Add SSL termination to the explorer #1586

klaus993 · 2024-12-06T13:34:20Z

Add SSL termination to the explorer

Manage SSL termination directly from the explorer, to remove the reverse-proxy dependency (caddy)

explorer/lib/explorer_web/router.ex: make CSP less strict for the website to be able to:
- 'unsafe-inline': execute JS scripts inline
- img-src https://w3.org blob: data:;: fetch some image/data from w3
explorer/config/runtime.exs: handle SSL certificates from elixir endpoint
- PORT_SSL env var sets the port for HTTPS endpoint to listen on, not needed as it's defaulted to 443
  - for the 443 binding to work, it's needed to either:
    - run the release with sudo (not recommended for security reasons)
    - add capabilities to the BEAM binary to bind to low ports, for example in staging: sudo setcap CAP_NET_BIND_SERVICE=+eip /home/app/repos/explorer/aligned_layer/explorer/_build/prod/rel/explorer/erts-14.2.1/bin/beam.smp
- KEYFILE_PATH and CERTFILE_PATH are the local paths to the SSL private key and the certificate, if not set, HTTP endpoint will be brought up, but not HTTPS one
- NOTE: as this config is all inside the if config_env() == :prod, local development setup changes are not needed

klaus993 added 2 commits December 6, 2024 11:34

Add SSL termination to the explorer

f6a8725

Make CSP less strict

569b4ba

klaus993 force-pushed the explorer-ssl branch from 95c42d0 to 569b4ba Compare December 6, 2024 14:34

klaus993 changed the base branch from staging to testnet December 6, 2024 14:35

klaus993 added 2 commits December 9, 2024 16:42

Add http://raw.githubusercontent.com/ to allowed content in CSP

edf3d26

Allow images from https://*.github.io

0b4547c

samoht9277 self-requested a review December 10, 2024 15:39

This comment was marked as outdated.

Sign in to view

PatStiles approved these changes Dec 10, 2024

View reviewed changes