, maybe GoDaddy is not possible to use with Gigalixir for custom domains?

config :bob_versions_web, BobVersionsWeb.Endpoint,
  http: [:inet6, port: System.get_env("PORT") || 4000],
  url: [scheme: "https", port: 443],
  force_ssl: [rewrite_on: [:x_forwarded_proto], host: nil],
  …

This one works for me with the internal as well as a custom domain.


Thank you, I tried this config but I still have security warnings when I try https requests for the root domain:

Both www and root domains are defined in gigalixir.

Can you look at the served certificate if it actually holds your domain names?

I think I found a clue. The trailing slash seems to be very important! At least with Firefox. Chrome seems to have problems with or without:

https://myapp.com --> redirects to https://www.myapp.com OK
https://myapp.com/ --> redirects to https://myapp.com  Warning: Potential Security Risk Ahead!!!

The certificate seems OK for www.myapp.com – it says Let’s Encrypt, and for “Subject Alt Names” it shows www.myapp.com.

But when I get the “Security Risk” error, I inspect the cert and I see that the Common Name is shortener.secureserver.net and the DNS names are for shortener.secureserver.net.

Maybe this is the GoDaddy “redirect”?

I removed the GoDaddy forwarding (it forwarded http://myapp.com to http://www.myapp.com) and now I get a new error when I request https://myapp.com --> PR_END_OF_FILE_ERROR

If the certificate is only valid for www.myapp.com then myapp.com is correctly insecure.
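An added example (my own Python, not code from this thread or from Gigalixir) that reproduces the check the replies above ask for: connect with SNI to a host, read the served certificate's SAN names, and apply the hostname-matching rule under which a certificate listing only www.myapp.com does not cover myapp.com, and one for shortener.secureserver.net covers neither. The SAN lists at the bottom are constructed from what the thread reports, and myapp.com / www.myapp.com are the thread's placeholder names.

```python
import socket
import ssl
import sys

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact name, or a '*' that is the whole left-most
    label and covers exactly one label (so '*.myapp.com' never covers myapp.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_covers_host(san_dns_names, hostname: str) -> bool:
    """True if any SAN dNSName entry covers the hostname the client asked for."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)

def diagnose(hostname: str, served_sans) -> str:
    """Return 'ok' or a short mismatch message, mirroring the browser warning."""
    if cert_covers_host(served_sans, hostname):
        return "ok"
    return f"mismatch: {hostname} is not covered by {list(served_sans)}"

def fetch_san_dns_names(host: str, port: int = 443) -> list:
    """Connect with SNI set to `host` and return the served cert's SAN DNS names.
    Chain validation stays on; only the hostname check is disabled so that a
    mismatched certificate is returned for inspection instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

# Constructed SAN lists modelled on what the thread reports (not fetched from any host).
GIGALIXIR_CERT_SANS = ["www.myapp.com"]               # Let's Encrypt cert for the www host
FORWARDER_CERT_SANS = ["shortener.secureserver.net"]  # cert the registrar's forwarder served

if __name__ == "__main__":
    # Network use only here: pass the root and the www host in turn to compare.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.myapp.com"
    print(target, "->", diagnose(target, fetch_san_dns_names(target)))
```

Running it once with the root name and once with the www name shows which certificate each SNI value actually receives, which is the quickest way to tell a registrar forwarder answering on 443 from the platform's own certificate.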

But this is what gigalixir is supposed to supply I thought. I have added both domains to gigalixir domains.

I’m not sure how exactly certificates are served by gigalixir. It could be one certificate for all domains, but it could be one certificate per domain and it serves only the matching one.

But all that doesn’t matter at all if your DNS provider doesn’t allow root-level CNAMEs, because you’re likely not even serving gigalixir resources under https://myapp.com. Meaning neither gigalixir nor phoenix can do anything, as things go the wrong way on the DNS level already. I’m not sure if you can get an IP for gigalixir. If not, you need to either find something similar to CNAME (e.g. ALIAS), which is supported by GoDaddy, or move to a different DNS provider.

Thank you for your patience. I’m sorry I am not skilled with DNS.
I do not think GoDaddy has support for ALIAS DNS records… they say “alias” but they are actually just CNAME records: GoDaddy does not have an option for creating ALIAS records. It is unfortunate for this case because there are many hundreds of domains.

If you’re just doing redirects you can also see if you can do the redirect to the www.* version at the dns level using GoDaddy.