The latest articles on Forem by Felix (@fwman). https://forem.com/fwman https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F865421%2F0cda0383-83e0-420b-8f7f-16cf00c5334e.png https://forem.com/fwman en Felix Fri, 27 May 2022 20:44:29 +0000 https://forem.com/fwman/secure-your-go-rest-api-in-docker-using-letsencrypt-47d1 https://forem.com/fwman/secure-your-go-rest-api-in-docker-using-letsencrypt-47d1 <p>I recently had to figure this out and could not find a good resource, I hope this is the first one then.<br> <br><br> <br></p> <h2> How to set up HTTPS for a Go (Gin) REST API using Docker and Letsencrypt </h2> <h3> What is used (what you need to install): </h3> <ol> <li><a href="https://go.dev/">Go</a></li> <li><a href="https://gin-gonic.com/">Gin</a></li> <li><a href="https://www.docker.com/">Docker</a></li> </ol> <h3> Source code for the demo Go REST API: </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"net/http"</span> <span class="s">"github.com/gin-gonic/gin"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">setupRouter</span><span class="p">()</span> <span class="o">*</span><span class="n">gin</span><span class="o">.</span><span class="n">Engine</span> <span class="p">{</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">gin</span><span class="o">.</span><span class="n">Default</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">GET</span><span class="p">(</span><span class="s">"/ping"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">gin</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">,</span> <span class="s">"pong"</span><span class="p">)</span> <span class="p">})</span> <span class="k">return</span> <span class="n">r</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">setupRouter</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="s">":80"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> How to encrypt it using letsencrypt </h2> <ol> <li>Add <code>"github.com/gin-gonic/autotls"</code> to your imports.</li> <li>Open a goroutine for the run on port 80 to prevent blocking the thread while still enabling access via http: Change: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">r</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="s">":80"</span><span class="p">)</span> </code></pre> </div> <p>To:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">go</span> <span class="n">r</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="s">":80"</span><span class="p">)</span> </code></pre> </div> <ol> <li>Add the option to access the service via ssl: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">m</span> <span class="o">:=</span> <span class="n">autocert</span><span class="o">.</span><span class="n">Manager</span><span class="p">{</span> <span class="n">Prompt</span><span class="o">:</span> <span class="n">autocert</span><span class="o">.</span><span class="n">AcceptTOS</span><span class="p">,</span> <span class="n">HostPolicy</span><span class="o">:</span> <span class="n">autocert</span><span class="o">.</span><span class="n">HostWhitelist</span><span class="p">(</span><span class="s">"domain.com"</span><span class="p">),</span> <span class="n">Cache</span><span class="o">:</span> <span class="n">autocert</span><span class="o">.</span><span class="n">DirCache</span><span class="p">(</span><span class="s">"/var/www/.cache"</span><span class="p">),</span> <span class="p">}</span> <span class="n">autotls</span><span class="o">.</span><span class="n">RunWithManager</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">m</span><span class="p">)</span> </code></pre> </div> <p>You have to enter your domain instead of "domain.com"</p> <h2> Dockerize it </h2> <h3> Dockerfile: </h3> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">FROM</span><span class="s"> golang:latest</span> <span class="k">WORKDIR</span><span class="s"> /</span> <span class="k">COPY</span><span class="s"> . .</span> <span class="k">EXPOSE</span><span class="s"> 80</span> <span class="k">EXPOSE</span><span class="s"> 443</span> <span class="k">ENV</span><span class="s"> GIN_MODE=release</span> <span class="k">VOLUME</span><span class="s"> ["/var/www/.cache"]</span> <span class="k">CMD</span><span class="s"> [ "go","run", "main.go" ]</span> </code></pre> </div> <h3> You should also add a volume to docker-compose because you will be rate limited by letsencrypt if you request to many certificates </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>go-backend: build: context: ./go-backend dockerfile: Dockerfile ports: - 80:80 - 443:443 container_name: go-backend volumes: - certcache:/var/www/.cache </code></pre> </div> <p>Here the gin project is located in <code>./go-backend</code> which might be different for your project. The important part is that the volume is created at <code>/var/www/.cache</code> to prevent to many requests to letsencrypt.</p> <h2> Final notes: </h2> <p>If you want to encrypt your api and make it accessible using https, it might be a good idea to prevent using http. This would be especially important if you send passwords or other sensitive data to or from the server via your api. In this case you should remove this from your go code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">go</span> <span class="n">r</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="s">":80"</span><span class="p">)</span> </code></pre> </div> <p>You also should close (not open) port 80 in your Dockerfile and in docker-compose because they are not needed.</p> <h3> Full go code: </h3> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">package</span> <span class="n">main</span> <span class="k">import</span> <span class="p">(</span> <span class="s">"github.com/gin-gonic/autotls"</span> <span class="s">"github.com/gin-gonic/gin"</span> <span class="s">"golang.org/x/crypto/acme/autocert"</span> <span class="s">"net/http"</span> <span class="p">)</span> <span class="k">func</span> <span class="n">setupRouter</span><span class="p">()</span> <span class="o">*</span><span class="n">gin</span><span class="o">.</span><span class="n">Engine</span> <span class="p">{</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">gin</span><span class="o">.</span><span class="n">Default</span><span class="p">()</span> <span class="n">r</span><span class="o">.</span><span class="n">GET</span><span class="p">(</span><span class="s">"/ping"</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">c</span> <span class="o">*</span><span class="n">gin</span><span class="o">.</span><span class="n">Context</span><span class="p">)</span> <span class="p">{</span> <span class="n">c</span><span class="o">.</span><span class="n">JSON</span><span class="p">(</span><span class="n">http</span><span class="o">.</span><span class="n">StatusOK</span><span class="p">,</span> <span class="s">"pong"</span><span class="p">)</span> <span class="p">})</span> <span class="k">return</span> <span class="n">r</span> <span class="p">}</span> <span class="k">func</span> <span class="n">main</span><span class="p">()</span> <span class="p">{</span> <span class="n">r</span> <span class="o">:=</span> <span class="n">setupRouter</span><span class="p">()</span> <span class="k">go</span> <span class="n">r</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="s">":80"</span><span class="p">)</span> <span class="n">m</span> <span class="o">:=</span> <span class="n">autocert</span><span class="o">.</span><span class="n">Manager</span><span class="p">{</span> <span class="n">Prompt</span><span class="o">:</span> <span class="n">autocert</span><span class="o">.</span><span class="n">AcceptTOS</span><span class="p">,</span> <span class="n">HostPolicy</span><span class="o">:</span> <span class="n">autocert</span><span class="o">.</span><span class="n">HostWhitelist</span><span class="p">(</span><span class="s">"domain.com"</span><span class="p">),</span> <span class="n">Cache</span><span class="o">:</span> <span class="n">autocert</span><span class="o">.</span><span class="n">DirCache</span><span class="p">(</span><span class="s">"/var/www/.cache"</span><span class="p">),</span> <span class="p">}</span> <span class="n">autotls</span><span class="o">.</span><span class="n">RunWithManager</span><span class="p">(</span><span class="n">r</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">m</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> go docker letsencrypt