
.localhost Domains

(inclouds.space)
301 points todsacerdoti | 1 comments
peterldowns No.43645135
If you’re interested in doing local web development with “real” domain names, valid ssl certs, etc, you may enjoy my project Localias. It’s built on top of Caddy and has a nice CLI and config file format that you can commit to your team’s shared repo. It also has some nice features like making .local domain aliases available to any other device on your network, so you can more easily do mobile device testing on a real phone. It also syncs your /etc/hosts so you never need to edit it manually.

Check it out and let me know what you think! (Free, MIT-licensed, single-binary install)

Basically, it wraps up the instructions in this blogpost and makes everything easy for you and your team.

https://github.com/peterldowns/localias

replies(3): >>43645234 #>>43652121 #>>43678363 #
CodesInChaos No.43645234
How do valid certs for localhost work? Does that require installing an unconstrained root certificate to sign the dev certs? Or is there a less risky way (name constraints?)
replies(2): >>43645298 #>>43645643 #
sangeeth96 No.43645298
It's mentioned in the README:

  - If Caddy has not already generated a local root certificate:
     - Generate a local root certificate to sign TLS certificates
     - Install the local root certificate to the system's trust stores, and the Firefox certificate store if it exists and can be accessed.

So yes. I had written about how I do this directly with Caddy over here: https://automagic.blog/posts/custom-domains-with-https-for-y...
replies(2): >>43648598 #>>43651755 #
1. lxgr No.43648598{3}
> Install the local root certificate to the system's trust stores

I really wish there was a safer way to do this, i.e. a way to tag a trusted CA as "valid for localhost use only". The article mentions this in passing:

> The sudo version of the above command with the -d flag also works but it adds the certificate to the System keychain for all users. I like to limit privileges wherever possible.

But this is a clear case of https://xkcd.com/1200/.

Maybe this could be done using the name constraint extension marked as critical?
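
The name-constraint idea raised in the comment above, as an added example that is not part of the thread, Localias or Caddy: a throwaway root CA carrying a critical `nameConstraints` extension limited to `localhost`, checked with `openssl verify`. The file names, subject names and the two test hostnames are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. File names, subject names and test hostnames are constructed.

make_ca() {  # $1 = work dir: writes ca.cnf, ca.key, ca.pem
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constrained Dev Root (demo)
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
# RFC 5280: "localhost" permits localhost itself and names ending in .localhost
nameConstraints = critical, permitted;DNS:localhost
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_leaf() {  # $1 = work dir, $2 = DNS name placed in subjectAltName
  printf 'subjectAltName = DNS:%s\n' "$2" > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/O=demo leaf" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  # The CA key will sign anything; the constraint is enforced by the verifier.
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 7 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

chain_ok() {  # $1 = work dir, $2 = DNS name: exit 0 only if the chain verifies
  openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_ca "$demo_dir"
for name in app.localhost evil.example.com; do
  issue_leaf "$demo_dir" "$name"
  if chain_ok "$demo_dir" "$name"; then
    echo "$name: accepted"
  else
    echo "$name: rejected"
  fi
done
rm -rf "$demo_dir"
```

This shows OpenSSL's path validation only; whether a given OS or browser trust store enforces constraints on a locally installed root has to be tested per platform. The constraint here covers DNS names only, so other name types such as IP addresses are not restricted by it.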