←back to thread

Go-Safeweb

(github.com)
188 points jcbhmr | 2 comments | 14 Nov 24 03:04 UTC | HN request time: 0.768s | source
Show context
pushupentry1219 ◴[14 Nov 24 04:54 UTC] No.42133267[source]
Not sure how I feel about the HTTPS/TLS related bits. These days anything I write in Go uses plain HTTP, and the TLS is done by a reverse proxy of some variety that does some other stuff with the traffic too including security headers, routing for different paths to different services, etc. I never run a go web application "bare", public facing, and manually supplying cert files.
replies(6): >>42133422 #>>42133588 #>>42133628 #>>42134049 #>>42134283 #>>42135953 #
1. karmarepellent ◴[14 Nov 24 08:06 UTC] No.42134049[source]
I have use cases for both approaches (letting a reverse proxy handle TLS, letting the application listen on an external socket and handling TLS in the application).

I find is is easier to configure an application with a reverse proxy in front when different paths require e.g. different cache-control response headers. At the end of the day I do not want to replicate all the logic that nginx (and others) already provide when it integrates well with the application at the back.

Other commenters suggest that both ways (with or without additional reverse proxy) add "tons of complexity". I don't see why. Using a reverse proxy is what we have done for a while now. Installation and configuration (with a reasonable amount of hardening) is not complex and there exist a lot of resources to make it easier. And leaving the reverse proxy out and handling TLS in the application itself should not be "complex" either. Just parse a certificate and private key and supply them to whatever web framework you happen to use.

replies(1): >>42135467 #
2. eptcyka ◴[14 Nov 24 12:12 UTC] No.42135467[source]
And implement cert reloading if your application reaches any kind of respectable uptime.