On FreeBSD, there are a few gotchas when getting Apache + SSL + Piston to work together.
Here are my findings:
- Enabling SSL in Apache 2.0
Most SSL-related directives in the stock configuration are enclosed in <IfDefine SSL> blocks, so adding
    apache2_enable="YES"
    apache2_flags="-D SSL"
to /etc/rc.conf enables them: the rc script passes -D SSL to httpd at startup, which defines the SSL symbol.
- Disabling the _default_ SSL virtualhost
There's a _default_ virtualhost defined in ssl.conf, and it is activated together with the rest of the SSL config.
I didn't find a "clean" way to disable it, and it was conflicting with my own virtualhost, so I wrapped it in <IfDefine SSLVH> tags (a define that httpd is never started with) and it did the trick 🙂
- Generating SSL keys
I followed a guide found via Google (in French); extremely useful.
I copied the key and the certificate to /usr/local/etc/apache2/ssl.key/ and /usr/local/etc/apache2/ssl.crt/ respectively. The private key should be readable by root only (mode 0600), since httpd reads it while still running as root.
- Updating my virtualhosts to serve HTTPS requests
As I disabled the _default_ virtualhost, I needed to make a copy of my existing (port 80) virtualhost and merge it with what was defined in the _default_ one:
    <VirtualHost *:443>
        ServerName servername.com
        SSLEngine On
        SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
        SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/usr/local/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog /var/log/httpd-ssl_request.log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        [...]
    </VirtualHost>
Note that this SSLCipherSuite value is the stock mod_ssl example string: it only drops the 56-bit export ciphers and anonymous DH, and still permits 40-bit export (EXP) and LOW-strength ciphers as well as SSLv2 suites, so it is worth tightening for anything beyond a test setup.
- Open port 443 on the firewall
Almost forgot this one 🙂
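As an added example (not code from the original post), here is a small POSIX sh script that lints an Apache mod_ssl virtualhost fragment like the one above for the points a security reviewer would raise: a cipher string that never explicitly excludes the weak OpenSSL groups, a missing SSLProtocol directive, and +FakeBasicAuth. The two sample configurations, the hardened directive values and the temporary file paths are constructed for the demo; check the hardened directives against the mod_ssl and OpenSSL versions you actually run.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an Apache mod_ssl
# virtualhost fragment for the weak settings discussed above.
# Sample configs and paths below are constructed for the demo.

# audit_ssl_vhost FILE
#   Prints one "WARN: ..." line per finding.
#   Returns 0 when nothing was found, 1 otherwise.
audit_ssl_vhost() {
    conf="$1"
    findings=0

    # Value of the first SSLCipherSuite directive. Apache directive names are
    # case-insensitive, so compare in lowercase.
    ciphers=$(awk 'tolower($1) == "sslciphersuite" { print $2; exit }' "$conf")
    if [ -z "$ciphers" ]; then
        echo "WARN: no SSLCipherSuite directive; OpenSSL's built-in default applies"
        findings=$((findings + 1))
    else
        # In OpenSSL cipher strings "+GROUP" only reorders ciphers already in
        # the list, so "+eNULL" above adds nothing while "+LOW" keeps LOW in.
        # Rather than evaluate the string, insist on an explicit "!GROUP" for
        # each weak group.
        for weak in aNULL eNULL EXP LOW; do
            if ! printf '%s\n' "$ciphers" | tr ':' '\n' | grep -qxF "!$weak"; then
                echo "WARN: SSLCipherSuite does not exclude $weak (add !$weak)"
                findings=$((findings + 1))
            fi
        done
    fi

    # Without SSLProtocol, mod_ssl's default "all" leaves the protocol
    # versions to whatever the OpenSSL build supports (SSLv2 included on
    # builds of that era); pin them explicitly.
    if ! grep -qi '^[[:space:]]*SSLProtocol[[:space:]]' "$conf"; then
        echo "WARN: no SSLProtocol directive; protocol versions are not pinned"
        findings=$((findings + 1))
    fi

    # FakeBasicAuth maps a verified client-certificate DN to a Basic-auth user
    # whose password is the fixed string "password". It only acts together
    # with SSLVerifyClient, but is a trap once client certificates are enabled.
    if grep -q '+FakeBasicAuth' "$conf"; then
        echo "WARN: +FakeBasicAuth is set; make sure SSLVerifyClient and the htpasswd file are intentional"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_CONF="$WORK/weak.conf"
SAFE_CONF="$WORK/hardened.conf"

# Constructed sample: the SSL lines of the virtualhost shown in the post.
cat > "$WEAK_CONF" <<'EOF'
<VirtualHost *:443>
    ServerName servername.com
    SSLEngine On
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
EOF

# Constructed sample: the same virtualhost with the protocol versions pinned,
# FakeBasicAuth dropped and the weak cipher groups excluded (assumed values).
cat > "$SAFE_CONF" <<'EOF'
<VirtualHost *:443>
    ServerName servername.com
    SSLEngine On
    SSLOptions +ExportCertData +StrictRequire
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
</VirtualHost>
EOF

for f in "$WEAK_CONF" "$SAFE_CONF"; do
    echo "== $f"
    if audit_ssl_vhost "$f"; then
        echo "OK: no findings"
    fi
done
```

Run it against the real file (e.g. `audit_ssl_vhost /usr/local/etc/apache2/ssl.conf`) after sourcing the functions; the weak sample produces six findings and the hardened one none. The lint deliberately does not check file modes, because stat(1) flags differ between FreeBSD and GNU userland; verify the key file by hand with ls -l.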