swig505.com

SSL With Name-based Virtual Hosts for Local Development

The default Apache install on Mac's Leopard (10.5) uses the industry standard mod_ssl. Unfortunately, mod_ssl needs one IP address per secure virtual host since SSL operates on a layer above HTTP (and therefore can't identify the ServerName until after the secure connection is made). However, GnuTLS is SNI-capable — thus all of your secure virtual hosts can use the same IP and port! Anyway, I'm not going to go into depth here since there are other places you can read up on the details; rather, I'm just going to show you how to install it on Leopard since a bit of Googling turned up nothing.

Quick Note: These instructions assume you are running Apache in 32-bit mode even though the default on Leopard is 64-bit. For information on how to switch to 32-bit, see this article.

1) Install GnuTLS — I had to update macports to install GnuTLS, but YMMV

sudo port selfupdate

sudo port install gnutls

2) Download and install mod_gnutls manually — it's a single apache shared module, so I wouldn't even bother with Macports:

wget http://www.outoforder.cc/downloads/mod_gnutls/mod_gnutls-0.5.5.tar.bz2

tar -xjvf mod_gnutls-0.5.5.tar.bz2

cd mod_gnutls-0.5.5

./configure

make

sudo make install

3) Create the following extra config for Apache:

sudo vim /private/etc/apache2/extra/httpd-gnutls.conf

Listen 443

LoadModule gnutls_module libexec/apache2/mod_gnutls.so

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

GnuTLSCache dbm "/private/var/run/ssl_scache"
GnuTLSCacheTimeout 300

4) Comment out the SSL include in your /private/etc/apache2/httpd.conf and include the GnuTLS config you just created:

...
# Secure (SSL/TLS) connections
# Include /private/etc/apache2/extra/httpd-ssl.conf
Include /private/etc/apache2/extra/httpd-gnutls.conf
...

5) Now, add your SSL-based virtual hosts to /private/etc/apache2/extra/httpd-vhosts.conf. Here is an example:

<VirtualHost *:443>
  ServerName mysite.local
  DocumentRoot "/Users/bsmith/Projects/mysite/public"
  RailsEnv development

  GnuTLSEnable on
  GnuTLSPriorities NORMAL
  GnuTLSCertificateFile /etc/apache2/certs/mysite.local.crt
  GnuTLSKeyFile /etc/apache2/certs/mysite.local.key

  <Directory "/Users/bsmith/Projects/mysite/public">
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

That's it! Now you can add as many virtual hosts with SSL as you want. Gone are the days of having to update your apache config every time you switch between projects... freedom!

blog comments powered by Disqus