SSL Secured Piston Webservice

On FreeBSD, there are a few gotchas to work with Apache + SSL + Piston.

Here are my findings:

  • Enabling SSL in Apache 2.0

As most SSL-related functions are enclosed in <IfDefine SSL> blocks, adding

apache2_enable="YES"
apache2_flags="-D SSL"

to /etc/rc.conf will enable them.

  • Disabling _default_ SSL Virtualhost

There’s a _default_ virtalenv defined in the ssl.conf file, and activated at the same time as the rest of the SSL config.

I didn’t find a “clean” way to disable it, and it was conflicting with my own virtualhost, so I encapsulated if between <IfDefine SSLVH> tags and it did the trick 🙂

  • Generating SSL keys

I followed a guide found on google (in French). Extremely useful.

Copied them to /usr/local/etc/apache2/ssl.key/ and /usr/local/etc/apache2/ssl.crt/

  • Updating my virtualhosts to fetch HTTPS requests

As I disabled the _default_ virtualhost, I needed to make a copy of my existing (port 80) virtualhost, and merge it with what was defined in the _default_ one.

<VirtualHost *:443>

  ServerName servername.com

  SSLEngine On
  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

  SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
  SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</FilesMatch>
usr/local/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd-ssl_request.log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

[...]
</VirtualHost>
  • Open port 443 on the firewall

Almost forgot this one 🙂

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s