So, not being able to assign the port (443) makes sense to me (limitation of ACME), but there should still be a way to assign a listening address.
Background
Now, I know this was probably left out, because your average web developer doesn't usually have a need for specifying the listening address. Most common web dev applications are intended to be exposed on all addresses running on a web server.
However, it is important in "edge nodes" and for security-concerned developers to have a way to limit which network adapters/addresses a web service is listening on.
A common example would be networking equipment ("edge nodes") with web UIs. The most common web-dev concern in routers is that you don't want your router's mgmt web UI listening on all interfaces including the one with the WAN IP address.
Another less common example is for localhost web-based applications where you don't necessarily want to turn a client's computer into a publicly "broadcasting" webserver, you just need a local web server for IPC.
A security concern is that limiting the listening addresses is a common method for reducing the attack surface of a web application and that feature is missing in this library.
Solution
I believe this would be a simple fix, and modifying these lines of code to accept an array of listening addresses (as a parameter) would satisfy the above issues:
autotls/autotls.go, lines 22 to 33 in 621262a
autotls/autotls.go, lines 90 to 103 in 621262a
Other recommendations:
I recommend adding some logic to ensure the listening address is fixated to ports 80 and 443, so that it works with ACME.
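As an added example of what such a parameter could look like in Go (not autotls code; `ListenAddrs` and `Listen` are hypothetical names): turn a list of interface IPs into bind addresses, refuse any port other than 80 or 443, and bind all-or-nothing so a failed bind never leaves the management UI reachable on only some of the intended addresses.

```go
package main

import (
	"fmt"
	"net"
)

// ListenAddrs turns a list of interface IPs into "host:port" bind addresses,
// refusing any port other than 80 or 443 so the result still works with ACME.
// An empty list keeps the current listen-everywhere behaviour. Hypothetical helper, not autotls code.
func ListenAddrs(addrs []string, port int) ([]string, error) {
	if port != 80 && port != 443 {
		return nil, fmt.Errorf("port %d is not usable with ACME; use 80 or 443", port)
	}
	if len(addrs) == 0 {
		return []string{fmt.Sprintf(":%d", port)}, nil
	}
	out := make([]string, 0, len(addrs))
	for _, a := range addrs {
		ip := net.ParseIP(a)
		if ip == nil {
			return nil, fmt.Errorf("%q is not an IP address", a)
		}
		out = append(out, net.JoinHostPort(ip.String(), fmt.Sprint(port))) // brackets IPv6 literals
	}
	return out, nil
}

// Listen opens one listener per bind address; on any failure the listeners
// already opened are closed so no partial exposure is left behind.
func Listen(binds []string) ([]net.Listener, error) {
	var ls []net.Listener
	for _, b := range binds {
		l, err := net.Listen("tcp", b)
		if err != nil {
			for _, o := range ls {
				o.Close()
			}
			return nil, err
		}
		ls = append(ls, l)
	}
	return ls, nil
}

func main() {
	// Management UI on loopback only, never the WAN side; binding :443 needs privileges, so only print.
	binds, err := ListenAddrs([]string{"127.0.0.1", "::1"}, 443)
	fmt.Println(binds, err)
}
```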