redirect to https

config/runtime.exs

@@ -69,12 +69,7 @@ http_port =
 
 https_port = get_int_from_path_or_env(config_dir, "HTTPS_PORT")
 
-acme_directory_url =
-  get_var_from_path_or_env(
-    config_dir,
-    "ACME_DIRECTORY_URL",
-    "https://acme-v02.api.letsencrypt.org/directory"
-  )
+acme_directory_url = get_var_from_path_or_env(config_dir, "ACME_DIRECTORY_URL")
 
 base_url = get_var_from_path_or_env(config_dir, "BASE_URL")
 
@@ -315,26 +310,30 @@ config :plausible,
   custom_script_name: custom_script_name,
   log_failed_login_attempts: log_failed_login_attempts,
   license_key: license_key,
-  data_dir: data_dir
+  data_dir: data_dir,
+  acme_directory_url: acme_directory_url
 
 config :plausible, :selfhost,
   enable_email_verification: enable_email_verification,
-  disable_registration: disable_registration,
-  https_port: https_port,
-  acme_directory_url: acme_directory_url
+  disable_registration: disable_registration
+
+default_http_opts = [
+  transport_options: [max_connections: :infinity],
+  protocol_options: [max_request_line_length: 8192, max_header_value_length: 8192]
+]
 
 config :plausible, PlausibleWeb.Endpoint,
   url: [scheme: base_url.scheme, host: base_url.host, path: base_url.path, port: base_url.port],
-  http: [
-    port: http_port,
-    ip: listen_ip,
-    transport_options: [max_connections: :infinity],
-    protocol_options: [max_request_line_length: 8192, max_header_value_length: 8192]
-  ],
+  http: [port: http_port, ip: listen_ip] ++ default_http_opts,
   secret_key_base: secret_key_base,
   websocket_url: websocket_url,
   secure_cookie: secure_cookie
 
+if https_port do
+  config :plausible, PlausibleWeb.Endpoint,
+    https: [port: https_port, ip: listen_ip, cipher_suite: :compatible] ++ default_http_opts
+end
+
 db_maybe_ipv6 =
   if get_var_from_path_or_env(config_dir, "ECTO_IPV6") do
     if config_env() in [:ce, :ce_dev, :ce_test] do

lib/plausible_web/endpoint.ex

@@ -8,6 +8,10 @@ defmodule PlausibleWeb.Endpoint do
     use SiteEncrypt.Phoenix.Endpoint, otp_app: :plausible
   end
 
+  on_ce do
+    plug :maybe_force_ssl, Plug.SSL.init(_no_opts = [])
+  end
+
   @session_options [
     # key to be patched
     key: "",
@@ -120,10 +124,20 @@ defmodule PlausibleWeb.Endpoint do
   end
 
   on_ce do
+    def maybe_force_ssl(conn, opts) do
+      if :persistent_term.get({:plausible, :https}) do
+        Plug.SSL.call(conn, opts)
+      else
+        conn
+      end
+    end
+
     @impl SiteEncrypt
     def certification do
+      endpoint_config = Application.fetch_env!(:plausible, PlausibleWeb.Endpoint)
+
       domain =
-        Application.fetch_env!(:plausible, PlausibleWeb.Endpoint)
+        endpoint_config
         |> Keyword.fetch!(:url)
         |> Keyword.fetch!(:host)
 
@@ -146,17 +160,18 @@ defmodule PlausibleWeb.Endpoint do
           email when is_binary(email) -> email
         end
 
-      selfhost_config = Application.fetch_env!(:plausible, :selfhost)
-
       # we basically disable site_encrypt if https port is not set
-      https_port = Keyword.fetch!(selfhost_config, :https_port)
+      https_port = get_in(endpoint_config, [:https, :port])
       mode = if https_port, do: :automatic, else: :manual
-
-      directory_url = Keyword.fetch!(selfhost_config, :acme_directory_url)
+      :persistent_term.put({:plausible, :https}, !!https_port)
 
       data_dir = Application.get_env(:plausible, :data_dir)
       db_folder = Path.join(data_dir || System.tmp_dir!(), "site_encrypt")
 
+      directory_url =
+        Application.get_env(:plausible, :acme_directory_url) ||
+          "https://acme-v02.api.letsencrypt.org/directory"
+
       SiteEncrypt.configure(
         mode: mode,
         log_level: :notice,