Creating an HTTPS-secured site is simple, even for virtual domains: it only requires a small change to your Apache configuration and the creation of an SSL certificate. You can always buy a certificate, but for our simple solution we will create our own.
You need to start up a Terminal and issue the following command:
sudo openssl req -keyout privkey.pem -newkey rsa:2048 \
-nodes -x509 -days 365 -out certificate.pem
Answer the questions that appear as well as you can:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:your.securewebserver.tld
Email Address []:you@yourdomain.tld
The most important one is the 'Common Name': make sure it is the same as the secure web server's name. The problem is that if you want to use the certificate for completely different domain names, the end user will get a warning in the browser that it can't match the certificate with the domain name. This certificate will be valid for a year (365 days).
Myself I use *.richard5.net and use subdomains (like mail.richard5.net and admin.richard5.net) to accommodate all my secure virtual needs.
This should have created two files called 'certificate.pem' and 'privkey.pem'.
Next we need to change our Apache configuration file, '/etc/httpd/httpd.conf'.
Make sure the following line is uncommented:
Include /etc/httpd/extra/httpd-ssl.conf
Change the following line in the configuration file '/etc/httpd/extra/httpd-ssl.conf':
SSLCertificateKeyFile "/etc/httpd/server.key"
into
SSLCertificateKeyFile "/etc/httpd/privkey.pem"
That's it: now you can change any virtual domain into an HTTPS domain. If you want to change www.site1.com from the previous page into a secure HTTPS virtual server, you just need to change the site's configuration from the original:
<VirtualHost *:80>
DocumentRoot /Library/WebServer/Documents/site1.com
ServerName www.site1.com
ServerAdmin webmaster@site1.com
ErrorLog logs/site1.com.error_log
CustomLog logs/site1.com.access_log combined
</VirtualHost>
into the secure version (the SSL virtual host listens on port 443, the port enabled by httpd-ssl.conf):
<VirtualHost *:443>
DocumentRoot /Library/WebServer/Documents/site1.com
SSLEngine on
ServerName www.site1.com
ServerAdmin webmaster@site1.com
ErrorLog logs/site1.com.error_log
CustomLog logs/site1.com.access_log combined
</VirtualHost>
Please note, this is a simple way to achieve security for personal domains. If the Common Name given when creating the certificate does not match the domain name in the browser, the end user will get a warning from the browser stating that it can't match the certificate with the domain. If the user accepts this warning, he/she will still have a secure connection over SSL. You can only get this working "officially" if all your virtual domains have a different IP address, which is usually impossible (or very expensive) when running a server from your home broadband connection.
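The warning described above (and in the 'Common Name' note earlier) comes from the browser comparing the server name against the names in the certificate. The following is an added example, not code from the original post: it reproduces that check, including the wildcard case the author uses (*.richard5.net covering mail.richard5.net), so you can predict which virtual hosts will warn before you deploy. The function names and the sample host lists are constructed for this example.

```python
"""Browser-style hostname check against a certificate's names.

Added example (not from the original post).  Names below are constructed.
"""


def _name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name (CN or DNS SAN) against a hostname.

    Rules follow RFC 6125 / browser practice: case-insensitive, '*' is
    accepted only as the whole leftmost label, and it matches exactly one
    label, so '*.richard5.net' covers 'mail.richard5.net' but neither
    'richard5.net' nor 'a.b.richard5.net'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if "" in p or "" in h:  # empty label, e.g. "www..site1.com"
        return False
    if "*" not in pattern:
        return p == h
    # Wildcard must be the entire first label and leave a real domain
    # (at least two labels) behind it; no "*.net" and no "w*.site1.com".
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return len(h) == len(p) and h[1:] == p[1:]


def cert_matches_host(cert_names, host: str) -> bool:
    """True if any name in the certificate (CN plus DNS SANs) matches host."""
    return any(_name_matches(n, host) for n in cert_names)


def vhosts_that_warn(cert_names, vhost_names):
    """Return the virtual host names a browser would warn about when the
    whole server presents one certificate, as in the setup described here."""
    return [v for v in vhost_names if not cert_matches_host(cert_names, v)]


if __name__ == "__main__":
    # Constructed sample: one certificate for the server, several vhosts.
    print(vhosts_that_warn(["www.site1.com"], ["www.site1.com", "www.site2.com"]))
    print(vhosts_that_warn(["*.richard5.net"],
                           ["mail.richard5.net", "admin.richard5.net",
                            "richard5.net", "a.b.richard5.net"]))
```

The wildcard certificate avoids the warning for one level of subdomains only; the bare domain and deeper subdomains still need their own name in the certificate.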
Next step: Starting Apache at boot on Leopard or Starting Apache at boot on Tiger
6:20 am
One important note to this: you can only use one certificate for your entire Apache server – you cannot, for example, set up https://www.example1.com and https://www.example2.com and have different certificates for them. Apache (any version) will ignore all but the first SSLCertificateFile and SSLCertificateKeyFile directives it encounters.
If you set up multiple virtual hosts with SSL, visitors to all but the one named in the certificate itself will get the warning about a possible security issue with the domain not matching the certificate (It’s not actually a problem – the connection is still encrypted, but users may not like seeing the warning).
The reason for this is that the SSL connection (say, with OpenSSL as on the Mac) has to be established BEFORE Apache can process the request, since the request is sent encrypted. This means that the certificate is sent first, then the SSL negotiation takes place, then Apache processes the request and finds the virtual host.
This is well documented at apache.org and several other sites (I’ll find links if you want….just ask…).
It's not really a big problem (I do this as Richard suggested and it works fine – and most of my users don't care about the warnings), but I found it useful to know… especially after I spent several hours trying to fix the warnings!
I hope that helps someone….
4:33 pm
One other thing I should add here is that if you set up multiple virtual hosts with SSL enabled, you will get warning messages in the log when you start/restart Apache. Apache still handles the vhosts correctly and encrypts the connection – it just complains about it.
5:20 pm
I noticed when I did this that the httpd.conf file has the following just before the block:
# Secure (SSL/TLS) connections
# Include /etc/httpd/extra/httpd-ssl.conf
By uncommenting the second line and dealing with the settings in the file /etc/httpd/extra/httpd_ssl.conf, SSL worked just fine and it also isolates the settings for SSL. While I don’t have any need for a virtual host, this seems to work nicely.
Just a thunk….
12:28 pm
Why are you using /etc/httpd… isn't this an apache2 config? Shouldn't it be /etc/apache2?
With the DIY setup, the Apache install in /usr/sbin is still there. Where do you set which Apache is going to run on start? Maybe I haven't dug deep enough… I'm guessing it's a launchd thing.
8:59 pm
Sam, /etc/apache2 is the original configuration; I didn't want to touch that. Same with the actual binaries: the DIY install is in /usr/local just to not interfere with the original installation, which might be overwritten by an update.
If you want to start the original, use the Sharing pane in System Preferences; otherwise use the launchd script from the site.
2:53 am
Hi Richard, a question: I don't have this line in my httpd.conf file:
LoadModule ssl_module modules/mod_ssl.so
So I can't uncomment it. How do I go about enabling ssl_mod? Thanks in advance.
6:33 am
@Roberto, maybe during the compile phase there was an error with SSL and the module didn't compile. Check config.log for errors on SSL and check if the module is available in the modules directory. If it is there, just put the line in httpd.conf.