Yes. Sort of. OpenZiti will make a mutual TLS connection from any piece of the overlay to another. If you are using a zitified client with a zitified server - then yes that’s 100% perfectly secure and fine.
It’s when you bring the tunneler into the mix that it’ll get more complex. Accessing that service via TLS using a tunneler would require a THIRD layer of encryption, provided by “the http server”. Conceptually you might think of that like three pipes… sorta like this… the inner pipe is the third layer of encryption that is NOT provided by openziti. This would be done from “the browser” to “the https server”. In my pic below that would be the yellow pipe…
Wrapping your yellow pipe, the https protocol negotiated by your browser and the https server, is the orange pipe. This represents the end-to-end encryption (e2ee) that OpenZiti provides by default (you can disable it but why would you???). That’s negotiated on the “client side” (the tunneler, or inside your golang app itself, wherever) and the far side.
Finally there is the “mutual TLS” (mTLS) encryption that you also get, provided by OpenZiti, which you cannot disable. This layer protects the links from being inspected by tools like Wireshark/tcpdump.
You should start by making a web server WITHOUT ziti and providing https. There’s a bunch of tutorials on the web on how to do that. Once you understand that - then I think you could move over to ‘zitifying’ that app and using OpenZiti on the server too… That’d be my recommendation.
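The innermost layer described above (browser to https server) can be tried on its own, without ziti, as the last paragraph suggests. The following is an added example, not code from the original post or from the OpenZiti project: it serves HTTPS with Go's built-in test certificate and routes one request through a plain TCP relay, a stand-in assumed here for whatever carries the bytes underneath, to show that the relay only ever sees ciphertext. The names `observe` and `payload` are made up for this illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
)

const payload = "hello from the https server" // constructed sample response body
// observe returns the body, TLS version, bytes relayed, and whether the relay saw the body in clear.
func observe() (string, uint16, int, bool, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, payload) }))
	defer srv.Close()
	relay, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", 0, 0, false, err
	}
	defer relay.Close()
	var seen bytes.Buffer // server-to-client bytes exactly as they cross the relay
	done := make(chan struct{})
	go func() {
		defer close(done)
		c, err := relay.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		s, err := net.Dial("tcp", srv.Listener.Addr().String())
		if err != nil {
			return
		}
		defer s.Close()
		go io.Copy(s, c)                     // client -> server
		io.Copy(io.MultiWriter(c, &seen), s) // server -> client, recorded
	}()
	client := srv.Client() // trusts the test server's certificate
	client.Transport.(*http.Transport).DisableKeepAlives = true
	resp, err := client.Get("https://" + relay.Addr().String())
	if err != nil {
		return "", 0, 0, false, err
	}
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	<-done // relay goroutine has finished, so seen is safe to read
	return string(body), resp.TLS.Version, seen.Len(), bytes.Contains(seen.Bytes(), []byte(payload)), err
}
func main() { fmt.Println(observe()) }
```

The client connects to the relay's address, yet certificate verification and the TLS session are still between the client and the https server; the relay adds no protection of its own in this sketch.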