Skip to main content

Echo SSL/TLS Configuration

Introduction

Securing your web applications with HTTPS is no longer optional in modern web development. Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), provides encrypted communication between your server and clients, ensuring data confidentiality and integrity. In this guide, we'll learn how to configure SSL/TLS in the Echo framework to enable HTTPS for your Go web applications.

HTTPS offers several important benefits:

  • Data encryption: Prevents eavesdropping on data transmitted between client and server
  • Data integrity: Ensures data isn't modified during transmission
  • Authentication: Verifies your server's identity to users
  • SEO advantages: HTTPS is a ranking factor for search engines
  • Browser compatibility: Modern browsers mark HTTP sites as "Not Secure"

Prerequisites

Before you begin, make sure you have:

  1. Go installed on your system
  2. Basic familiarity with the Echo framework
  3. SSL/TLS certificate and private key files (we'll cover how to generate test certificates)

Basic SSL/TLS Configuration

Setting Up a Simple HTTPS Server

Echo makes it straightforward to configure HTTPS. The Echo.StartTLS() method allows you to start an HTTPS server by providing certificate and key files:

go
package main

import (
    "net/http"
    
    "github.com/labstack/echo/v4"
)

func main() {
    e := echo.New()
    
    // Define routes
    e.GET("/", func(c echo.Context) error {
        return c.String(http.StatusOK, "Hello, HTTPS World!")
    })
    
    // Start TLS server
    e.Logger.Fatal(e.StartTLS(":8443", "cert.pem", "key.pem"))
}

In this example:

  • :8443 is the port for HTTPS (common alternatives are 443, the default HTTPS port)
  • cert.pem is the path to your TLS certificate file
  • key.pem is the path to your private key file

Generating Self-Signed Certificates for Testing

For development and testing, you can generate self-signed certificates using the openssl command-line tool:

bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

This command will:

  1. Generate a 4096-bit RSA key pair
  2. Create a self-signed certificate valid for 365 days
  3. Output the certificate to cert.pem and the private key to key.pem
  4. The -nodes flag means "no DES", so the private key won't be password-protected

Follow the prompts to complete the certificate generation process. When done, you'll have the certificate files needed for the previous code example.

Note: Self-signed certificates are suitable for development but will trigger browser warnings in production. For production environments, obtain certificates from trusted Certificate Authorities like Let's Encrypt, DigiCert, or Comodo.

Advanced TLS Configuration

Customizing TLS Settings

For more control over your TLS configuration, Echo allows you to use Go's standard http.Server with custom TLS settings:

go
package main

import (
    "crypto/tls"
    "net/http"
    "time"
    
    "github.com/labstack/echo/v4"
)

func main() {
    e := echo.New()
    
    // Define routes
    e.GET("/", func(c echo.Context) error {
        return c.String(http.StatusOK, "Secure Echo Server")
    })
    
    // Create custom server with TLS config
    s := &http.Server{
        Addr:         ":8443",
        ReadTimeout:  5 * time.Minute,
        WriteTimeout: 5 * time.Minute,
        TLSConfig: &tls.Config{
            MinVersion:               tls.VersionTLS12,
            PreferServerCipherSuites: true,
            CipherSuites: []uint16{
                tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
            },
        },
    }
    
    // Start server with custom config
    e.Logger.Fatal(e.StartServer(s))
}

This example shows how to:

  1. Set minimum TLS version to 1.2 (more secure than older versions)
  2. Choose specific cipher suites in preferred order
  3. Configure server timeouts

Important: Starting with Go 1.16, TLS 1.0 and 1.1 are disabled by default because they're considered insecure.

Automatically Redirecting HTTP to HTTPS

In production environments, you'll want to redirect all HTTP traffic to HTTPS. Here's how to implement that with Echo:

go
package main

import (
    "net/http"
    
    "github.com/labstack/echo/v4"
    "github.com/labstack/echo/v4/middleware"
    "golang.org/x/crypto/acme/autocert"
)

func main() {
    e := echo.New()
    
    // Middleware
    e.Use(middleware.Recover())
    e.Use(middleware.Logger())
    
    // Routes
    e.GET("/", func(c echo.Context) error {
        return c.String(http.StatusOK, "Secure Echo Server with HTTP->HTTPS Redirect")
    })
    
    // Create an HTTP server for redirection
    go func() {
        httpServer := echo.New()
        httpServer.Pre(middleware.HTTPSRedirect())
        httpServer.Logger.Fatal(httpServer.Start(":80"))
    }()
    
    // Start TLS server
    e.Logger.Fatal(e.StartTLS(":443", "cert.pem", "key.pem"))
}

This example:

  1. Creates two Echo instances: one for HTTPS (main server) and one for HTTP (redirect server)
  2. Uses Echo's built-in HTTPSRedirect middleware on the HTTP server
  3. Runs the HTTP redirect server in a goroutine on port 80
  4. Runs the main HTTPS server on port 443 (standard HTTPS port)

Using Automatic Certificate Management with Let's Encrypt

For production applications, Let's Encrypt provides free TLS certificates that are automatically renewed. Echo can be configured to use Let's Encrypt through the autocert package:

go
package main

import (
    "golang.org/x/crypto/acme/autocert"
    "github.com/labstack/echo/v4"
    "github.com/labstack/echo/v4/middleware"
)

func main() {
    e := echo.New()
    
    // Middleware
    e.Use(middleware.Recover())
    e.Use(middleware.Logger())
    
    // Routes
    e.GET("/", func(c echo.Context) error {
        return c.String(200, "Secure server with auto-certificates!")
    })
    
    // Setup autocert manager
    autoTLSManager := autocert.Manager{
        Prompt:     autocert.AcceptTOS,
        HostPolicy: autocert.HostWhitelist("example.com", "www.example.com"), // Replace with your domain
        Cache:      autocert.DirCache("/var/www/.cache"),
    }
    
    // Enable HTTP/2 support
    s := e.TLSServer
    s.TLSConfig = autoTLSManager.TLSConfig()
    s.TLSConfig.GetCertificate = autoTLSManager.GetCertificate
    
    // Handle HTTP-01 challenge
    go func() {
        h := autoTLSManager.HTTPHandler(nil)
        if err := http.ListenAndServe(":80", h); err != nil {
            e.Logger.Fatal(err)
        }
    }()
    
    // Start TLS server with autocert
    e.Logger.Fatal(e.StartTLS(":443", "", ""))
}

In this example:

  1. We create an autocert.Manager to handle certificate issuance and renewal
  2. We specify which domains are allowed to obtain certificates
  3. We configure a cache directory for storing certificates
  4. We set up an HTTP server to handle ACME HTTP-01 challenges
  5. We start the HTTPS server without specifying certificate files (autocert handles this)

Note: For Let's Encrypt to work, your server must be accessible from the internet on ports 80 and 443. Also, ensure the cache directory is writable.

Best Practices for TLS Configuration

When configuring SSL/TLS for production use, follow these best practices:

  1. Use TLS 1.2 or higher: Older versions have known vulnerabilities
  2. Configure strong cipher suites: Prioritize ECDHE with AES-GCM
  3. Enable HTTP Strict Transport Security (HSTS) to prevent downgrade attacks:
go
e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
    HSTSMaxAge:            31536000, // 1 year
    HSTSIncludeSubdomains: true,
    HSTSPreloadEnabled:    true,
}))
  1. Implement Content Security Policy to protect against XSS attacks
  2. Regularly rotate and update certificates before they expire
  3. Use certificate pinning for highly sensitive applications
  4. Monitor SSL/TLS configuration using tools like SSL Labs

Testing Your SSL/TLS Configuration

After setting up HTTPS, it's essential to verify your configuration. Here's how to test it:

  1. Visit your site in a browser and check for the lock icon

  2. Run an SSL/TLS server test using online tools like:

  3. Use OpenSSL to examine your certificate from the command line:

bash
openssl s_client -connect example.com:443 -servername example.com

Troubleshooting Common SSL/TLS Issues

If you encounter problems with your SSL/TLS configuration, check these common issues:

  1. Certificate path issues: Verify that the paths to your certificate and key files are correct
  2. File permissions: Ensure private key files have restricted permissions (600)
  3. Certificate chain problems: Make sure the full certificate chain is included
  4. Certificate mismatch: Confirm the certificate matches the domain name
  5. Expired certificates: Check certificate validity dates

Summary

Configuring SSL/TLS in Echo is essential for securing your web applications. In this guide, we've learned how to:

  • Set up a basic HTTPS server with Echo
  • Generate self-signed certificates for testing
  • Configure advanced TLS options
  • Implement HTTP to HTTPS redirection
  • Use Let's Encrypt for automatic certificate management
  • Follow best practices for secure TLS configuration

By implementing these patterns, you'll ensure that your Echo applications communicate securely with clients, protecting sensitive information and building trust with users.

Additional Resources

Exercises

  1. Set up an Echo server with a self-signed certificate
  2. Configure HTTP to HTTPS redirection
  3. Implement HSTS headers in your Echo application
  4. Use Let's Encrypt to obtain a certificate for a domain you own
  5. Test your configuration using SSL Labs and improve it to achieve an A+ rating

Happy secure coding!


If you spot any mistakes on this website, please let me know at [email protected]. I’d greatly appreciate your feedback! :)