SSL Secured Piston Webservice

On FreeBSD, there are a few gotchas to work with Apache + SSL + Piston.

Here are my findings:

  • Enabling SSL in Apache 2.0

As most SSL-related functions are enclosed in <IfDefine SSL> blocks, adding

apache2_flags="-D SSL"

to /etc/rc.conf will enable them.

  • Disabling _default_ SSL Virtualhost

There’s a _default_ virtalenv defined in the ssl.conf file, and activated at the same time as the rest of the SSL config.

I didn’t find a “clean” way to disable it, and it was conflicting with my own virtualhost, so I encapsulated if between <IfDefine SSLVH> tags and it did the trick 🙂

  • Generating SSL keys

I followed a guide found on google (in French). Extremely useful.

Copied them to /usr/local/etc/apache2/ssl.key/ and /usr/local/etc/apache2/ssl.crt/

  • Updating my virtualhosts to fetch HTTPS requests

As I disabled the _default_ virtualhost, I needed to make a copy of my existing (port 80) virtualhost, and merge it with what was defined in the _default_ one.

<VirtualHost *:443>


  SSLEngine On
  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

  SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
  SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt

<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
    SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd-ssl_request.log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  • Open port 443 on the firewall

Almost forgot this one 🙂