Open dlsniper opened 7 years ago
Normally we are only listening on localhost so it should be ok, but sure, it could be useful.
@dlsniper With an example use case of Gogland making use of this, what's the workflow you're thinking of?
I'm familiar with using SSL/TLS certs to auth against a server. The code itself isn't very complex... the tricky bit (for certs) is in making the workflow for generating the certs, adding them to config files, etc.
Using tokens might be easier... it'd still need a user friendly workflow though. Now trying to think what that might be... :smile:
@justinclift it doesn't have to be mutual-TLS, just "normal" TLS should be ok. The point of TLS is to encrypt the data sent over, not protect the endpoint itself.
The scenario I have in mind is where someone uses the ability to "remote debug" but instead of debugging a local application / container, tries to debug it over the internet from their datacenter / cloud provider.
As for the workflow itself:
On the server:

```
dlv --api-version=2 --listen=:43210 --backend=default --tls --token=someT0k3n exec ./buggyApp
```

On the client:

```
dlv --api-version=2 --backend=default --tls --token=someT0k3n connect 127.0.0.1:43210
```
I think this would have a minimal disruption for the user workflow and at the same time allow integrations to provide a simple UI to use these features.
Yeah, that sounds like a decent workflow. For the TLS component itself, dlv would probably need an additional argument `--tls-cert=foo.crt` so it has something to use.
That'd be up to the user to provide. (?)
From a Gogland point of view, maybe auto generated by Gogland (or maybe upon some button press), with a message to the user along the lines of:

```
For secure remote debugging, please upload ~/path/to/gogland/generated/foo.crt to the
remote server, then add `--tls-cert=foo.crt` to the dlv command line:

dlv --api-version=2 --listen=:43210 --backend=default --tls --tls-cert=foo.crt --token=someT0k3n exec ./buggyApp
```
This is actually a suggestion / feature request.
I've just realized that it would be preferable to support TLS and token authentication for the debugger when running in the remote configuration in order to protect against possible issues.
What do you think?
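
The two layers discussed in this thread, TLS to encrypt the connection and a shared token to authenticate the client, shown as an added example that is not Delve's code or part of the original issue. It assumes an HTTP bearer header in place of the debugger's own wire protocol and a throwaway certificate from `httptest`; `tokenOK`, `requireToken` and `attempt` are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// tokenOK hashes both sides so the constant-time compare never sees unequal lengths.
func tokenOK(got, want string) bool {
	g, w := sha256.Sum256([]byte(got)), sha256.Sum256([]byte(want))
	return subtle.ConstantTimeCompare(g[:], w[:]) == 1
}

// requireToken rejects any request whose bearer token does not match.
func requireToken(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !tokenOK(r.Header.Get("Authorization"), "Bearer "+token) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// attempt starts a TLS server with a throwaway test certificate and makes one request.
// trustCert=false uses a client that has not been given the server certificate.
func attempt(serverTok, clientTok string, trustCert bool) (int, error) {
	srv := httptest.NewTLSServer(requireToken(serverTok, http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "debug session") })))
	defer srv.Close()
	client := srv.Client() // trusts srv's certificate only
	if !trustCert {
		client = &http.Client{}
	}
	req, _ := http.NewRequest("GET", srv.URL, nil)
	req.Header.Set("Authorization", "Bearer "+clientTok)
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	fmt.Println(attempt("someT0k3n", "someT0k3n", true))
}
```

A wrong token gets a 401 over an otherwise valid TLS session, while a client that was never given the certificate fails during the handshake, before any token is sent.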