Description
Cheroot's SSL support has had fatal but difficult to reproduce / fix bugs for many years-- for example, #245 was reported 6 years ago and is just now maybe getting fixed (or maybe not, we'll see). Not necessarily directly related to cheroot's code base, which is even more reason supporting the below proposal.
Without a doubt, built-in SSL is convenient and valuable for non-production purposes. Also without a doubt, a production-grade setup that is better-- in terms of security, performance, management and in many cases, development ease-- and also more in line with industry best practices, is to instead use TLS termination for any inter-node traffic (via e.g. nginx or-- god forbid but let's face it very, very popular in corporate environments-- IIS and/or its Azure equivalent).
Would you please consider updating / adding documentation to that effect-- something like the below? I am certain it would benefit everyone:
- Explicitly label cheroot's internal SSL support as "for development, not production, purposes"
- Recommend a TLS termination solution for production purposes
- Provide a few basic examples and related resources for the above (e.g. a diagram of how it works, a list of proxies that could be used (nginx, IIS etc), and ideally some sample configs (e.g. nginx.conf block))
(PS wasn't sure how to label this from the given list of choices but since it stems from bugs, that's how I labelled it)
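
A sketch of the kind of nginx TLS-termination block the issue asks for, added here as an illustration; it is not from the cheroot documentation or from the issue author. The hostname, certificate paths and the loopback port 8080 are assumed placeholders, and the blocks belong inside nginx's `http` context.

```nginx
# Added example: TLS terminates at nginx; cheroot serves plain HTTP on loopback only.
# Assumed placeholders: app.example.test, the certificate paths, upstream port 8080.

upstream cheroot_backend {
    server 127.0.0.1:8080;   # cheroot bound to loopback, not reachable from other hosts
    keepalive 16;            # reuse upstream connections instead of reconnecting per request
}

# Plain-HTTP listener only redirects; no application traffic is served in the clear.
server {
    listen 80;
    server_name app.example.test;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.test;

    ssl_certificate     /etc/nginx/tls/app.example.test.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/app.example.test.key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;   # older protocol versions are refused
    ssl_session_cache   shared:TLS:10m;
    ssl_session_timeout 1h;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://cheroot_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";   # required for upstream keepalive
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Tell the application the original client address and scheme.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout the application should honour the `X-Forwarded-*` headers only because the sole client able to reach it is the proxy on loopback; if cheroot listens on a routable address, those headers can be set by anyone.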