FileServer提供RPC接口还是RESTful API接口？

[gongweibao]

我和 @Yancey1989 @typhoonzero 线下讨论了一下，准备采用RESTful API。以下是讨论部分：

• RPC是否用HTTP协议
  • 如果走自己的协议，需要开一个新的端口，Ingress需要做TCP转发、不能做会话保持。
  • 走HTTP协议用两者其实差不多。
• 目前看到的大家采用RESTful API的案例更多点
  • 比如Docker，Kubernetes，ETCD。

对应的PR在这里，我把这个话题单独拿出来讨论一下

[wangkuiyi]

Why we need a FileServer?

If the intention was to support file upload and download, there has been one defined in Go's standard package: https://golang.org/pkg/net/http/#FileServer

[helinwang]

@gongweibao 用HTTP或者goRPC，我理解它们都是一种RPC，没有什么特别倾向，感觉那个简单选哪个就好。

更重要的问题可能是如何做双向的TLS验证。一般的服务器不需要验证用户的身份，只要用户相信服务器的身份就好了。这里我们需要验证用户的身份，并且从用户证书里面的账户信息提取用户名。
我不是很确定ingress支不支持双向验证、这种双向验证用Kubernetes哪个模块实现比较好。还是直接叫Kubernetes把tls encrypted traffic交给我们的程序来做。
我理解如果Kubernetes做不了双向验证，就没法做TLS termination，看不到HTTP request明文，也就没法做session stickyness load balancing。

双向用户认证可以参考：http://www.levigross.com/2015/11/21/mutual-tls-authentication-in-go/

[typhoonzero]

I recommend this repo: https://github.com/divio/django-filer.

https://golang.org/pkg/net/http/#FileServer seems only do file downloads.

[gongweibao]

I would suggest that our "big file uploading" feature be compatible with open standards like HTML5. So users can write a Web page (or some other programs) that call the HTML5 Filesystem API to upload big files to PaddlePaddle Cloud. Here is a link to the HTML5 client API http://stackoverflow.com/a/10845664/724872. I'd recommend that we read it and understand it, before we write the server code.

[gongweibao]

@helinwang
There is an explanation

Finally, when we proxy traffic onto our back-end service, we also create a new custom HTTP header to be proxied on as well; which I've named: X-ClientCert-DN. The value assigned to this custom header uses the Nginx $ssl_client_s_dn variable, which extracts the Common Name section of the client's certificate.

And another way: proxy_set_header X-SSL-CERT $ssl_client_cert can transfer CRT to backend.