From 226dd0cd9d7cce54592d4ae8c6b3383c3bf425c7 Mon Sep 17 00:00:00 2001
From: Klaus Lungwitz
Date: Tue, 4 Feb 2025 15:50:39 -0300
Subject: [PATCH] Manage SSL termination directly from Elixir

To remove caddy (or any reverse proxy) as middleman For this to work (bind port 443), the release binary has to either * be run as root * be given capabilities to bind privileged ports (<10000) - we currently do this with this command ```shell sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/repo/mirra_backend/_build/prod/rel/arena/erts-13.2.2.12/bin/beam.smp ```
---
 config/runtime.exs | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/config/runtime.exs b/config/runtime.exs
index cc511f1ab..dda23ae53 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -87,11 +87,22 @@ if config_env() == :prod do
 host = System.get_env("PHX_HOST") || "example.com"
 port = String.to_integer(System.get_env("PORT") || "3000")
+ port_ssl = String.to_integer(System.get_env("PORT_SSL") || "443")
 config :arena, :dns_cluster_query, System.get_env("DNS_CLUSTER_QUERY")
 config :arena, ArenaWeb.Endpoint,
- url: [host: host, port: 443, scheme: "https"],
+ url: [
+ scheme: "https",
+ port: port_ssl,
+ host: host
+ ],
+ https: [
+ port: port_ssl,
+ cipher_suite: :strong,
+ keyfile: System.get_env("KEYFILE_PATH"),
+ certfile: System.get_env("CERTFILE_PATH")
+ ],
 http: [
 # Enable IPv6 and bind on all interfaces.
 # Set it to {0, 0, 0, 0, 0, 0, 0, 1} for local network only access.
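Review bot: `keyfile: System.get_env("KEYFILE_PATH")` and `certfile: System.get_env("CERTFILE_PATH")` in the new `https:` block silently become `nil` when the variables are unset, so a release missing its certificate presumably fails only when the listener starts, without naming the missing setting; fail at config load instead, e.g. `keyfile: System.get_env("KEYFILE_PATH") || raise("KEYFILE_PATH is not set"),` and `certfile: System.get_env("CERTFILE_PATH") || raise("CERTFILE_PATH is not set")`. With the reverse proxy removed, the `http:` listener on `port` kept just below still serves plain HTTP and nothing in this config redirects it to the `https:` listener; if Caddy used to provide that redirect, add `force_ssl: [hsts: true]` to the endpoint options so plain requests are upgraded and HSTS is sent. The enclosing `if config_env() == :prod do` block starts before the hunk.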