If you've been running local models/apps across more than one machine for any length of time, you've probably noticed that everything is served over plain HTTP. Whether it's the backend LLM APIs, the front-end sites, or whatever other stuff you've tossed in, most of it is HTTP-only out of the box, no TLS option anywhere in sight. On one machine that's usually fine since it's all loopback, but the second you spread apps across a few different computers (which some of us do), every prompt and every response starts crossing your LAN in plaintext.

Is plaintext on your own LAN a huge deal? Honestly... a lot of folks would say it's probably low risk. But the moment you've got guests, other people's phones, or random IoT junk sharing that network, your prompts and the model's responses flying around in the clear are more exposure than you'd probably be comfortable with if you sat down and thought about it.

So, with that said, I figured I'd write up how I've dealt with that, because the most direct answer (certs) is annoying enough on a local network that I think a lot of folks just don't bother. This is a lot easier, especially on something like a Mac where you can make sure it kicks off automatically via launchd.