This guide sets up an HTTPS reverse proxy so that clients requiring HTTPS (e.g., Claude for PowerPoint plugin) can connect to WindsurfAPI.
- Node.js v18+
- WindsurfAPI running on
http://localhost:3003 - macOS (instructions use Homebrew; adapt for Linux)
brew install mkcertsudo mkcert -installThis adds a locally-trusted root CA to your system keychain.
Replace YOUR_LAN_IP with your actual LAN IP (find it with ipconfig getifaddr en0):
cd /path/to/WindsurfAPI
mkcert localhost 127.0.0.1 YOUR_LAN_IPExample:
mkcert localhost 127.0.0.1 192.168.50.7This creates two files (e.g., localhost+2.pem and localhost+2-key.pem). These are gitignored.
Edit https-proxy.js and update the cert/key filenames to match the generated files:
key: readFileSync('./localhost+2-key.pem'),
cert: readFileSync('./localhost+2.pem'),node https-proxy.jsOutput:
HTTPS proxy (HTTP/2 + HTTP/1.1) on https://0.0.0.0:3443 → http://127.0.0.1:3003
Local: https://localhost:3443
LAN: https://192.168.50.7:3443
| Client | Base URL |
|---|---|
| Same machine | https://localhost:3443 |
| Other PC on same Wi-Fi | https://YOUR_LAN_IP:3443 |
The other PC needs to trust your local CA:
- Find your CA cert:
mkcert -CAROOT
- Copy
rootCA.pemfrom that folder to the other PC. - Install it in the other PC's trust store:
- Windows: Double-click → Install Certificate → Local Machine → Trusted Root Certification Authorities
- macOS:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootCA.pem
Turn off the firewall or allow Node:
System Settings → Network → Firewall → Off
- Ensure WindsurfAPI is running on port 3003:
curl http://localhost:3003/health - Ensure the HTTPS proxy is running on port 3443:
curl https://localhost:3443/health - Check the proxy terminal for request logs
HTTPS_PORT=8443 TARGET_PORT=3003 node https-proxy.jsAdd to your .env for cascade reuse optimization (single-user Claude Code):
CASCADE_REUSE_BY_CALLER=1
CASCADE_POOL_MAX=1