Go-Safeweb

(github.com)

188 points jcbhmr | 1 comments | 14 Nov 24 03:04 UTC | HN request time: 0s | source

Show context

pushupentry1219 ◴[14 Nov 24 04:54 UTC] No.42133267[source]▶

Not sure how I feel about the HTTPS/TLS related bits. These days anything I write in Go uses plain HTTP, and the TLS is done by a reverse proxy of some variety that does some other stuff with the traffic too including security headers, routing for different paths to different services, etc. I never run a go web application "bare", public facing, and manually supplying cert files.

replies(6): >>42133422 #>>42133588 #>>42133628 #>>42134049 #>>42134283 #>>42135953 #

ongy ◴[14 Nov 24 06:21 UTC] No.42133588[source]▶

>>42133267 #

I suspect this is partially from google's internal 0 trust cluster networking.

I.e. even if the communication is entirely between components inside a k8s (or borg) cluster, it should be authenticated and encrypted.

In this model, there may be a reverse proxy at the edge of the cluster, but the communication between this service and the internal services wouls still be https. With systems like cert-manager it's also incredibly easy to supply every in-cluster process with a certificate form the cluster-internal CA.

-- Googler, not related to this project

replies(2): >>42133623 #>>42136458 #

1. kevinmgranger ◴[14 Nov 24 14:33 UTC] No.42136458[source]▶

>>42133588 #

The policy(?) change came ever since "SSL added and removed here ;-)", right?

That's when I remember seeing a broader shift towards app-terminated TLS.

↑