Eric Gazoni's Blog

Daily thoughts for computer scientists

Month: November, 2010

SSL Secured Piston Webservice

On FreeBSD, there are a few gotchas to work with Apache + SSL + Piston.

Here are my findings:

  • Enabling SSL in Apache 2.0

As most SSL-related functions are enclosed in <IfDefine SSL> blocks, adding

apache2_enable=&quot;YES&quot;
apache2_flags=&quot;-D SSL&quot;

to /etc/rc.conf will enable them.

  • Disabling _default_ SSL Virtualhost

There’s a _default_ virtalenv defined in the ssl.conf file, and activated at the same time as the rest of the SSL config.

I didn’t find a “clean” way to disable it, and it was conflicting with my own virtualhost, so I encapsulated if between <IfDefine SSLVH> tags and it did the trick ๐Ÿ™‚

  • Generating SSL keys

I followed a guide found on google (in French). Extremely useful.

Copied them to /usr/local/etc/apache2/ssl.key/ and /usr/local/etc/apache2/ssl.crt/

  • Updating my virtualhosts to fetch HTTPS requests

As I disabled the _default_ virtualhost, I needed to make a copy of my existing (port 80) virtualhost, and merge it with what was defined in the _default_ one.

&lt;VirtualHost *:443&gt;

  ServerName servername.com

  SSLEngine On
  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

  SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
  SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
&lt;FilesMatch &quot;.(cgi|shtml|phtml|php3?)$&quot;&gt;
    SSLOptions +StdEnvVars
&lt;/FilesMatch&gt;
usr/local/www/cgi-bin&quot;&gt;
    SSLOptions +StdEnvVars
&lt;/Directory&gt;

SetEnvIf User-Agent &quot;.*MSIE.*&quot; 
         nokeepalive ssl-unclean-shutdown 
         downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd-ssl_request.log 
          &quot;%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x &quot;%r&quot; %b&quot;

[...]
&lt;/VirtualHost&gt;
  • Open port 443 on the firewall

Almost forgot this one ๐Ÿ™‚

Piston + HTTP Authentication + mod_FastCGI

I’ve spent much more time than necessary on this issue, so if it can help someone, I’m posting a working config for Django Piston + Apache’s mod_fastcgi + HTTP Basic Authentication.

Works with :

  • Apache 2.0.63
  • Django 1.2.3
  • Piston 0.2.2

I’ve updated the default config file found on the official Django website:

FastCGIExternalServer /project/dir/mysite.fcgi -socket /project/dir/mysite.sock -pass-header Authorization

&lt;VirtualHost 123.456.78.9&gt;
ServerName servername.com
DocumentRoot /project/dir
Alias /media /project/dir/media
RewriteEngine On
RewriteRule ^/(media.*)$ /$1 [QSA,L,PT]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ /mysite.fcgi/$1 [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
&lt;/VirtualHost&gt;

tl;dr: -pass-header Authorization and [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]