Add ngrok for developing locally with HTTPS

[hugomoran159]

Description

Change the documentation for developing locally with HTTPS to use ngrok.

Rationale

The existing documentation no longer works as described.

Implementation

ngrok allows a user to connect localhost to the internet for testing applications and APIs

1. Install ngrok

• brew install ngrok/ngrok/ngrok or
• npm install -g ngrok

2. Register for account - get AUTH_TOKEN

3. ngrok config add-authtoken <AUTH_TOKEN>

4. ngrok http localhost:8000 - get URL

5. In config/settings/local.py

• add ngrok domain to ALLOWED_HOSTS

• ALLOWED_HOSTS = ["localhost", "0.0.0.0", "127.0.0.1", ".ngrok-free.app"]

• add HTTPS configuration

• CSRF_TRUSTED_ORIGINS = ['https://*.ngrok-free.app']

• SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

• SESSION_COOKIE_SECURE = True

• CSRF_COOKIE_SECURE = True

ngrok URL should now serve localhost

[foarsitter]

Just curious, why do people want to develop locally with https?

[hugomoran159]

I needed to use the quickbooks production api to pull transaction data for my company. It required https otherwise it only let you use sandbox accounts which don't have any of the real data. I think a few other APIs also require https.

[browniebroke]

The existing documentation no longer works as described.

Yes, it's been like this almost since it was added (https://github.com/cookiecutter/cookiecutter-django/issues/2840). Having it in a docs was a mistake, we should either support it as first party or not. The current docs might be a good exteranl blog post, but I have no interest in maintaining it.

We had a PR sent to "fix" them #3111 but sadly it's included a lot of changes which are too out of scope...

[AksAman]

Just curious, why do people want to develop locally with https?

1. Few social auth providers only support https callback urls.
2. While working with payment gateways, most of them need a publicly accessibly https endpoint for webhooks.

[AksAman]

Though in my opinion, prefer using cloudflare tunnels as it's free and provides custom subdomain using your dns records. Makes it easier than ngrok where the subdomain keep changing on every run (on the free plan).

[foarsitter]

https://webhook.site/ can do a XHR Redirect to your localhost

Though in my opinion, prefer using cloudflare tunnels as it's free and provides custom subdomain using your dns records. Makes it easier than ngrok where the subdomain keep changing on every run (on the free plan).

Imho is the point not which tunnel to use (ngrok or cloudflare) but the configuration required for letting django accept https in combination with local development and stuff like csrf.

[Afrowave]

The existing documentation no longer works as described.

Yes, it's been like this almost since it was added (#2840). Having it in a docs was a mistake, we should either support it as first party or not. The current docs might be a good exteranl blog post, but I have no interest in maintaining it.

We had a PR sent to "fix" them #3111 but sadly it's included a lot of changes which are too out of scope...

I am sorry @browniebroke and fellow Djangonista,

I recently updated my local HTTPS set up with a mind to clean up the docs. I hope to do that until everyone is happy. I have some free time to this.

My plan is to remove the current instructions, write an blog post on my site with all the options available to Cookiecutter Django for a local HTTPS environment and link the article to the docs.

The other option is to make it a first class option. This means adding it to the project setup as an option and have it working from the get go.

What do you guys think?

[foarsitter]

If we can add https to local development that works out of the box, I think having it as a first class option would make sense. Nobody is deploying to production without https anymore these days. Having a development environment with https involved would make sense.