polypush135
Forcing https not working on localhost, what am I missing?
I’m trying to force all http request to redirect to https.
In short I have added the below to my endpoint config.
url: [host: "localhost", port: 80],
force_ssl: [hsts: true, rewrite_on: [:x_forwarded_proto], host: "localhost"]
I’ve tried just simply force_ssl: [hsts: true] with no luck as well.
Apps:
:phoenix, "1.4.10"
:plug, "1.8.3"
Browsers:
Chrome: Ubuntu Version 78.0.3904.97 (Official Build) (64-bit)
When making a http request the request is successful but it never redirects to https.
Heres the whole config.
config :morphic_pro, MorphicProWeb.Endpoint,
http: [port: 4000],
https: [
port: 4001,
cipher_suite: :strong,
certfile: "priv/cert/localhost.crt",
keyfile: "priv/cert/localhost.key"
],
debug_errors: true,
code_reloader: true,
check_origin: false,
watchers: [
node: [
"node_modules/webpack/bin/webpack.js",
"--mode",
"development",
"--watch-stdin",
cd: Path.expand("../assets", __DIR__)
]
],
url: [host: "localhost", port: 80],
force_ssl: [hsts: true, rewrite_on: [:x_forwarded_proto], host: "localhost"]
I have read over https://hexdocs.pm/phoenix/1.4.10/endpoint.html#using-ssl and was a little confused about the note about making https requests on 4000. I assume that maybe a typo that the protocol was https not http
EDIT: I now understand the point of the comment around being redirected from http to https but still keeping the port as 4000 but I’ve yet to see that since I don’t seem to be redirecting any of my requests.
Marked As Solved
polypush135
whoot! finally!. Ok so it looks like I have to use the host option too.
force_ssl: [hsts: false, rewrite_on: [:x_forwarded_proto], exclude: [], host: "localhost:4001"]
Also Liked
NobbZ
The example config just has force_ssl: :hsts, not even wrapped in a list.
PS: having HSTS for localhost is nasty… You shouldn’t activate it before you know how to remove it from your browser after wards…
NobbZ
Also please read the full section over HSTS I linked above, HSTS will only work for port 80 according to that page.
antew
I believe localhost is excluded from the SSL plug by default, check out https://github.com/elixir-plug/plug/blob/master/lib/plug/ssl.ex#L46
NobbZ
HSTS is a bad idea for localhost, as it will require you to provide HTTPS for all applications that you happen to develop on that computer, also for some browsers you won’t be able to use self signed or outdated certificates along with HSTS.
They become very strict once HSTS was activated for a domain.








