Clarification and Enhancement Request: HTTPS Services with Reserved Domains

Hello,

Thank you for providing such a versatile tool! I have been using LocalXpose successfully to expose services over the internet with reserved domains. However, I’ve encountered some challenges when exposing HTTPS services, and I would appreciate clarification or guidance to ensure I am using the tool correctly.

Observed Behavior:

  1. When exposing an HTTP service (e.g., via type: http), LocalXpose correctly issues a Let's Encrypt certificate for the reserved domain, ensuring a secure connection for external clients.

  2. For HTTPS services (e.g., Proxmox) configured with type: tls, the internal service's certificate is passed directly to the client instead of issuing a Let's Encrypt certificate for the reserved domain.

This results in certificate warnings (e.g., NET::ERR_CERT_COMMON_NAME_INVALID) for external clients, as the internal service's certificate is either self-signed or does not match the reserved domain.

My Expectations:

I had anticipated that LocalXpose would handle HTTPS services in a similar manner to HTTP services:

  • Terminating the TLS connection externally with a valid Let's Encrypt certificate for the reserved domain.

  • Establishing a secure connection to the internal HTTPS service, with an option to either validate or bypass the internal certificate.

Use Case:

I am using LocalXpose to expose Proxmox, which runs internally with HTTPS and a self-signed certificate. Ideally, I would like external clients to access proxmox.home.example.com without encountering certificate warnings, while maintaining the security of the internal connection.

Here is the relevant configuration I am using in config.yaml:

proxmox:
  type: tls
  to: 192.168.5.10:8006
  region: eu
  reserved_domain: proxmox.home.example.com

Questions and Suggestions:

  1. Clarification: Is there a recommended way to expose HTTPS services with reserved domains, ensuring that external clients receive valid Let's Encrypt certificates while maintaining internal HTTPS connections?

  2. Plugin Inquiry: Is there currently a plugin or configuration, such as tls_skip_verify, that would allow LocalXpose to bypass validation of internal HTTPS certificates for self-signed services? If not, would it be possible to introduce this functionality?

  3. Enhancement Suggestion: If the above options are not feasible, would it be possible to add:

    • External HTTPS termination with Let's Encrypt certificates for reserved domains.

    • Internal connection flexibility, including bypassing self-signed certificate validation, for services running on HTTPS.

Additional Details:

  • HTTP services work seamlessly with Let's Encrypt certificates and reserved domains.

  • SSH tunneling also functions perfectly and integrates well with reserved domains.

  • This issue is specific to HTTPS services, where the internal certificate is being passed through instead of issuing a Let's Encrypt certificate for the reserved domain.

Thank you for taking the time to review this request. Please let me know if I’ve missed any steps or configurations that would resolve this. I appreciate your support and look forward to your response.

Best regards,
Chris
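
For the internal-connection option asked about above, an added Go example (not LocalXpose code or configuration, and not part of the original request) of a terminating reverse proxy that pins the backend's self-signed certificate by SHA-256 fingerprint rather than skipping verification outright. `pinnedProxy` and `statusVia` are hypothetical names, and the backend is a throwaway local test server standing in for the internal service. The client-facing listener is plain HTTP here; serving a publicly trusted certificate on that side is outside the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// pinnedProxy forwards to an HTTPS backend only if its leaf certificate's SHA-256 (over DER) equals pin.
func pinnedProxy(backend *url.URL, pin [32]byte) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(backend)
	p.Transport = &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: true, // chain and hostname checks off; the pin below replaces them
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 || sha256.Sum256(raw[0]) != pin {
				return errors.New("backend certificate does not match pin")
			}
			return nil
		},
	}}
	return p
}

// statusVia fronts a constructed self-signed HTTPS backend with pinnedProxy and returns the client-visible status.
func statusVia(correctPin bool) int {
	backend := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	defer backend.Close()
	pin := sha256.Sum256(backend.Certificate().Raw)
	if !correctPin {
		pin[0] ^= 0xff // constructed mismatch: simulates a swapped backend certificate
	}
	u, _ := url.Parse(backend.URL)
	front := httptest.NewServer(pinnedProxy(u, pin))
	defer front.Close()
	resp, err := http.Get(front.URL)
	if err != nil {
		return 0
	}
	defer resp.Body.Close()
	return resp.StatusCode
}

func main() { fmt.Println(statusVia(true), statusVia(false)) }
```

A mismatched pin reaches the client as 502 Bad Gateway from the proxy, so a changed backend certificate fails closed instead of being silently accepted.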