# plugin-waf-enforce-ssl Enforce SSL at WAF level. ## Quickstart ```bash npx pockethost install @pockethost/plugin-waf-enforce-ssl # now only accepts https npx pockethost waf serve ``` ## Discussion When SSL is enforced on WAF, `PH_WAF_PORT` is ignored. Instead, it will listen on 80 and 443, redirecting any port 80 traffic to 443. In dev mode (`PH_DEV`), a wildcard dev certificate for the `PH_APEX_DOMAIN` value will be created. In prod mode, you must create your own certificate. For example, Cloudflare issues [origin certificates](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/) which must be downloaded and used here. Use `npx pockethost config set PH_WAF_ENFORCE_SSL_KEY ` and `npx pockethost config set PH_WAF_ENFORCE_SSL_CERT ` to set production mode settings. ## Variables The following variables will be used if they are found in the shell environment. PocketHost will also load them from an `.env` file if found at load time. | Name | Default | Discussion | | ----------------------- | --------------------------------------------- | ------------------------------------------------------------- | | PH_WAF_ENFORCE_SSL_HOME | `.pockethost/plugin-waf-enforce-ssl` | The home directory for any data storage needs of this plugin. | | PH_WAF_ENFORCE_SSL_KEY | `.pockethost/plugin-waf-enforce-ssl/tls.key` | The path to your SSL cert. | | PH_WAF_ENFORCE_SSL_CERT | `.pockethost/plugin-waf-enforce-ssl/tls.cert` | The path to your SSL key. | ## Support PocketHost has a thriving [Discord community](https://discord.gg/nVTxCMEcGT). --- ### Sponsored by https://pockethost.io. Instantly host your PocketBase projects. ---