aah Server

The aah server is built on the http.Server provided by Go. It supports HTTP, HTTPS, UNIX sockets, Let’s Encrypt certificates and custom TLS configuration. The server is configured through the server { ... } section in aah.conf.

Learn Server Config, Server Extension, Access Log, Dump Request and Response.

HTTP

aah starts the HTTP server based on the address and port configured.

HTTPS

aah starts the HTTPS server when server.ssl.enable is set to true, using the given SSL cert and key. In HTTPS mode, aah sets the Strict-Transport-Security header to max-age=31536000; includeSubDomains. Know more about STS.

Let’s Encrypt Auto Cert

aah supports automatic Let’s Encrypt certs. To enable this functionality, set config server.ssl.lets_encrypt.enable to true. For more options, have a look at the configuration.

Note: Let's Encrypt CA does not provide certificates for localhost.

UNIX Socket

To start the aah server on a UNIX socket, set server.address to the socket file.

Example:

address = "unix:/tmp/myapp.sock"

TLS Config

In HTTPS mode, the TLS configuration of the aah server can be customized via aah.SetTLSConfig().


func init() {
  aah.SetTLSConfig(&tls.Config{ /* TLS settings go here */ })
}

How to?

The TLS config can be added in either of the following two ways:

  • aah.OnInit event - This way is better since aah.AppConfig() values are readily accessible.
  • func init()

// On file <app-base-dir>/app/init.go
// Requires import "crypto/tls" in addition to the aah package.
func init() {
  // Using `aah.OnInit` event
  aah.OnInit(func(e *aah.Event) {
    // `aah.AppConfig()` values are readily accessible

    aah.SetTLSConfig(&tls.Config{
      // configure TLS
    })
  })
}

// Without using `aah.OnInit` event
func init() {
  aah.SetTLSConfig(&tls.Config{
    // configure TLS
  })
}

Example: Hardening SSL Ciphers

// On file <app-base-dir>/app/init.go
func init() {
  aah.OnInit(func(e *aah.Event) {
    // `aah.AppConfig()` values are readily accessible

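    // Customizing a TLS config
    tlsCfg := &tls.Config{
      MinVersion:               tls.VersionTLS12,
      CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
      // Ignored since Go 1.17: crypto/tls chooses the suite order itself.
      PreferServerCipherSuites: true,
      // Applies to TLS 1.2 only here; TLS 1.3 suites are not configurable in crypto/tls.
      CipherSuites: []uint16{
        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
        tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, // CBC mode, not AEAD
        tls.TLS_RSA_WITH_AES_256_GCM_SHA384,    // RSA key exchange, no forward secrecy
        tls.TLS_RSA_WITH_AES_256_CBC_SHA,       // RSA key exchange and CBC mode
      },
    }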

    aah.SetTLSConfig(tlsCfg)
  })
}
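
The following is an added example, not part of the aah documentation or code base: a standalone check that classifies a CipherSuites list by forward secrecy and AEAD, run against the list from the hardening example above. The names Finding, Audit, Harden and pageSuites are hypothetical and exist only in this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Finding describes one suite from tls.Config.CipherSuites (TLS 1.2 and below).
type Finding struct {
	Name                 string
	ForwardSecrecy, AEAD bool // ECDHE key exchange; GCM or ChaCha20-Poly1305
}

// Audit classifies suite IDs by the IANA names crypto/tls reports for them.
func Audit(ids []uint16) (out []Finding) {
	for _, id := range ids {
		n := tls.CipherSuiteName(id)
		aead := strings.Contains(n, "_GCM_") || strings.Contains(n, "CHACHA20_POLY1305")
		out = append(out, Finding{Name: n, ForwardSecrecy: strings.HasPrefix(n, "TLS_ECDHE_"), AEAD: aead})
	}
	return out
}

// Harden keeps only suites with both forward secrecy and an AEAD cipher.
func Harden(ids []uint16) (keep []uint16) {
	for i, f := range Audit(ids) {
		if f.ForwardSecrecy && f.AEAD {
			keep = append(keep, ids[i])
		}
	}
	return keep
}

// pageSuites copies the CipherSuites list from the hardening example above.
var pageSuites = []uint16{
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_RSA_WITH_AES_256_CBC_SHA,
}

func main() {
	for _, f := range Audit(pageSuites) {
		fmt.Printf("%-40s fs=%-5t aead=%t\n", f.Name, f.ForwardSecrecy, f.AEAD)
	}
}
```

The slice returned by Harden(pageSuites) can be assigned to CipherSuites before calling aah.SetTLSConfig() if clients that need the CBC or RSA key exchange suites do not have to be supported.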