Phoenix Deployment: Application + SSL/TLS + NGINX

Hey Folks,

My first experience with Phoenix is coming full circle. The marketing website I’ve been developing for my company is complete, fully functional and the only thing left to do is set up SSL/TLS on my production machine.

Deployment Setup

The marketing website, which will eventually be turned into online design software, is hosted entirely on Amazon Web Services. I’m using a PostgreSQL RDS instance for my database and am pushing the compiled release directly to a Linux EC2 instance. I’m NOT using Amazon ECS or any container technology such as Docker. I wanted to keep the initial release as simple as possible, but will probably use it in future releases when I pin down a proper CI pipeline for the project.

As it stands, the release is compiled on an EC2 staging environment, copied and then started on the production machine of the same OS (Ubuntu) and hardware. The running instance currently runs on port 4000. I’m running NGINX as a service to listen for inbound requests on port 80 and proxying the requests to port 4000. My question is regarding where and how to set up SSL/TLS. The way I see it, I have two options. I can add SSL/TLS to the project’s config/prod.exs or config/runtime.exs and set force_ssl:.

The second option would be to configure SSL/TLS inside the NGINX server configuration and link to the private/public SSL certificate and key within this configuration. The Phoenix project would keep the same configurations and NGINX would simply just proxy the requests from port 443 to port 4000.

This is the last piece of the puzzle for my Phoenix application. Please let me know which approach is best practice, if I’m missing something important, or if there’s simply just a better way to do this.

Regards,
Scott

As you are proxying using Nginx - you can configure the SSL certificate at Nginx.

If you are using load balancer - you can do SSL termination at load balancer (as opposed to server) - it will keep things simple.

I don’t think you need SSL passthrough.

If Nginx and Phoenix server are both on the same machine - it does not make much difference w.r.t. security (proxy or server).

Let’s Encrypt with certbot takes care of auto renewal of the SSL cert as well.

2 Likes
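The setup discussed in this thread (NGINX terminating TLS on port 443 and proxying to Phoenix on port 4000), as an added example that is not part of any post here. The domain example.com, the certificate paths and Phoenix being bound to 127.0.0.1 are assumptions.

```nginx
# Added example. example.com and the certificate paths are placeholders;
# Phoenix is assumed to listen on 127.0.0.1:4000 on the same host.

# Port 80: no content served in clear text, only a redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}

# Port 443: TLS terminates here, the hop to Phoenix stays on loopback.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Directory layout certbot uses for Let's Encrypt certificates.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Refuse legacy protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:4000;
        proxy_http_version 1.1;

        # Phoenix only sees the loopback connection, so pass it the original
        # host, client address and scheme.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade, needed for Phoenix channels and LiveView.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

If `force_ssl` is also enabled in the Phoenix endpoint, it needs `rewrite_on: [:x_forwarded_proto]` so that requests arriving over the plain-HTTP hop from NGINX are recognised as HTTPS instead of being redirected in a loop. Binding the endpoint to loopback (`http: [ip: {127, 0, 0, 1}, port: 4000]`) keeps port 4000 from being reachable without TLS.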

I agree, since you are already proxying, I would definitely let NGINX handle it.

1 Like

Thanks @kartheek for the great answer and the certbot tip!

1 Like