LAN-port-scan-forbidder
Forbid untrusted webs to access localhost or LAN. An anti-scan protection 🛡️🏡
I was also curious about IPv6 non-local scopes. The spec linked in the article says
> User Agents MAY allow certain IP address blocks' address space to be overridden through administrator or user configuration. This could prove useful to protect e.g. IPv6 intranets where most IP addresses are considered public per the algorithm above, by instead configuring user agents to treat the intranet as private.
https://wicg.github.io/private-network-access/#ip-address-sp...
So aside from loopback and link-local, the only effect this will have on IPv6 is what the browser decides to do. Whether that's a manual add/remove or a look into the routing table seems unspecified.
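The administrator override described in the quoted passage, sketched as an added example (not part of the original comment and not code from the spec or any browser). The built-in block list is an abbreviated, assumed subset of the draft's table, and the intranet prefix, host addresses and function names are constructed for illustration.

```python
import ipaddress

# Abbreviated built-in blocks (assumed subset, not the draft's full table).
BUILTIN_BLOCKS = [
    ("::1/128", "local"),          # IPv6 loopback
    ("127.0.0.0/8", "local"),      # IPv4 loopback
    ("fe80::/10", "private"),      # IPv6 link-local
    ("fc00::/7", "private"),       # IPv6 unique local
    ("10.0.0.0/8", "private"),
    ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"),
    ("169.254.0.0/16", "private"),  # IPv4 link-local
]
PRIVACY = {"public": 0, "private": 1, "local": 2}  # higher = more private

# Constructed admin override: a globally routable prefix used as an intranet.
OVERRIDES = [("2001:db8:10::/48", "private")]


def address_space(addr, overrides=()):
    """Return 'local', 'private' or 'public' for one IP address string."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address is classified by its embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Overrides are consulted first so configuration wins over the defaults.
    for table in (overrides, BUILTIN_BLOCKS):
        for cidr, space in table:
            net = ipaddress.ip_network(cidr)
            if ip.version == net.version and ip in net:
                return space
    return "public"  # everything unlisted, including most IPv6 intranets


def is_private_network_request(initiator, target, overrides=()):
    """True when the target's address space is more private than the initiator's."""
    return (PRIVACY[address_space(target, overrides)]
            > PRIVACY[address_space(initiator, overrides)])


if __name__ == "__main__":
    site, host = "2001:db8:ffff::80", "2001:db8:10::5"  # constructed addresses
    for label, ov in (("default", ()), ("with override", OVERRIDES)):
        print(label, address_space(host, ov),
              is_private_network_request(site, host, ov))
```

Without the override both addresses fall in the public space, so a request from the site to the intranet host is not treated as a private network request at all.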
Assuming you are working on the dev machine, the process is as follows:
1. Buy a domain name. Certificates can only be issued if you have a real domain name. You can't get a certificate for "localhost" or "blah.localhost". You don't actually need to point this domain at your dev machine, you just need to own it. Let's call this domain "my-domain.com"
2. Follow the instructions for setting up the DNS-01 challenge. As a part of this, you'll need to provide credentials to allow LE to change your DNS records so it can renew the certificate automatically. Most registrars you can buy domains from will provide free DNS service and many will also provide API access to change DNS records. If this is the case, there's probably already support in LE for setup so you can just follow the instructions [here](https://github.com/acmesh-official/acme.sh/wiki/dnsapi) to provide the needed credentials.
3. Once the setup is complete, you should have a certificate (public certificate chain + private key) issued by LE and it should also automatically renew. Edit your dev server's configuration to use these issued files for HTTPS.
4. Add something in /etc/hosts (or equivalent in Windows) like:
> No chance at all of most people being able to do that today.
http://neocities.org seems fine for this purpose?
> Since there's still no mdns (resolution of .local domains) in android nor in chromium despite long standing feature requests…
If you run your own DNS resolver for your local network, you can use a Discovery Proxy (RFC 8766) to allow unicast DNS resolution of multicast DNS records. I'm using mdns-discovery-proxy[0] (slightly modified to support a newer version of the zeroconf Python library) with a forward-only zone rule in bind9 so that xyz.local is mirrored in unicast DNS as xyz.home.arpa. The latter address will work for any program on the network regardless of mDNS support.
[0] https://github.com/nybble41/mdns-discovery-proxy