shiningthrough

Setting up an SSL enabled Apache development server using Phusion Passenger on OS X Snow Leopard

05 December 2010

Want to have a secure https:// URL for an application you are creating? I have compiled a list of concise steps to get you there as quickly as possible. If you want more details on each step, check out the references.

Prerequisites

Firstly create a directory where we can work.

mkdir ~/Desktop/SSL
cd ~/Desktop/SSL

Create an RSA private key.

openssl genrsa -out server.key 2048

Create a certificate signing request from the private key.

openssl req -new -key server.key -out server.csr

Hit enter for all questions except the "common name" prompt: for this, enter your application server's host name, or 127.0.0.1 if the server is running locally.

Now we need to create a certificate authority to sign the certificate signing request.

Create a key for the certificate authority.

openssl genrsa -out ca.key 2048

Create a self-signed certificate authority certificate using the key we just created.

openssl req -new -x509 -days 365 -key ca.key -out ca.crt

This time when you are prompted for a "common name" enter your name.

Now we need to sign the server's certificate signing request (server.csr) with the CA certificate and key to produce server.crt. To do this we need a script from the latest mod_ssl download. Copy the script "sign.sh" to your SSL directory, and make it executable.

cp sign.sh ~/Desktop/SSL
chmod +x sign.sh

Then we run it against the certificate signing request.

./sign.sh server.csr

Enter "y" for "yes" to the questions you get asked.
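The certificate steps above, as an added example that is not part of the original post: a POSIX shell script that performs the same key, CSR, CA and signing steps with plain openssl commands (openssl x509 -req does the signing that mod_ssl's sign.sh does), answers the prompts with -subj instead of interactively, and adds the check worth running before copying anything into Apache: that server.crt verifies against ca.crt and matches server.key. The directory, common names and function names are my assumptions.

```shell
#!/bin/sh
# Added example: build a local CA and a CA-signed server certificate with
# plain openssl commands, then verify the result. Directory, CNs and
# function names are assumptions, not from the original post.
set -e

# make_dev_certs DIR SERVER_CN [CA_CN]
# Produces ca.key, ca.crt, server.key, server.csr, server.crt in DIR.
make_dev_certs() {
  dir=$1; server_cn=$2; ca_cn=${3:-"Dev CA"}
  mkdir -p "$dir"
  # CA key and self-signed CA certificate (the post's ca.key / ca.crt).
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$dir/ca.key" \
    -subj "/CN=$ca_cn" -out "$dir/ca.crt"
  # Server key and CSR; the CN must be the host name you will browse to.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" \
    -subj "/CN=$server_cn" -out "$dir/server.csr"
  # Sign the CSR with the CA (what sign.sh does); -CAcreateserial writes ca.srl.
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR: succeed only if server.crt chains to ca.crt and the
# private key matches the certificate. Run this before copying files
# into /etc/apache2/ssl.key; a mismatch shows up here, not in a browser.
verify_chain() {
  dir=$1
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
  key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key")
  crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
  [ "$key_mod" = "$crt_mod" ]
}

# cert_cn DIR: print the subject CN of server.crt (works with old and
# new openssl subject output formats).
cert_cn() {
  openssl x509 -noout -subject -in "$1/server.crt" | sed 's/.*CN *= *//'
}
```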

Create a new directory under your apache2 directory, and copy in your ca.crt, server.crt and server.key files.

sudo mkdir /etc/apache2/ssl.key
sudo cp ca.crt server.crt server.key /etc/apache2/ssl.key/

Next we need to make a change to httpd.conf, so open it up in your favourite editor.

sudo vi /etc/apache2/httpd.conf

Add the following line directly under the existing line "Listen 80":

Listen 443

Now we add some configuration to the Phusion Passenger preference pane config.

sudo vi /private/etc/apache2/passenger_pane_vhosts/mydomain.local.vhost.conf

Add the following config at the end of the file.

<VirtualHost *:443>
  ServerName myapp.local
  DocumentRoot "/Users/shiningthrough/rails/shiningthrough/public"
  RailsEnv development
  <Directory "/Users/shiningthrough/rails/shiningthrough/public">
    Order allow,deny
    Allow from all
  </Directory>

  # SSL Configuration
  SSLEngine on
  # This is the old mod_ssl example cipher string; it admits LOW, EXP and
  # SSLv2 ciphers, which is only acceptable on a local development box.
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLOptions +FakeBasicAuth +ExportCertData +StdEnvVars +StrictRequire

  # Self-signed certificates (signed by our own CA)
  SSLCertificateFile /etc/apache2/ssl.key/server.crt
  SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
  SSLCertificateChainFile /etc/apache2/ssl.key/ca.crt

  # Workaround for old Internet Explorer SSL handling
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

</VirtualHost>

Restart Apache by unchecking, then checking "Web Sharing" in the Sharing preference pane, under System Preferences. That's it, you should be able to use the https:// protocol in your Rails application. Configuring your Rails app to make use of https:// effectively is the topic for another article.

Please note this tutorial is for a development server only, as there are some potential security risks: we have not set a passphrase for the keys.

References

Comments

Kim G

Awesome! Worked perfectly on my Mac :)