HTTPS for the masses, or, Secure All The Things

Remember that post where I showed you how to easily run https on your local development server? Well, it just got easier.

Here is the full recipe, from raw ingredients to delicious baked https. Ready for the masses.

1: Download mkcert

All that boring and error-prone mucking with certificates got automated into a single command. What’s not to love? Head on over to mkcert and follow the installation instructions. I chose to download the binary (on Linux):

mkdir -p $HOME/.local/mkcert
wget -P $HOME/.local/mkcert \
  https://github.com/FiloSottile/mkcert/releases/download/v1.4.0/mkcert-v1.4.0-linux-amd64
chmod +x $HOME/.local/mkcert/mkcert-v1.4.0-linux-amd64
ln -s -t $HOME/.local/mkcert/mkcert-v1.4.0-linux-amd64 $HOME/.local/bin/mkcert

I have $HOME/.local/bin in my PATH, and so should you.

2: Generate the Certificate Authority

We need an additional package to insert the certificates into Chrome:

sudo apt install libnss3-tools

Then, magic:

cd $HOME
mkcert -install

3: Generate key and certificate files

Your local webserver needs these.

Also magic:

mkcert example.local

Bonus: Rails using NGINX with Passenger

As all the hard work has been away from us, there is now room for me to show you how I like to run things locally.

  • Using Virtual Hosts
  • NGINX as the web server
  • Passenger to run the application
  • As neat and organized as possible

It goes a little something like this.

4: Install NGINX

sudo apt-get install nginx

You can use Apache if you want too. If you already have Apache running locally, stop reading now and use that instead.

5: Install Passenger

Taken verbatim from the documentation

sudo apt-get install dirmngr gnupg

sudo apt-key adv \
  --keyserver hkp://keyserver.ubuntu.com:80 \
  --recv-keys 561F9B9CAC40B2F7

sudo apt-get install -y apt-transport-https ca-certificates

sudo sh -c \
  'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger bionic main > /etc/apt/sources.list.d/passenger.list'

sudo apt-get update

sudo apt-get install -y libnginx-mod-http-passenger

if [ ! -f /etc/nginx/modules-enabled/50-mod-http-passenger.conf ]; then sudo ln -s /usr/share/nginx/modules-available/mod-http-passenger.load /etc/nginx/modules-enabled/50-mod-http-passenger.conf ; fi

sudo service nginx restart

6: Add a Virtual Host

Say we want to start developing example.local. I like to use .local as a convention, but you can go crazy with the name.

Create a file called /etc/nginx/sites-available/example.local with these contents:

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        ssl_certificate certs/example.local.pem;
        ssl_certificate_key certs/example.local-key.pem;

        root /var/example.local/public;

        server_name example.local;

        passenger_enabled on;
        passenger_ruby /path/to/.rvm/wrappers/ruby-2.5.1/ruby;
        passenger_sticky_sessions on;
        passenger_app_env development;
}

The paths to root and passenger_ruby will be different for you.

7: DNS

Instead of wrestling dnsmasq or other DNS software, I manually add the hostname I want to /etc/hosts. Has worked since the seventies, will probably still work until the end of time.

127.0.0.1 localhost example.local

8: Take her for a spin

Enable the virtual host:

cd /etc/nginx/sites-enabled
ln -s ../sites-available/example.local
sudo service nginx restart

Restart chrome and visit https://example.local (fingers crossed).