0

I know importing the certificate into the browser trust store can dismiss the warning, but is it the only workaround? Is it possible to use a domain (with a valid SSL) to reverse proxy the localhost web server, redirecting the user's request to localhost?

Eli Chen

1 Answer

0

If you have an external domain and a valid certificate for it (i.e. both certificate and key) you could configure your localhost server to serve this domain and use this certificate. To make sure that any local requests to this domain actually reach your local server instead of the external IP you need the appropriate name resolution though. This can be done for example by modifying the hosts file (i.e. /etc/hosts on UNIX, c:\Windows\System32\Drivers\etc\hosts on Windows).

In other words:

  • Configure the local web server to expect requests for example.com instead of localhost, i.e. set certificate and key you have for example.com and configure the expected name to example.com.
  • Modify the local hosts file to resolve example.com with 127.0.0.1.
  • Access the local web server with the local browser by using the URL https://example.com. Due to the changed local hosts file it will use 127.0.0.1 as the IP address for example.com and thus access the local web server. This will provide the publicly trusted certificate for example.com so that the browser will not complain (issuer CA is trusted and subject of certificate matches the URL).

Remember to change your local hosts file back if you want to access the real (external) example.com.

Steffen Ullrich
  • But how does the request reach the local server, since it has a specific port: https://localhost:3000 for example? – Eli Chen Nov 04 '19 at 13:58
  • @EliChen: you need to specify `https://example.com:3000` instead where `example.com` points to `127.0.0.1` in your `hosts` file. – Steffen Ullrich Nov 04 '19 at 14:59
  • Thanks. I want to summarize this model before I test it out: so there is an https localhost web server running on the client machine; and there is an external web server with a valid domain and SSL, with its hosts file being configured to redirect to 127.0.0.1. Sending the request from the client machine's browser to the external domain will actually open the localhost target web server without a security warning appearing in the browser, is that right? – Eli Chen Nov 04 '19 at 17:13
  • @EliChen: *"I want to summarize this model before I test it out"* - Unfortunately this went totally wrong. No changes will be done to the external web server. All changes are local only. See updated answer. – Steffen Ullrich Nov 04 '19 at 17:25
  • Sir, I'm sorry for the late reply. I tested it out, it works! But it's still magic to me (I know you have explained the reason in the last bullet, but I'm still confused because the localhost is using someone else's certificate. I mean a valid certificate cannot be applied to localhost) – Eli Chen Nov 16 '19 at 17:30
  • @EliChen: A certificate is not bound to a specific machine. A certificate is for a specific domain and as long as the domain in the URL matches the domain in the certificate it is fine. Editing the `hosts` file just makes the domain resolve to 127.0.0.1 instead of the external IP address of the domain and thus you can successfully use the certificate on 127.0.0.1. – Steffen Ullrich Nov 16 '19 at 21:01
  • I see. So I guess if I want to access path and params on localhost for example: **https://localhost:3000/path/file?user=xxx** , I just need to use **https://example.com:3000/path/file?user=xxx** right? – Eli Chen Nov 16 '19 at 22:00
  • Can I just directly use the DNS instead of editing the hosts file? Add 127.0.0.1 to the DNS record? – Eli Chen Nov 18 '19 at 18:15
  • @EliChen: If you have access to the DNS server for this domain you can change the IP address to 127.0.0.1. But note that this way nobody will be able to access the real domain on its public IP address anymore. The advantage of editing the `hosts` file only is that it will affect only the local machine. – Steffen Ullrich Nov 18 '19 at 18:27
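
The two conditions the answer relies on (the name resolves to loopback through the `hosts` file, and the certificate's names cover the host in the URL) can be checked offline. The following is an added example, not part of the original answer or comments; the function names and the sample `hosts` content are constructed for illustration, and the name matching is simplified (no IDN or IP-address SANs).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample hosts file (same line format on UNIX and Windows).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
127.0.0.1   example.com www.example.com   # dev override, remove when done
192.0.2.10  intranet.test
"""

def parse_hosts(text):
    """Return {hostname: first IP listed}; comments and malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), ip)
    return table

def name_matches(pattern, host):
    """Browser-style match: exact, or '*' standing for the whole leftmost label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def check_url(url, hosts_text, cert_sans):
    """Does the URL's host land on loopback, and do the certificate names cover it?"""
    host = urlsplit(url).hostname
    ip = parse_hosts(hosts_text).get(host)
    return {
        "host": host,
        "resolves_to_loopback": bool(ip and ip.is_loopback),
        "cert_name_ok": any(name_matches(s, host) for s in cert_sans),
    }

def leftover_overrides(hosts_text):
    """Names other than 'localhost' still pinned to loopback (entries to revert)."""
    return sorted(n for n, ip in parse_hosts(hosts_text).items()
                  if ip.is_loopback and n != "localhost")
```

The port and path play no part in either check, which is why `https://example.com:3000/path/file?user=xxx` validates while `https://localhost:3000` with the same certificate does not.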