<p>Does anybody have experience using this? If so, I was hoping to ask you a few questions please! Thank you ahead of time!</p>
<hr/>**评论:**<br/><br/>nhooyr: <pre><p>What do you mean by "Secure" for Gin?</p></pre>theunseen: <pre><p>Secure is middleware for using HTTPS.</p></pre>nhooyr: <pre><p>Can you link to this middleware? I'm not quite sure what you mean by "middleware" here. Why would you need middleware to use HTTPS?</p></pre>theunseen: <pre><p><a href="https://github.com/unrolled/secure" rel="nofollow">https://github.com/unrolled/secure</a></p></pre>nhooyr: <pre><p>No reason it shouldn't work. Are you encountering any problems?</p></pre>theunseen: <pre><p>I'm pretty noob so I'm not sure if it is working. I have it set to redirect to HTTPS so it ensures to use HTTPS but I can't see where it sets the certificate (I'd like to use a self-signed certificate) that is used for HTTPS so I'm not even sure it's doing HTTPS properly. Chrome also gives me an error when trying to access the HTTPS endpoint. Yes, I realize I'm pretty noob at this so what I'm writing may seem completely ridiculous :P</p></pre>nhooyr: <pre><p>It's not setting up HTTPS for you, it's merely setting some headers for extra security. You have to set up HTTPS manually. See net/http in godoc.</p></pre>theunseen: <pre><p>OH. OK, that makes a lot more sense. Thank you.</p></pre>1lann: <pre><p>Why not just ask your questions in your post? Input from open discussions are valuable, not everyone's use cases or requirements are the same.</p></pre>theunseen: <pre><p>True, sorry. Basically was wondering how to specify a certificate to use for HTTPS. In the README, I saw the Secure options, but it doesn't seem to specify where I actually specify which certificate it uses for HTTPS. I'm also completely new at this, so yeah... Sorry. </p></pre>1lann: <pre><p>OK I'll clarify some things. "Secure" is a library that helps you to add HTTP headers recommended for security reasons, it is meant to be used in conjunction with HTTPS, but <strong>does not provide HTTPS</strong>. The headers are added to prevent XSS (Cross-site scripting) and CSRF (Cross-site request forgery).</p>
<p>Gin has its own "secure" library <a href="https://godoc.org/github.com/gin-gonic/contrib/secure" rel="nofollow">here</a>. You can find an <a href="https://github.com/gin-gonic/contrib/blob/master/secure/example/example.go" rel="nofollow">example use here</a>.</p>
<p>It is recommended to use both HTTPS and the "secure" package's headers. To use HTTPS in Gin, simply replace</p>
<p><code>
router.Run() // where typically: router := gin.Default()
</code></p>
<p>with</p>
<p><code>
http.ListenAndServeTLS(":443", "/path/to/cert.pem", "/path/to/key.pem", router)
</code></p>
<p>Don't forget to add <code>"http"</code> to your import list at the top of your Go file too.</p>
<p>I should also mention that people typically don't use HTTPS at the web application level, but rather at the reverse proxy. So the web application will be listening with HTTP on a firewalled port, and the reverse proxy will be listening port 80/443, and will forward the request to the web application. This allows you to serve multiple websites under the same server. Such examples of reverse proxies include <a href="https://nginx.org/" rel="nofollow">nginx</a>, Apache httpd (which I recommend against), and <a href="https://caddyserver.com/" rel="nofollow">Caddy</a>. I personally recommend Caddy, as it's easy to setup, is written in Go, so supports Go middleware, and has automatic HTTPS through Let's Encrypt.</p></pre>itsmontoya: <pre><p>ListenAndServeTLS and pass the gin.Engine as the handler</p></pre>theunseen: <pre><p>I did see ListenAndServeTLS, but that doesn't seem to use Secure?</p></pre>itsmontoya: <pre><p>ListenAndServeTLS is the method for listening for secure connections</p></pre>
