SSL Secured Piston Webservice

by Eric Gazoni

On FreeBSD, there are a few gotchas when getting Apache + SSL + Piston to work together.

Here are my findings:

  • Enabling SSL in Apache 2.0

As most SSL-related functions are enclosed in <IfDefine SSL> blocks, adding

apache2_enable="YES"
apache2_flags="-D SSL"

to /etc/rc.conf will enable them.

  • Disabling _default_ SSL Virtualhost

There’s a _default_ virtualhost defined in the ssl.conf file, and activated at the same time as the rest of the SSL config.

I didn’t find a “clean” way to disable it, and it was conflicting with my own virtualhost, so I encapsulated it between <IfDefine SSLVH> tags and it did the trick 🙂

  • Generating SSL keys

I followed a guide found on Google (in French). Extremely useful.

Copied them to /usr/local/etc/apache2/ssl.key/ and /usr/local/etc/apache2/ssl.crt/

  • Updating my virtualhosts to serve HTTPS requests

As I disabled the _default_ virtualhost, I needed to make a copy of my existing (port 80) virtualhost, and merge it with what was defined in the _default_ one.

<VirtualHost *:443>

  ServerName servername.com

  SSLEngine On
  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

  SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
  SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt

  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
      SSLOptions +StdEnvVars
  </FilesMatch>
  # Opening Directory tag reconstructed; only the tail of this line survived in the post
  <Directory "/usr/local/www/cgi-bin">
      SSLOptions +StdEnvVars
  </Directory>

  SetEnvIf User-Agent ".*MSIE.*" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0

  CustomLog /var/log/httpd-ssl_request.log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  [...]
</VirtualHost>

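As an added example (not part of the original post), the following Python parses a vhost fragment like the one above and reports which cipher groups the Apache 2.0-era default SSLCipherSuite still leaves enabled, using a simplified model of OpenSSL's cipher-string syntax. The directive names and cipher string come from the post; the ALL expansion, the weak-group list and the wording of the findings are assumptions of this example.

```python
import re

# Constructed sample: the SSL directives quoted in the post, as one vhost.
SAMPLE_VHOST = """\
<VirtualHost *:443>
  SSLEngine On
  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
"""
# Simplified model (assumption) of OpenSSL's "ALL" alias, which excludes eNULL,
# and of the groups a reviewer does not want enabled on port 443.
ALL_GROUPS = {"HIGH", "MEDIUM", "LOW", "EXP", "EXPORT40", "EXPORT56",
              "SSLv2", "SSLv3", "TLSv1", "RC4", "RSA", "ADH"}
WEAK_GROUPS = {"SSLv2", "EXP", "EXPORT40", "LOW", "ADH", "eNULL", "RC4"}

def ssl_directives(text):
    """Map directive name -> value for the first <VirtualHost> block in text."""
    m = re.search(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", text, re.S)
    out = {}
    for line in (m.group(1) if m else text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            out[name] = value.strip()
    return out

def enabled_groups(cipher_suite):
    """Groups a cipher string leaves enabled: '!X' removes X for good, a bare
    token adds it, and '+X' only re-orders ciphers already present, so the
    trailing '+eNULL' after 'ALL' adds nothing ('-X' is not modelled)."""
    enabled, killed = set(), set()
    for token in cipher_suite.split(":"):
        if token.startswith("!"):
            killed.add(token[1:])
        elif not token.startswith("+"):
            for part in token.split("+"):          # RC4+RSA names both groups
                enabled |= ALL_GROUPS if part == "ALL" else {part}
    return enabled - killed

def audit_vhost(text):
    """Findings a reviewer would raise about a vhost's SSL settings."""
    d = ssl_directives(text)
    findings = []
    if d.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not On")
    for g in sorted(enabled_groups(d.get("SSLCipherSuite", "ALL")) & WEAK_GROUPS):
        findings.append(f"SSLCipherSuite leaves {g} ciphers enabled")
    if "+FakeBasicAuth" in d.get("SSLOptions", ""):
        findings.append("FakeBasicAuth maps client-cert DNs to Basic-auth users")
    return findings
```

Running audit_vhost(SAMPLE_VHOST) flags EXP, EXPORT40, LOW, RC4 and SSLv2 (but not eNULL, which ALL never included), plus the FakeBasicAuth option; a string such as HIGH:!aNULL:!eNULL:!RC4:!MD5 produces no cipher findings.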
  • Open port 443 on the firewall

Almost forgot this one 🙂