On 2020-02-21 16:13, Amnon Baron Cohen wrote:
> Interesting.
>
> What vulnerabilities does OpenBSDs httpd protect against, which a properly
> hardened net/http does not?

Default connection limits suggest it isn't production ready by default and so is the main reason...so define properly hardened, but also.

https://marc.info/?l=openbsd-cvs&m=139879883203226&w=2
http://insanecoding.blogspot.com/2014/05/protecting-private-keys.html

> The problem with proxying through OpenBSD's server, nginx or any other server
> is that there is another
> moving part that you need to master, configure, monitor,

httpd.conf is very simple.

> and which may have its own vulnerabilities.

There will be some truth to this, however I guess it is swapping out memory safe go code for code running as multiple processes as different users, rather than strictly increasing attack surface. In fact the pledge/simplicity etc. on the fcgi interface may garner some protections. I haven't considered it much at all though really, due to first point.

So I guess against a properly hardened is debateable for exploit but the severity of exploit may be less likely, currently.