
If you're just using it locally, you can use a self-signed cert. Caddy generates one automatically by just adding "self_signed" to your config[1]. Or you can copy-paste a single OpenSSL or PowerShell command to generate one.

[1]: https://caddyserver.com/blog/caddy-0_9-released#easy-self-si...



I tried out Caddy on a project the other day, it was incredibly simple to set up HTTP2 with Let's Encrypt.


But this implies you can then deploy your Caddy server. Which means a private server with root rights. Do you realize most devs don't even know server admin? If you know the command line, you are not most devs. You are far, far away from the reality of enterprise software.

Tomcat and Apache are still massively deployed. If you moved to nginx years ago, remember that it's still a new toy for a huge number of people. So Caddy...


Caddy doesn't require root. You can easily use systemd/upstart/custom scripts to run as an unprivileged user.


Apache is easy to configure with TLS or Let's Encrypt.

The only unfortunate thing is that RHEL7/CentOS7 have OpenSSL 1.0.1 and mod_http2 requires OpenSSL 1.0.2. Thus no http2 there.


You don't need Caddy, you just need a self-signed cert, which is pretty easy to generate.


This is the closest thing to reasonable that anybody has suggested. I seem to be getting brigaded by the encryption cargo cult, and while I agree that nothing public-facing should not have encryption, it's a different thing to force all developing students to learn TLS/SSL before they start actually learning to code.

I expressed dissatisfaction with the fact that learning to code for the web has a barrier to entry now that can be very difficult for various reasons. Learning to debug TLS issues is another problem in and of itself which often takes a lot of years to fully understand.

A new programmer should be very aware of the tools that are available to make this easier. But 14-year-old me with a PHP book and no internet did not have such luxuries and that was all I said.


The difference between 14-year-old you and now is that crappy PHP app you made then might have made it years before it was hacked. These days it could last just minutes.

The problem here is you are thinking about just yourself. Yes, it's hard to learn all these things. It was especially hard back then because the sources to learn were pretty crappy and taught a lot of bad things. That's part of the reason we have the 'exploit a day' internet we suffer from now.

If new web developers have to learn both protocol security and code development, it will probably mean fewer developers. Which is great for the ones that take the time to learn, they'll get paid more. It also is probably better for the customer; hopefully it will mean they are less likely to get served virus_porn_encrypt-your-computer.exe from your half-baked website.


People downvoting you completely forgot how it was when they started. They don't see the huge gap between us now, experts, and the beginners arriving on the market. In the quest of making our field more professional, we failed to make it gradual improvements.



