To prepare an application to serve requests over SSL, we need to add a little bit of configuration and two environment variables. In order for SSL to actually work, we'll need a key file and a certificate file from a certificate authority. The environment variables that we'll need are the paths to those two files.

The configuration consists of a new `https:` key for our endpoint whose value is a keyword list of port, path to the key file, and path to the cert (pem) file. If we add the `otp_app:` key whose value is the name of our application, Plug will begin to look for them at the root of our application. We can then put those files in our `priv` directory and set the paths to `priv/our_keyfile.key` and `priv/our_cert.crt`.

Here's an example configuration from `config/prod.exs`.

```elixir
use Mix.Config

# ...
config :hello_phoenix, HelloPhoenix.Endpoint,
  http: [port: {:system, "PORT"}],
  url: [host: "example.com"],
  cache_static_manifest: "priv/static/manifest.json",
  https: [port: 443,
          otp_app: :hello_phoenix,
          keyfile: System.get_env("SOME_APP_SSL_KEY_PATH"),
          certfile: System.get_env("SOME_APP_SSL_CERT_PATH"),
          cacertfile: System.get_env("INTERMEDIATE_CERTFILE_PATH") # OPTIONAL Key for intermediate certificates
          ]
```

Without the `otp_app:` key, we need to provide absolute paths to the files wherever they are on the filesystem in order for Plug to find them.

```elixir
Path.expand("../../../some/path/to/ssl/key.pem", __DIR__)
```

Forcing requests to use SSL:

In many cases, you'll want to force all incoming requests to use SSL by redirecting http to https. This can be accomplished by setting the `:force_ssl` option in your endpoint. It expects a list of options which are forwarded to `Plug.SSL`. By default it sets the "strict-transport-security" header in https requests, forcing browsers to always use https. If an unsafe request (http) is sent, it redirects to the https version using the `:host` specified in the `:url` configuration. To dynamically redirect to the `host` of the current request, `:host` must be set to `nil`. For example:

```elixir
config :my_app, MyApp.Endpoint,
  force_ssl: [rewrite_on: [:x_forwarded_proto]]
```

Releasing with Exrm:

In order to build and run a release with exrm, make sure you also include the ssl app in `mix.exs`:

```elixir
def application do
  [mod: {HelloPhoenix, []},
   applications: [:phoenix, :phoenix_html, :cowboy, :logger, :gettext,
                  :phoenix_ecto, :postgrex, :ssl]]
end
```

Otherwise you might run into errors such as: `** (MatchError) no match of right hand side value: {:error, {:ssl, {'no such file or directory', 'ssl.app'}}}`
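To see what the `force_ssl` options described above do to a request, the following added example (not part of the original guide or of Phoenix itself) calls `Plug.SSL` directly with `rewrite_on: [:x_forwarded_proto]` and `host: nil` and reports the result for three constructed requests. It assumes a current Elixir with `Mix.install/1` and a recent Plug release; the module name `ForceSSLDemo` and the hostnames are made up for illustration.

```elixir
# Added example: exercises Plug.SSL outside of a Phoenix endpoint.
Mix.install([{:plug, "~> 1.14"}])

defmodule ForceSSLDemo do
  import Plug.Conn, only: [put_req_header: 3, get_resp_header: 2]

  # Options as in the force_ssl example, plus host: nil so the redirect
  # target is the host of the current request.
  defp opts, do: Plug.SSL.init(rewrite_on: [:x_forwarded_proto], host: nil)

  # Run one request through Plug.SSL and summarise what came back.
  def check(conn) do
    conn = Plug.SSL.call(conn, opts())

    %{
      redirected?: conn.halted,
      status: conn.status,
      location: get_resp_header(conn, "location"),
      hsts: get_resp_header(conn, "strict-transport-security")
    }
  end

  def run do
    # 1. Plain http request (constructed): redirected to https on the same host.
    plain = Plug.Test.conn(:get, "http://tenant.example.org/login?next=/")

    # 2. Request that arrived at a TLS-terminating proxy (constructed): the
    #    proxy sets x-forwarded-proto, so Plug.SSL treats it as https and
    #    adds the strict-transport-security header instead of redirecting.
    proxied =
      :get
      |> Plug.Test.conn("http://tenant.example.org/login")
      |> put_req_header("x-forwarded-proto", "https")

    # 3. Non-GET request over http: still redirected, with a status that
    #    tells the client to repeat the same method.
    post = Plug.Test.conn(:post, "http://tenant.example.org/session")

    for {label, conn} <- [plain: plain, proxied: proxied, post: post] do
      IO.inspect(check(conn), label: label)
    end
  end
end

ForceSSLDemo.run()
```

`rewrite_on: [:x_forwarded_proto]` takes the scheme from a request header, so it belongs only in deployments where a proxy or load balancer in front of the application sets or overwrites that header on every request.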