
Show HN: Local development with .local domains and HTTPS

84 points | jarekceborski | 2 years ago | localcan.com

Hi HN! I'm Jarek, and I've built this tool that allows publishing .local domains on the local network using mDNS.

It also has a reverse proxy that handles HTTPS termination and port forwarding.

I'm working on adding more features, like an index page with all available domains or allowing proxy redirects, so you could redirect from HTTP to HTTPS.

Let me know if you have any questions or feedback!

104 comments

[+] francislavoie|2 years ago|reply
You can do this with Caddy already, with Automatic HTTPS. Caddy will automatically set up its own CA and use it to issue certs (using smallstep) with .local and .localhost domains.

We don't do anything with mDNS though but we've thought about it; none of us use macs anymore but PRs are welcome to make that work. I don't have enough expertise with mDNS to confidently implement it myself, and especially less-so because the implementation would be different on every OS (needs build flags to change the implementation depending on the build target). And this would be free and open source, rather than this paid product.
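The Caddy setup the comment above refers to, as an added example (not taken from Caddy's own docs or from localcan): a Caddyfile that terminates HTTPS for a `.local` and a `.localhost` name with Caddy's built-in CA and forwards to a dev server. The hostnames and the upstream port are assumptions; `tls internal` is the explicit form of what Caddy does automatically for names that no public CA would issue for.

```caddyfile
# Added example, not from the Caddy project or from localcan.
# myapp.local / myapp.localhost and port 3000 are illustrative.
myapp.local, myapp.localhost {
	# Issue the cert from Caddy's local CA instead of a public ACME CA.
	tls internal

	# Port forwarding to the dev server, HTTP behind the TLS termination.
	reverse_proxy 127.0.0.1:3000
}
```

Caddy installs its root into the local trust store when it first needs it (or on demand with `caddy trust`); any other device on the LAN still has to import that root by hand, exactly as with the tool in the submission. Name resolution is separate from this config: on the machine running Caddy, `myapp.localhost` resolves by itself, but for `myapp.local` to be reachable from other devices something on the LAN must answer for it over mDNS, for example a static alias line (IP address followed by the name) in `/etc/avahi/hosts` on a Linux host running avahi-daemon.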

[+] qbasic_forever|2 years ago|reply
On modern systemd-based Linux systems that use its systemd-resolved DNS resolver it automatically forwards all *.localhost traffic to your local host. It works great with caddy for local development and testing of services.
[+] throwawaymobule|2 years ago|reply
<hostname>.local is usually set up if you have an mDNS daemon running. I think Ubuntu does this ootb, and if you still have an old Windows install, you may have a copy of 'Bonjour' that was bundled with iTunes.

You could probably lean on existing software to do most of the work.

[+] lapcat|2 years ago|reply
This submission violates the HN guidelines: "Please don't use HN primarily for promotion. It's ok to post your own stuff part of the time, but the primary use of the site should be for curiosity." https://news.ycombinator.com/newsguidelines.html

The https://news.ycombinator.com/user?id=jarekceborski account was created 1 day ago, the only submission is this one https://news.ycombinator.com/user?id=jarekceborski and the only comments are on this submission https://news.ycombinator.com/threads?id=jarekceborski

[+] nathell|2 years ago|reply
I’d give the OP the benefit of doubt. I’ve always read that rule as discouraging excessive self-promotion, not a ban on one-off ones, and I think that should apply even when that one-off happens to be the very first submission by the account in question.
[+] manuelmoreale|2 years ago|reply
Not entirely sure why you're getting downvoted. One might disagree with the guidelines but since they clearly say that it's ok to post your work "part of the time", an account created only to post personal content is clearly going against the spirit of the guidelines.

Do I personally care? No. Am I bothered by the submission? Also no.

Still, downvoting you doesn't seem all that fair since you do raise a valid point.

[+] ehPReth|2 years ago|reply
Also from those exact same guidelines: “Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email [email protected] and we'll look at the data.”
[+] 8organicbits|2 years ago|reply
N=1 is not a trend. We don't know if the submitter has other active accounts that aren't in their real name. If they are new to this site, can we be more welcoming? This is cool content and made the front page.
[+] EspressoGPT|2 years ago|reply
> Forget editing /etc/hosts or typing 192.168.0.12!

Instead, pay $19 (instead of $29!) excl. VAT for a service that does this for you! God damn, I hate this industry.

[+] afavour|2 years ago|reply
And sometimes I hate the HN comment section.

Obviously you’re not paying $19 for hosts file editing. Obviously! SSL cert generation is a pain in the ass, a tool that automates all of that for you is a valid tool. And I find the mDNS stuff really interesting, I do a lot of testing on mobile devices and connecting to my dev server from a phone can be really annoying.

If you don’t like the price that’s fine: don’t pay it. The market will decide whether this price is appropriate or not. An independent developer has made a tool that scratches their personal itch and made it available for others to use for a fee. And gets heaped with scorn for it. This place is an absolute cesspit sometimes.

[+] xeckr|2 years ago|reply
What could you possibly hate about this?

$19 is only a couple minutes worth of engineering labour.

This is actually useful if you're running multiple servers on your network and don't want to remember the IPs of every single one of them. And not having to set up HTTPS for every single one of them is a plus.

[+] vladvasiliu|2 years ago|reply
Well, it does a little more than that. You can type yourservice.local instead of 192.168.0.12:1234.

I don't know that I'd buy this if I still had a mac, but I do think that paying for quality of life improvements can be worthwhile. For example, I do pay for a license of IntelliJ idea, even though VSCode costs $0, and I'm not even a full-time software dev.

[+] raincole|2 years ago|reply
When I read this comment I knew it must be targeting MacOS users. The only reason I clicked the link is to confirm my assumption.

Edit: I'm not trying to shame MacOS users. I'm just saying that Linux and MacOS users (Windows users don't use /etc/hosts so out of discussion) have very different behaviour regarding paying for software.

[+] eddieroger|2 years ago|reply
I'm not justifying the price, but it looks more complicated than editing host files, which wouldn't just be hard but sometimes impossible on devices without access to `/etc/hosts`. Is an mDNS broadcaster worth $20? Apparently 250 people think so according to their marketing. I'm not sure I agree either.
[+] replygirl|2 years ago|reply
hate? for something that saves more than it costs?
[+] hackan|2 years ago|reply
Well, it targets Mac users ;) So, you know...
[+] 8organicbits|2 years ago|reply
Great work! Public CAs have done a wonderful job making HTTPS easy for public websites, but private networks feel under-supported and we're often stuck with legacy tools. I'm really happy to see people building here.

I've been working on getlocalcert[1] which explores this problem from the other end; how can we make TLS certificate management and trust root distribution easier? There's lots of interest in using certificates issued by public CAs for private domains. Especially the free ones from Let's Encrypt. This completely avoids trust root distribution challenges and concerns about trust roots being used to MITM traffic. My local DNS management story is admittedly currently a hand-wave[2], but I really like your approach. I was hoping we could pair our tools, but I think mDNS is for .local only, so we won't be compatible.

I'm curious about the trust root you're using. Lots of tools will create these without any nameConstraints, which is reasonable as client-side support has historically been poor[3], but restricting the root and any intermediaries to *.local can reduce the risk that a stolen trust root is used to MITM unrelated sites like google.com.

[1] https://www.getlocalcert.net/

[2] https://docs.getlocalcert.net/dns/

[3] https://alexsci.com/blog/name-non-constraint/
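The nameConstraints point raised above, worked through as an added shell example (this is not code from localcan or from getlocalcert): it builds a root CA that is constrained to the `.local` namespace, has that root sign one leaf for `myapp.local` and one for `google.com`, and shows that `openssl verify` accepts the first and rejects the second. Signing is never constrained, so the point is what a stolen root key can and cannot get a verifier to accept. It assumes OpenSSL 1.1.1 or newer on PATH; the CA name, hostnames and file names are illustrative.

```shell
#!/bin/sh
# Added example, not code from localcan or getlocalcert: a local root CA whose
# nameConstraints extension limits it to the .local namespace, plus a check that
# a leaf it signs for an unrelated public name (google.com) is rejected.
# Assumes: openssl 1.1.1+ on PATH. CA name, hostnames and paths are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Config for the root. The constraint is marked critical so that a verifier
# that does not understand nameConstraints refuses the chain instead of
# silently ignoring it. Excluding the whole IPv4 space stops the root from
# certifying raw IP addresses, which a DNS-only constraint would not cover.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[dn]
CN = Local Dev Root CA (example)

[v3_ca]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints      = critical, permitted;DNS:.local, excluded;IP:0.0.0.0/0.0.0.0
EOF

# make_root: self-signed root with the constraints above (root.key / root.pem).
make_root() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 825 \
        -config ca.cnf -keyout root.key -out root.pem >/dev/null 2>&1
}

# issue_leaf NAME: sign a server cert for NAME with the root (NAME.key / NAME.pem).
# Signing itself is never constrained (a stolen CA key can sign anything);
# the constraint only takes effect in the verifier.
issue_leaf() {
    name="$1"
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config ca.cnf \
        -subj "/CN=$name" -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$name" > "$name.ext"
    openssl x509 -req -in "$name.csr" -CA root.pem -CAkey root.key -CAcreateserial \
        -days 90 -sha256 -extfile "$name.ext" -out "$name.pem" >/dev/null 2>&1
}

# verify_leaf NAME: exit 0 if NAME.pem chains to root.pem and is valid for
# hostname NAME under the root's constraints, non-zero otherwise.
verify_leaf() {
    openssl verify -CAfile root.pem -verify_hostname "$1" "$1.pem" >/dev/null 2>&1
}

make_root
issue_leaf myapp.local
issue_leaf google.com

if verify_leaf myapp.local; then
    echo "myapp.local: accepted"
else
    echo "myapp.local: rejected (unexpected)"
fi

if verify_leaf google.com; then
    echo "google.com: accepted despite name constraints (verifier ignored them)"
else
    echo "google.com: rejected by name constraints"
fi
```

Run it as-is to see the two verdicts; `openssl x509 -in root.pem -noout -text` shows the constraint under "X509v3 Name Constraints: critical". The caveat in the comment still stands: this protects you only with clients that enforce the extension, and because it is critical, a client that does not understand it will reject even the legitimate `myapp.local` chain rather than accept everything.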

[+] 8organicbits|2 years ago|reply
Hmm, I may need to look at this some more. Avahi supports[1] changing the default domain, so I think you could in principle use mDNS for domains other than .local. But that's a config change, so it wouldn't have that out-of-the-box zero-config benefit.

[1] https://linux.die.net/man/5/avahi-daemon.conf

[+] Zetice|2 years ago|reply
You know you’re onto something when you get HN comments that say, “this can easily be done by just <list half a dozen tools and processes>”…

Very clever, if I weren’t leaving the industry I would for sure grab a copy.

[+] j1elo|2 years ago|reply
This is my poor man's, do-it-yourself, LAN development with HTTPS method:

https://doc-kurento.readthedocs.io/en/latest/knowledge/selfs...

Should probably be a blog post. Would be happy to get comments on improvements or updates to the explained process. For now, I already gathered that Android seems to have finally added mDNS resolution support, which is nice as a whole Note banner can then be removed from that page. I also took note that maybe the whole thing can be simplified greatly with Caddy, albeit I think that getting into explaining mkcert is useful for readers who are new to that stuff and don't know how to generate their own SSL certs (like myself a month before writing all that).

[+] hobofan|2 years ago|reply
Or you could just use Tailscale with their Tunnel feature, and you get most of those things with their free tier (up to 3 users with up to 100 devices) and at a cheaper per-user pricing after that. And it also works cross-platform.
[+] moondev|2 years ago|reply
foo-192-168-1-1.traefik.me

bar-192-168-1-1.traefik.me

http://traefik.me/fullchain.pem

http://traefik.me/privkey.pem

[+] lxgr|2 years ago|reply
This is neat!

However, given that allowing private IP resolution from a public DNS subdomain facilitates DNS rebinding attacks, it (and all equivalent approaches) will unfortunately be blocked by quite a few of the more sophisticated home routers out there, including a quite common brand in Germany.

Also, doesn't publishing a privkey for a public TLS certificate theoretically require it to be revoked under common browser CA standards...? Let's Encrypt seems to support it, at least: https://letsencrypt.org/docs/revoking/#using-the-certificate...

[+] mijoharas|2 years ago|reply
Regarding the certs. Does this do something special to trust the self-signed root certificate that you add? or do you need to manually trust it on any device that you use to connect to this?

I assume that's the case, but want to check I understand correctly.

[+] jarekceborski|2 years ago|reply
You need to manually trust it on each device. There is a button for that in the app, which shows the Trust certificate dialog. For other devices it's quite easy, e.g. you can AirDrop RootCA.pem to the iPhone or iPad.
[+] emadda|2 years ago|reply
Looks very nice.

Side note: I released https://tabserve.dev a few months ago.

It uses a browser tab and web workers as a reverse proxy to get a https url to localhost.

[+] capableweb|2 years ago|reply
Looks like an interesting project. What I guess is not really clear is why you'd want to do TLS for local only connections? Are the services published with the .local domain accessible from outside as well so it's like a ngrok alternative?

I'm pretty sure I'm misunderstanding the value-add of having TLS for localhost connections...

[+] xcskier56|2 years ago|reply
Dev <=> Prod parity. There are starting to be more things that require tls even for localhost
[+] rascul|2 years ago|reply
> I'm pretty sure I'm misunderstanding the value-add of having TLS for localhost connections...

.local tld is for the local subnet, not necessarily localhost.

[+] ravenstine|2 years ago|reply
TLS is easy enough... I'm just not sure why one would want or need a certificate authority involved with local connections other than to get rid of the nag screen in Firefox or Chrome.
[+] waithuh|2 years ago|reply
Maybe its just to avoid browsers nagging and blocking you from using certain APIs that require a "Secure Context (https)"
[+] agos|2 years ago|reply
browsers nowadays are picky about including content from and communicating with non secure hosts. Depending on your setup, it might make local development less of a hassle
[+] drekipus|2 years ago|reply
Is this something like how ".local" is already a mDNS standard but OSX and android won't support it yet? (Unless they buy your app)

I can already access "myserverhost.local" from everything but android and OSX. Windows and Linux work fine automatically.

[+] WorldMaker|2 years ago|reply
The FAQ admits that it is just configuring mDNS advertisements.
[+] wiredfool|2 years ago|reply
It’s been on OS X since it was called OS X and not macOS.
[+] jasonlotito|2 years ago|reply
I'm curious about the license requirements. Is it 1 license per install, or 1 per install that is currently serving?

I have two devices, but I will never use them at the same time (and if I do by accident, I'd expect your software to stop working).

[+] jarekceborski|2 years ago|reply
It's a perpetual license. So you can enter the license key on a new device and it will automatically deactivate the previous device.
[+] waithuh|2 years ago|reply
Risky target audience. Maybe useful for people that hop networks regularly.
[+] jareklupinski|2 years ago|reply
had a mini-heart attack reading the intro; we don't see enough of each others' names on here :)

been waiting for something like this to come along: when i set up microcontrollers that expose a mini-server, i would like to use the Geolocation API built into mobile browsers so users can tell the gadget where it is, but they block access to the API unless your site starts with 'https://' ( a silly barrier but whatever )

[+] AlexJuca|2 years ago|reply
Very cool tool! This can be done using other means but I like how easy it is with this tool and the app has a decent looking UI.

Congrats on releasing the tool.