add force ssl as config variable

b310-digital · Jan 1, 2025 · c8c7db0 · c8c7db0
1 parent 8ded880
commit c8c7db0
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 4 deletions.
diff --git a/.env.default b/.env.default
@@ -12,7 +12,6 @@ DOCKER_COMPOSE_APP_DATABASE_USER=mindwendel-user
 DOCKER_COMPOSE_APP_MW_DEFAULT_LOCALE=en
 DOCKER_COMPOSE_APP_MW_FEATURE_BRAINSTORMING_REMOVAL_AFTER_DAYS=30
 DOCKER_COMPOSE_APP_MW_FEATURE_BRAINSTORMING_TEASER=true
-DOCKER_COMPOSE_APP_MW_FEATURE_STORAGE_PROVIDER=local
 DOCKER_COMPOSE_APP_MW_FEATURE_IDEA_FILE_UPLOAD=true
 DOCKER_COMPOSE_APP_OBJECT_STORAGE_USER=
 DOCKER_COMPOSE_APP_OBJECT_STORAGE_PASSWORD=

diff --git a/.env.prod.default b/.env.prod.default
@@ -26,6 +26,7 @@ DOCKER_COMPOSE_APP_PROD_VAULT_ENCRYPTION_KEY_BASE64=
 # - `date +%s | sha256sum | base64 | head -c 64 ; echo`
 # - `date +%s | shasum -a 256 | base64 | head -c 64 ; echo`
 DOCKER_COMPOSE_APP_PROD_SECRET_KEY_BASE=
+DOCKER_COMPOSE_APP_PROD_FORCE_SSL=true
 DOCKER_COMPOSE_APP_PROD_URL_HOST=
 DOCKER_COMPOSE_APP_PROD_URL_PORT=443
 DOCKER_COMPOSE_APP_URL_SCHEME=https

diff --git a/.github/workflows/on_push_main_publish.yml b/.github/workflows/on_push_main_publish.yml
@@ -6,7 +6,7 @@ name: Create and publish a Docker image
 # Configures this workflow to run every time a change is pushed to the branch called `master`.
 on:
   push:
-    branches: ["master"]
+    branches: ["master", "543-make-ssl-configurable"]
   release:
     types: [published]
 

diff --git a/config/prod.exs b/config/prod.exs
@@ -23,6 +23,8 @@ end
 
 config :mindwendel, :s3_storage_provider, Mindwendel.Services.S3ObjectStorageService
 
+force_ssl = System.get_env("FORCE_SSL", "true") == "true"
+
 config :mindwendel, MindwendelWeb.Endpoint,
   # This configuration ensures / enforces ssl requests sent to this mindwendel instance.
   # See https://hexdocs.pm/phoenix/Phoenix.Endpoint.html#module-compile-time-configuration
@@ -33,7 +35,7 @@ config :mindwendel, MindwendelWeb.Endpoint,
   # See https://hexdocs.pm/plug/Plug.SSL.html#module-x-forwarded
   # See https://hexdocs.pm/phoenix/Phoenix.Endpoint.html#module-compile-time-configuration
   force_ssl: [
-    hsts: true,
+    hsts: force_ssl,
     rewrite_on: [
       :x_forwarded_host,
       :x_forwarded_port,

diff --git a/docker-compose-prod.yml b/docker-compose-prod.yml
@@ -39,6 +39,8 @@ services:
       # E.g. `date +%s | sha256sum | base64 | head -c 64 ; echo`
       # See https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/
       SECRET_KEY_BASE: ${DOCKER_COMPOSE_APP_PROD_SECRET_KEY_BASE:?}
+      # force ssl for production, see config/prod.exs
+      FORCE_SSL: ${DOCKER_COMPOSE_APP_PROD_FORCE_SSL:-true}
 
       # Add the url host that points to this mindwendel installation.
       # This is used by mindwendel to generate urls with the right host throughout the app.
@@ -48,7 +50,7 @@ services:
 
       # This env var defines to what port the phoeinx (cowboy) server should listen to.
       # Given that we are target port is 4000 (see below) it likely that the phoenix server should also listen to this port 4000.
-      MW_ENDPOINT_HTTP_PORT: ${DOCKER_COMPOSE_APP_MW_ENDPOINT_HTTP_PORT:-4000}
+      MW_ENDPOINT_HTTP_PORT: ${DOCKER_COMPOSE_APP_PROD_PORT_TARGET:-4000}
     ports:
       - "${DOCKER_COMPOSE_APP_PROD_PORT_PUBLISHED:-4000}:${DOCKER_COMPOSE_APP_PROD_PORT_TARGET:-4000}"
     depends_on: