How to set up a local HTTPS server on Mac with nginx and Cloudflare

Prerequisites

Your Mac has IPv6 address, test it at https://test-ipv6.com.
You own a domain name that hosted on Cloudflare.

Step 1: install nginx

Make sure you have homebrew installed, and to install nginx, run:

brew install nginx

Then start nginx with:

nginx

And run

open http://localhost:8080

To verify that nginx is up and running.

Step 2: add nginx configuration

Open the nginx config directory:

code /usr/local/etc/nginx

Create 2 new directories servers and certs (if not exists) and create a new config file 8000.example.com.conf in servers (full path /usr/local/etc/nginx/servers/example.com.conf):

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl_certificate         /usr/local/etc/nginx/certs/example.com.cert.pem;
  ssl_certificate_key     /usr/local/etc/nginx/certs/example.com.key.pem;

  server_name 8000.example.com;

  location / {
    proxy_pass http://localhost:8000;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
  }
}

Replace example.com with your domain name, and 8000 with your local HTTP service port.

Step 3: add DNS record and generate origin certificate on Cloudflare

Run ifconfig in terminal to get your IPv6 address.

You may get 2 IPv6 addresses, with "secured" and "temporary" respectively. While you can read more about the difference here: https://apple.stackexchange.com/a/371661, but in short, you can copy the "secured" one to be used in the next step.

Go to dash.cloudflare.com, and on the "DNS" tab, create a new AAAA DNS record named 8888, with the IPv6 address you got in the previous step, and keep the "Proxy status" as "Proxied".

Navigate to the "SSL/TLS" tab, make sure the encryption mode is "Full (strict)", read more about the full mode here: https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes#full

Finally, go to the "Origin Server" sub-tab, and click on the "Create Certificate" button.

Here I suggest you to select the "Certificate Validity" to be a shorter period (not the default 15 years), so later in the certificate list you can easily find the one created for local nginx server.

Step 4: Apply the certificate to nginx

Copy the "Origin Certificate" and "Private Key" to the /usr/local/etc/nginx/certs directory into new files example.com.cert.pem and example.com.key.pem respectively. Be aware that the "Private Key" won't be visible or downloadable later, so make sure you save it before you close the page.

And to reload the nginx with the new certificate, run:

nginx -s reload

Step 5: Firewall and router configuration

Make sure your Mac firewall is either off or allow port 443.
Make sure IPv6 of your Mac and port 443 is allowed on your router settings (if you have one), example:

Step 6: Test the local HTTPS server

Finally, you can start your local service on port 8000 and access it with HTTPS url https://8000.example.com.