feat: add TLS support to live reload proxy #1345

Merged
a-h merged 4 commits into main from issue-1329
Feb 28, 2026


@a-h
Owner

@a-h a-h commented Feb 15, 2026

Closes #1329

@a-h a-h requested a review from joerdav February 15, 2026 16:58
@BillBuilt

BillBuilt commented Feb 24, 2026

Sorry for the late response - I just got time to try this out.

I'm having trouble getting it to work.

go get -tool github.com/a-h/templ/cmd/templ@65ad2f160800179f520d5a14b8ac2a691e4355dd    
go tool templ generate \
		--watch \
		--proxy="https://localhost:8080" \
		--proxy-tls-crt="/path/to/localhost.pem" \
		--proxy-tls-key="/path/to/localhost-key.pem" \
		--cmd='go run .'

Produces this in the log output so I am assuming it is loading the certs?

(✓) Post-generation event received, processing... [ needsRestart=true needsBrowserReload=true ]
(✓) Executing command [ command=go run . ]
(✓) Proxying [ from=https://127.0.0.1:7331 to=https://localhost:8080 ] <<<<<<<< this line
2026/02/24 12:55:00 INFO AppEndpoints initialized count=42
2026/02/24 12:55:00 INFO main start
2026/02/24 12:55:00 INFO configuring logger

However when I go to https://localhost:7331 (or https://127.0.0.1:7331) I get the following error (using Brave)
image

The certs were made for localhost using mkcert, and work fine for localhost:8080 and have for many months.

Thank you for taking the time to work on this!

@BillBuilt

Also, I had to use full abs paths to the cert/key files. This makes it complicated when using tools like Just or Task in a shared environment. I tried using ~/ hoping it would resolve but it did not. Would it be possible to add these flags via ENV vars as well?

@BillBuilt

I tried making a brand new cert

mkcert localhost 127.0.0.1 ::1

But encountered the same error.
image

:8080 is secure
image

@BillBuilt

BillBuilt commented Feb 26, 2026

I tried to push to this PR but couldn't. I was able to get this working - here is the change I made:

cmd/templ/generatecmd/cmd.go:391

go func() {
	var err error // <<<<
	cmd.Log.Info("Proxying", slog.String("from", p.URL), slog.String("to", p.Target.String()))
	server := &http.Server{
		Addr:    fmt.Sprintf("%s:%d", cmd.Args.ProxyBind, cmd.Args.ProxyPort),
		Handler: p,
	}
	// Configure TLS if certificates are provided.
	if cmd.Args.ProxyTLSCrt != "" && cmd.Args.ProxyTLSKey != "" {
		// Plain assignment keeps using the outer err; ":=" here would shadow it,
		// and a ListenAndServeTLS error would never reach the final check.
		var cert tls.Certificate
		cert, err = tls.LoadX509KeyPair(cmd.Args.ProxyTLSCrt, cmd.Args.ProxyTLSKey)
		if err != nil {
			cmd.Log.Error("Failed to load TLS certificates", slog.Any("error", err))
			return
		}
		server.TLSConfig = &tls.Config{Certificates: []tls.Certificate{cert}}
		err = server.ListenAndServeTLS("", "") // <<<<
	} else { // <<<<
		err = server.ListenAndServe() // <<<<
	}
	if err != nil { // <<<<
		cmd.Log.Error("Proxy failed", slog.Any("error", err))
	}
}()

@a-h
Owner Author

a-h commented Feb 26, 2026

Ah, good point re: ListenTLS.

Instead of using ~, which I think is shell specific, perhaps you could use $HOME?

echo "$HOME/test"
/Users/adrian/test

There's nothing in the code that makes it use absolute paths; relative paths like subdir/file.txt should work OK, but I wouldn't expect it to do shell expansion.

@BillBuilt

> perhaps you could use $HOME

That works... Everything, so far, seems to be working as expected. Thank you!

go tool templ generate \
		--watch \
		--proxy="https://localhost:8080" \
		--proxy-tls-crt="$HOME/localhost+2.pem" \
		--proxy-tls-key="$HOME/localhost+2-key.pem" \
		--cmd='go run .'

@a-h a-h merged commit 5824d4b into main Feb 28, 2026
7 checks passed
@a-h a-h deleted the issue-1329 branch February 28, 2026 11:25
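
Added example, not part of the pull request or of templ's code: a small Go probe for the two things checked by hand in this thread, whether a port advertised as https really answers with TLS and whether the served certificate covers the name used in the URL. It assumes local test servers from net/http/httptest as stand-ins for the proxy (httptest's built-in certificate covers 127.0.0.1, ::1 and example.com, but not localhost); `probe` and `demo` are names made up for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// probe attempts a certificate-verified TLS handshake with addr and checks
// the served certificate against name. It returns an error (handshake failure
// or timeout) if the port answers in plain HTTP, or if name is not covered.
func probe(addr, name string, roots *x509.CertPool) error {
	dialer := &net.Dialer{Timeout: 2 * time.Second} // also bounds the handshake
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, &tls.Config{RootCAs: roots, ServerName: name})
	if err != nil {
		return err
	}
	_ = conn.Close()
	return nil
}

// demo runs probe against two constructed local servers (assumption: they
// stand in for the live reload proxy): one serving TLS, one serving plain HTTP.
func demo() (coveredName, uncoveredName, plainPort error) {
	h := http.NotFoundHandler()
	secure, plain := httptest.NewTLSServer(h), httptest.NewServer(h)
	defer secure.Close()
	defer plain.Close()
	roots := x509.NewCertPool()
	roots.AddCert(secure.Certificate()) // trust only the test server's certificate
	tlsAddr := secure.Listener.Addr().String()
	coveredName = probe(tlsAddr, "127.0.0.1", roots)   // name is in the certificate
	uncoveredName = probe(tlsAddr, "localhost", roots) // name is not in the certificate
	plainPort = probe(plain.Listener.Addr().String(), "127.0.0.1", roots)
	return coveredName, uncoveredName, plainPort
}

func main() {
	covered, uncovered, plain := demo()
	fmt.Println("TLS port, name 127.0.0.1:", covered)
	fmt.Println("TLS port, name localhost:", uncovered)
	fmt.Println("plain HTTP port:         ", plain)
}
```

Against a real setup, the same `probe` call would take the proxy address and a pool holding the mkcert root CA instead of the test server's certificate.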
Successfully merging this pull request may close these issues.

Add HTTPS support for the live-reload proxy
