Run dev as HTTPS

[jmakeig]

Pages behave differently in subtle ways when you serve them over HTTPS versus HTTP. Because most apps will eventually be deployed as HTTPS, it’s helpful to configure all of your development and test environments with HTTPS as well.

This is all possible today. However, it requires an extra lift to generate keys and an even a potentially more complicated process to get self-signed keys to be automatically trusted by the browser. There are several ways to do this with various not-so-attractive tradeoffs.

I’ve got a PoC working on my local development environment of the fewest moving parts that I’ve come across. It uses mkcert to generate keys for localhost (or any other hostname) using a trusted certificate authority that it also creates. It’s not yet production ready because it relies on a prerelease version of livereload to open the WebSocket over HTTPS as well.

This issue is mostly to judge whether there’s interest in this. If so, I could put together a PR, and probably queue that up for after livereload@1.0.0 is released.

[antony]

@jmakeig oddly enough a lot of production sites run as HTTP, and then offload certificate handling and SSL to a router / webserver / gateway at the edge.

I think running in HTTPS is out of scope for this template, and IMHO out of scope for this very simplistic template.

However, I have seen this question asked a few times, and I know that using Facebook SSO locally requires running in HTTPS mode (albeit briefly), so I would strongly encourage you ro, rather than open a PR here, create a recipe over at https://github.com/svelte-society/recipes-mvp where we are building a repository of useful things like this.

[TJKoury]

@antony I would ask to reconsider, since this is the template that Svelte recommends on the homepage. There are at least two immediate, basic use cases need that need https out of the box:

1. Using an https enabled CDN for hosted assets
2. Developing Service Workers

[frederikhors]

@TJKoury I think @antony is right!

[pngwn]

@TJKoury Service workers work locally even without HTTPS.

[TJKoury]

@pngwn True, if you are developing on localhost, but I use a hosts file for local network development.

[lukeed]

IMO: if you're willing to go through the trouble to setup a hosts file, then you're capable/willing to setup your own localhost certificates. We certainly can't scaffold that for all users with all cases – it'd raise more issues that are entirely system-dependent.

If you plop in sirv-cli@next, you can easily pass your own key/cert and get going with a HTTPS/2 server if you don't already have one. You just need to pass the paths as flags.

This will be marked and published as 1.0 this week. Everything looking good.

[TJKoury]

@lukeed I did try sirv-cli@next, would recommend this be the default behavior. It would be easy enough to add the options as flags in the serve method in the rollup config.

[lukeed]

I'm sure this template will update, but I don't think it will start a HTTP/2 server by default. At best we can provide instructions as to how to generate a valid certificate chain and how to use it. It'd be an easy, quick guide – but as mentioned, we can't provide a one-size-fits-all solution out of the box. There are too many system-level variables.

[TJKoury]

Sounds reasonable. Thanks for the consideration.

…

On Mon, Jun 8, 2020 at 3:30 PM Luke Edwards ***@***.***> wrote: I'm sure this template will update, but I don't think it will start a HTTP/2 server by default. At *best* we can provide instructions as to how to generate a valid certificate chain and how to use it. It'd be an easy, quick guide – but as mentioned, we can't provide a one-size-fits-all solution out of the box. There are too many system-level variables. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#128 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAFW4KFXN64C6F5ZKRMDG4LRVU34DANCNFSM4MZCWAFA> .

[jmakeig]

jmakeig/markdown-annotations-svelte@07d0b65...413b065

The link in the original comment shows the changes that I made in my project to support HTTP/2 and HTTPS. They would be easy to add to the default template. This thread is more of a “Should we?” question than “How?”