From 0741095a849bc0940e7a887ef2cb89af0115070a Mon Sep 17 00:00:00 2001
From: jamey <jamey@server.jamey.stream>
Date: Mon, 9 Mar 2026 10:06:26 +0000
Subject: [PATCH] exclude /health from force_ssl redirect

Fly.io internal health checks are made over HTTP, so they get redirected
to HTTPS with a 301 which fails the health check. Exclude /health path
from SSL enforcement.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 config/prod.exs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/prod.exs b/config/prod.exs
index 51a307b..5ee751b 100644
--- a/config/prod.exs
+++ b/config/prod.exs
@@ -9,7 +9,12 @@ config :berrypod, BerrypodWeb.Endpoint,
   cache_static_manifest: "priv/static/cache_manifest.json",
   # HSTS tells browsers to always use HTTPS for this domain (1 year, include subdomains)
   # This must be set at compile time, not runtime
-  force_ssl: [hsts: true, rewrite_on: [:x_forwarded_proto]]
+  # Exclude /health for Fly.io internal health checks (made over HTTP)
+  force_ssl: [
+    hsts: true,
+    rewrite_on: [:x_forwarded_proto],
+    exclude: [hosts: ["localhost", "127.0.0.1"], paths: ["/health"]]
+  ]
 
 # Configures Swoosh API Client
 config :swoosh, api_client: Swoosh.ApiClient.Req