




How to create a secure (HTTPS) OS X webserver | 34 comments



See, when my friends said to me, 'Why would you buy a Mac? You're already seriously guru-istic in both Windows AND Linux! Why bother?', I'd answer: 'Cause real geeks never stop learnin'!'
This is an excellently written article, and looks so much more complete and thorough than the Apache-SSL Howtos I've seen for Linux. They're so poorly written that I gave up trying to get SSL working on Apache fairly quickly. It wasn't something I REALLY needed, just something to play with. With your article, I saw three points where I made mistakes immediately.
Nicely done and thanks!
---
Answering the age-old question: which is more painful, going to work or gouging your eye out with a spoon?
www.workorspoon.com

Thanks.
The biggest problem I had found with the Linux-based tutorials was that none of them were written with the OS X file hierarchy in mind. Sure, you can delve into the dark hidden corners of the /folder structure, but I wanted to put things in context with /Users/username as much as possible so that a year from now, you can go back and easily figure out what was done.
Out of curiosity, what points did you get wrong?
Cheers.

Um, offhand, the biggest problems were the creation of a cert authority and/or self-signing the cert. Also, the removal of the password from the cert. The howtos made this look a ton more complex than you did. I didn't feel like bothering with that much work for a minor pet project.
I'm going to use this tonight to see if I can get it working on my Linux box. I still use Apache, but primarily as a reverse-proxy to my internal network. I'm using SSL_Proxy to encrypt packets, but would prefer to just use Apache and be done with it. SSL_Proxy was set up in 5 minutes (including download and compile time); this makes it look like Apache should be as quick!
---
Answering the age-old question: which is more painful, going to work or gouging your eye out with a spoon?
www.workorspoon.com

I tried to follow this hint and once I was done and I restarted apache via sudo apachectl graceful I got the following error:
configuration broken, ignoring restart
/usr/sbin/apachectl graceful: (run 'apachectl configtest' for details)
Running configtest gives the following:
Processing config directory: /private/etc/httpd/users/*.conf
Processing config file: /private/etc/httpd/users/laubennd.conf
Processing config file: /private/etc/httpd/users/neil.conf
Processing config file: /private/etc/httpd/users/neill2.conf
Processing config file: /private/etc/httpd/users/ssl.conf
Syntax error on line 15 of /private/etc/httpd/users/ssl.conf:
SSLCipherSuite takes one argument, Colon-delimited list of permitted SSL Ciphers (`XXX:..:XXX' - see manual)
which tells me that the SSLCipherSuite is incorrect . . . I've double checked that I copied/pasted it exactly as in the hint.
Any ideas why it isn't working right?

Good hint - nice & clear. In case anyone needs another set of instructions, the one I used when setting up ssl was this one:
http://developer.apple.com/internet/serverside/modssl.html
which was also pretty clear and easy to follow (although providing this alternative reminds me of the old adage, about someone who has 2 clocks never knowing the exact time.. :-)
cheers
m

Don't most browsers choke on self-signed certificates?


I can only speak for Safari on OS X and Internet Explorer on XP: they don't exactly 'choke' as much as 'hiccough'. On a per-session basis, I get prompted with a warning message about the certs, but once I accept this, I can load pages just fine.
Since I am pretty much the only surfer of my pages (I have mine secured with mod-auth, too), I don't mind the minor inconvenience. If others were surfing, I might go ahead and get a real domain name and use one of the cert authorities.
On a side note, I would prefer to use mod-digest instead, but IE really chokes on some of my PHP pages then. Since I am using SSL, am I correct that that covers my mod-auth also? In other words, even though the password is sent in the clear, it's sent in the clear THROUGH SSL, so it's encrypted, right?

Yes, it is sent over the encrypted link, so it isn't clear-text. Digest authentication is flawed, anyway, so you really need SSL even when you use it.

No. Most offer you the option of importing the cert into your personal store. With IE, simply choose 'View Certificate' when the warning pops up, there's an 'Install Certificate' option within there. For Mozilla, it'll ask if you always want to accept that certificate. IIRC, Safari works similarly. The only time you should ever have a problem again is when the cert changes, which should only be when you change it..or someone else.. ;-)
---
Answering the age-old question: which is more painful, going to work or gouging your eye out with a spoon?
www.workorspoon.com

Indeed, very nicely done.
---
--
Everything Mac - http://everythingmac.org

Since I work out of a home office a lot, I often put files for clients to access from the network at home. This added bit of security gives those skittish clients a little extra peace of mind.
Nice job!

This hint is great. It's just begging for a nice user-friendly GUI tool to wrap up the functionality, though! anyone?
---
In /dev/null, no one can hear you scream

I was planning on writing one over break in Cocoa.

Take a look at SimpleCA at http://users.skynet.be/ballet/joris/SimpleCA/. which uses Tcl/Tk and runs on Linux and Windows. You should be able to get it going on OSX if you install Tcl/Tk.
Being able to create client certificates is very handy and should be part of any similar app for OSX.
-m
The original hint had: I would suggest the following instead: This setting will disable SSL version 2 (which has security problems) as well as weak ciphers (LOW, EXP).
Having +eNULL is particularly discouraged since NULL ciphers are ciphers offering no encryption! The setting in the original hint doesn't seem to enable NULL ciphers on a server I tested it on but looks dangerous to me.
Great hint BTW.
-m

Thanks for the tweak on the CipherSuite; I was pulling from a .conf file on a Linux box that I have access to and didn't fine-comb through all the details.
Again, the initial goal of writing this hint was to help folks get their teeth around on how to get SSL up and running on their own OS X boxes; fine tuning for performance, security, or other customized tweaks is left for the braver souls to learn and share!
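As an added example (not from the hint or from any of the commenters), the following shell script asks the local OpenSSL to expand a few SSLCipherSuite strings and counts the NULL-encryption and anonymous suites each one actually enables. It assumes `openssl` is on PATH; which suites exist depends on the installed OpenSSL build (modern builds no longer ship SSLv2, EXP or LOW suites at all), so the absolute counts vary from machine to machine while the zero counts do not.

```shell
#!/bin/sh
# Added example, not from the hint or its comments: expand SSLCipherSuite
# strings with the local OpenSSL and count the dangerous classes they enable.
# Assumes `openssl` is on PATH. Which suites exist depends on the installed
# OpenSSL build, so absolute counts vary; the zero-counts do not.

# Expand a cipher string into one "NAME PROTO Kx=.. Au=.. Enc=.. Mac=.." line per suite.
expand_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null
}

# Count the suites selected by cipher string $1 whose -v line matches regex $2.
count_matching() {
    n=$(expand_ciphers "$1" | grep -Ec "$2" || true)
    echo "${n:-0}"
}

# Suites with no encryption at all (openssl prints them as Enc=None).
null_cipher_count() {
    count_matching "$1" 'Enc=None'
}

# Suites with no server authentication (anonymous DH/ECDH, printed as Au=None):
# they encrypt, but anyone in the middle can impersonate the server.
anon_cipher_count() {
    count_matching "$1" 'Au=None'
}

# One summary line per cipher string.
report() {
    total=$(expand_ciphers "$1" | wc -l | tr -d ' ')
    printf '%-32s suites=%-3s null=%-2s anon=%s\n' "$1" "$total" \
        "$(null_cipher_count "$1")" "$(anon_cipher_count "$1")"
}

# "+eNULL" only MOVES already-selected NULL suites to the end of the list, and
# ALL never selects them, so the original hint's string enabled no NULL suite
# even though it looked as if it did. A bare "eNULL" token would add them;
# "!eNULL" deletes them and stops any later token from putting them back.
report 'ALL:+eNULL'
report 'ALL:eNULL'
report 'ALL:!aNULL:!eNULL'
report 'HIGH:!aNULL:!eNULL:!MD5'
```

The `!` form is the one to put in a server config: `!eNULL` and `!aNULL` are permanent removals, whereas `-eNULL` could be re-added by a later token and `+eNULL` merely reorders.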

Hi
Great info on SSL - I've also implemented the 'better' cipher.
Also I think that the info in this link: http://developer.apple.com/internet/serverside/modssl.html could be of interest to all.
Quote from above article:
'You'll be asked for some information when you start this. Most of it is pretty self explanatory, but one item, in particular, is not. Here's what you'll be asked for:
Country Name (2 letter code) [AU]: (enter your country code here)
State or Province Name (full name) [Some-State]: (Enter your state here)
Locality Name (eg, city) []: (enter your city here)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: (enter something here)
Organizational Unit Name (eg, section) []: (enter something here)
Common Name (eg, YOUR name) []: (this is the important one)
Email Address []: (your e-mail address)
The entry for 'Common Name' is the one that seems like it should be one thing, but is, in fact, another. For this entry, you want to enter your 'Server Name' as it appears in your httpd.conf (which you'll be modifying soon). As this is just a development environment, you can enter 127.0.0.1, which is the default IP for 'localhost'. Now, keep in mind that using 127.0.0.1 is not the same as using 'localhost'. The strings either match, or they don't; Unix is like that.'
..
..
'First, you need to comment out the 'Port' directive by placing a '#' in front of the line.
Port 80 should be changed to #Port 80. You will need to add the following just below where the Port directive was:
## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##

Listen 443
Listen 80

Adding these lines tells the server to be aware of traffic on port 80 (the standard HTTP port) and port 443 (the HTTPS port). This allows your SSL aware Apache installation to serve non-secure documents on port 80, while it is serving secure documents on 443.'
- Might be trivial to some but crucial none the less :-)
- Michael


Thanks for the article! One question: anyone know the trick to get this to work for apache2 from fink? I did /sw/sbin/apachectl start and apache starts fine, but nothing is listening on the https port. Tried nmap too and nothing is there. Did have to take out the AddModule since that is gone in apache2, but what else do I have to do to enable mod ssl?

Nice how-to. I'd elide the cert generation a bit, and just use the single command-line invocation below:
openssl req -days 720 -new -keyout your.host.name.key -out your.host.name.crt -nodes -x509
(where you replace the string 'your.host.name' with the name of the web server, e.g. the name that's in the https:// url.)
The -days string will make it so the cert doesn't expire for 2 years, which I find reasonable for a personal https:// webserver.
The command will produce two files:
your.host.name.crt
your.host.name.key
Place those in a safe location, make sure the key is readable only by root, and reference the full path in Apache. You're set.

Help: How to create a secure (HTTPS) OS X webserver

Thanks!! This is a GREAT hint.
Of course, I've done this (and similar suggestions from other sources), and I still can't get my Mac to serve https.
I am trying to set up a secure (https) server on the same domain as my non-secure server. In other words: I want http://www.domain.com to be a regular http server and https://www.domain.com to be a secure https server.
I have tried this:
<VirtualHost *:80>
     DocumentRoot /Library/WebServer/Documents
     ErrorLog /private/var/log/httpd/error_log
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /Library/WebServer/Secure
    ErrorLog /private/var/log/httpd/error_log2
    SSLEngine on
</VirtualHost>
in my httpd.conf file (with the SSLCertificateFile and SSLCertificateKey directives coming earlier in the file; I tried to include them in the virtualhost container, but Apache said no and would not start).
I also tried the ssl.conf file suggested here, and I tried adding the directives in the ssl.conf file to the httpd.conf file.
Apache started with no hiccups each time.
The mod_ssl is loaded and added
But when I try to access www.domain.com which points to my Mac (10.3.7 client, NOT server) I do fine with the http:// connection (on port 80), but when I try an https:// connection (even if I specify :443) it tells me it cannot find the server.
Ports 80 and 443 are open (personal web sharing is on and I manually opened 443) in Sharing Preferences, and I have routed them to my Mac through my Airport Extreme Base Station's port mapping.
Any suggestions would be very much appreciated!
Thanks!!!

I have three questions:
1) Everything seemed to work until I noticed that the result of Step 4 showed that the certificate was ONLY valid for 360 days (1 year), and not as entered in step 3: 3650 days (10 years). I have tried several times and I keep getting the same result. Anybody have a clue and advice?
2) When I get this all installed, will ALL pages served by the Mac Os X Apache server be run as SSL (https://blabla)?
3) Can people choose to see the same pages as normal non-ssl encrypted (http://blabla), depending on if they use the 's' after http in the url?
Your guide seems pretty simple compared to the documentation I have seen elsewhere for SSL implementation in Apache/Mac OS X. Looking forward to seeing it working!
regards,
Davidw
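An added example, not part of the hint or of either post above: one httpd.conf fragment that serves plain HTTP on port 80 and HTTPS on port 443 from the same host, which is the arrangement both posts are asking about. The hostname, DocumentRoot and log paths follow the previous post; the certificate paths under /etc/httpd/ssl are placeholders for wherever you put the files generated earlier in this thread.

```apache
# Added example (not from the hint or any comment above): serve plain HTTP on
# 80 and HTTPS on 443 from one Apache instance. Paths and www.domain.com are
# placeholders; adjust them to your own layout.

# With mod_ssl, listen on both ports (and comment out any old "Port 80" line).
Listen 80
Listen 443

# Plain-HTTP site. Nothing under /Library/WebServer/Secure is reachable here,
# so "choosing" http:// for the secure tree simply yields the public site.
<VirtualHost *:80>
    ServerName www.domain.com
    DocumentRoot /Library/WebServer/Documents
    ErrorLog /private/var/log/httpd/error_log
    # To force everyone onto HTTPS instead, replace DocumentRoot with:
    # Redirect permanent / https://www.domain.com/
</VirtualHost>

# HTTPS site: this is the only host that speaks SSL, so pages outside it are
# still served in the clear. The certificate directives normally live inside
# the SSL virtual host so a second SSL host could carry its own certificate.
<VirtualHost *:443>
    ServerName www.domain.com
    DocumentRoot /Library/WebServer/Secure
    ErrorLog /private/var/log/httpd/error_log2
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.domain.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.domain.com.key
    # Refuse SSLv2 and the NULL/anonymous/export/low-strength classes
    # discussed in the cipher-suite comments above.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!MD5
</VirtualHost>
```

The certificate's Common Name must match the ServerName (www.domain.com here) or browsers will warn even when the CA is trusted. Run `apachectl configtest` after editing; a typo in SSLCipherSuite shows up there as the "takes one argument" error quoted earlier in the thread.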

Notes from newbie:
I was trying to do the above. All worked fine when I did local access via 127.0.0.1, but when I tried using the external address it didn't work.
I'm assuming you have to manually add port 443 to the Sharing firewall (in addition to 80 & 427).
When I tried to add this via the System Preferences GUI, it wouldn't allow me to edit, so I had to hack the Library/Preferences/..firewall.plist file manually.
Anyone know why? Anyways, hope this may be helpful to the next person.

You should be able to add new ports to the firewall configuration in System Preferences by going to Sharing and pick the Firewall tab there. There's a New button there -- this produces a list of protocols, but you can select Other and enter a range of ports.

Checking/enabling the 'Personal Web Sharing' box in the 'Sharing' preference panel covers ports 80, 427, and 443 already -- at least in Mac OS X 10.4.8

Can people choose to see the same pages as normal non-ssl encrypted (http://blabla) ..

People can try to access your secure site with http://your site.com; however, you can keep them out with a little simple PHP code at the top of your secure site web pages:
<?php
// Refuse to serve this page unless the request arrived on the HTTPS port.
$port = $_SERVER['SERVER_PORT'];
if ($port <> '443') :
    // insecure site code goes here
    exit();
endif;
?>


I had a similar problem and found at least a workaround if not the specific cause. Prior to this step, edit the /System/Library/OpenSSL/openssl.cnf file and change:
default_days = 365
to
default_days = 3650
Then the cert will reflect 10 years. I'm guessing the config file options take precedence over command line flags.

There is another reply regarding the expiry date that suggests changing the default_days in the OpenSSL config file; that can't hurt, but didn't do it for me. I had to edit sign.sh from the mod_ssl package and change default_days there as well. Using sign.sh is part of the instructions from http://developer.apple.com/internet/serverside/modssl.html

Excellent instructions, but things break down at the signing stage. I received:
Using configuration from /System/Library/OpenSSL/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
3627:error:02001002:system library:fopen:No such file or directory:bss_file.c:278:fopen('./demoCA/private/cakey.pem','r')
3627:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
unable to load CA private key
Signed certificate is in newcert.pem
I retraced my steps - What went wrong?
Cheers

Revisited this hint to set things up for a secure webserver in 10.4 (Tiger); read through the comments to get some of the updated comments made by users:

amongst others but it's nice to see that it still works!


Sorry, I closely followed the instructions on a Tiger 10.4 Xserve (my fault!).
Should have used the Apple certified document in the first place:
http://developer.apple.com/internet/serverside/modssl.html
thanks anyway.
In the final section, the lines: aren't necessary unless you're also doing client-certification (where clients are also issued with certificates to allow the web server to verify client identities).

I used this guide very successfully on Tiger. Thanks for the article.
Unfortunately, Leopard uses Apache 2, which seems to operate differently as SSL serving no longer works as before.
Is there any chance of an update to bring us all up to scratch?
Thanks, again!

Thank you for the post! Very useful.
For Mac OS 10.5.8, please check this post for additional information:
http://hints.macworld.com/article.php?story=20080628074917113
and please note that 'cacert.pem' is in the 'demoCA' folder.

BTW: here's where to do this with Snow Leopard and Lion (OS X 10.6, 10.7+), although this is for creating self-signed certificates only, not for acting as your own CA (certificate authority):
Configure SSL on Lion's Apache: http://apple.stackexchange.com/questions/25434/configuring-ssl-with-apache-under-lion
Otherwise, the above instructions generate the following error on Lion's Apache:
bash-3.2# /System/Library/OpenSSL/misc/CA.pl -signreq
Using configuration from /System/Library/OpenSSL/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
16021:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/bio/bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
16021:error:20074002:BIO routines:FILE_CTRL:system lib:/SourceCache/OpenSSL098/OpenSSL098-44/src/crypto/bio/bss_file.c:358:
unable to load CA private key
Signed certificate is in newcert.pem

(The signed certificate it claims that it makes after all of those errors is, in fact, not valid nor legitimate. It has no functionality and is neither signed nor certified.)
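Several posts in this thread stumble on the same three certificate steps: the one-line self-signed cert, a 3650-day request that comes back as a 365-day certificate, and CA.pl -signreq failing with "Error opening CA private key ./demoCA/private/cakey.pem" and then announcing a newcert.pem that verifies as nothing. As an added example (not from the hint or from any commenter), the script below does the own-CA and self-signed flows with explicit openssl commands, so nothing depends on the cwd-relative demoCA/ layout that CA.pl expects, and then checks the result the way a browser would. It assumes `openssl` is on PATH; the hostname, subject fields and working directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the hint or its comments: build a private CA and a
# server certificate signed by it with explicit openssl commands, so the steps
# do not depend on CA.pl's cwd-relative demoCA/ layout. Assumes `openssl` is on
# PATH; the hostname, subject fields and working directory are placeholders.
set -e

# Create, under directory $1, a CA (ca.key, ca.crt) and a certificate for host $2
# ($2.key, $2.csr, $2.crt). Every input and output file is named explicitly, so
# this cannot fail with "Error opening CA private key ./demoCA/private/cakey.pem"
# the way CA.pl -signreq does when run outside the directory holding demoCA/.
make_ca_and_server_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. CA key and self-signed CA certificate; ca.crt is what browsers import
    #    once so they stop warning about every server cert this CA signs.
    openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=US/O=Example Home CA/CN=Example Home CA" 2>/dev/null
    chmod 600 "$dir/ca.key"
    # 2. Server key and signing request. The Common Name must be exactly the
    #    name typed after https:// (the Apache ServerName); "localhost" and
    #    127.0.0.1 do not match each other.
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=US/O=Example Home/CN=$host" 2>/dev/null
    chmod 600 "$dir/$host.key"
    # 3. Sign the request with the CA. -days is passed explicitly: `openssl ca`
    #    (which CA.pl -signreq wraps) otherwise uses default_days from
    #    openssl.cnf, which is how a requested 3650 days comes back as 365.
    openssl x509 -req -days 3650 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$host.crt" 2>/dev/null
}

# Self-signed alternative for a one-user server (no CA), as in the one-liner
# comment above, with the private key kept unreadable by other local users.
make_self_signed() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl req -new -x509 -nodes -days 720 -newkey rsa:2048 \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" -subj "/CN=$host" 2>/dev/null
    chmod 600 "$dir/$host.key"
}

# Print OK if certificate $2 chains to the CA certificate $1, FAIL otherwise.
# A newcert.pem produced after the cakey.pem error above prints FAIL here.
verify_against_ca() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Subject Common Name of certificate $1 (what the browser compares to the host).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print yes if certificate $1 will still be valid $2 days from now, else no.
valid_after_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Usage: sh ca-demo.sh ./ssl-demo www.example.test
# Then point SSLCertificateFile/SSLCertificateKeyFile at ssl-demo/www.example.test.crt
# and .key (root-readable only), and import ssl-demo/ca.crt into each browser.
if [ $# -eq 2 ]; then
    make_ca_and_server_cert "$1" "$2"
    echo "CN:     $(cert_cn "$1/$2.crt")"
    echo "chain:  $(verify_against_ca "$1/ca.crt" "$1/$2.crt")"
    echo "10y ok: $(valid_after_days "$1/$2.crt" 3640)"
fi
```

If you prefer to keep using CA.pl, the same two checks apply to its output: run `openssl verify -CAfile demoCA/cacert.pem newcert.pem` before installing anything, and pass `-days` (or raise default_days in openssl.cnf, as a comment above does) if the expiry is not what you asked for.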



