Unable to access Phoenix app after deployment to Ubuntu 18.04

So, have you already added server: true and http: [port: 4013] to your endpoint configuration?

My prod.exs now looks like this:

config :wtmitu, WtmituWeb.Endpoint,
  load_from_system_env: false,
  url: [host: "127.0.0.1"],
  http: [ port: 4013 ],
  cache_static_manifest: "priv/static/cache_manifest.json",
  check_origin: true,
  root: ".",
  version: Mix.Project.config[:version]

config :logger, level: :info

config :phoenix, :serve_endpoints, true

import_config "prod.secret.exs"

And I have config :wtmitu, WtmituWeb.Endpoint, server: true in prod.secret.exs

I’m building a new release now.

That is a good point, maybe try something like

  http: [port: 4013]

I wish I could confirm this setting, but I don’t have access to our production servers right now :confused:

I mean you are so German it physically hurts xD (speaking as a fellow German, don’t worry, we are all kind of like that)

Try changing your production config to use

config :your_app, YourApp.Endpoint,
  http: [port: 4013]

and remove the :url option

This attitude of “I’m right, so no one else is”? Yes, I’m totally guilty of that :smiley:

Now we understand each other!

Even though I am not sure I can agree… Unless you admit I was right first! :slightly_smiling_face:

Trying that now.

If that does not work, try to change the :url option to use port: 80 - it does not make sense to me, but you know…

I deployed a standalone cowboy server before, and you cannot make it listen to port 80, unless it is running on root - are you using a separate user for your app? Something like deploy app_user or whatever?

EDIT: You should be using a separate user, don’t run your apps on root.

Yes, it’s not running as root

Guys, if it’s easier, I can put the app on a public GitHub repo? There’s nothing private about it, other than the db config, and a sendmail key, which are in prod.secret.exs.

I really appreciate your trying to help, so am happy to do whatever I can to help you help me. Sh*t, if it comes to it, I’ll give you access to the server if necessary…

Still no joy with the changes to the config suggested.

I need to pop out now for an hour, my dog’s begging for her walk :dog2:

Try to keep your projects obscure, even if you don’t think it’s not a big deal… Hackers will try to hijack your app - I would bet everything I have that your server is already under attack, if it has been online for more than 24 hours.

There are a lot of possible pitfalls, maybe we have reached the limits of a forum in terms of solutions - you can send me a message and I will try to help you, or message someone else in this thread, I am sure they will try to help as well.

There are requests in the Nginx logs that aren’t from me going back to when I first set the server up yesterday morning. Maybe I should tear it down and re-build, and use a different app name. I did wonder about including the app name in a reply earlier, should have thought harder.

I will pm you when I get back, don’t like messaging if not offered :+1:

Consider this an offer :+1:

EDIT: I am also active on the Discord Server, that might make things easier (communication).

LOL, no, that’s pointless. Any publicly exposed interface on the net is under constant automated attack.

Yes, but it’s annoying to see those thousands of daily attempts to ssh in. I usually change the default sshd port, to rule out all bots trying to connect on port 22. This alone is enough to make my access.log quiet. There is also fail2ban, which can help keep the nosy scripts out. I’m far from being a network security expert, so I guess there is a lot more that could be done, e.g. setting up ufw to start with. But this is not the topic of this thread.

That was why I thought about tearing down and re-building my server - quick thought out loud. I didn’t set up ufw until today, and as I’m definitely not a network security expert I don’t know what I may have left open.

I will look into that.

Maybe not, but it’s my thread :wink: so I would be happy with this sort of tangent. After all, it can’t hurt.

Edit: I guess a good start, just in case, would be to change my ssh key, and replace the authorised_keys file.

Be careful not to lock yourself out of your droplet by changing the sshd port before allowing the new one in the firewall!

Will do :+1:
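
The ordering from the last warning in the thread (allow the new port in ufw before moving sshd to it), written as a pre-flight check. This is an added example, not code from any poster: the function names, port 2222 and the sample config and `ufw status` text are constructed, and it assumes all `Port` lines sit in one sshd_config and that the firewall uses plain port rules (no app profiles or ranges).

```shell
# Pre-flight check: every Port in sshd_config must already have a ufw
# ALLOW/LIMIT rule before sshd is restarted on it.

# Constructed sample inputs (not taken from the thread).
SAMPLE_SSHD_CONFIG='# sshd_config (constructed)
Port 2222
PermitRootLogin no'
SAMPLE_UFW_OLD='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere'
SAMPLE_UFW_NEW="$SAMPLE_UFW_OLD
2222/tcp                   LIMIT       Anywhere"

# Print the ports sshd will listen on (config text in $1).
# Keywords are case-insensitive; sshd falls back to 22 with no Port line.
sshd_ports() {
    ports=$(printf '%s\n' "$1" | awk 'tolower($1) == "port" { print $2 }')
    [ -n "$ports" ] && printf '%s\n' "$ports" || echo 22
}

# Succeed if ufw (status text in $1) lets TCP port $2 in.
ufw_allows_port() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^Status: inactive/ { ok = 1 }   # ufw off: it filters nothing
        ($1 == p || $1 == (p "/tcp")) && ($2 == "ALLOW" || $2 == "LIMIT") { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Return 0 only when every sshd port is reachable through ufw.
# Arguments: $1 = sshd_config text, $2 = "ufw status" text.
preflight() {
    missing=""
    for port in $(sshd_ports "$1"); do
        ufw_allows_port "$2" "$port" || missing="$missing $port"
    done
    [ -z "$missing" ] && return 0
    echo "not allowed in ufw:$missing (run 'ufw allow <port>/tcp' first)" >&2
    return 1
}

# Demo on the constructed samples. On a real host, as root:
#   preflight "$(cat /etc/ssh/sshd_config)" "$(ufw status)"
preflight "$SAMPLE_SSHD_CONFIG" "$SAMPLE_UFW_OLD" || echo "do not restart sshd yet"
preflight "$SAMPLE_SSHD_CONFIG" "$SAMPLE_UFW_NEW" && echo "safe to restart sshd"
```

Keep the existing SSH session open while restarting sshd and confirm a fresh login on the new port before closing it; `sshd -t` checks the edited config for syntax errors first.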