20130529

HTTPS in local development environment (with subdomains, stunnel and [optionally] pow and [bonus] iPad)

In every web developer's life there's a moment your baby wants to go secure, and this means putting your web app on HTTPS. That is, simply put, adding SSL on top of everything. Sounds simple? Well it should be. For production/staging solution you should read your own app hosting provider's docs, e.g. SSL Endpoint | Heroku Dev Center. And for your local dev env, read on (well if you're on OSX or *nix at least).

First, I've found no reason not to use pow, both for same-machine (via http://somesub.yourbaby.dev) and same-network (via http://somesub.yourbaby.192.168.1.111.xip.io) testing.
Tip: even if you don't fancy pow, and use different ports for running stuff instead, you can still use this technique with http://somesub.lvh.me:3000 (same-machine, resolves to 127.0.0.1:3000) or http://somesub.192.168.1.111.xip.io:3000 (same-network, resolves to 192.168.1.111:3000), somesub being any subdomain.

Then, we're going to use stunnel to put that SSL on top of our fine-running web app. So, I've compiled a little script to automate the stunnel certificate + configuration generation, here it is (any patches/comments are welcome). Install/copy it somewhere, then go to your project's directory and run:

stunnelo.sh yourbaby.192.168.1.111.xip.io

Hopefully, it will produce all the necessary files in ./var/stunnel/yourbaby.192.168.1.111.xip.io/

Finally, you may run (in a dedicated terminal window):

stunnel var/stunnel/yourbaby.192.168.1.111.xip.io/stunnel.cnf

then hopefully go to https://anysub.yourbaby.192.168.1.111.xip.io and see your same old app running in total security.

Wait! In a moment you'll notice your browser not being happy about the certificate we've just created, so here's a...

Bonus:
The self-signed certificates this technique creates are obviously will not be trusted by any browser on any device by default. This will get even more messy if your app involves a number of services you're running in the same dev env.
For computers, a browser will usually allow you to install the certificate in question when it sees it, so you will be annoyed just once. For iPads/iPhones — that's what same-network testing is for — you will have to take var/stunnel/yourbaby.192.168.1.111.xip.io/stunnel.crt and mail it to yourself, then open the attachment on your iPad and that's how you install the certificate there and go debugging.
Obviously, you can have any number of such stunnel configs in ./var/stunnel/ — go wild with the domains you are to test.

p.s. I've tried to use tunnels, but it provides no means of control over the certificates and thus, complicated scenarios bring... uh... complications.
p.p.s. Thanks go to xip.io-cert for outlining self-signed certificate generation.