Show HN: Local development with .local domains and HTTPS (localcan.com)
84 points by jarekceborski on Aug 1, 2023 | hide | past | favorite | 104 comments
Hi HN! I'm Jarek, and I've built this tool that allows publishing .local domains on the local network using mDNS.

It also has a reverse proxy that handles HTTPS termination and port forwarding.

I'm working on adding more features, like an index page with all available domains or allowing proxy redirects, so you could redirect from HTTP to HTTPS.

Let me know if you have any questions or feedback!




You can do this with Caddy already, with Automatic HTTPS. Caddy will automatically set up its own CA and use it to issue certs (using smallstep) with .local and .localhost domains.

We don't do anything with mDNS though but we've thought about it; none of us use macs anymore but PRs are welcome to make that work. I don't have enough expertise with mDNS to confidently implement it myself, and especially less-so because the implementation would be different on every OS (needs build flags to change the implementation depending on the build target). And this would be free and open source, rather than this paid product.


On modern systemd-based Linux systems that use its systemd-resolved DNS resolver, it automatically forwards all *.localhost traffic to your local host. It works great with caddy for local development and testing of services.


Yep! And some browsers now hard-coded resolve *.localhost to ::1 by default, so you often don't need any resolver at all. See https://dev.to/k4ml/firefox-and-chrome-resolve-any-localhost...


I’m initially bothered by browsers doing this but perhaps it’s fine


<hostname>.local is usually set up if you have an mDNS daemon running. I think Ubuntu does this ootb, and if you still have an old windows install, you may have a copy of 'Bonjour' that was bundled with iTunes.

You could probably lean on existing software to do most of the work.


I agree that reaching out to systemd-resolved on Linux and Bonjour on Mac/Windows is probably the way to go, but I don't have the time/energy to learn these APIs and test it right now, hence why I'm asking for help! :)


Windows has had built-in mDNS (and DNS-SD) support since Windows 10; I wouldn't recommend using Bonjour on Windows today.

That said, the tricky part to Windows' mDNS support is that the APIs to work with it are WinRT-only and you'll need a WinRT projection of one sort or another to use them.


This submission violates the HN guidelines: "Please don't use HN primarily for promotion. It's ok to post your own stuff part of the time, but the primary use of the site should be for curiosity." https://news.ycombinator.com/newsguidelines.html

The https://news.ycombinator.com/user?id=jarekceborski account was created 1 day ago, the only submission is this one https://news.ycombinator.com/user?id=jarekceborski and the only comments are on this submission https://news.ycombinator.com/threads?id=jarekceborski


I’d give the OP the benefit of doubt. I’ve always read that rule as discouraging excessive self-promotion, not a ban on one-off ones, and I think that should apply even when that one-off happens to be the very first submission by the account in question.


I'm not saying that the account should be banned, or that self-promotion should never be allowed. Nonetheless, the account creation date and lack of other comments clearly shows that it was created for the purpose of selling the submitter's product. I think it's fair to flag this submission dead and then see what else the person does with their account, if anything.


Not entirely sure why you're getting downvoted. One might disagree with the guidelines, but since they clearly say that it's ok to post your work "part of the time", an account created only to post personal content is clearly going against the spirit of the guidelines.

Do I personally care? No. Am I bothered by the submission? Also no.

Still, downvoting you doesn't seem all that fair since you do raise a valid point.


Also from those exact same guidelines: “Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data.”


> Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken.

It's not an insinuation. The submission author literally said: "I'm Jarek, and I've built this tool". It's an undeniable fact that the submitter is self-promoting. There's no mistake.

The submitter's profile also shows irrefutably that the HN account has never been used for anything except self-promotion.

Another problem is that it's not clear the submission is even on topic for Show HN. Is there anything that HN users can try? It just seems to be a "Buy" page. https://news.ycombinator.com/showhn.html


N=1 is not a trend. We don't know if the submitter has other active accounts that aren't in their real name. If they are new to this site, can we be more welcoming? This is cool content and made the front page.


> N=1 is not a trend.

Every spammer is N=1.

> We don't know if the submitter has other active accounts that aren't in their real name.

That would be yet another HN guidelines violation: "Throwaway accounts are ok for sensitive information, but please don't create accounts routinely." https://news.ycombinator.com/newsguidelines.html

> If they are new to this site, can we be more welcoming?

Would you say the same to all spammers?

> This is cool content and made the front page.

There are a lot of cool paid products in the world. You're giving permission for everyone to just post their own "Buy" page here. That's not what HN is for. I'm a software developer myself, and while I have submitted some of my technical blog posts, I've never just submitted my product marketing pages.

And as I said in another comment, this shouldn't even be a "Show HN" post: https://news.ycombinator.com/item?id=36959608


Every spammer is not N=1. The user could submit their marketing page repeatedly. They could submit it from multiple accounts. That hasn't happened here, there's no need for outrage.

https://news.ycombinator.com/from?site=localcan.com


> Forget editing /etc/hosts or typing 192.168.0.12!

Instead, pay $19 (instead of $29!) excl. VAT for a service that does this for you! God damn, I hate this industry.


And sometimes I hate the HN comment section.

Obviously you’re not paying $19 for hosts file editing. Obviously! SSL cert generation is a pain in the ass, a tool that automates all of that for you is a valid tool. And I find the mDNS stuff really interesting, I do a lot of testing on mobile devices and connecting to my dev server from a phone can be really annoying.

If you don’t like the price that’s fine: don’t pay it. The market will decide whether this price is appropriate or not. An independent developer has made a tool that scratches their personal itch and made it available for others to use for a fee. And gets heaped with scorn for it. This place is an absolute cesspit sometimes.


Start your app, put Caddy issuing TLS certs in front of it, put your PC's IP behind some name on your router (maybe using something like Zeroconf), and spend the $19 buying some flowers for your partner.


$19 would be a business expense so I don’t think buying my partner flowers with it would go down well.

In a professional context time is money. Setting up everything you’re discussing takes time and would need tweaking every time my network changes (not to mention require router access). $19 a year is a rounding error in terms of developer expenses. It’s entirely legitimate to pay for a tool to just do it for you.


mDNS is the proper standards name for what used to be called Zeroconf. This app is doing the same thing you'd do by hand; it's just saving you time by automating it. If it only takes you an hour to set up by hand, is your time less valuable than $19/hour?


  pip install https.server
  python -m https.server <port>


I guess you must have just omitted the line where the SSL certs are generated and the mDNS is handled?

Smart Alec replies are one thing but badly thought out Smart Alec replies contribute so very little.


SSL cert is generated (untrusted)

mDNS is a QoL feature I am not sure is that useful.


What could you possibly hate about this?

$19 is only a couple minutes worth of engineering labour.

This is actually useful if you're running multiple servers on your network and don't want to remember the IPs of every single one of them. And not having to set up HTTPS for every single one of them is a plus.


Which programmers are paid $570 per hour?


If you don't take "couple" to mean literally two and instead use the colloquial definition of 'a handful', say 10, then you'll find there are many devs making $120 an hour.

Also you pay this once, this isn't some recurring charge every 10 minutes.


Well, it does a little more than that. You can type yourservice.local instead of 192.168.0.12:1234.

I don't know that I'd buy this if I still had a mac, but I do think that paying for quality of life improvements can be worthwhile. For example, I do pay for a license of IntelliJ idea, even though VSCode costs $0, and I'm not even a full-time software dev.


Sure, but there are also excellent FOSS solutions for this, such as https://github.com/peterldowns/localias which has the benefit of being cross-platform.


Multiple, different solutions to the same problem, some paid, others free and/or open source? Inconceivable!


I do have a MacBook and I do have a JetBrains All-Products license, yet I'm not going to pay for a service that does something existing tools can do for free today (see Puma, Caddy etc.) – and that $19 isn't even a one-time purchase since you'll only get updates for a year.


When I read this comment I knew it must be targeting MacOS users. The only reason I clicked the link is to confirm my assumption.

Edit: I'm not trying to shame MacOS users. I'm just saying that Linux and MacOS users (Windows users don't use /etc/hosts so out of discussion) have very different behaviour regarding paying for software.


I mean, the creator's personal website exactly looks like the Apple website and he's selling clones of Apple wallpapers, too.


Why are you trying to dismiss this guy? I don't understand it. If you don't like the product or feel that $19 is too much money, then move along. God forbid someone tries to make a living by selling software.

I've personally struggled to test https locally [1], and I'm sure others have too. The next time I have the problem, though, I'll save myself the configuration and spend $19.

[1] https://www.louzell.com/notes/serve_https_on_localhost.html


There is an /etc/hosts on Windows, just fyi.


Yep... in a strange directory:

C:\Windows\System32\drivers\etc\hosts


I'm not justifying the price, but it looks more complicated than editing host files, which wouldn't just be hard but sometimes impossible on devices without access to `/etc/hosts`. Is an mDNS broadcaster worth $20? Apparently 250 people think so according to their marketing. I'm not sure I agree either.


hate? for something that saves more than it costs?


Well, it targets Mac users ;) So, you know...


Can recommend https://github.com/FiloSottile/mkcert for this purpose (local development certs).


I'm a big fan of mkcert for local HTTPS cert generation.


I just set up a local https dev domain wildcard (*.internal) with mkcert and caddy a few days ago - working great on all my devices and only took a few hours to figure out and get working.


FYI if you're using Caddy, you don't need mkcert. Caddy has smallstep built-in which does the same thing, automatically.

If you're not using .local or .localhost, just add `tls internal` to your config to make Caddy issue certs using its local CA. Caddy attempts to auto-install its root CA cert, just like mkcert (almost identical code, in fact; see https://github.com/smallstep/truststore).


Great work! Public CAs have done a wonderful job making HTTPS easy for public websites, but private networks feel under-supported and we're often stuck with legacy tools. I'm really happy to see people building here.

I've been working on getlocalcert[1] which explores this problem from the other end; how can we make TLS certificate management and trust root distribution easier? There's lots of interest in using certificates issued by public CAs for private domains. Especially the free ones from Let's Encrypt. This completely avoids trust root distribution challenges and concerns about trust roots being used to MITM traffic. My local DNS management story is admittedly currently a hand-wave[2], but I really like your approach. I was hoping we could pair our tools, but I think mDNS is for .local only, so we won't be compatible.

I'm curious about the trust root you're using. Lots of tools will create these without any nameConstraints, which is reasonable as client-side support has historically been poor[3], but restricting the root and any intermediaries to *.local can reduce the risk that a stolen trust root is used to MITM unrelated sites like google.com.

[1] https://www.getlocalcert.net/

[2] https://docs.getlocalcert.net/dns/

[3] https://alexsci.com/blog/name-non-constraint/


Hmm, I may need to look at this some more. Avahi supports[1] changing the default domain, so I think you could in principle use mDNS for domains other than .local. But that's a config change, so it wouldn't have that out-of-the-box zero-config benefit.

[1] https://linux.die.net/man/5/avahi-daemon.conf


We use puma-dev for this https://github.com/puma/puma-dev


Wow! Didn't know about this one.


This looks really great!

When do you expect to add Linux support? Until then, I'm using a devenv.sh Nix-based setup (without mDNS), with something like this: https://github.com/cachix/devenv/blob/main/examples/mkcert/d...


You know you’re onto something when you get HN comments that say, “this can easily be done by just <list half a dozen tools and processes>”…

Very clever, if I weren’t leaving the industry I would for sure grab a copy.


This is my poor man's, do-it-yourself, LAN development with HTTPS method:

https://doc-kurento.readthedocs.io/en/latest/knowledge/selfs...

Should probably be a blog post. Would be happy to get comments on improvements or updates to the explained process. For now, I already gathered that Android seems to have finally added mDNS resolution support, which is nice as a whole Note banner can then be removed from that page. I also took note that maybe the whole thing can be simplified greatly with Caddy, albeit I think that getting into explaining mkcert is useful for readers who are new to that stuff and don't know how to generate their own SSL certs (like myself a month before writing all that).


Or you could just use Tailscale with their Tunnel feature, and you get most of those things with their free tier (up to 3 users with up to 100 devices) and at a cheaper per-user pricing after that. And it also works cross-platform.


foo-192-168-1-1.traefik.me

bar-192-168-1-1.traefik.me

http://traefik.me/fullchain.pem

http://traefik.me/privkey.pem


This is neat!

However, given that allowing private IP resolution from a public DNS subdomain facilitates DNS rebinding attacks, it (and all equivalent approaches) will unfortunately be blocked by quite a few of the more sophisticated home routers out there, including a quite common brand in Germany.

Also, doesn't publishing a privkey for a public TLS certificate theoretically require it to be revoked under common browser CA standards...? Let's Encrypt seems to support it, at least: https://letsencrypt.org/docs/revoking/#using-the-certificate...


The certificate is revoked, your browser must not be checking for revocation. Browser support for revocation is pretty poor, unfortunately.

https://crt.sh/?id=9497801989&opt=ocsp


Hm, are these automatically revoked then as part of the service, or did somebody just revoke it?

Update: Seems to have just happened – after restarting, Firefox now does not accept it anymore!


Nice, thanks for sharing this. I use sslip.io but they do not provide TLS certificates, so acme v1 validation is required using a wan IP address and ensuring router port forwarding or cloudflare tunnel etc is running. This magic domain is so much easier.


I don't think this is actually compatible with the browser security model – specifically, CAs are required to revoke certificates for known-compromised private keys, according to point 4.9.1 here: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...


Regarding the certs. Does this do something special to trust the self-signed root certificate that you add? or do you need to manually trust it on any device that you use to connect to this?

I assume that's the case, but want to check I understand correctly.


You need to manually trust it on each device. There is a button for that in the app, which shows the Trust certificate dialog. For other devices it's quite easy, e.g. you can AirDrop RootCA.pem onto the iPhone or iPad.


Looks very nice.

Side note: I released https://tabserve.dev a few months ago.

It uses a browser tab and web workers as a reverse proxy to get a https url to localhost.


Looks like an interesting project. What I guess is not really clear is why you'd want to do TLS for local-only connections? Are the services published with the .local domain accessible from outside as well, so it's like an ngrok alternative?

I'm pretty sure I'm misunderstanding the value-add of having TLS for localhost connections...


> I'm pretty sure I'm misunderstanding the value-add of having TLS for localhost connections...

It often feels like the noose is tightening tbh. There are things that contemporary "evergreen" web browsers just flat out refuse to do without https.

I think this is where they document this... https://www.chromium.org/Home/chromium-security/prefer-secur...

which I got from this stack overflow answer https://stackoverflow.com/a/34161385


Yes, which makes sense I guess, but localhost et al are already considered "secure origins" by that, so the features should be available regardless if you're doing TLS or not, if you're loading the document/page/application from localhost.


Certain browser features/apis are only available when in a secure context https://www.digicert.com/blog/https-only-features-in-browser... so I imagine this might be a reason you would want it.

That being said I don't know why you would pay for an application that does this but I guess I'm not the target market.


Yep. A lot of OAuth integrations will refuse to work on HTTP, too. Some have a `localhost` exception to that restriction, but not all.


This long article helpfully forgets to mention that localhost/loopback addresses are considered secure without https.

https://developer.mozilla.org/en-US/docs/Web/Security/Secure...


Some features have still moved to TLS-only even for localhost. "Considered secure" is somewhat orthogonal to "requires TLS". You can only use HTTP/2 with TLS, for instance, whether or not you are in a "secure context".


Dev <=> Prod parity. There are starting to be more things that require tls even for localhost


> I'm pretty sure I'm misunderstanding the value-add of having TLS for localhost connections...

.local tld is for the local subnet, not necessarily localhost.


TLS is easy enough... I'm just not sure why one would want or need a certificate authority involved with local connections other than to get rid of the nag screen in Firefox or Chrome.


Mkcert makes it easy, why not?


Maybe it's just to avoid browsers nagging and blocking you from using certain APIs that require a "Secure Context (https)".


Browsers nowadays are picky about including content from and communicating with non-secure hosts. Depending on your setup, it might make local development less of a hassle.


Is this something like how ".local" is already a mDNS standard but OSX and android won't support it yet? (Unless they buy your app)

I can already access "myserverhost.local" from everything but android and OSX. Windows and Linux work fine automatically.



Do you mean that this issue report can now be considered as resolved?

https://issuetracker.google.com/issues/140786115

I'd love to update my notes if that's the case.


I don't know anything more than the docs I linked to.


Ok checked some info and, in summary:

Your linked article (the official source from Google) states "November 2021" [1], which by date would correspond to API Level 32 aka. Android 12.1.

Android 12.0 might also have the feature backported on some devices, according to some reports such as seen in the issue report for the feature [2].

Finally, the feature has apparently not been backported to Android 10 or 11, according to a blog post I found about this topic [3].

[1]: https://source.android.com/docs/core/ota/modular-system/dns-...

[2]: https://issuetracker.google.com/issues/140786115

[3]: https://www.esper.io/blog/android-dessert-bites-26-mdns-loca...


The FAQ admits that it is just configuring mDNS advertisements.


It’s been on OS X since it was called OS X and not macOS.


I'm curious about the license requirements. Is it 1 license per install, or 1 per install that is currently serving?

I have two devices, but I will never use them at the same time (and if I do by accident, I'd expect your software to stop working).


It's a perpetual license. So you can enter the license key on a new device and it will automatically deactivate the previous device.


Risky target audience. Maybe useful for people that hop networks regularly.


had a mini heart attack reading the intro; we don't see enough of each other's names on here :)

been waiting for something like this to come along: when i set up microcontrollers that expose a mini-server, i would like to use the Geolocation API built into mobile browsers so users can tell the gadget where it is, but they block access to the API unless your site starts with 'https://' ( a silly barrier but whatever )


We use mkcert for this, it works wonderfully.

https://github.com/FiloSottile/mkcert


Very cool tool! This can be done using other means but I like how easy it is with this tool and the app has a decent looking UI.

Congrats on releasing the tool.


"Forget editing /etc/hosts!"

Right.

Why would you edit a local file (or create a record on your own local DNS), generate your own self-signed certificate, and immediately get a website that can be tested on your machine, on your local network or on your VPN, when you can pay someone $19 per device (MacOS only) for something less powerful?

I understand that everybody needs to make money for a living, but this seems like the digital equivalent of bottling tap water and asking people to pay for it.


> digital equivalent of bottling tap water

That's intended as a criticism, but bottled water is a $300B market in the US alone. Most of which is tap water.

https://www.latimes.com/business/story/2021-09-28/bottled-wa...


Isn't that just a sidecar? Maybe Kubernetes is hard enough that some engineers are willing to pay $19 to avoid using it.


Forget editing /etc/hosts

Why?


Because then you don't pay the $19, but you want to pay, did you not know this?


Might not be able to, if you're looking to test out something on a mobile device, or a school/work device that's locked down.


Really like what this does and the look of it! Congrats


Thanks, glad you find it useful!


Interesting. Does it have gzip and HTTP/2? Thanks


Currently only http 1.1 and no compression. But these could be added in the future.


I feel this is something that should NOT be a payable service at all. I am sure it's not rocket science, and not even Linux support?

There are probably some open source tools for this to set it up yourself for free.


The mDNS broadcast thing is pretty easy, I've used pybonjour for that for a while. The SSL part, well, it's a bigger hassle.


Bigger yes but valuable knowledge for anyone. The good thing is once you understand it only takes little effort to repeat it.


I automated that away a long time ago: https://github.com/piku/piku/blob/master/piku.py#L814


is it secure?


Let's introduce a proprietary service with a payment plan. That will simplify things LOL.

Just switch to Linux and you will never ever have to deal with this weird stuff again!


Just to be fair: it seems it has no "payment plan", but a one-time payment.


That "one-time payment" will only give you updates for a year.



