Secure web framework

Hey there!

I'm a Rust noobie, looking for a web framework to write a secure RESTful server.
I read about rocket, actix-web, gotham and so on, but I couldn't find any documentation about the encryption methods and security these frameworks provide (secure connection like TLS, or any data encryption like AES).
Can anyone explain?

In addition, can anyone explain how I can add additional encryption to these frameworks? (i.e. TLS + AES via rustls)

Thanks! :grinning:

The encryption you're going to be using doesn't really depend on which web server library you're using. You have pretty much three options:

  1. Using your system OpenSSL.
  2. Using the Rust implementation in rustls.
  3. Letting a reverse proxy handle it (e.g. nginx).

The above choice determines what encryption options are available, and I'm pretty sure that all three options are available for all popular web frameworks.


My approach to this is to run Nginx at the front. Have it take care of all the HTTPS stuff.

Nginx is configured to "proxy pass" requests to back end servers over HTTP. Some of those back ends being Rust and Rocket.

Works a treat.
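
The setup described in the post above, sketched as an nginx configuration. This is an added example, not part of the original thread or the poster's own config. The hostname `example.com`, the certificate paths and the backend address `127.0.0.1:8000` are assumptions chosen for illustration.

```nginx
# Send plain-HTTP clients to HTTPS so no request is served unencrypted.
server {
    listen 80;
    server_name example.com;                  # placeholder hostname
    return 301 https://$host$request_uri;
}

# TLS terminates here; the Rust backend only ever sees plain HTTP.
server {
    listen 443 ssl;
    server_name example.com;                  # placeholder hostname

    # Placeholder paths: point these at the certificate chain and key
    # issued for your domain (for example by Certbot).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Refuse legacy protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Assumed backend address. The hop from nginx to the backend is
        # unencrypted, so the Rust server should listen on loopback (or a
        # private network) only, never on a public interface.
        proxy_pass http://127.0.0.1:8000;

        # Pass the original request details through, so the backend can
        # log the real client address and knows the request came in over
        # HTTPS.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The backend should trust the `X-Forwarded-*` headers only because nginx is the sole path to it; if the backend port is reachable directly, a client can set those headers itself.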

+1 to this strategy. I like to containerize and use a CertBot container to enable HTTPS when Nginx starts. Although I think it’s a good time to shop around for Nginx alternatives, its integration with existing tools is nice.

Any particular reason(s) why?

A diversity of ideas and implementations is a good thing. Maybe someone can improve on Nginx or Apache or already has. Developers need to be willing to learn and try new things or we’ll be stuck with monolithic software options. For someone who does not know either, I would suggest the industry standards. For those who are comfortable with the common tooling, I would encourage experimentation and even embracing a little risk in terms of stability.

I googled, and found this rather alarming event (not a reason to avoid Nginx):

"On 12 December 2019, it was reported that the Moscow offices of Nginx Inc. had been raided by police, and that Sysoev and Konovalov had been detained. The raid was conducted under a search warrant connected to a copyright claim over Nginx by Rambler—which asserts that it owns all rights to the code because it was written while Sysoev was an employee of the company. On 16 December 2019, Russian state lender Sberbank, which owns 46.5 percent of Rambler, called an extraordinary meeting of Rambler's board of directors asking Rambler's management team to request Russian law enforcement agencies cease pursuit of the criminal case, and begin talks with Nginx and with F5."

That case by Rambler has been dropped.

However, someone called Lynwood has recently made a claim on Nginx. New turn in a law suit against Nginx founders

However: Lynwood's claims do not apply to a freeware part of the software.

I'm not going to worry about it. This all sounds like SCO claims on the Linux kernel.
