I’m developing a web API with Plug and Cowboy, which I want to be available only over HTTPS for security reasons.
I have a single Cowboy instance running, configured as follows:
```elixir
{
  Plug.Cowboy,
  scheme: :https,
  plug: MyApp.Plug,
  port: 443,
  cipher_suite: :strong,
  certfile: "path/to/cert",
  keyfile: "path/to/key"
}
```
Now I see that in the Plug HTTPS guide (https://hexdocs.pm/plug/https.html#content), using `Plug.SSL` is mentioned as a way to force HTTPS (by redirecting HTTP to HTTPS). This seems like something I would want, but I’m not sure if I actually need it: with the current configuration, my server already seems to not accept HTTP connections. For example, trying to connect via http://localhost:443 fails, and of course http://localhost:80 also fails.
It seems like when running Cowboy with the `:https` scheme, HTTP is not accepted, so `Plug.SSL` is not required? `Plug.SSL` would only be required if there was another Cowboy instance set to the `:http` scheme, serving on port 80 (which would then be redirected to the HTTPS instance)?
Is this reasoning correct? I’m concerned about misunderstanding this and potentially introducing security weaknesses.
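The two-listener layout the post describes (an HTTPS listener that serves the API plus a plain HTTP listener on port 80 whose requests `Plug.SSL` redirects), as an added example that is not part of the original post; module names, the host name and the certificate paths are assumptions.

```elixir
# Added example, not from the original post. Module names, the host name and
# the certificate paths are assumptions.
defmodule MyApp.Plug do
  use Plug.Builder

  # Plug.SSL runs first in the pipeline. On an http:// request it replies with
  # a redirect to the https:// version of the same URL; on an https:// request
  # it passes the connection through and adds a Strict-Transport-Security
  # header (hsts: true is the default). `host` pins the redirect target rather
  # than echoing whatever Host header the client sent. Plug.SSL excludes
  # "localhost" from the redirect by default; exclude: [] turns that off so a
  # local http://localhost test is redirected too.
  plug Plug.SSL, host: "api.example.com", hsts: true, exclude: []

  plug :hello

  def hello(conn, _opts), do: send_resp(conn, 200, "served over TLS")
end

defmodule MyApp.Application do
  use Application

  @impl true
  def start(_type, _args) do
    children = [
      # The HTTPS listener from the question; this is the one that serves the API.
      {Plug.Cowboy,
       scheme: :https,
       plug: MyApp.Plug,
       port: 443,
       cipher_suite: :strong,
       certfile: "path/to/cert",
       keyfile: "path/to/key"},
      # A second, plain HTTP listener on port 80 running the same plug. Without
      # it nothing answers on port 80, and Plug.SSL never sees an http://
      # request to redirect; with it, every http:// request becomes a redirect.
      {Plug.Cowboy, scheme: :http, plug: MyApp.Plug, port: 80}
    ]

    Supervisor.start_link(children, strategy: :one_for_one, name: MyApp.Supervisor)
  end
end
```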