Add Auto-HTTPS

Question

Add Auto-HTTPS

Opened this issue 6 years ago · 9 comments

bscott commented 6 years ago

Add support for automatic TLS with LetsEncrypt using custom server.

Answer 1 · 2018-06-17T02:22:43.000Z

In most cases, won't your app sit behind a reverse proxy/load balancer?

Answer 2 · 2018-06-18T04:55:34.000Z

@robbyoconnor In most cases, yes. But prod setups are not all the same, so we should help in those cases too. :)

Answer 3 · 2018-06-18T16:59:37.000Z

I wasn't saying it was a bad idea :)

…

On 06/18/2018 12:55 AM, Stanislas Michalak wrote: @robbyoconnor <https://github.com/robbyoconnor> In most cases, yes. But prod setups are not all the same, so we should help in those cases too. :) — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1113 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABaMHeLHE8kVb5nXeG2f0hEDxjaN09Iks5t9zLLgaJpZM4UqpO_>.

Answer 4 · 2018-06-20T04:45:46.000Z

Trying to think how to approach a PR for this. Wondering if buffalo new should take an argument to enable Auto TLS?, Any ideas how we would support this?

Example client:
https://godoc.org/golang.org/x/crypto/acme/autocert

Answer 5 · 2018-06-20T05:30:29.000Z

Yeah -- why not make an argument to `buffalo new` --- or even a plugin maybe?

…

On 06/20/2018 12:45 AM, Brian Scott wrote: Trying to think how to approach a PR for this. Wondering if |buffalo new| should take an argument to enable Auto TLS?, Any ideas how we would support this? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1113 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AABaMAwNDNYOBLNJoK6gP8uchwcktSsWks5t-dN9gaJpZM4UqpO_>.

Answer 6 · 2018-06-20T11:02:11.000Z

If it was me, :), I would write a package somewhere that has an implementation of the new Server interface and then people can just import it and pass in a version of that server to Start.

…

On Jun 20, 2018, 1:30 AM -0400, robbyoconnor ***@***.***>, wrote: Yeah -- why not make an argument to `buffalo new` --- or even a plugin maybe? On 06/20/2018 12:45 AM, Brian Scott wrote: > > Trying to think how to approach a PR for this. Wondering if |buffalo > new| should take an argument to enable Auto TLS?, Any ideas how we > would support this? > > — > You are receiving this because you were mentioned. > Reply to this email directly, view it on GitHub > <#1113 (comment)>, > or mute the thread > <https://github.com/notifications/unsubscribe-auth/AABaMAwNDNYOBLNJoK6gP8uchwcktSsWks5t-dN9gaJpZM4UqpO_>. > — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

Answer 7 · 2019-08-09T15:20:02.000Z

Some example code for this if anyone is interested in making it official: https://gist.github.com/hdm/d271eb94a51f7f908ecb9ddc82d2b644

Answer 8 · 2019-11-20T19:47:28.000Z

Just my 2 cents: CertMagic is a fine option.

Answer 9 · 2022-04-26T00:15:44.000Z

I used https://gist.github.com/hdm/d271eb94a51f7f908ecb9ddc82d2b644 today and it worked perfectly. Big fan of that. Thanks, @hdm ! I'm trying to integrate this into buffalo itself. As far as I can tell, the contents of that gist wouldn't actually need to be generated and put into one's project, it seems like Buffalo could just run this instead of the other code to generate the "servers.Server" if an environment variable or YAML config says so. Thoughts on implementation?

My only concern would be this:
If you have your buffalo app running on several servers, and the cert cache directory isn't shared, each app will attempt to get its own LetsEncrypt cert. Maybe this is a documentation issue mostly. Also, when deployed in a container, the place that the certs are stored needs to be configured separately in a volume somewhere. Likewise, if you have N webservers, and the directory is shared, then if they are all deployed simultaneously, they will still attempt to obtain N certificates simultaneously which is probably bad (I am not a letsencrypt expert so maybe this isn't even a problem).