10.0.0.1.nip.io resolves to 10.0.0.1. No setup, no /etc/hosts edits, no local DNS server. You just use the hostname. There's a whole category of free services that work this way, and most developers know one name (nip.io) and assume there's nothing else. There's quite a bit else. This page is a map.
/etc/hosts on every machine and device in your test environment.app.10-0-0-1.nip.io) instead of localhost:3000.The core category. You encode an IPv4 (and in some cases IPv6) address in the hostname; the service resolves it back out. Useful for local-network IPs, not just loopback.
sslip.io IPv6 — the one I'd default to now. It's what powers nip.io behind the scenes. Supports IPv4 and IPv6, both dot and dash separators, and can white-label to your own domain. sslip.io
nip.io — most people know this one. Still works; now backed by sslip.io, which changed how it parses addresses (see gotchas). Supports dot, dash, and hex notation. nip.io
traefik.me — designed to pair with Traefik and Docker. Bare subdomains (no IP in the name) default to 127.0.0.1, which is convenient for local configs. DNS only, like nip.io. traefik.me
ip.addr.tools IPv6 — supports IPv4 and IPv6 with both dot and dash separators. notes on ip.addr.tools
backname.io newer — same concept, written in Go. Show HN thread
Simpler. Only useful when you need loopback. Two of them bundle a TLS certificate, which is their whole selling point.
localtest.me, lvh.me, vcap.me, lacolhost.com — all resolve (including any subdomain) to 127.0.0.1. No certificate. Pick any; they're interchangeable for loopback use.
localhost.direct cert included — resolves to 127.0.0.1 AND ships a wildcard TLS certificate for *.localhost.direct. Plug-and-play local HTTPS with zero cert setup. get.localhost.direct
l0pb.me / l0pb.dev cert included — resolves to 127.0.0.1; a Let's Encrypt wildcard for *.l0pb.me and *.l0pb.dev is available. l0pb.me
For when you don't want to depend on a public third party.
hipio self-hosted — a standalone wildcard-DNS server; notably doesn't need PowerDNS. You run it against your own domain. elastic/hipio on GitHub
localtls self-hosted cert included — Python DNS server that also handles TLS. Resolves dash-encoded addresses like 192-168-0-1.yourdomain.net and provides a valid certificate for them. The only self-hosted option that bundles the whole stack. localtls on GitHub
xip.io dead — the original service that inspired the whole category, created by Sam Stephenson (of 37signals). It's effectively dead and unreliable now. I'm listing it here so you recognize it in old tutorials and know not to depend on it.
| service | any IP? | IPv6 | separators | bundled TLS cert | self-hosted | notes |
|---|---|---|---|---|---|---|
| sslip.io | yes | yes | dot, dash | no | no | now powers nip.io; white-label option |
| nip.io | yes | via sslip.io | dot, dash, hex | no | no | left-to-right parsing now (see gotchas) |
| traefik.me | yes | — | dot, dash | no | no | bare subdomain → 127.0.0.1; Traefik-oriented |
| ip.addr.tools | yes | yes | dot, dash | no | no | |
| backname.io | yes | — | — | no | no | Go-based; newer |
| localtest.me / lvh.me / vcap.me / lacolhost.com | loopback only | — | — | no | no | 127.0.0.1 only |
| localhost.direct | loopback only | — | — | yes (*.localhost.direct) | no | cert bundled; zero setup |
| l0pb.me / l0pb.dev | loopback only | — | — | yes (Let's Encrypt) | no | cert bundled; loopback only |
| hipio | yes | — | — | no | yes | no PowerDNS dependency |
| localtls | yes | — | dash | yes (self-issued) | yes | Python; DNS + TLS in one |
Dashes in the table mean "not clearly documented" — I'd rather leave a cell blank than guess.
This is where most write-ups go wrong. Let me be precise.
No free service gives you both: arbitrary IP resolution AND a ready-made downloadable certificate. There's a real reason for this. A downloadable wildcard cert means publishing its private key, which is then available to anyone who wants to impersonate you. sslip.io learned this the hard way years ago when it briefly published a wildcard cert and had to revoke it immediately.
Many people read "traefik.me" as a counterexample because it's associated with TLS-heavy Docker setups. I believe this is a mix-up. traefik.me is a DNS-only service, same as nip.io. It doesn't provide, host, or serve any certificate. Both its website and its GitHub repo confirm: DNS only.
What you can do instead, if you need HTTPS for an arbitrary local IP: get your own per-hostname cert from Let's Encrypt via the HTTP-01 challenge. You pick a hostname like app.10-0-0-1.sslip.io, your server answers the challenge at that name, Let's Encrypt verifies you control it, and you get a valid cert. The cert is private to you; nobody else has its key.
The dash form of the hostname (10-0-0-1.sslip.io rather than 10.0.0.1.sslip.io) is what makes this straightforward. A dash-encoded address is a single DNS label, so it looks like an ordinary subdomain to Let's Encrypt and to everything else in the chain. The dotted form spreads across multiple labels, which can complicate certificate issuance.
What about the myth that certs from nip.io/sslip.io are invalid? That claim traces back to the 2015 incident where sslip.io briefly published its own wildcard cert's private key. That cert was revoked within a week. Per-hostname certs you get today via the HTTP-01 challenge are private and valid. If you see a browser or a tool warning about "nip.io certificates" specifically, the warning is stale.
If you just need loopback HTTPS with no work: use localhost.direct or l0pb.me. They ship the cert. The tradeoff is that they only resolve to 127.0.0.1, so you can't use them to reach a separate machine on your LAN.
nip.io was originally built and maintained by Roopinder Singh, who has since passed away. The service is now hosted by the sslip.io team, which is good because it means nip.io isn't going anywhere. But the hosting change came with a behavior change: parsing direction flipped.
Old behavior (right to left): 1.127.0.0.1.nip.io resolved to 127.0.0.1 (the rightmost valid IP).
New behavior (left to right): 1.127.0.0.1.nip.io resolves to 1.127.0.0 (the first four octets).
For the common case where the IP is the leftmost part of the hostname (e.g. 10.0.0.1.nip.io), nothing changes. But if you have old configs or tutorials that rely on having things to the left of the IP — worth checking.
Many routers, corporate DNS resolvers, and forwarders refuse to resolve public DNS names that point to private or local IP ranges. This is an anti-rebinding measure meant to prevent malicious sites from talking to your local network. When it's active, none of these services will work for local IPs, because the response — "this public name resolves to 192.168.x.x" — gets dropped.
This isn't a bug in any particular service. It's a property of your network or browser. If 10.0.0.1.nip.io silently doesn't resolve, DNS rebinding protection is the first thing to check.
If you find an old tutorial recommending xip.io (created by Sam Stephenson of 37signals), it was the original that inspired this whole category. It's unreliable now. Anything pointing to it should be updated to sslip.io or one of the others.