3 minutes, 14 seconds
Hey hey! I’d been meaning to consolidate some of my VMs I’m paying for and semi-accidentally deleted the place where I was hosting my work’s instance of Keys-To-The-Tunnel (KTTT). With this VM deletion, I decided to leverage my recent dabblings with Caddy and do a big refactor of KTTT by replacing Apache with Caddy.
As a reminder, KTTT is an easy way for an organization which both develops web apps and uses GitHub to share their local dev app on the internet via a publicly accessible URL all protected with solid TLS and SSH encryption.
Let’s dive into what the update means and why I did it!
Parenthetical aside about TLS for local Android development
Originally I asked if potential KTTT users :
ever need to test an Android application against a web server such that you need a valid TLS certificate?
Not so good idea on my original KTTT post
This is actually a bad idea if all you need is a valid TLS cert for Android testing. The reason is that you’ll literally be holding your phone in your hand which is less than a foot from the computer hosting your app you want to test against. By introducing KTTT into the mix, you send your traffic thousands of miles/kilometers (you pick which) and back just to get a TLS cert. Crazy times!
A much better approach is to use something like local-ip.co . If you want an easy way to keep your traffic entirely local, you can use nginx-local-ip with a one line docker compose call to set up everything you need to locally run a local-ip.co TLS. It’s a really sweet set up! (I’m biased because I help author some of it ;)
KTTT is still a great idea if you need to share your local dev environment though!
With that out of the way, back to KTTT updates…
What’s new with KTTT
For an end user of KTTT who just wants to share their app, it’s now WAY easier to figure out which SSH command to run and which URL to share. This is thanks to the handy web app which walks you through three easy questions:
- What is your GitHub Username?
- What port is your app running on locally?
- Is your local app using
httporhttps?
This is MUCH better than wading through a list of random ports and other GitHub usernames which you only cared about your username and port. Here’s what the updated web app looks like in action (15 second video):
For the administrators of KTTT, you’ll note that KTTT now uses Caddy instead of Apache. While there’s nothing wrong with Apache, Caddy is a simpler take on the needs of an app like KTTT that requires a bunch of small reverse proxies. Caddy is 7 years old and came to being in the world of Docker, containers and micro-services. Where as Apache is 27 years old and came being near the birth of world wide web.
Ironically, a key feature of Caddy, the ability to automatically provision and renew TLS certs, is NOT being used. Instead, the opportunity to use a wildcard TLS cert came up via acme-dns.io and I took it.
That all said, it’s a joy to use Caddy because I can create a simple JSON file with four lines to define a reverse proxy:
mrjones-plip.awesome-tunnel.plip.com {
tls /etc/certs/fullchain.pem /etc/certs/privkey.pem
reverse_proxy 127.0.0.1:3089
}Love it!
Putting it all together
The web app above gives a pretty good idea of the improvements, but since I added a demo video of the whole KTTT experience on GitHub, may as well post it here in case you’re curious (44 second video):
Other odds and ends in 1.1.0
There’s also a bunch of other fixes and improvments I made while in there. Here’s the notes from the 1.1.0 release:
- Replace Apache with Caddy
- Add mini web app to help devs figure which URL and SSH command to use
- Unify mutli SNI certs to one wildcard with acme-dns.io (still using Let’s Encrypt though) per #1
- Don’t overwrite existing user’s ports every time you run setup per #3
- Don’t regenerate TLS certs every time you run setup per #3
- Don’t rewrite vhosts in web server every time you run setup per #3
- Update MOTD on login per #4
- Try my hand at being an artist and create a KTTT logo
