Skip to content

HTTPS for containers

Web services running in OrbStack are accessible via HTTPS by their orb.local domain names. No setup is required; OrbStack automatically sets up a reverse proxy with a local CA and TLS certificates for each domain.

This removes the need to generate, install, and trust self-signed certificates manually and configure a reverse proxy for each service, which can easily take hours.

Simply visit https://orb.local to get started in under 5 seconds. OrbStack will automatically ask to install the certificate on first use.

HTTPS connection to OrbStack domain

Firefox

If you're on Firefox 119 or older, certificates added to the macOS system keychain are ignored by default, so OrbStack's certificate won't be trusted. To fix this:

  1. Visit about:config
  2. Dismiss the warning ("Accept the Risk") if necessary
  3. Set security.enterprise_roots.enabled to true

Firefox about:config

No restart is necessary for the setting to take effect.

Security

OrbStack's HTTPS implementation is one of the most secure ways to develop locally. Due to the sensitive nature of the root CA, private keys are only stored in encrypted keychain storage and in memory. Keys are never stored unencrypted on disk, unlike most alternatives.

Redirect port 443

If you want to run your own HTTPS server without using our proxy, listen on port 443 or 8443.

Alternatively, you can use the https-port label to redirect port 443 to any port:

bash
docker run --rm -l dev.orbstack.https-port=8443 nginx
docker run --rm -l dev.orbstack.https-port=8443 nginx

Or with Compose:

yaml
services:
  nginx:
    image: nginx
    labels:
      - dev.orbstack.https-port=8443
services:
  nginx:
    image: nginx
    labels:
      - dev.orbstack.https-port=8443