Question about Secure for Gin web framework

xuanbao · 2016-12-24 12:00:24 · 694 views
This resource was shared on 2016-12-24 12:00:24; the information in it may have developed or changed since then.

Does anybody have experience using this? If so, I was hoping to ask you a few questions please! Thank you ahead of time!


Comments:

nhooyr:

What do you mean by "Secure" for Gin?

theunseen:

Secure is middleware for using HTTPS.

nhooyr:

Can you link to this middleware? I'm not quite sure what you mean by "middleware" here. Why would you need middleware to use HTTPS?

theunseen:

https://github.com/unrolled/secure

nhooyr:

No reason it shouldn't work. Are you encountering any problems?

theunseen:

I'm pretty noob so I'm not sure if it is working. I have it set to redirect to HTTPS so it ensures to use HTTPS but I can't see where it sets the certificate (I'd like to use a self-signed certificate) that is used for HTTPS so I'm not even sure it's doing HTTPS properly. Chrome also gives me an error when trying to access the HTTPS endpoint. Yes, I realize I'm pretty noob at this so what I'm writing may seem completely ridiculous :P

nhooyr:

It's not setting up HTTPS for you, it's merely setting some headers for extra security. You have to set up HTTPS manually. See net/http in godoc.

theunseen:

OH. OK, that makes a lot more sense. Thank you.

1lann:

Why not just ask your questions in your post? Input from open discussions is valuable, not everyone's use cases or requirements are the same.

theunseen:

True, sorry. Basically was wondering how to specify a certificate to use for HTTPS. In the README, I saw the Secure options, but it doesn't seem to specify where I actually specify which certificate it uses for HTTPS. I'm also completely new at this, so yeah... Sorry.

1lann:

OK I'll clarify some things. "Secure" is a library that helps you to add HTTP headers recommended for security reasons, it is meant to be used in conjunction with HTTPS, but does not provide HTTPS. The headers are added to prevent XSS (Cross-site scripting) and CSRF (Cross-site request forgery).

Gin has its own "secure" library here. You can find an example use here.

It is recommended to use both HTTPS and the "secure" package's headers. To use HTTPS in Gin, simply replace

router.Run() // where typically: router := gin.Default()

with

http.ListenAndServeTLS(":443", "/path/to/cert.pem", "/path/to/key.pem", router)

Don't forget to add "http" to your import list at the top of your Go file too.

I should also mention that people typically don't use HTTPS at the web application level, but rather at the reverse proxy. So the web application will be listening with HTTP on a firewalled port, and the reverse proxy will be listening on port 80/443, and will forward the request to the web application. This allows you to serve multiple websites under the same server. Such examples of reverse proxies include nginx, Apache httpd (which I recommend against), and Caddy. I personally recommend Caddy, as it's easy to set up, is written in Go, so supports Go middleware, and has automatic HTTPS through Let's Encrypt.

itsmontoya:

ListenAndServeTLS and pass the gin.Engine as the handler

theunseen:

I did see ListenAndServeTLS, but that doesn't seem to use Secure?

itsmontoya:

ListenAndServeTLS is the method for listening for secure connections
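The distinction the thread arrives at, as an added example that is not part of the original discussion and is not code from Secure or Gin: header middleware only adds response headers, the TLS listener is what encrypts, and a client that does not trust a self-signed certificate rejects the connection. `securityHeaders` and `probe` are hypothetical names, and the certificate is the self-signed test certificate built into `net/http/httptest`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// securityHeaders is a hand-written stand-in for header middleware such as
// Secure; it is not that library's API. It only adds response headers.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Header().Set("X-Frame-Options", "DENY")
		next.ServeHTTP(w, r)
	})
}

// probe serves the same handler over plain HTTP or over TLS (httptest's
// built-in self-signed certificate) and reports what a client observes.
func probe(useTLS, trustCert bool) (encrypted bool, hsts string, err error) {
	h := securityHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	srv := httptest.NewUnstartedServer(h)
	if useTLS {
		srv.StartTLS() // the listener, not the middleware, provides TLS
	} else {
		srv.Start()
	}
	defer srv.Close()
	client := &http.Client{} // trusts only the system root CAs
	if trustCert {
		client = srv.Client() // trusts the server's self-signed certificate
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return false, "", err
	}
	defer resp.Body.Close()
	return resp.TLS != nil, resp.Header.Get("Strict-Transport-Security"), nil
}

func main() {
	fmt.Println(probe(false, false)) // headers present, connection not encrypted
	fmt.Println(probe(true, true))   // headers present, connection encrypted
	fmt.Println(probe(true, false))  // certificate verification error
}
```

The third call fails for the same reason a browser warns about a self-signed certificate: the certificate does not chain to a root the client trusts.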

