How we split Plug.SSL to control SSL redirection


Corresponding tweet for this thread:

Share link for this tweet.

1 Like

Great post Sascha, I am sure it will help a lot of people!

I don’t have a Phoenix app in production yet but for anyone using HAProxy, these lines on the frontend may also be of help:

reqadd X-Forwarded-Proto:\ https if { ssl_fc }
redirect scheme https if ssl_redirect_hosts !{ ssl_fc }
redirect scheme https code 301 if !{ ssl_fc }

In conjunction with configuring plug to handle X-Forwarded-* headers as per Sascha’s post.

1 Like

exclude some requests from the redirect (and as such the HSTS header)

From the moment you set the HSTS header the browser will honor it for any endpoint not just for the one from where you sent it in a response.

The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

Or am I misunderstanding your proposal?

1 Like