This is a wishlist item to start some discussion around making 2 changes to Evergreen's handling of TLS.
1, given the existence of LetsEncrypt and the fact that encrypted communications aren't that large a drain on modern hardware, TLS should simply be required and assumed across the board. This could be reflected in our sample configs.
2, Enforcing #1 should also be the responsibility of apache or nginx, not OpenILS::WWW::EGCatLoader. (This is essentially the case already in many installations because redirects are so easy.) This would allow proxying to be simpler because you only need to manage certs in a single place (nginx, haproxy, whatevs) and could then use HTTP on the backend. Standing up a local test server would be significantly simpler, though Chrome's insistence on a TLS connection for localhost websocket connections is beyond our control. (Maybe more testing with FF? just requires changing wss:// to ws://...)
What do folks think?
+1 to both suggestions.
With Hatch using native messaging, is websockets on localhost still a concern?