HTTPS for containers ​

Web services running in OrbStack are accessible via HTTPS by their orb.local domain names. No setup is required; OrbStack automatically sets up a reverse proxy with a local CA and TLS certificates for each domain.

This removes the need to generate, install, and trust self-signed certificates manually and configure a reverse proxy for each service, which can easily take hours.

Simply visit https://orb.local to get started in under 5 seconds. OrbStack will automatically ask to install the certificate on first use.

Firefox ​

If you're on Firefox 119 or older, certificates added to the macOS system keychain are ignored by default, so OrbStack's certificate won't be trusted. To fix this:

1. Visit about:config
2. Dismiss the warning ("Accept the Risk") if necessary
3. Set security.enterprise_roots.enabled to true

No restart is necessary for the setting to take effect.

Security ​

OrbStack's HTTPS implementation is one of the most secure ways to develop locally. Due to the sensitive nature of the root CA, private keys are only stored in encrypted keychain storage and in memory. Keys are never stored unencrypted on disk, unlike most alternatives.

Redirect port 443 ​

If you want to run your own HTTPS server without using our proxy, listen on port 443 or 8443.

Alternatively, you can use the https-port label to redirect port 443 to any port:

docker run --rm -l dev.orbstack.https-port=8443 nginx

docker run --rm -l dev.orbstack.https-port=8443 nginx

Or with Compose:

services:
  nginx:
    image: nginx
    labels:
      - dev.orbstack.https-port=8443

services:
  nginx:
    image: nginx
    labels:
      - dev.orbstack.https-port=8443