Add support for TLS.
A small data point: At work, we've been pushing folks to use and out-of-process proxy (very similar to Envoy) that handles TLS termination. That system handles a _lot_ of complexity for people. It might be worth telling folks using Tide to heavily consider _not_ handling TLS themselves and instead outsource it to a system like Linkerd, Envoy, or their cloud provider's hosted load balencer.
The tls-api crate seems very intriguing: it's a TLS trait with multiple backends that can be swapped out. It seems like a pretty cool idea, but it's unclear if it's actively maintained.
Other options for TLS would include:
rust-native-tls - picks whichever TLS implementation is available on the target platform.rust-openssl - OpenSSL.rustls - TLS implementation in Rust.mundane - BoringSSL.Interestingly, while I agree that deployment usually works well through terminating/offloading proxies, TLS support during development is an incredibly nice thing to have, catching many errors on https deployments early.
It might be worth telling folks using Tide to heavily consider not handling TLS themselves and instead outsource it to a system like Linkerd, Envoy, or their cloud provider's hosted load balencer.
I don't really see why this direction has to be taken. While it is a common practise in edge services, I don't see why Tide has to be deployed with another proxy just for TLS in simplified infrastructures, where a side car pattern is not desired.
While I don't see Tide being deployed on the edge any time soon, I do think Tide without a sidecar pattern in infrastructures that desire secure internal communication is a highly valid use case and should be supported from the beginning.
@Darkspirit we should probably provide support for TLS out of the box though; but async-tls definitely seems like the right starting point!
Note from triage: we now have https://github.com/http-rs/tide-rustls! -- we want to build a native version of this as well, so that we can compare both and then move them into Tide proper.
__edit:__ this would become a lot simpler if we can merge async-native-tls and async-tls into the same crate.
After more conversation: the integration with tide will likely be a re-export of the tide-rustls; which means that that UX is about the same. We'll look to merge the crate with Tide proper at some point, but we have a solution now so closing this issue!
Most helpful comment
I don't really see why this direction has to be taken. While it is a common practise in edge services, I don't see why Tide has to be deployed with another proxy just for TLS in simplified infrastructures, where a side car pattern is not desired.
While I don't see Tide being deployed on the edge any time soon, I do think Tide without a sidecar pattern in infrastructures that desire secure internal communication is a highly valid use case and should be supported from the beginning.