Feature request: serve https #19

Closed
llimllib opened this issue Nov 6, 2015 · 5 comments

@llimllib
Contributor

llimllib commented Nov 6, 2015

It would be good to be able to serve an app with a self-signed SSL certificate, to make sure that it's not throwing mixed content warnings etc. before pushing it out.

@cortesi You're much more expert on the topic than I am; is this a plausible feature?

@cortesi
Owner

cortesi commented Nov 6, 2015

One way to do this would be to add a feature that a) lets devd generate a self-signed cert, and b) gives us a hook for easily installing that cert in the browser. Mitmproxy works like this, and cert installation is reliable across pretty much all platforms. This is a significant feature, and will add complexity to devd. For instance, we'd have to store the certs on disk, which suddenly adds a persistent dimension that wasn't there before.

Weighed against that, you can currently generate a self-signed cert like so:

 openssl req -subj '/CN=*.devd.io/O=devd/C=NZ' -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout devd.bundle -out devd.bundle

And then fire it up in devd like so:

devd -c ./devd.bundle .

This almost works perfectly. The caveat is that the CN covers *.devd.io, but not devd.io itself. To make that work you have to add SANs, which OpenSSL in its wisdom has made impossible to do purely using the command-line (you need a config file instead). So, unfortunately doing this correctly is NOT a one-liner, which means we should at least think about tool support of some sort.

I guess there are intermediate solutions here too - say, a command that lets devd generate a correct cert bundle, and write it to the destination of your choice. The user can then specify it explicitly when they want to use it:

devd --gencert devd.bundle
devd -c ./devd.bundle .

Let's think about the best way to do this.
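
The SAN caveat in the comment above, as an added Go example (not part of the thread and not devd's own code): it builds a key-plus-certificate bundle with the names as SAN entries and checks which hostnames the certificate covers. `GenBundle` and `Covers` are hypothetical names, and the key is ECDSA P-256 rather than the RSA key in the openssl command.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// GenBundle (hypothetical name) returns a private key and a self-signed
// certificate as one PEM bundle, with names placed in the SAN extension.
func GenBundle(names ...string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Hour), // tolerate small clock skew
		NotAfter:     time.Now().AddDate(1, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     names, // "*.devd.io" alone does not match "devd.io"
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, kerr := x509.MarshalPKCS8PrivateKey(key)
	if err != nil || kerr != nil {
		return nil, fmt.Errorf("bundle: cert=%v key=%v", err, kerr)
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...), nil
}

// Covers (hypothetical name) reports whether the bundle's certificate is valid for host.
func Covers(bundle []byte, host string) bool {
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if cert, err := x509.ParseCertificate(blk.Bytes); err == nil {
			return cert.VerifyHostname(host) == nil
		}
	}
	return false
}

func main() {
	b, err := GenBundle("devd.io", "*.devd.io")
	fmt.Println(Covers(b, "devd.io"), Covers(b, "app.devd.io"), err)
}
```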

@cortesi
Owner

cortesi commented Nov 10, 2015

Bill, let me know if this meets your use case. I've gone for a simple approach: -s turns on TLS with a self-signed cert that lives at ~/.devd.cert. If the file exists, we use that; if not, we generate it. We could make the user's life easier by helping them register the cert as trusted, but that might be too complicated a feature for devd.

@llimllib
Contributor Author

I think that's exactly what I was looking for; for my use case I just want the page served over https to make sure nothing breaks when it gets deployed (to the real https with an actual cert).

Thanks!

@llimllib
Contributor Author

☝️ @cortesi

@cortesi
Owner

cortesi commented Nov 10, 2015

:)
