Http Who? Securing my offline network requests for Xcode's Simulator

  • Writer: Morris Richman
  • Apr 29

Updated: 4 days ago

I have an issue. Or rather, I had an issue. As I write this I am at DeepDishSwift, a wonderful and amazing indie developer conference for Apple platforms. The pizza is also great, but the Wi-Fi is not.


BUT, I still have work to do. Currently, I am writing a new backend for an app of mine and without wifi, it became difficult to test my API. Previously, I tried a couple things:


  1. I tried deploying to my test server offsite, but that takes a while to compile the docker container, so I tried to drop that.

  2. Next, I tried to set up a tunnel with Ngrok.


The Common Issue

Both of these solutions, and the other ideas I could find online, were based on one of two flawed options:


The easy solution would be to create an exception in my app to allow HTTP requests to localhost. Unfortunately, if I forgot to disable it before pushing my app to production, it would have a pretty decent security flaw.
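A release-time guard against the forgotten exception described above, as an added example that is not part of the original post: it parses an app's Info.plist and lists every App Transport Security setting that lets connections skip HTTPS. The two sample plists and the bundle identifier are constructed; the ATS key names are Apple's.

```python
import plistlib
import sys
from pathlib import Path

# ATS keys that switch off HTTPS enforcement for a class of connections when true.
GLOBAL_RELAXATIONS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)


def ats_findings(plist_bytes):
    """Return one finding per ATS setting that permits non-HTTPS loads."""
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    ats = info.get("NSAppTransportSecurity") or {}
    findings = [f"{key} is enabled" for key in GLOBAL_RELAXATIONS
                if ats.get(key) is True]
    # Per-domain exceptions, e.g. the localhost one the post warns about.
    for domain, rules in (ats.get("NSExceptionDomains") or {}).items():
        if isinstance(rules, dict) and rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads is enabled")
    return findings


# Constructed sample: the "easy" localhost exception left in the plist.
SAMPLE_WITH_EXCEPTION = plistlib.dumps({
    "CFBundleIdentifier": "com.example.app",
    "NSAppTransportSecurity": {
        "NSExceptionDomains": {
            "localhost": {"NSExceptionAllowsInsecureHTTPLoads": True},
        },
    },
})
# Constructed sample: no ATS overrides, which is what the HTTPS proxy allows.
SAMPLE_CLEAN = plistlib.dumps({"CFBundleIdentifier": "com.example.app"})

if __name__ == "__main__":
    # Usage: python ats_check.py path/to/Info.plist
    # A non-zero exit status fails the release build step.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_WITH_EXCEPTION
    problems = ats_findings(data)
    for problem in problems:
        print("ATS exception:", problem)
    sys.exit(1 if problems else 0)
```

Run it against the Info.plist inside the built .app for release configurations, since build settings can rewrite the source plist.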


So instead of doing this, I decided to try and create an entirely offline network tunnel to make localhost support SSL. Luckily, it was easier than I imagined, and a bit over 20 minutes later, I was done!


The Setup


Installing Dependencies

To make this happen, you don't need to install much software, but it is easiest with Homebrew and some form of NPM. Before we continue, you only need two small command-line tools: local-ssl-proxy and Minica. You can install them with the following commands:

brew install minica
npm install -g local-ssl-proxy

Creating a Working Directory

To create our working directory, I recommend creating a new folder in your home folder and cd-ing into it (this is what I did):

cd ~/
mkdir localhost-ssl
cd localhost-ssl

Actually Creating the Proxy (The Important Stuff)

You have now installed local-ssl-proxy and Minica, and made a working directory and cd-ed into it. Now it is time to finally create the proxy.


Creating a Self-Signed Certificate

I am not going to go much into how SSL and certificates work. If you want to learn about that, Cloudflare made an amazing web page explaining it all and you can find it here.


For our purposes, we cannot get any kind of authority to sign the certificate, because issuing a certificate for localhost to whoever wanted one could be a massive security issue. Instead, we have to sign it ourselves and trust it.


We are going to use Minica to create the certificates we need, which start out untrusted. All we need to run is:

minica --domains localhost

Now, you will see a subfolder called localhost. We can safely ignore that for now; it will be used for the actual proxy later. Before we can use those certificates, we need to trust the root authority that signed them.


Trusting the Signing Authority for macOS

Trusting the signing authority is super simple but can be slightly scary. First you have to add minica.pem to your keychain. To do this, open the Keychain Access app, select your login keychain, and drag the file in.





Now the root certificate is in your keychain, but your system still doesn't trust it. To trust it, double-click the certificate and expand the Trust section. Next, change SSL and IP Security to "Always Trust".

Unfortunately, this will not take effect until you close the window, at which point you will be prompted for administrative authentication to make the change. After that it will update, but you may need to clear the search and search for it again to see the change to "marked as trusted."


Trusting the Signing Authority for Xcode's Simulator

Unfortunately, I have not found a blanket way to do this for the simulator, so the steps I am about to share with you must be done for each individual simulator you test on. Luckily, it is super easy!


Open up the simulator, and drag the same root file (minica.pem) into the simulator. You won't see any popup, but that is alright. To check that the certificate was installed correctly, open the Settings app in the simulator, and go to General, then About, then Certificate Trust Settings.


If Minica is listed there, it means that the installation was successful and you can now proceed to using the proxy.


Starting the Proxy

After all of your setup, this should be a very easy thing to do. If everything is configured correctly, you can run the following command (changing port numbers and file locations as needed):

local-ssl-proxy --source 8081 --target 8080 --key ~/localhost-ssl/localhost/key.pem --cert ~/localhost-ssl/localhost/cert.pem

For my own use, I made this complicated command a simple one by creating an alias. To do this, just add this line to ~/.zprofile:

alias <command-name>='local-ssl-proxy --source 8081 --target 8080 --key ~/localhost-ssl/localhost/key.pem --cert ~/localhost-ssl/localhost/cert.pem'

(Replacing <command-name> with the desired command you would run)


Conclusion

Congratulations! If you did this all correctly, you have a local SSL connection that does not depend on the internet while allowing you to safely and easily develop your backend locally.


Personally, I plan to use this setup indefinitely for times I am not testing remote database and server integrations in ways that require an actual internet connection.


Happy Coding!


Got Questions?


DM or Tweet at me: @morrisinlife

 
 
A Special Thanks to Zack Simmonsen for Designing My Logo

©Mcrich™ 2022-2025
