11

I run a local development web server for testing out code changes.

Often I have to test my local changes with remote services that can only connect securely to another domain.

e.g. https://external1.com will only talk to https://someOtherDomain.com, but I've got to test integration of my new code changes with https://external1.com

While I've got a setup configured that works, it seems complex, and took a bit to get set up right. It seems to me that many developers would want to do this same thing, so my question is this:

Is there an easy way to proxy my local webserver as https://someOtherDomain.com ?

EDIT: So maybe this should be asked this way - Does a command line or GUI tool exist that you can pass a local port and a domain name, and it serves your local port securely over https://someOtherDomain.com - no config or SSL cert creation required? Of course it'd be nice if the SSL cert could be replaced through configuration if need be, but by default, it'd work automatically, by using a precanned SSL cert. And even though I'm using Apache, I'm looking for a solution that actually doesn't use Apache - it uses something else. Why? Because I want this solution to work well with any other webserver that's being used by people on our team - as we all run different stacks, and I'd like to be able to let any of us securely serve our sites without having to configure each webserver individually.

Here's my current setup for taking my local webserver and serving it up at https://www.someOtherDomain.com

To test this locally, I've been:

  • editing my hosts file, and adding an entry to make www.someOtherDomain.com point to my local machine, which of course is running my dev server. This makes it so my local site is now available at http://www.someOtherDomain.com

    127.0.0.1 www.someOtherDomain.com

  • Running Apache with a SSL Cert setup and mod_proxy to redirect all https requests to my local http server, thus making my site available at https://www.someOtherDomain.com. Here's my Apache config for this:

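    ServerName www.someOtherDomain.com

    # Status page for the balancer; excluded from proxying below
    <Location /balancer-manager>
       SetHandler balancer-manager
    </Location>

    # Single backend: the local dev server reached over plain HTTP
    <Proxy balancer://mycluster>
      BalancerMember http://localhost route=1
    </Proxy>

    # Exclusions must come before the catch-all ProxyPass
    ProxyPass /balancer-manager !
    ProxyPass / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/

    # Legacy TLS settings as originally posted. SSLv3 (POODLE) and RC4
    # (RFC 7465) are deprecated; on a current Apache use e.g.
    # "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" and drop RC4-SHA.
    SSLHonorCipherOrder On
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite RC4-SHA:HIGH:!ADH

    # Rewrite all http requests to https
    # [R] forces an external redirect, [L] stops further rule processing
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]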

I run this on a Mac, but am interested in solutions for Linux as well. I've seen various Man in the Middle proxies that sound like they'd work with some configuration... but I'm looking for something really simple to install and run - not just for me, but something I can tell team members about too, as we may all have to do this a lot in the future.

IMPORTANT NOTE: My local webserver isn't running on Port 80, though I've put it this way in the above example, to keep it simple. I understand port 80 on a mac is a bit special, but am very happy with solutions that work fine on all ports but port 80.

Brad Parks
  • I think [Squid](http://www.squid-cache.org/) is often used for this sort of thing. – jww Aug 20 '14 at 22:35
  • If external1.com will only talk to the real someOtherDomain.com, doing anything with a proxy on your dev machine will not help you. If external1.com will talk to your dev station as long as it claims to be someOtherDomain.com, you don't need a proxy, you just setup your dev apache for the right name and put that in your `hosts` file. If the external will only talk to the real domain, you would need to setup some kind of proxy system on that host. But in that situation I would prefer to ask external's admin to give me some access on a dev IP. – Roderick Bant Aug 21 '14 at 10:50
  • thanks for the feedbacks guys.... Maybe my terminology is off in some uses of proxy, but from the perspective of a browser, I'd like to map `http://localhost` to `https://someOtherDomain.com`, so both a DNS entry *and* SSL layer. What I've got works - it just seems like there should be an easier/turnkey way of doing this, as I think lots of devs would like to do this. My use case is for integrating my local changes with other staging servers, to see if my code works without having to build 10 other projects. Thanks! – Brad Parks Aug 21 '14 at 12:04
  • Why don't you use a virtualhost having "someOtherDomain.com" as Servername for your local application instead of "localhost"? Then only the hosts modification is required, no proxy. – regilero Aug 26 '14 at 12:14
  • hey... thanks for the info! ultimately, I'm looking to find something other than Apache to do this - as I don't want everyone to have to create/setup their own SSL cert as well. Using a self signed cert is fine, but no one should have to create it. I'd love to find a tool that you start up and pass a local port, and a domain name, and it serves your local port securely over https://someOtherDomain.com - no config or SSL cert creation required. What I have works - I just think it's a bit of a pain for people to set up! Thanks! – Brad Parks Aug 26 '14 at 12:24
  • Other alternatives can be found here: https://stackoverflow.com/questions/8129260/man-in-the-middle-mitm-proxy-with-https-support?noredirect=1&lq=1 – Brad Parks May 23 '19 at 11:11

2 Answers

3

I think mitmproxy can do this for you, at least on Linux and OS X. I haven't tried it myself but this question seems to show how it is done. It's still not a trivial program though.

There are however other approaches, which I have used:

The first one is pretty simple: create a DNS entry for develop.mydomain.com which points to 127.0.0.1 and a single certificate for a (sub)domain where you control the DNS. Spread that certificate to all your developers. They'll still need to set up SSL themselves but they don't need to generate certificates anymore. It has the added benefit that everybody is developing against https://develop.mydomain.com which allows them to share the configuration. For bonus points, create a DNS entry for *.develop.mydomain.com and a wildcard certificate and your developers can have different sites (e.g. https://project1.develop.mydomain.com and https://project2.develop.mydomain.com) on their local machine. (Contrary to what the internet sometimes tells you, name based virtual hosting works fine with SSL as long as the certificate is valid for all the named hosts). Since the domain is the same for everybody you can consider getting a valid wildcard certificate to get rid of the warnings.

Unlike the solutions below this works even outside of the office network, which may be relevant when people are working from home or at the customer.

Building on this you could also create DNS entries for the internal IPs of the developer machines (if those are fixed). This does add some work, but it means the ongoing work of a developer can be reached by others in the local network, which can be very convenient for demos, testing on mobile devices, etc.

Another option is to configure a single machine to proxy for all your developers. Create a DNS entry pointing to the internal IP of this box on something like *.develop.mydomain.com, a matching wildcard certificate and configure that box once with the correct certificate. Now you can create a virtual host for each proxied server, and again, all sites will be reachable throughout the local network, but it does require the developer to have fixed IP addresses (or hostnames added to DNS through DHCP). Combined with the ability of Apache to include all files in a directory in its configuration, this makes it trivial to create a script which adds a new site based on a template. All it has to do is write a new file based on the requested subdomain plus the destination and reload the Apache config. This means something like a simple PHP script can do what you want the application to do.

AVee
  • thanks for the feedback... I took a look at *mitmproxy* and it looks cool - but I can't see how to do exactly what I want though... I'll try again in a bit and see how it goes... – Brad Parks Aug 29 '14 at 16:36
  • 1
    If mitmproxy can't do the trick (as I've said I haven't used it myself) maybe it will work with one of the tools mentioned in http://stackoverflow.com/questions/8129260/man-in-the-middle-mitm-proxy-with-https-support – AVee Aug 30 '14 at 23:20
  • 1
    For reference, this can be done with mitmproxy: https://github.com/mitmproxy/mitmproxy/issues/355 – Maximilian Hils Sep 09 '14 at 22:57
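
The site-adding script described in the last paragraph of the answer above, sketched in Python rather than PHP as an added example (it is not AVee's code). The certificate paths, the include directory and the restriction to internal IPv4 destinations are assumptions; the input checks keep a requested subdomain or destination from injecting directives into the generated file.

```python
import ipaddress
import re
import subprocess
from pathlib import Path

BASE_DOMAIN = "develop.mydomain.com"   # wildcard domain named in the answer
# Constructed template. The certificate paths are hypothetical placeholders.
TEMPLATE = """<VirtualHost *:443>
    ServerName {sub}.{base}
    SSLEngine on
    SSLCertificateFile /path/to/wildcard.develop.mydomain.com.crt
    SSLCertificateKeyFile /path/to/wildcard.develop.mydomain.com.key
    ProxyPreserveHost On
    ProxyPass / http://{ip}:{port}/
    ProxyPassReverse / http://{ip}:{port}/
</VirtualHost>
"""
# One DNS label only: no dots, slashes, spaces or newlines, so the value can
# neither add directives to the file nor move the file out of conf_dir.
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def render_vhost(subdomain, dest_ip, dest_port):
    """Return the vhost text, or raise ValueError on any unsafe input."""
    sub = subdomain.lower()
    if not LABEL.fullmatch(sub):
        raise ValueError(f"invalid subdomain label: {subdomain!r}")
    ip = ipaddress.IPv4Address(dest_ip)          # rejects anything but a.b.c.d
    if not (ip.is_private or ip.is_loopback):    # internal developer machines only
        raise ValueError(f"destination is not an internal address: {ip}")
    port = int(dest_port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return TEMPLATE.format(sub=sub, base=BASE_DOMAIN, ip=ip, port=port)


def add_site(conf_dir, subdomain, dest_ip, dest_port):
    """Write <subdomain>.conf into conf_dir; refuse to replace an existing site."""
    text = render_vhost(subdomain, dest_ip, dest_port)
    path = Path(conf_dir) / f"{subdomain.lower()}.conf"
    with open(path, "x") as fh:                  # "x" fails if the file exists
        fh.write(text)
    return path


def reload_apache():
    """Graceful reload; assumes conf_dir is pulled in with IncludeOptional."""
    subprocess.run(["apachectl", "graceful"], check=True)
```
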
2

If you want to expose your web on your local machine to the internet try Runscope Passageway, it's easy to set up and "just works" (from experience).

Another alternative is ngrok which I also used, but it didn't always work for me.

codeclash