MacOS – Configuring SSL with Apache under Lion

apachemacosssl

Following on from my previous question (which I answered myself),

Configuring OS X 10.7 Lion Server to serve Rails Apps via Apache

…I'm now looking to set up SSL.

Again, I have the config working fine under Snow Leopard, but I want to set this up on a new i7 Mac Mini, so running Snow Leopard isn't an option.

I'm using the named virtual host kludge described in the link answer above, but I've been unable to get SSL working.

The Snow Leopard config I'm basing my Lion config is included below.

Tips on configuring the equivalent under Lion would be very much appreciated. Thanks.

<VirtualHost 10.0.1.1:80>
  ServerName bonk.example.com

  Redirect / https://bonk.example.com/

</VirtualHost>

<VirtualHost 10.0.1.1:443>
    ServerName bonk.example.com
    DocumentRoot "/Rails/deployed/bonk/current/public"
    RackEnv example_production
    RailsEnv example_production
    <Directory "/Rails/deployed/bonk/current/public">
      Order allow,deny
      Allow from all
      Options FollowSymLinks
    </Directory>

  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLOptions +FakeBasicAuth +ExportCertData +StdEnvVars +StrictRequire
  SSLCertificateFile /private/etc/apache2/server.crt
  SSLCertificateKeyFile /private/etc/apache2/server.key
  SSLCertificateChainFile /private/etc/apache2/ca.crt
  SetEnvIf User-Agent &quot;.*MSIE.*&quot; nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

  RequestHeader set X-Forwarded-Proto "https"

</VirtualHost>

Best Answer

Generate a host key

First, make a home for the new SSL files. I use /etc/apache2/ssl. Open up a terminal window, cd to the new directory and issue the following command to create a host key file.

sudo ssh-keygen -f host.key

Generate a certificate request file

This command create a certificate request file. A certificate request file contains information about your organization that will be used in the SSL certificate.

sudo openssl req -new -key host.key -out request.csr

Create the SSL certificate

Create a self signed SSL certificate using the request file.

sudo openssl x509 -req -days 365 -in request.csr -signkey host.key -out server.crt

Configure Apache

Create a backup of /etc/apache2/httpd.conf.

Append the contents of /etc/apache2/extra/httpd-ssl.conf to /etc/apache2/httpd.conf.

In /etc/apache2/httpd.conf, make sure the loading of SSL is enabled (remove the #)

LoadModule ssl_module libexec/apache2/mod_ssl.so

Also, edit SSL section to use the new certificate.

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/host.key

Check the config and restart Apache to try the new certificate.

sudo apachectl configtest
sudo apachectl restart

Thanks to the House of Ding and Matt Langtree for providing much of this solution.

Related Solutions

MacOS – Configuring OS X 10.7 Lion Server to serve Rails Apps via Apache

I've done some experimentation in order to answer my own question...

Firstly, I've only gotten the virtual named host kludge working with Passenger, not the new Lion scheme, but hey, it's a start...

Firstly, follow the Apple temporary fix, as linked in the question.

Then, the following works for me to support two virtual named hosts, implemented using Passenger and Rails. I derived this by taking the Lion virtual host example, and merging in my Snow Leopard config.

Disclaimer this works, but needs improvement. I've not got SSL working yet.

Add the following in a file named 0000_any_80_.conf

## Example Virtual Host Configuration

<VirtualHost *:80>
    ServerName bongle.example.com
    ServerAlias bungle.example.com
    ServerAdmin bongle@example.com
    RackEnv bongle_production
    RailsEnv bongle_production

    DocumentRoot "/Users/Nigel/Rails/bungle/public"
    CustomLog "/var/log/apache2/access_log" combinedvhost
    ErrorLog "/var/log/apache2/error_log"

    <IfModule mod_ssl.c>
        SSLEngine Off
        SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLProxyEngine On
        SSLProxyProtocol -ALL +SSLv3 +TLSv1
    </IfModule>

    <Directory "/Users/Nigel/Rails/bungle/public">
        Options All +MultiViews -ExecCGI -Indexes
        AllowOverride None
        <IfModule mod_dav.c>
            DAV Off
        </IfModule>
    </Directory>

</VirtualHost> 

<VirtualHost *:80>
    ServerName burble.anothersite.com
    ServerAlias www.anothersite.com
    ServerAdmin bongle@anothersite.com
    RackEnv burble_production
    RailsEnv burble_production

    DocumentRoot "/Users/Nigel/Rails/burble/public"
    CustomLog "/var/log/apache2/access_log" combinedvhost
    ErrorLog "/var/log/apache2/error_log"

    <IfModule mod_ssl.c>
        SSLEngine Off
        SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLProxyEngine On
        SSLProxyProtocol -ALL +SSLv3 +TLSv1
    </IfModule>

    <Directory "/Users/Nigel/Rails/school/public">
        Options All +MultiViews -ExecCGI -Indexes
        AllowOverride None
        <IfModule mod_dav.c>
            DAV Off
        </IfModule>
    </Directory>

</VirtualHost>

Additional contributions to improve this are welcome.

MacOS – How to set a recognized Apache DocumentRoot under Lion

Things do doublecheck:

1. File permissions

The specified path for the new document root should allow at least read access for the Apache user, which is _www by default. You probably want to chmod 755 /Users/jonathan/mirror if the file permissions are too restrictive. What are the actual file permissions on the directory and files?

2. Virtual hosts

When you enable name based virtual hosts, the document root in the main config is ignored. Instead the root for the matching hostname will be used, and if none match it will default to the first virtual host.