Topic: Using ssl for sites across local lan
radarlove
Joined: 07 Feb 2021 Posts: 1 Location: UK, Billericay
Posted: Sun 07 Feb '21 21:52 Post subject: Using ssl for sites across local lan
I am practising development of Progressive Web Applications (PWAs) and testing on mobile devices.
Currently, I upload my site to a hosting company to my domain where I have installed a certificate, so this works fine.
However, it is a pain to keep having to upload every change in order to be able to test on the mobile devices.
Ideally, I would host the site on a Raspberry Pi I have set up with Apache - however, as PWAs need to be hosted with SSL (unless it's on localhost - but that won't work for Android/iOS devices connected on the lan), I need some way to use SSL on the Pi.
I tried using certbot to install a certificate - but it asks me for a domain name. I guess I could buy a domain and use that, but then how could I point that domain to the Pi from inside the lan?
(I don't want to use external DNS as I assume that would make it open to the world).
I have thought about creating a local DNS server so that my domain (eg mypwa.com) points to the Pi on its internal lan IP, but I understand that to do this, all devices would have to go through that DNS, so if it went down, every device in the house would not be able to access any web sites.
Am I missing something simple or is there a solution?
To sum up, I want to build PWA sites on a Pi and have other devices (pcs, mobile devices) access them via https without the sites being publicly available.
Thanks!
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Mon 08 Feb '21 14:19
You've evidently got a number of options, and no, I don't believe you're missing something simple.
There are two key factors here:
a) Site certificates
b) Name resolution
The prime requirement appears to be to host a local development site, which DNS issues aside, will evidently need its own certificate.
If that site certificate is to use a bona fide domain name, then that domain will have to be registered in DNS, and moreover, for an automated certificate system such as certbot to work, then that domain has to resolve to a reachable site on the Internet. Your local network won't qualify as a routable network, and I doubt you want to go down the route of asking your ISP for a fixed IP, and then start setting up a firewall, DMZ, and port forwarding (plus all the security concerns that go with it).
You don't have to use certbot of course, and could use a traditional Certificate Authority to sign your own CSR for your registered domain, which you then install locally, and move the remainder of the client connect problem over to name resolution.
You could of course use the certificate installed on your hosting company site for the local server instead. However, you'd then have to keep changing local name services each time you wanted to reach the real hosting company site.
Alternatively, you could go down the route of creating your own Certificate Authority (using OpenSSL say) and issuing your own site certificate. You've then got the problem of getting that CA certificate trusted in each of your local client devices. Easy to do with Windows and Linux, but more of a challenge with mobile devices.
Looking to the name resolution side, all clients check a local hosts file before trying DNS, so you could simply add an entry to the local hosts file on each client, for your local Raspberry PI development server. Again, easy to do with Windows and Linux, but more difficult with mobile devices. Indeed, unless the device is rooted, you'll be limited to using some workaround based on a local VPN service - there are a number of apps out there that claim to provide this capability, such as DNSCloak, but I've no experience of them.
Alternatively, rather than tweaking each local network client, you could set up your own DNS intercept service, and my choice would be to go for PiHole on another Raspberry PI. There are plenty of documents out there on how to set this up, including how to support local entries. Once filtered, the PiHole passes requests to an upstream DNS resolver (defaults to Google - https://docs.pi-hole.net/guides/dns/upstream-dns-providers).
If your router doesn't let you specify the DNS resolvers (increasingly ISP provided routers don't), you can always use PiHole DHCP services for your clients, and turn off DHCP in your router. Indeed, I would do this by default, since you can then set failover DNS resolvers to be your ISP (or whoever else you choose), and that gives you some service resilience should your PiHole server go down.
Yes, it's another device that you'd need to keep powered up for your network, but overall it's a small price to pay, and definitely provides the most flexible solution with no local client intervention (apart from possible local certificate stores, depending on which way you go with the site certificate).
Good luck, whatever solution you choose, and report back to let Apache Lounge users know how you get on.
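The "own Certificate Authority with OpenSSL" route from the reply above, written out as an added example (editor's code, not from the thread or from Apache Lounge). It builds a CA, issues a server certificate for the Pi, and verifies the result the way a browser would. The names are assumptions: the CA is called "Home Dev CA", the Pi is mypwa.home.arpa (home.arpa is the RFC 8375 name reserved for home networks) at 192.168.1.50. Two points the reply only hints at: browsers match the requested name against the Subject Alternative Name, not the CN, so the LAN name (and, if you want to browse by address, the IP) must be in the SAN; and the CA private key is the thing to protect, so generate it on a workstation, distribute only ca.crt to the clients, and copy just server.crt and server.key to the Pi for Apache's SSLCertificateFile and SSLCertificateKeyFile.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA for LAN-only HTTPS using the
# OpenSSL command line. Assumed names: CA "Home Dev CA", host mypwa.home.arpa,
# Pi address 192.168.1.50. Requires OpenSSL 1.1.1 or later.
set -eu

make_dev_pki() {
  dir="$1"; host="$2"; ip="$3"
  mkdir -p "$dir"

  # Explicit config files so the result does not depend on the system openssl.cnf.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Home Dev CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
  # Leaf extensions: no CA bit, server auth only, and the names clients will ask
  # for go in the SAN (browsers ignore the CN for name matching).
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,IP:$ip
EOF

  # 1. CA key and self-signed CA certificate (10 years). Only ca.crt is handed out;
  #    ca.key stays on the issuing machine.
  openssl req -x509 -new -newkey rsa:3072 -nodes -days 3650 -sha256 \
    -config "$dir/ca.cnf" -extensions v3_ca \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # 2. Server key and CSR for the Pi.
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$dir/server.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

  # 3. Sign the CSR with the CA, attaching the leaf extensions. One year is plenty
  #    for a development box; reissue rather than extend.
  openssl x509 -req -sha256 -days 365 \
    -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

verify_dev_pki() {
  # What a client does: build the chain to ca.crt and match the requested
  # host name against the certificate's SAN. Exit status 0 means trusted.
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
    "$dir/server.crt" >/dev/null 2>&1
}
```

Usage: `make_dev_pki ./pki mypwa.home.arpa 192.168.1.50`, then `verify_dev_pki ./pki mypwa.home.arpa`. On each client add `192.168.1.50 mypwa.home.arpa` to the hosts file (or as a Pi-hole local DNS record) and import pki/ca.crt into the trust store; a request for any other name, or a certificate not signed by this CA, fails the same verification the browser performs.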
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Mon 08 Feb '21 15:53
I create for example app.intern.example.com on a public DNS server with an A record to an internal IP.
I create the SSL certificate via letsencrypt script with a DNS challenge.
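Why the approach above works for a host that is not reachable from the Internet, as an added example (editor's code, not from the thread): with an ACME DNS-01 challenge the CA never connects to the server, it only looks up a TXT record at _acme-challenge.<name> whose value is derived from the challenge token and the ACME account key (RFC 8555 section 8.4). The A record can therefore carry a 192.168.x.x address. The script shows that derivation and the two public records involved; app.intern.example.com is the name from the reply, 192.168.1.50 and the token and thumbprint strings are constructed. Two caveats a practitioner should know: the issued certificate, and with it the internal host name, is published in the public Certificate Transparency logs, and some resolvers with DNS rebinding protection (dnsmasq's stop-dns-rebind, which Pi-hole exposes as an option) refuse public answers that contain private addresses, so clients behind such a resolver will not get the A record.

```shell
#!/bin/sh
# Added example (not from the thread): what an ACME DNS-01 challenge proves and the
# two public records a LAN-only host needs. Constructed values only; requires openssl.
set -eu

b64url_sha256() {
  # base64url(SHA-256(arg)) with the '=' padding stripped, as ACME encodes it.
  printf '%s' "$1" | openssl dgst -sha256 -binary | openssl base64 -A \
    | tr '+/' '-_' | tr -d '='
}

dns01_txt_value() {
  # RFC 8555 section 8.4: the TXT record holds
  #   base64url(SHA-256(token "." thumbprint))
  # where thumbprint is the JWK thumbprint (RFC 7638) of the ACME account key.
  # The token comes from the CA; the account key never leaves the ACME client.
  token="$1"; thumbprint="$2"
  b64url_sha256 "$token.$thumbprint"
}

dns_records() {
  # Zone-file lines to add at the public DNS provider. The A record is what LAN
  # clients resolve (a private address is legal here); the TXT record is all the
  # CA ever looks at, so the Pi is never contacted from the Internet.
  name="$1"; lan_ip="$2"; token="$3"; thumbprint="$4"
  printf '%s. 300 IN A %s\n' "$name" "$lan_ip"
  printf '_acme-challenge.%s. 60 IN TXT "%s"\n' "$name" \
    "$(dns01_txt_value "$token" "$thumbprint")"
}

# A real run lets the client compute the value; this script only shows where it comes
# from. With certbot the manual DNS flow is:
#   certbot certonly --manual --preferred-challenges dns -d app.intern.example.com
# certbot then prints the TXT value to publish before it asks the CA to validate.
```

Usage: `dns_records app.intern.example.com 192.168.1.50 <token> <thumbprint>` prints the A record and the matching _acme-challenge TXT record. Remove or let the TXT record expire after issuance; each renewal gets a fresh token and therefore a fresh value, which is why the DNS-01 route is only convenient to automate when your DNS provider has an API the client can drive.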
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Mon 08 Feb '21 16:10
That's a neat and simple solution James.
I didn't know public DNS systems would let you add non-routable IP address entries.