Enable HTTPS for Local Development with Nginx Reverse Proxy and Docker
This guide shows how to generate self‑signed certificates with OpenSSL, configure Nginx as an HTTPS reverse proxy in a Docker container, install the root certificate, and adjust the hosts file so front‑end code can securely call local services during development.
Background
Our company's projects keep the front end and back end separate. When a new feature or bug requires the front‑end to call a local service, the simplest approach is to edit the hosts file so the test domain resolves to the local IP. This works for HTTP, but the test environment uses HTTPS, so the local service must also support HTTPS.
Solution
Spring Boot can serve HTTPS, but that requires code changes. Instead, use Nginx as a reverse proxy that terminates HTTPS and forwards traffic to the local HTTP service, allowing host redirection without modifying the application.
Generate Certificates
Use OpenSSL to create a root certificate and a server certificate.
Root certificate generation:
    # Generate an RSA private key
    openssl genrsa -out root.key 2048
    # Create a self-signed root certificate from that key
    openssl req -sha256 -new -x509 -days 365 -key root.key -out root.crt \
        -subj "/C=CN/ST=GD/L=SZ/O=lee/OU=work/CN=fakerRoot"
Server certificate generation:
    # Generate an RSA private key
    openssl genrsa -out server.key 2048
    # Create a certificate signing request with a SAN extension
    # (process substitution needs bash; /etc/pki/tls/openssl.cnf is the RHEL/CentOS path)
    openssl req -new \
        -sha256 \
        -key server.key \
        -subj "/C=CN/ST=GD/L=SZ/O=lee/OU=work/CN=xxx.com" \
        -reqexts SAN \
        -config <(cat /etc/pki/tls/openssl.cnf \
            <(printf "\n[SAN]\nsubjectAltName=DNS:*.xxx.com,DNS:*.test.xxx.com")) \
        -out server.csr
    # Sign the request with the root certificate
    # (openssl ca needs the CA database files named in openssl.cnf, such as index.txt and serial)
    openssl ca -in server.csr \
        -md sha256 \
        -keyfile root.key \
        -cert root.crt \
        -extensions SAN \
        -config <(cat /etc/pki/tls/openssl.cnf \
            <(printf "\n[SAN]\nsubjectAltName=DNS:xxx.com,DNS:*.test.xxx.com")) \
        -out server.crt
The three key files are root.crt (root certificate), server.key (private key), and server.crt (server certificate). The server certificate must include the test domain, otherwise browsers will flag it as insecure.
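Whether a given test hostname is covered by the certificate's SAN list can be checked before Nginx is started. The script below is an added example, not part of the original guide: it applies the browser matching rule (a wildcard stands for exactly one left-most label) to the two SAN lists used in the commands above. The function names and sample hostnames are assumptions, as is the premise that the list given to openssl ca is the one that ends up in server.crt.

```shell
#!/bin/sh
# Added example (not from the original guide): hostname-vs-SAN matching.
# A wildcard dNSName stands for exactly one left-most label.

# Return 0 if hostname $1 matches the single SAN dNSName $2.
san_entry_matches() (
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pat in
    '*.'*)
      suffix=${pat#?}                     # "*.xxx.com" -> ".xxx.com"
      case $host in
        *"$suffix") label=${host%"$suffix"} ;;
        *) return 1 ;;
      esac
      case $label in
        ''|*.*) return 1 ;;               # empty, or more than one label
        *) return 0 ;;
      esac ;;
    *) [ "$host" = "$pat" ] ;;            # no wildcard: exact match only
  esac
)

# Return 0 if hostname $1 is covered by SAN list $2, written as on the page
# or as printed by openssl, e.g. "DNS:xxx.com, DNS:*.test.xxx.com".
san_covers() (
  set -f                                  # keep "*" from globbing while splitting
  IFS=','
  for entry in $2; do
    entry=$(printf '%s' "$entry" | tr -d ' ')
    case $entry in
      DNS:*) san_entry_matches "$1" "${entry#DNS:}" && return 0 ;;
    esac
  done
  return 1
)

# SAN line of a real certificate (needs OpenSSL 1.1.1+ for -ext), for use as
#   san_covers api.test.xxx.com "$(cert_sans server.crt)"
cert_sans() { openssl x509 -in "$1" -noout -ext subjectAltName | grep 'DNS:'; }

# Constructed demo: the two SAN lists from the commands above.
CSR_SAN='DNS:*.xxx.com,DNS:*.test.xxx.com'    # given to "openssl req"
SIGN_SAN='DNS:xxx.com,DNS:*.test.xxx.com'     # given to "openssl ca"
for h in xxx.com api.xxx.com api.test.xxx.com a.b.test.xxx.com; do
  for list in "$CSR_SAN" "$SIGN_SAN"; do
    san_covers "$h" "$list" && r=covered || r='NOT covered'
    printf '%-18s %-34s %s\n' "$h" "$list" "$r"
  done
done
```

The two lists differ in their first entry, so a host such as api.xxx.com is covered by the list in the signing request but not by the list passed at signing time.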
Nginx Configuration
Run an Nginx container, mount the certificates and a custom nginx.conf:
    server {
        listen 443 ssl;
        server_name _;
        # server.crt is the certificate issued above; server.key is its private key
        ssl_certificate "/usr/local/nginx/ssl/server.crt";
        ssl_certificate_key "/usr/local/nginx/ssl/server.key";
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            # 127.0.0.1 is resolved inside the container; with the port-mapped
            # container started below, use an address where the local service
            # is reachable from the container
            proxy_pass http://127.0.0.1:3000;
            proxy_redirect off;
            proxy_http_version 1.1;
        }
    }
Start the container:
    docker run -d --name https -p 443:443 \
        -v ~/forword/ssl:/usr/local/nginx/ssl \
        -v ~/forword/config/nginx.conf:/etc/nginx/conf.d/default.conf \
        nginx
Install Root Certificate
Because the server certificate is issued by a private root that no system trusts by default, import root.crt into the OS trust store (e.g., Chrome → Settings → Advanced → Manage certificates → Trusted Root Certification Authorities → Import).
Modify Hosts
When debugging, start the local service, point the test domain to the Nginx IP in the hosts file, and the front‑end will be forwarded to the local environment over HTTPS. The browser lock icon confirms a successful deployment.
Afterword
Other approaches exist, such as using a man‑in‑the‑middle tool like Fiddler, but they are not covered here.
MaGe Linux Operations
