Great post on some not so great defaults in the Go server, which are easy to change. It is definitely worth upgrading to Go 1.8 sooner rather than later for a few improvements to timeouts (ReadHeaderTimeout) and TLS, along with all the other nice things in it (shame about plugins being broken though). Also useful to know that ReadTimeout is broken in 1.7 - this should perhaps be highlighted in a clearer way in the article next to the proposed config, as it makes the recommendations only safe for 1.8.
It'd be nice if there were a simpler way to set the recommended defaults for server config in Golang. I can't see why they couldn't do this with a new function in http which returned a server with a default config which was more battle-hardened as recommended in this library.
It also briefly covers using autocert, which is a great library to interface with Let's Encrypt which I'm planning on rolling out on this site soon (currently proxying behind Caddy). Users of Caddy server of course have already been serving with the Go stdlib server for some time without incident, but it sounds like the time has come to eschew proxies even for larger sites.
Also on HN, warning 🗑🔥
https://news.ycombinator.com/item?id=13213902
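Added example, not part of the original post or the linked article: a sketch of the kind of constructor the post wishes for, plus a loopback check that a client which never finishes its headers gets disconnected. `NewHardenedServer` and `StalledClientDropped` are hypothetical names, and the durations are assumptions chosen for the demo, not recommended values from the page.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"time"
)

// NewHardenedServer is a hypothetical helper, not a net/http function.
// Every duration is supplied by the caller; none is taken from the page.
func NewHardenedServer(h http.Handler, header, read, write, idle time.Duration) *http.Server {
	return &http.Server{
		Handler:           h,
		ReadHeaderTimeout: header, // Go 1.8+: time allowed to receive the request headers
		ReadTimeout:       read,   // time allowed for headers plus body
		WriteTimeout:      write,  // time allowed to write the response
		IdleTimeout:       idle,   // Go 1.8+: lifetime of an idle keep-alive connection
	}
}

// StalledClientDropped serves srv on a loopback port, sends an unfinished header
// block, goes silent, and reports whether the server closed the connection in time.
func StalledClientDropped(srv *http.Server, wait time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	go srv.Serve(ln)
	defer srv.Close()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	fmt.Fprint(conn, "GET / HTTP/1.1\r\nHost: example.test\r\n") // constructed input, no final blank line
	conn.SetReadDeadline(time.Now().Add(wait))
	_, err = io.Copy(io.Discard, conn) // returns nil at EOF, i.e. once the server closes
	if ne, ok := err.(net.Error); ok && ne.Timeout() {
		return false, nil // still open after wait: no server-side timeout applied
	}
	return true, nil
}

func main() {
	hard := NewHardenedServer(http.NotFoundHandler(), 200*time.Millisecond, time.Second, time.Second, time.Second)
	fmt.Println(StalledClientDropped(hard, 2*time.Second))                  // true <nil>
	fmt.Println(StalledClientDropped(&http.Server{}, 500*time.Millisecond)) // false <nil>
}
```

The second call uses a zero-value `http.Server`, which sets no timeouts, so the stalled connection is still open when the client gives up waiting.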
This is a really good article from someone who knows a lot about this stuff (works at Cloudflare). I didn't know about the timeouts.
I do wish they could change some of the defaults in the stdlib.
Yep, Cloudflare are big Go users, so if they're happy exposing Go servers, I can't see why anyone else would be worried about it.