jamescun / wg-api

WG-API is a JSON-RPC Server for WireGuard
MIT License

Authentication: UNIX Sockets #3

Open jamescun opened 4 years ago

jamescun commented 4 years ago

Configuring a reverse proxy to apply authentication, or issuing client certificates, is laborious. It hampers the initial setup flow in environments that already have other means of authentication.

It should be possible to configure the server to listen on a UNIX socket rather than a network interface.

This is widely supported by the Go standard library, and has the added advantage of using the system's existing file permissioning system.

This would likely be configured by passing a filename to --listen instead of a host:port combination.

A decision must be made as to what permissions are initially assigned to the socket. My working idea is that this would be the same user/group as the process and 0660 to allow only the process user/group access to the socket. There must be a command line flag to configure this, otherwise any change to permissions will not be persisted across restarts.
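
A sketch of the listener described in this issue, added here as an example and not taken from the wg-api code base. The function name `listen`, the rule that an address containing a slash is a socket path, and the `/tmp` path in `main` are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strings"
	"syscall"
)

// listen opens a UNIX socket when addr looks like a path, otherwise TCP.
// The "contains a slash" rule is an assumption for this example.
func listen(addr string, mode os.FileMode) (net.Listener, error) {
	if !strings.Contains(addr, "/") {
		return net.Listen("tcp", addr)
	}
	// Remove a stale socket left by a previous run, but never another file type.
	if fi, err := os.Lstat(addr); err == nil {
		if fi.Mode()&os.ModeSocket == 0 {
			return nil, fmt.Errorf("%s exists and is not a socket", addr)
		}
		os.Remove(addr) // a failure here surfaces as a bind error below
	}
	// bind(2) creates the file with 0777 &^ umask, so tighten the umask
	// first; otherwise the socket is briefly more open than intended.
	// Umask is process-wide: call this before starting other goroutines.
	old := syscall.Umask(0177)
	l, err := net.Listen("unix", addr)
	syscall.Umask(old)
	if err != nil {
		return nil, err
	}
	// Apply the configured mode on every start so it persists across restarts.
	if err := os.Chmod(addr, mode.Perm()); err != nil {
		l.Close()
		return nil, err
	}
	return l, nil
}

func main() {
	path := "/tmp/wg-api-example.sock" // constructed path for the example
	l, err := listen(path, 0660)
	if err != nil {
		panic(err)
	}
	defer l.Close()
	fi, _ := os.Stat(path)
	fmt.Printf("listening on %s with mode %o\n", path, fi.Mode().Perm())
}
```

The socket's owner and group come from the process that creates it, so 0660 restricts connections to that user and group; the parent directory's permissions also apply to anyone trying to reach the socket.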