HTTPS for containers
Web services running in OrbStack are accessible via HTTPS by their orb.local domain names. No setup is required; OrbStack automatically sets up a reverse proxy with a local CA and TLS certificates for each domain.
This removes the need to generate, install, and trust self-signed certificates manually and configure a reverse proxy for each service, which can easily take hours.
Simply visit https://orb.local to get started in under 5 seconds. OrbStack will automatically ask to install the certificate on first use.
Between containers
OrbStack automatically adds the OrbStack root CA certificate to containers, so you can use orb.local
domains between containers seamlessly without disabling certificate verification.
To disable this behavior, set the dev.orbstack.add-ca-certificates
label to false
.
Firefox
If you're on Firefox 119 or older, certificates added to the macOS system keychain are ignored by default, so OrbStack's certificate won't be trusted. To fix this:
- Visit about:config
- Dismiss the warning ("Accept the Risk") if necessary
- Set
security.enterprise_roots.enabled
totrue
No restart is necessary for the setting to take effect.
Security
OrbStack's HTTPS implementation is one of the most secure ways to develop locally. Due to the sensitive nature of the root CA, private keys are only stored in encrypted keychain storage and in memory. Keys are never stored unencrypted on disk, unlike most alternatives.
Redirect port 443
If you want to run your own HTTPS server without using our proxy, listen on port 443
or 8443
.
Alternatively, you can use the https-port
label to redirect port 443 to any port:
docker run --rm -l dev.orbstack.https-port=8443 nginx
docker run --rm -l dev.orbstack.https-port=8443 nginx
Or with Compose:
services:
nginx:
image: nginx
labels:
- dev.orbstack.https-port=8443
services:
nginx:
image: nginx
labels:
- dev.orbstack.https-port=8443