Replies: 2 comments 1 reply
-
There is: NixOS/nixpkgs#112322 of potential corollary relevance and inspirational resourcefulness.
-
I found this, not sure if it works tl;dr:
-
Related to #74 and #75.
This is not directly a responsibility of devshell but is related to making a comfortable development environment.
Oftentimes, developers want to be able to test one or more services locally, with HTTPS enabled, in order to replicate the production environment as much as possible. This ticket contains some notes on what I think is the ideal setup.
Localhost HTTPS interface
We need the cooperation of the host on two fronts:
*.test TLD for localhost
The .test TLD is reserved and is therefore guaranteed to never be clashing with external domains. https://en.wikipedia.org/wiki/.test
The developer can either edit their /etc/hosts, or have a local DNS resolver that maps all the *.test domains to localhost.
Open question: how to handle port-mapping so that multiple services can bind? On Linux, 127.X.X.X is all reserved for localhost so each service could technically get their own IPs. Maybe we can use a dictionary to IP mapping or something like that.
Let's Encrypt for localhost
Ideally, a localhost service is running that talks ACME protocol.
The CA public certificate would be installed in the computer's trust cert.
The CA private certificate is installed in the ACME service and used to issue new certificates.
The services themselves would query the ACME protocol to acquire new certs and use http01 for validation.
Ideally, the CA can be pinned so it can only issue certs for the .test top-level. That way if the private certificate gets leaked, the impact would still be limited.
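The post's last point, a CA that can only issue for .test, corresponds to the X.509 Name Constraints extension. The script below is an added example, not part of the original discussion or of devshell, using the openssl CLI; the file names, subject names and lifetimes are constructed. It shows that the limit is enforced at verification time: the CA key will sign any name, but a verifier that trusts this CA rejects a leaf outside .test.

```shell
#!/bin/sh
# Added example: a dev CA limited to .test by X.509 Name Constraints.
# Paths, subjects and lifetimes are constructed values for illustration.

make_ca() {  # $1 = working directory
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local dev CA
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
# Critical: a verifier that cannot process the constraint must reject the chain.
nameConstraints = critical,permitted;DNS:test
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key" &&
  openssl req -new -x509 -config "$1/ca.cnf" -key "$1/ca.key" \
    -days 30 -out "$1/ca.crt"
}

issue_leaf() {  # $1 = working directory, $2 = DNS name for the certificate
  # The signer does not check the name; only verifiers apply the constraint.
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext" &&
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" &&
  openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -subj "/CN=$2" \
    -out "$1/$2.csr" &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 7 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

verify_leaf() {  # $1 = working directory, $2 = DNS name; status 0 if chain is valid
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Demo: one name inside the permitted subtree, one outside it.
dir=$(mktemp -d) && make_ca "$dir" &&
for name in app.test example.com; do
  issue_leaf "$dir" "$name" &&
  if verify_leaf "$dir" "$name"; then echo "$name: accepted"
  else echo "$name: rejected by verifier"; fi
done
```

Only `ca.crt` would go into the machine's trust store; `ca.key` stays with whatever service issues certificates.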