BT Home Hub Cannot Access SSL Website

This article explains why the BT Home Hub routers appears unable to access SSL/TLS (https) websites on your internal home network.  It may interest users in the UK, where the Home Hub is a popular router/ADSL modem.

Hosting your own website(s) at home is pretty easy these days.  You have a small server running Apache, and configure your router to forward port 80 to it.  For SSL sites, you forward port 443.  That’s about it.

Home Web Site

If you have a BT Home Hub (a Home Hub model 1,2,3,4 or 5), you may have noticed that you can’t access https (SSL) sites from within the home network. Try surfing to

https://your.domain.name

and the browser just seems to hang before eventually timing out.  However, it works fine from outside, eg from your office or a friend’s house.  It even works from a smart phone (provided the phone is not on your own house wireless network).

Substituting your external IP address does not work either, eg. 123.123.123.123. It just fails in the same way as above:

https://123.123.123.123

Workaround

In fact the only way to reach this site from your home network is to use the internal IP address of the web server, something like:

https://192.168.1.90  - it works !

No NAT Loopback

It’s because the BT Home Hub does not do “NAT loopback” for port 443, the SSL port.  It’s not a bug, but a security feature.  Surfing to https://<domainname> or https://<external ip address> goes straight to the Hub’s firewall, and isn’t allowed to return into the home network, which it would need to do for a successful connection.

NAT Loopback is also called “hairpinning” by network types.  And it is a strict no-no.

Incidentally, for non-SSL traffic, the Home Hub is happy to hairpin it. Non-SSL sites (eg. http://your.domain.name) will work on the same URL from anywhere – inside or outside your home network.

Bookmark it

Unfortunately there is no easy fix.  Just a couple of workarounds:

(a) Keep two separate browser bookmarks for your SSL site. One points to the regular address, and can be used from the Internet, eg. https://your.domain.name and the other uses the local network IP address instead, eg. to https://192.168.1.90. The first will work only from the Internet, the second will work only from inside your home network.  Probably the easiest.

and/or:

(b) Make adjustments to the /etc/hosts file on your PC, creating sensible alias names for the alternate URLs.  Windows has a hosts file too but I can’t remember where it is kept.  Works better if your server internal ip (192.168.1.90 in the example above) is static and not DHCP controlled.

I would recommend option (a).

4 thoughts on “BT Home Hub Cannot Access SSL Website

  1. Excellent info. I had this very problem. Really makes it hard when setting up an SSL site at home. I couldn’t work out what I had done wrong when the page wasn’t displaying in a browser. Worked fine on my works computer. Had a suspicion it was loopback. Will set up the SSL again on my site and give option (a) a try.

    Thanks again,

    Dave

  2. Thanks, I thought it was some kind of DNS problem for ages before coming across this “hairpinning” restriction thing. Glad it helped.

  3. Hi. Thanks for this. My problem is that I use Alexa and my skill’s Service Endpoint is within my network. On the Amazon Developer site I cannot put in my full domain because it doesn’t work (i presume for the reasons mentioned above) and my local IP address doesn’t work either because I presume it’s resolved from Amazon and not my Dot. So, at the moment, Alexa is slightly less useful….. 🙁 Unless anyone comes up with a new idea? Cheers, Don

    • Hi Don. I a not sure what Alexa is, or “Service Endpoint” or “Amazon Developer”. so can’t help much. However, since writing the above article I have noticed that BT now DOES allow https hairpinning. Whether this is a change in BT policy, or a update to the router I am not certain, but to repeat: https hairpinning now does seem to work, making the whole article above rather out of date.

Leave a Reply

Your email address will not be published. Required fields are marked *