analytics/lib/plausible_web/endpoint.ex
ruslandoga 2180ab4764
Auto HTTPS in CE (#4491)
* auto https

* changelog

* enable auto-tls only when http_port is 80

* make erlang ssl less verbose

* simplify config

* simplify config

* fix ce_dev typo

* fix another typo

---------

Co-authored-by: Adrian Gruntkowski <adrian.gruntkowski@gmail.com>
2024-09-10 14:15:43 +02:00

197 lines
5.1 KiB
Elixir

defmodule PlausibleWeb.Endpoint do
use Plausible
use Sentry.PlugCapture
use Phoenix.Endpoint, otp_app: :plausible
on_ce do
plug :maybe_handle_acme_challenge
plug :maybe_force_ssl, Plug.SSL.init(_no_opts = [])
end
@session_options [
# key to be patched
key: "",
store: :cookie,
signing_salt: "I45i0SKHEku2f3tJh6y4v8gztrb/eG5KGCOe/o/AwFb7VHeuvDOn7AAq6KsdmOFM",
# 5 years, this is super long but the SlidingSessionTimeout will log people out if they don't return for 2 weeks
max_age: 60 * 60 * 24 * 365 * 5,
extra: "SameSite=Lax"
# in EE domain is added dynamically via RuntimeSessionAdapter, see below
]
socket("/live", Phoenix.LiveView.Socket,
websocket: [
check_origin: true,
connect_info: [
:peer_data,
:uri,
:user_agent,
session: {__MODULE__, :runtime_session_opts, []}
]
]
)
# Serve at "/" the static files from "priv/static" directory.
#
# You should set gzip to true if you are running phx.digest
# when deploying your static files in production.
plug(PlausibleWeb.Tracker)
plug(PlausibleWeb.Favicon)
static_paths = ~w(css js images favicon.ico)
static_paths =
on_ee do
# NOTE: The Cloud uses custom robots.txt from https://github.com/plausible/website: https://plausible.io/robots.txt
static_paths
else
static_paths ++ ["robots.txt"]
end
static_compression =
if Plausible.ce?() do
[brotli: true, gzip: true]
else
[gzip: false]
end
plug(
Plug.Static,
[at: "/", from: :plausible, only: static_paths] ++ static_compression
)
on_ee do
plug(Plug.Static,
at: "/kaffy",
from: :kaffy,
gzip: false,
only: ~w(assets)
)
end
# Code reloading can be explicitly enabled under the
# :code_reloader configuration of your endpoint.
if code_reloading? do
socket("/phoenix/live_reload/socket", Phoenix.LiveReloader.Socket)
plug(Phoenix.LiveReloader)
plug(Phoenix.CodeReloader)
end
plug(Plug.RequestId)
plug(PromEx.Plug, prom_ex_module: Plausible.PromEx)
plug(Plug.Telemetry, event_prefix: [:phoenix, :endpoint], log: false)
plug(Plug.Parsers,
parsers: [:urlencoded, :multipart, :json],
pass: ["*/*"],
json_decoder: Phoenix.json_library()
)
plug(Sentry.PlugContext)
plug(Plug.MethodOverride)
plug(Plug.Head)
plug(:runtime_session)
plug(CORSPlug)
plug(PlausibleWeb.Router)
def secure_cookie?, do: config!(:secure_cookie)
def websocket_url() do
config!(:websocket_url)
end
def runtime_session(conn, _opts) do
Plug.run(conn, [{Plug.Session, runtime_session_opts()}])
end
def runtime_session_opts() do
session_options =
on_ee do
# `host()` provided by Phoenix.Endpoint's compilation hooks
# is used to inject the domain - this way we can authenticate
# websocket requests within single root domain, in case websocket_url()
# returns a ws{s}:// scheme (in which case SameSite=Lax is not applicable).
Keyword.put(@session_options, :domain, host())
else
# CE setup is simpler and we don't need to worry about WS domain being different
@session_options
end
session_options
|> Keyword.put(:key, "_plausible_#{Application.fetch_env!(:plausible, :environment)}")
|> Keyword.put(:secure, secure_cookie?())
end
defp config!(key) do
:plausible
|> Application.fetch_env!(__MODULE__)
|> Keyword.fetch!(key)
end
on_ce do
require SiteEncrypt
@behaviour SiteEncrypt
@force_https_key {:plausible, :force_https}
@allow_acme_challenges_key {:plausible, :allow_acme_challenges}
@doc false
def force_https do
:persistent_term.put(@force_https_key, true)
end
@doc false
def allow_acme_challenges do
:persistent_term.put(@allow_acme_challenges_key, true)
end
defp maybe_handle_acme_challenge(conn, _opts) do
if :persistent_term.get(@allow_acme_challenges_key, false) do
SiteEncrypt.AcmeChallenge.call(conn, _endpoint = __MODULE__)
else
conn
end
end
defp maybe_force_ssl(conn, opts) do
if :persistent_term.get(@force_https_key, false) do
Plug.SSL.call(conn, opts)
else
conn
end
end
@impl SiteEncrypt
def handle_new_cert, do: :ok
@doc false
def app_env_config do
# this function is being used by site_encrypt
Application.get_env(:plausible, _endpoint = __MODULE__, [])
end
@impl SiteEncrypt
def certification do
selfhost_config = Application.fetch_env!(:plausible, :selfhost)
config = Keyword.fetch!(selfhost_config, :site_encrypt)
domain = Keyword.fetch!(config, :domain)
email = Keyword.fetch!(config, :email)
db_folder = Keyword.fetch!(config, :db_folder)
directory_url = Keyword.fetch!(config, :directory_url)
SiteEncrypt.configure(
mode: :auto,
log_level: :notice,
client: :certbot,
domains: [domain],
emails: [email],
db_folder: db_folder,
directory_url: directory_url
)
end
end
end