I’m not sure I’m doing a good job of explaining what I’m trying to solve.
The app is for end users. Your mom. Your Dad. Your nephew. So whatever solution has to require zero network configuration. So I guess I’m not understanding the suggestion for split-horizon DNS. If I understand correctly, that would only work if users configured their routers.
This is why I brought up Plex as an example. It has the same issues and it’s something a non-techie can set up.
I also don’t understand how the fact that localhost is exempt from restrictions helps. All the devices accessing the server will not be accessing localhost, they’ll be accessing ip-address-of-device. You can imagine the native software is running on some PC as 192.168.0.10 and some smartphone is on 192.168.0.12. That smartphone currently connects by going to http://192.168.0.10 but it can no longer do that because you can’t HTTPS to an IP address, only to a domain.
You then say users connect at https://internal.clientid.yourdns.com/. Where does the certificate for that come from? That’s the issue. One person is https://192.168.0.10.joe.yourdns.com/, another is https://10.0.0.12.bob.yourdns.com/, another is https://192.168.2.200.kim.yourdns.com/. All of those need different certificates because the certificate has to be served from the app and I can’t give everyone the same private certificate.
Am I misunderstanding how your suggestions work?
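The hostnames quoted in the post above (`192.168.0.10.joe.yourdns.com` and so on) embed the LAN address of the device in the name itself, so the public DNS zone can answer each name with that private address. The snippet below is an added example, not code from this thread or from any product discussed in it; it shows the resolver-side logic for such a zone, with `yourdns.com` kept as the placeholder from the post and a constructed rule, not something the thread states, that only RFC 1918 addresses are ever returned, so that a name embedding a public address cannot turn the zone into a general-purpose rebinding service.

```python
import ipaddress
import re
from typing import Optional

# Placeholder zone name taken from the post; not a real domain.
BASE_DOMAIN = "yourdns.com"

# Expected shape: <a>.<b>.<c>.<d>.<client-id>.<BASE_DOMAIN>
_NAME_RE = re.compile(
    r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\.([a-z0-9-]+)\."
    + re.escape(BASE_DOMAIN)
    + r"$"
)

# Constructed policy: only answer with RFC 1918 (private LAN) addresses.
_RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def resolve_embedded_ip(hostname: str) -> Optional[str]:
    """Return the A-record value for a hostname that embeds a private IPv4
    address, or None when the name is malformed, belongs to another zone,
    or embeds an address outside the RFC 1918 ranges."""
    m = _NAME_RE.match(hostname.lower().rstrip("."))
    if not m:
        return None
    try:
        addr = ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:
        # e.g. an octet above 255 slipped past the regex
        return None
    if not any(addr in net for net in _RFC1918):
        return None
    return str(addr)


def client_id(hostname: str) -> Optional[str]:
    """Return the per-user label (joe, bob, kim) from a well-formed name."""
    m = _NAME_RE.match(hostname.lower().rstrip("."))
    return m.group(2) if m else None


if __name__ == "__main__":
    # Constructed sample queries, including two that must be refused.
    for name in (
        "192.168.0.10.joe.yourdns.com",
        "10.0.0.12.bob.yourdns.com",
        "192.168.2.200.kim.yourdns.com",
        "8.8.8.8.joe.yourdns.com",        # public address: refused
        "192.168.0.10.joe.other.com",     # wrong zone: refused
    ):
        print(f"{name:40} -> {resolve_embedded_ip(name)}")
```

The regex only guarantees the rough shape; the `ipaddress` parse is what actually validates each octet, and the range check is the policy decision that keeps the zone from answering arbitrary addresses. Which certificate is presented for these names is a separate question that this snippet does not touch.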