
Set listening address

Open anonhostpi opened this issue 4 months ago • 0 comments

So, not being able to assign the port (443) makes sense to me (limitation of ACME), but there should still be a way to assign a listening address.

Background

Now, I know this was probably left out, because your average web developer doesn't usually have a need for specifying the listening address. Most common web dev applications are intended to be exposed on all addresses running on a web server.

However, it is important in "edge nodes" and for security-concerned developers to have a way to limit which network adapters/addresses a web service is listening on.

A common example would be networking equipment ("edge nodes") with web UIs. The most common web-dev concern in routers is that you don't want your router's mgmt web UI listening on all interfaces, including the one with the WAN IP address.

Another less common example is for localhost web-based applications, where you don't necessarily want to turn a client's computer into a publicly "broadcasting" webserver; you just need a local web server for IPC.

A security concern is that limiting the listening addresses is a common method for reducing the attack surface of a web application and that feature is missing in this library.

Solution

I believe this would be a simple fix, and modifying these lines of code to accept an array of listening addresses (as a parameter) would satisfy the above issues:

https://github.com/gin-gonic/autotls/blob/621262aa0ad2296adaf5113276c3d6579de7f27e/autotls.go#L22-L33
https://github.com/gin-gonic/autotls/blob/621262aa0ad2296adaf5113276c3d6579de7f27e/autotls.go#L90-L103

Other recommendations:

I recommend adding some logic to ensure the listening address is fixated to ports 80 and 443, so that it works with ACME.

anonhostpi Oct 20 '24 23:10
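A sketch of the change the issue asks for, added here as an example and not the library's own code: `bindAddrs` pins ports 80 and 443 onto each caller-supplied address and rejects entries that try to override them, and the hypothetical `runOn` binds a challenge listener and a TLS listener per address instead of one `:443` on all interfaces. `getCert` and `challenge` are assumed stand-ins for the autocert manager's `GetCertificate` callback and its HTTP challenge handler, so the block runs with the standard library only.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
)

// listenPair is one bound address with the two ports ACME challenges use.
type listenPair struct{ HTTP, HTTPS string }

// bindAddrs turns bare IP literals into host:80 / host:443 pairs. An empty
// list keeps today's behaviour (all interfaces). Entries carrying their own
// port are rejected, since HTTP-01 / TLS-ALPN-01 only arrive on 80 and 443.
func bindAddrs(hosts []string) ([]listenPair, error) {
	if len(hosts) == 0 {
		hosts = []string{""}
	}
	pairs := make([]listenPair, 0, len(hosts))
	for _, h := range hosts {
		if _, _, err := net.SplitHostPort(h); err == nil {
			return nil, fmt.Errorf("address %q must not carry a port: ACME needs 80 and 443", h)
		}
		if h != "" && net.ParseIP(h) == nil {
			return nil, fmt.Errorf("address %q is not an IP literal", h)
		}
		pairs = append(pairs, listenPair{net.JoinHostPort(h, "80"), net.JoinHostPort(h, "443")})
	}
	return pairs, nil
}

// runOn serves h over TLS on every host's :443 and the challenge/redirect
// handler on its :80. getCert and challenge are hypothetical stand-ins for
// autocert.Manager.GetCertificate and Manager.HTTPHandler (not library code).
func runOn(h http.Handler, hosts []string, getCert func(*tls.ClientHelloInfo) (*tls.Certificate, error), challenge http.Handler) error {
	pairs, err := bindAddrs(hosts)
	if err != nil {
		return err
	}
	errc := make(chan error, 2*len(pairs))
	for _, p := range pairs {
		httpSrv := &http.Server{Addr: p.HTTP, Handler: challenge}
		tlsSrv := &http.Server{Addr: p.HTTPS, Handler: h,
			TLSConfig: &tls.Config{GetCertificate: getCert, MinVersion: tls.VersionTLS12}}
		go func() { errc <- httpSrv.ListenAndServe() }()
		go func() { errc <- tlsSrv.ListenAndServeTLS("", "") }() // certs come from getCert
	}
	return <-errc // first listener failure (e.g. address in use) ends the run
}
```

Calling `runOn(r, []string{"192.0.2.1"}, m.GetCertificate, m.HTTPHandler(nil))` would bind only the LAN-side address of a router, leaving the WAN interface unbound; the ports stay 80/443 so ACME validation still reaches the service.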