This article explains why the BT Home Hub routers appears unable to access SSL/TLS (https) websites on your internal home network. It may interest users in the UK, where the Home Hub is a popular router/ADSL modem.
Hosting your own website(s) at home is pretty easy these days. You have a small server running Apache, and configure your router to forward port 80 to it. For SSL sites, you forward port 443. That’s about it.
Home Web Site
If you have a BT Home Hub (a Home Hub model 1,2,3,4 or 5), you may have noticed that you can’t access https (SSL) sites from within the home network. Try surfing to
and the browser just seems to hang before eventually timing out. However, it works fine from outside, eg from your office or a friend’s house. It even works from a smart phone (provided the phone is not on your own house wireless network).
Substituting your external IP address does not work either, eg. 188.8.131.52. It just fails in the same way as above:
In fact the only way to reach this site from your home network is to use the internal IP address of the web server, something like:
https://192.168.1.90 - it works !
No NAT Loopback
It’s because the BT Home Hub does not do “NAT loopback” for port 443, the SSL port. It’s not a bug, but a security feature. Surfing to https://<domainname> or https://<external ip address> goes straight to the Hub’s firewall, and isn’t allowed to return into the home network, which it would need to do for a successful connection.
NAT Loopback is also called “hairpinning” by network types. And it is a strict no-no.
Incidentally, for non-SSL traffic, the Home Hub is happy to hairpin it. Non-SSL sites (eg. http://your.domain.name) will work on the same URL from anywhere – inside or outside your home network.
Unfortunately there is no easy fix. Just a couple of workarounds:
(a) Keep two separate browser bookmarks for your SSL site. One points to the regular address, and can be used from the Internet, eg. https://your.domain.name and the other uses the local network IP address instead, eg. to https://192.168.1.90. The first will work only from the Internet, the second will work only from inside your home network. Probably the easiest.
(b) Make adjustments to the /etc/hosts file on your PC, creating sensible alias names for the alternate URLs. Windows has a hosts file too but I can’t remember where it is kept. Works better if your server internal ip (192.168.1.90 in the example above) is static and not DHCP controlled.
I would recommend option (a).