Nginx reverse proxy with Phoenix and Let's Encrypt SSL config

I’m trying to run Phoenix 1.5 with Nginx reverse proxy with Let’s Encrypt SSL and having little success with the configuration. I’m using edeliver to deploy, which seems to be working fine. This may be because the tutorials or configs I’m using are outdated, but it seems to be right from my end. I started with these tutorials Setting up Phoenix…2016, Nginx config w/ phx

This is what I have for my Nginx config (gist link):

upstream phoenix_upstream {
  server 127.0.0.1:4000;
}

server {
  listen 80;
  server_name espresso.kickinespresso.com;
  return 301 https://$server_name$request_uri;
}

server { 
  listen [::]:443 ssl ipv6only=on; # managed by Certbot
  listen  443 ssl;
  server_name espresso.kickinespresso.com;
  
  ssl_certificate /etc/letsencrypt/live/espresso.kickinespresso.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/espresso.kickinespresso.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://phoenix_upstream;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }
}

Here is my config/prod.exe for the endpoint (gist link:

config :espresso, EspressoWeb.Endpoint,
  http: [port: 4000],
  check_origin: false,
  cache_static_manifest: "priv/static/cache_manifest.json",
  server: true,
  code_reloader: false

I’m also not sure if I should have other configurations in the Endpoint for URL or port. I’ve seen configurations where the url is specified like this: url: [host: "espresso.kickinespresso.com", port: 443], but if it is a proxy_pass from nginx shouldn’t this not matter? I’ve also seen configurations where the IP is specified for localhost like http: [ip: {127, 0, 0, 1}, port: 4000],

I’m at a bit of a loss as of how to troubleshoot this since I can’t really find any logs from nginx in /var/log/nginx/ that show any issues. The erlang log /home/espresso/app_release/espresso/var/log also isn’t providing anything back.

Has anyone done anything similar?

  http: [:inet6, port: 4000],
  url: [host: "domain", port: 443],

I have it done this way

I just did the same thing so memory is still fresh. A couple of things:

you are missing:

proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;

They are important to make Plug.SSL work, which you should add to your endpoint:

if Mix.env == :prod do
    plug Plug.SSL, rewrite_on: [:x_forwarded_proto, :x_forwarded_host, :x_forwarded_port]
  end

Secondly, if you use web socket or the built in live-dashboard, you need to turn on websocket for those end points, such as:

location /live {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “upgrade”;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_pass http://localhost:4001/live;
proxy_read_timeout 6000s; # raise the proxy timeout for the websocket
}

Lastly, you still need to make sure your endpoint has the proper external url. the url is used to generate full url in your application, such as email links, from the router helper functions.

Do you have any snippets or Gits?

See the above for the reverse proxy config. For endpoint config you can check this out:

Please note this application is intended to be deployed in a sub directory, so there is some special handling of LV socket location. Other than that, it is bog standard.