Here are the steps for installing Apache2 with SSL support on your local development machine. Several of our applications require HTTPS for certain actions and I’ve been bitten in the past by not testing this in development. So, here’s how to get Apache up and running with SSL.
Compiling and Installing Apache
- Download the latest source distribution (v2.2.15 for me) from: http://httpd.apache.org
- Extract the source:
tar -xvf httpd-2.2.15.tar.gz
- Create an install directory (I put it in /usr/local):
sudo mkdir /usr/local/apache2
- Configure the makefile with the following options:
./configure --prefix=/usr/local/apache2 --enable-ssl --enable-setenvif --enable-proxy --enable-headers
- Compile the source code:
make
- Install Apache:
sudo make install
- Create your self-signed SSL keys by following this tutorial: http://developer.apple.com/internet/serverside/modssl.html
- Scroll down to the Configuring SSL section and start from there
- You will need to download mod_ssl to get the sign.sh script mentioned in the tutorial, but that’s all you need it for. You’ll notice the mod_ssl site says it’s only for Apache 1.3.X. That is because Apache2 has built-in SSL support, which we enabled with --enable-ssl in the configure step above, so the separate mod_ssl package is no longer needed.
- Edit your httpd.conf file:
sudo vi /usr/local/apache2/conf/httpd.conf
- Add the following configuration to the bottom of the file to proxy all HTTP and HTTPS requests to port 3000, i.e., Rails:
- This assumes Rails is running on port 3000 on your machine
- This assumes you put the SSL keys where the tutorial told you to
- The last tag might already be in your httpd.conf file; if so, no need to repeat it here
# Apache needs to know you want to accept connections over HTTPS
Listen 443
SSLCertificateFile /etc/httpd/ssl.key/server.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
# Below is optional, but was helpful to me in debugging this setup
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# Plain HTTP: forward everything to Rails on port 3000
<VirtualHost *:80>
  ServerName localhost
  ServerAlias 127.0.0.1
  ProxyPass / http://localhost:3000/
  ProxyPassReverse / http://localhost:3000/
  ProxyPreserveHost on
</VirtualHost>
# HTTPS: terminate SSL here, then forward to the same Rails port
<VirtualHost *:443>
  SSLEngine On
  ServerName localhost
  ServerAlias 127.0.0.1
  ProxyPass / http://localhost:3000/
  ProxyPassReverse / http://localhost:3000/
  ProxyPreserveHost on
  # Tell Rails the original request arrived over HTTPS
  RequestHeader set X_FORWARDED_PROTO 'https'
</VirtualHost>
<IfModule ssl_module>
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
</IfModule>
Auto-starting Apache
If you’d like to have Apache start automatically whenever your computer starts, do the following:
- Create a new plist file for Apache with a unique name:
sudo vi /Library/LaunchDaemons/org.apache.httpd
- Put the following in the file (assuming you installed Apache in /usr/local/apache2):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true />
<key>Label</key>
<string>org.apache.httpd</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/apache2/bin/apachectl</string>
<string>start</string>
</array>
<key>RunAtLoad</key>
<true />
<key>UserName</key>
<string>root</string>
<key>WorkingDirectory</key>
<string>/usr/local/apache2</string>
</dict>
</plist>
- Test it out with launchd:
sudo launchctl load -w /Library/LaunchDaemons/org.apache.httpd
- You should see several instances of httpd running if you do a:
ps aux | grep httpd
Testing it out
- Fire up Rails on whatever port you are forwarding your HTTP/HTTPS requests to
- Request an action with HTTP
- Request an action with HTTPS
Possible Problems
I encountered the following cryptic error in Firefox when I was testing out an Apache install on a second dev box:
SEC_ERROR_REUSED_ISSUER_AND_SERIAL
I found out by reading through some forums that each SSL certificate needs to have a unique serial number. Since I had followed the above procedure to install Apache and SSL on both my laptop and the second dev box, I already had a certificate with the same serial number stored in my browser (for my local machine) as the one on the second dev box. If you follow the above process, the serial number of your certificate will be 01. So to fix this, do the following on your new certificate (for me it was the one on the dev box):
sudo openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt
This simply assigns 02 to the second certificate and keeps Firefox happy. You probably will not encounter this problem unless you are testing SSL on multiple machines like I was, but I figured I’d mention it anyway. Note, you can see the serial number of a certificate in Firefox by going to:
Firefox > Preferences > Advanced > View Certificates (button)
Then double-click on a certificate of interest. Also note that Chrome did not complain about this, but Firefox won’t even let you visit a site with a duplicate serial number.
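The duplicate-serial check described above, as an added example that is not part of the original post: it compares the issuer and serial of two certificates, and signs with a random 128-bit serial instead of hand-picking 02, which goes beyond the fix in the text. The function names and the sample subject names are assumptions; the file names follow the post.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names follow the post.

# Create a throwaway CA (ca.key, ca.crt) plus a server key and CSR in directory $1.
# The subject names are constructed sample values.
make_dev_ca_and_csr() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Dev/CN=Local Dev CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

# Print "issuer|serial" for certificate $1. This pair has to be unique per
# certificate, and it is what the browser error in the post is about.
cert_identity() {
    issuer=$(openssl x509 -in "$1" -noout -issuer) || return 1
    serial=$(openssl x509 -in "$1" -noout -serial) || return 1
    printf '%s|%s\n' "$issuer" "$serial"
}

# Return 0 if certificates $1 and $2 share issuer and serial, 1 if they
# differ, 2 if either file could not be parsed.
certs_collide() {
    id1=$(cert_identity "$1") && id2=$(cert_identity "$2") || return 2
    [ "$id1" = "$id2" ]
}

# Sign CSR $1 with CA certificate $2 and CA key $3, writing certificate $4.
# The serial is 16 random bytes, so two machines never need to coordinate.
sign_random_serial() {
    openssl x509 -req -days 365 -in "$1" -CA "$2" -CAkey "$3" \
        -set_serial "0x$(openssl rand -hex 16)" -out "$4" 2>/dev/null
}

# Usage, with copies of the two machines' certificates in one place:
#   certs_collide laptop.crt devbox.crt && echo "re-sign one of them"
#   sign_random_serial server.csr ca.crt ca.key server.crt
```

Two CAs created with the same subject on different machines have different keys but the same issuer name, which is why the fixed serial 01 collides.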
If you get stuck…
Try one of the following resources that I used to get this up and running:
Ever have Expose freeze up on you? Command-TAB stops working, Spaces stops working, the Dock stops working, show desktop stops working, show windows stops working; you’re trapped! Well, if you happen to have a terminal window open or can launch one, fear not! Simply issue the following command (make sure to use a capital ‘D’) and you’re golden. No restart required!
$ killall Dock
Share and enjoy!
If you receive the “File system formatter failed” error message while trying to partition a large hard drive using Disk Utility in OSX you need to change the partition type to GUID. Click the Options… button at the bottom of the partition list and select the GUID Partition Table:
