On FreeBSD, there are a few gotchas to work with Apache + SSL + Piston.
Here are my findings:
- Enabling SSL in Apache 2.0
As most SSL-related functions are enclosed in <IfDefine SSL> blocks, adding
apache2_enable="YES" apache2_flags="-D SSL"
to /etc/rc.conf will enable them.
- Disabling _default_ SSL Virtualhost
There’s a _default_ virtalenv defined in the ssl.conf file, and activated at the same time as the rest of the SSL config.
I didn’t find a “clean” way to disable it, and it was conflicting with my own virtualhost, so I encapsulated if between <IfDefine SSLVH> tags and it did the trick 🙂
- Generating SSL keys
I followed a guide found on google (in French). Extremely useful.
Copied them to /usr/local/etc/apache2/ssl.key/ and /usr/local/etc/apache2/ssl.crt/
- Updating my virtualhosts to fetch HTTPS requests
As I disabled the _default_ virtualhost, I needed to make a copy of my existing (port 80) virtualhost, and merge it with what was defined in the _default_ one.
<VirtualHost *:443>
ServerName servername.com
SSLEngine On
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</FilesMatch>
usr/local/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd-ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
[...]
</VirtualHost>
- Open port 443 on the firewall
Almost forgot this one 🙂
Eric Gazoni's Blog 