Auto HTTPS in CE #4491
Auto HTTPS in CE #4491
Conversation
| @@ -61,7 +63,13 @@ listen_ip = | |||
| ) | |||
|
|
|||
| # System.get_env does not accept a non string default | |||
| port = get_var_from_path_or_env(config_dir, "PORT") || 8000 | |||
| http_port = | |||
| get_int_from_path_or_env(config_dir, "HTTP_PORT") || | |||
There was a problem hiding this comment.
HTTP_PORT is added for consistency with the new HTTPS_PORT.
| get_int_from_path_or_env(config_dir, "HTTP_PORT") || | ||
| get_int_from_path_or_env(config_dir, "PORT", 8000) | ||
|
|
||
| https_port = get_int_from_path_or_env(config_dir, "HTTPS_PORT") |
There was a problem hiding this comment.
Setting HTTPS_PORT enables site_encrypt so that auto-TLS is opt-in.
ruslandoga
force-pushed
the
auto-https
branch
2 times, most recently
from
c368f0f
to
a551f4b
Compare
| mode: :auto, | ||
| log_level: :notice, | ||
| client: :certbot, | ||
| domains: [domain], |
There was a problem hiding this comment.
I wonder if it should try to issue "www.#{domain}" as well.
I think it's OK as is for now, and if someone complains I'll add extra logic to check if www should be issued too. Plausible CE is probably mostly served from a subdomain anyway.
| PlausibleWeb.Endpoint.enable_https(https_enabled?) | ||
|
|
||
| if https_enabled? do | ||
| {SiteEncrypt.Phoenix.Endpoint, endpoint: PlausibleWeb.Endpoint} |
There was a problem hiding this comment.
Maybe this can be further limited to http_port==80 check since ACME issues challenges only on the default HTTP port.
config/runtime.exs
Outdated
| secret_key_base: secret_key_base, | ||
| websocket_url: websocket_url, | ||
| secure_cookie: secure_cookie | ||
|
|
||
| if https_port do | ||
| config :plausible, PlausibleWeb.Endpoint, | ||
| https: [port: https_port, ip: listen_ip, cipher_suite: :compatible] ++ default_http_opts |
There was a problem hiding this comment.
The Compatible cipher suite supports tlsv1, tlsv1.1 and tlsv1.2.
From https://hexdocs.pm/plug/1.16.1/Plug.SSL.html#configure/1-cipher-suites
The reasoning for using this suite instead of a "strong" one is the same as in #1708 (comment)
|
Changes
This PR starts using https://github.com/sasa1977/site_encrypt in CE to generate (and keep up-to-date) TLS certificates using https://certbot.eff.org.
The goal is to simplify CE deployments by removing the reverse-proxy requirement.
Trying it out locally
Launch a local CA like Pebble:
$ docker run --rm --name pebble -d -p 14000:14000 -p 15000:15000 -e "PEBBLE_VA_NOSLEEP=1" ghcr.io/letsencrypt/pebbleUPDATE: since Docker Desktop 4.34.0 host networking can be used on non-Linux machines: https://docs.docker.com/engine/network/drivers/host/?uuid=ebc0dd6c-ae8d-43ac-aa17-81671a3a76dd%0A#docker-desktop, that would remove the need for
host.docker.internalworkaround below.Install Certbot, e.g. with
brew install certbotInstall new CE deps, e.g. with
MIX_ENV=ce mix deps.getEdit config/.env.dev and .iex.exs so as not to interfere with custom ENV used in the next step:
config/.env.dev
.iex.exs
... import_if_available(Ecto.Query) import_if_available(Plausible.Factory) - Logger.configure(level: :warning) ...Launch Plausible with the following ENV:
console
I use
host.docker.internalto make Pebble be able to access localhost from its container in "Docker Desktop" for Mac. For Linux machines, I think the host can belocalhostwith--network hostadded todocker runflags.Wait for success:
Visit
https://host.docker.internal:5001(you might need to add127.0.0.1 host.docker.internalto/etc/hostsfor it to be resolvable)Tests
Changelog
Documentation
Dark mode