Secure

Provides utilities to improve application security.

Secure TCP Server

The Secure TCP Server has builtin abilities to

  • graceful shutdown
  • defend against DDoS attacks by limiting max number of concurrent connections
  • close idle connections
  • defend against slow attacks
  • get peer identity
  • generate connection id
  • etc.
import (
    "github.com/burningxflame/gx/secure/tcp"
    "github.com/burningxflame/gx/sync/sem"
)

// Create a Secure TCP Server
srv := &tcp.Server{
    // The address to listen
    Addr: "host:port",
    // Connection handler is where you communicate with a client, i.e. receive/send data from/to a client.
    // Connection handler should return ASAP when ctx.Done channel is closed, which usually means an exit signal is sent.
    ConnHandler: func(ctx context.Context, conn net.Conn) error { ... },
    // If graceful shutdown takes longer than ShutdownTimeout, exit instantly.
    // Default to no timeout.
    ShutdownTimeout: time.Second*3,
    // Used to limit max number of concurrent connections
    // Default to no limit.
    ConnLimiter: sem.New(n),
    // If no data is sent from a connection in the specified duration, close the connection.
    // Default to no timeout.
    IdleTimeout: time.Minute,
    // Used for TLS handshake. If not provided, no TLS handshake.
    TlsConfig *tls.Config
    // If TLS handshake does not finish in the specified duration, close the connection.
    // Default to no timeout.
    TlsHandshakeTimeout: time.Second*5
    // If true, the Context argument of ConnHandler contains the identity of the TLS peer.
    // Call GetTlsPeer(ctx) to get peer identity.
    // And of course the peer should send a certificate, i.e. TlsConfig.ClientAuth should be RequireAnyClientCert or RequireAndVerifyClientCert.
    // Peer identity is a set of Common Name and SAN DNS Names of certificate holder, i.e. cert.Subject.CommonName and cert.DNSNames.
    CtxTlsPeer: false
    // If true, the Context argument of ConnHandler contains the connection id.
    // Call GetConnId(ctx) to get connection id.
    CtxConnId: false
    // Used to tag log messages
    Tag: "someTag",
    // A TagLogger used to log messages
    Log: ...,
}

// Start the Server
err := s.Serve(ctx)

Connection Handler is where you communicate with a client, i.e. receive/send data from/to a client. Connection handler should return ASAP when ctx.Done channel is closed, which usually means an exit signal is sent.

func handleConn(ctx context.Context, conn net.Conn) error {
    ...

    // Return the identity of the TLS peer. See Server.CtxTlsPeer
    peer, ok := tcp.GetTlsPeer(ctx)
    ...

    // Return the connection id. See Server.CtxConnId
    connId, ok := tcp.GetConnId(ctx)
    ...
}

Secure HTTP Server

The Secure HTTP Server has builtin abilities to

  • graceful shutdown
  • defend against DDoS attacks by limiting max number of concurrent requests
  • etc.
import (
    "net/http"

    sh "github.com/burningxflame/gx/secure/http"
    "github.com/burningxflame/gx/sync/sem"
)

// Create a Secure HTTP Server
srv := &sh.Server{
    // http.Server in std lib
    Std: http.Server{
          Addr:      ...,
          Handler:   ...,
          TLSConfig: ...,
      ...
    },
    // Used to limit max number of concurrent requests.
    // Default to no limit.
    Limiter: sem.New(n),
    // If graceful shutdown takes longer than ShutdownTimeout, exit instantly.
    ShutdownTimeout: time.Second*3,
    // Used to tag log messages
    Tag: "someTag",
    // A TagLogger used to log messages
    Log: ...,
}

// Start the Server
err := s.Serve(ctx)

Idle Timeout

Deprecated. Use Net / Idle Timeout → instead.

import "github.com/burningxflame/gx/secure/conns"

// If no data has been sent from conn by the time the timeout period elapses, conn.Read will return ErrIdleTimeout.
// Zero timeout means no timeout.
conn, err := conns.WithIdleTimeout(conn, timeout)