Auto Encrypt Localhost
Adds automatic provisioning and renewal of trusted localhost TLS certificates via mkcert for development without browser security warnings in Node.js.
How it works
Before creating your HTTPS server, uses mkcert to create a local certificate authority, adds it to the various trust stores, and uses it to create locally-trusted TLS certificates that are installed in your server.
Installation
npm i @small-tech/auto-encrypt-localhost
Usage
Instructions
-
Import the module:
const AutoEncryptLocalhost = require('@small-tech/auto-encrypt-localhost')
-
Prefix your server creation code with a reference to the Auto Encrypt Localhost class:
const server = AutoEncryptLocalhost.https.createServer(…)
Example
const AutoEncryptLocalhost = require('@small-tech/auto-encrypt-localhost')
const server = AutoEncryptLocalhost.https.createServer((request, response) => {
response.end('Hello, world!')
})
server.listen(() => {
console.log('Web server is running at https://localhost')
})
PS. You can find this example in the example/ folder in the source code. Run it by typing node example
.
Note that on Linux, ports 80 and 443 require special privileges. Please see A note on Linux and the security farce that is “privileged ports”. If you just need a Node web server that handles all that and more for you (or to see how to implement privilege escalation seamlessly in your own servers, see Site.js).
Configuration
You can specify a custom settings path for your local certificate authority and certificate data to be stored in by adding the Auto Encrypt Localhost-specific settingsPath
option to the options object you pass to the Node https
server. If not specified, the default settings path (~/.small-tech.org/auto-encrypt-localhost/) is used.
Example
const AutoEncrypt = require('@small-tech/auto-encrypt-localhost')
const options = {
settingsPath: '/custom/settings/path'
}
const server = AutoEncryptLocalhost.https.createServer(options, listener)
Developer documentation
If you want to help improve Auto Encrypt Localhost or better understand how it is structured and operates, please see the developer documentation.
Like this? Fund us!
Small Technology Foundation is a tiny, independent not-for-profit.
We exist in part thanks to patronage by people like you. If you share our vision and want to support our work, please become a patron or donate to us today and help us continue to exist.
Audience
This is small technology.
If you’re evaluating this for a “startup” or an enterprise, let us save you some time: this is not the right tool for you. This tool is for individual developers to build personal web sites and apps for themselves and for others in a non-colonial manner that respects the human rights of the people who use them.
Command-line interface
Install
npm i -g @small-tech/auto-encrypt-localhost
Use
auto-encrypt-localhost
Your certificates will be created in the ~/.small-tech.org/auto-encrypt-localhost directory.
Caveats
Windows
Locally-trusted certificates do not work under Firefox. Please use Edge or Chrome on this platform. This is a mkcert limitation.
Related projects
From lower-level to higher-level:
Auto Encrypt
Adds automatic provisioning and renewal of Let’s Encrypt TLS certificates with OCSP Stapling to Node.js https servers (including Express.js, etc.)
HTTPS
A drop-in replacement for the standard Node.js HTTPS module with automatic development-time (localhost) certificates via Auto Encrypt Localhost and automatic production certificates via Auto Encrypt.
Site.js
A complete small technology tool for developing, testing, and deploying a secure static or dynamic personal web site or app with zero configuration.
A note on Linux and the security farce that is “privileged ports”
Linux has an outdated feature dating from the mainframe days that requires a process that wants to bind to ports < 1024 to have elevated privileges. While this was a security feature in the days of dumb terminals, today it is a security anti-feature. (macOS has dropped this requirement as of macOS Mojave.)
On Linux, ensure your Node process has the right to bind to so-called “privileged” ports by issuing the following command before use:
sudo setcap cap_net_bind_service=+ep $(which node)
If you are wrapping your Node app into an executable binary using a module like Nexe, you will have to ensure that every build of your app has that capability set. For an example of how we do this in Site.js, see this listing.
Help wanted
- Linux: certutil (nss) auto-installation has not been tested with yum.
- macOS: certutil (nss) auto-installation has not been tested with MacPorts.
Like this? Fund us!
Small Technology Foundation is a tiny, independent not-for-profit.
We exist in part thanks to patronage by people like you. If you share our vision and want to support our work, please become a patron or donate to us today and help us continue to exist.
Copyright
Copyright © Aral Balkan, Small Technology Foundation.
License
Auto Encrypt Localhost is released under AGPL 3.0 or later.