10.5: Set up OS X as an SSL-secured reverse proxy Internet
I've been wanting to set up my Mac Mini (running OS X 10.5.2) as an SSL secured reverse proxy to a bit of kit on my network. However, all the instructions I've found are aimed at older versions of OS X and/or older versions of Apache. I had been using OrenoSP on my old Windows-based system, but couldn't find a comparable yet free equivalent for the Mac. As Apache 2.2.x is included with Leopard, I decided to investigate that route.

The following instructions are shamelessly cobbled together from various bits of documentation, web sites, and forums.

DISCLAIMER: I'm an Apache and OS X beginner, so this may not be the best or most secure way to do this. It does, however, provide an SSL-secured reverse proxy. But the illusion of security can be worse than no security at all, so please bear this in mind. If any commenters wish to point out ways of improving this, it would be much appreciated.

[robg adds: This is a long involved hint, and hopefully I didn't mess up anything in the editing. I have not tested it myself.]

Apple provides a guide for setting up SSL on Apache, but it's aimed at older versions of OS X. I have used the instructions on that guide to build the certificates and copied the basics below, although full details are at the link above.
$ mkdir ~/Desktop/KeyGen
$ cd ~/Desktop/KeyGen
$ openssl genrsa -des3 -out server.key 1024
You will be asked for a passphrase in the creation of this key. Do not forget this passphrase!
$ openssl req -new -key server.key -out server.csr
In the entry for Common Name, enter your server name as it will appear in your httpd.conf file.
$ openssl genrsa -des3 -out ca.key 1024
You'll be asked for a passphrase, which, again, you should not forget.
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You'll be asked for the passphrase for the key you just made. When you are asked for your Common Name, you want to enter your name, not the server name.

Download latest mod_ssl; extract sign.sh from the pkg.contrib folder in the mod_ssl download tar file, and place it in ~/Desktop/KeyGen/. Then...
$ chmod +x sign.sh
$ ./sign.sh server.csr
Answer y to any questions.
$ sudo mkdir /etc/apache2/ssl.key
$ sudo cp -r * /etc/apache2/ssl.key/
$ cd /etc/apache2/ssl.key
$ sudo cp server.key server.key.original
$ sudo openssl rsa -in server.key.original -out server.key
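The same key, CSR, CA and signing steps as one non-interactive script, with a check of the result before it is copied into /etc/apache2/ssl.key. This is an added example, not code from the hint or from Apple's guide: the prompts are answered with -subj, the mod_ssl sign.sh helper is replaced by openssl x509 -req, and the CA name, 2048-bit key size and subjectAltName are my additions. It assumes only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the hint): the key, CSR, CA and signing steps above,
# run non-interactively; -subj answers the prompts and "openssl x509 -req"
# replaces sign.sh. Assumes only the openssl CLI. Keys are written without a
# passphrase (the hint strips it with "openssl rsa" anyway), so chmod them.

# make_certs DIR SERVER_NAME: writes ca.key, ca.crt, server.key, server.csr and
# server.crt into DIR. SERVER_NAME must match ServerName in httpd-ssl.conf.
make_certs() {
    dir=$1; cn=$2
    mkdir -p "$dir" || return 1
    # Private config so the CA extensions do not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # CA key and self-signed CA certificate (2048 bits; the hint used 1024).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 365 -config "$dir/req.cnf" -key "$dir/ca.key" \
        -subj "/CN=Home proxy CA" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Server key and CSR; the CN is the name clients will connect to.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$dir/req.cnf" -key "$dir/server.key" \
        -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null || return 1
    # Sign the CSR with the CA (what sign.sh did); the subjectAltName is needed
    # because current browsers ignore the CN when matching the host name.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$cn" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# check_certs DIR SERVER_NAME: 0 only if server.crt chains to ca.crt, its public
# key matches server.key and it names SERVER_NAME in subjectAltName.
check_certs() {
    dir=$1; cn=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] || return 1
    openssl x509 -noout -text -in "$dir/server.crt" 2>/dev/null | grep -q "DNS:$cn"
}
```

Run it as `make_certs ~/Desktop/KeyGen www.mydomain.com && check_certs ~/Desktop/KeyGen www.mydomain.com`, then copy the files into /etc/apache2/ssl.key as in the steps above.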
You should now have the certificates you require. Firstly, I wanted my site to be password protected, so I created a user account that is allowed to access the web page using the command below:
$ sudo htpasswd -c passwords_file username
Where passwords_file is the name of the file you wish users to be stored in, and username is the name of the user you want to use to connect to your website.

Now we can set up the general Apache configuration, though first stopping the Apache service and backing up the original config file:
$ sudo apachectl stop
$ cd /etc/apache2
$ sudo cp httpd.conf httpd.conf.backup
Edit httpd.conf (use your favourite editor; I've used vi in the example below), and make the changes described below:
  • Locate and comment out Listen 80 by placing a # at the beginning: #Listen 80.
  • Change ServerAdmin to a relevant email address for yourself: ServerAdmin admin@mydomain.com
  • Uncomment the httpd-ssl.conf Include line: Include /private/etc/apache2/extra/httpd-ssl.conf
  • Add the following lines to the end of the file; replace passwords_file and username with the details used in the htpasswd command above. Replace internal_IP with the IP address of the machine on your LAN you wish to proxy to. If you're not concerned about password protection, the lines beginning AuthType, AuthName, AuthUserFile and Require can be removed and the following added in their place: Allow from all. Here's the code to add:
    ProxyRequests Off
    # Order and the Auth* directives are only valid inside a container; for a
    # reverse proxy that container is <Proxy *> (without it Apache refuses to
    # start with "Order not allowed here").
    <Proxy *>
       Order deny,allow
       AuthType Basic
       AuthName "Restricted Files"
       AuthUserFile passwords_file
       # Require takes the form "user <name>"; replace username as described above.
       Require user username
    </Proxy>
    # Both sides end in "/" so that a request for /foo is sent to http://internal_IP/foo.
    ProxyPass / http://internal_IP/
    ProxyPassReverse / http://internal_IP/
Save your changes and exit the editor.

Now we can set up the SSL configuration, first backing up the original config file:
$ sudo cp extra/httpd-ssl.conf extra/httpd-ssl.conf.backup
Edit httpd-ssl.conf using your favourite editor; I've used vi in the example below:
  • Replace www.example.com in ServerName with the External IP address or domain name of your network: ServerName www.mydomain.com:443.
  • Change ServerAdmin to a relevant email address for yourself: ServerAdmin admin@mydomain.com.
  • Uncomment SSLCertificateFile and add ssl.key to its path: SSLCertificateFile "/private/etc/apache2/ssl.key/server.crt"
  • Uncomment SSLCertificateKeyFile and add ssl.key to its path: SSLCertificateKeyFile "/private/etc/apache2/ssl.key/server.key"
Save your changes and quit the editor. Now restart Apache with sudo apachectl start.

Now load a browser and point it at https://external_ip_or_domain_name, and you should be shown a login prompt. Enter your details as used in the htpasswd command, and your internal system should be displayed. The browser should indicate that the site is being accessed in a secure manner (padlocks, yellow address bar, etc.). You may receive some messages about the certificates that have been used; I believe this is due to them being created by yourself and not by an officially recognised Certification Authority.

Hope someone finds this useful...

10.5: Set up OS X as an SSL-secured reverse proxy | 11 comments
10.5: Set up OS X as an SSL-secured reverse proxy
Authored by: pecosbill on Mar 11, '08 11:52:36AM
If you do put a server admin email address, use a "public" one that you don't care about. It will be spammed, most likely. (It's a convenience for your users and not mandatory to my knowledge.)

Also, you may want to change the listen port for secure connections. I cannot recall where it's set. By putting a high port number, there's a slight reduction in risk. You would then connect via https://mydomain.tld:33333/ where 33333 is the port you specify. Max value is 65535. You probably will have to open the firewall for that port, too. Not sure how to do that with the new one in Leo.

---
Pecos Bill


10.5: Set up OS X as an SSL-secured reverse proxy
Authored by: amusingfool on Mar 11, '08 02:15:57PM
Side note: the default port for HTTPS is 443 (check /etc/services when you can't remember this sort of thing).

Getting to the real point, though, I guess I'm not quite sure what the point is. Is it just to get it listening to https? If so, this is a nice summary of all the steps.

Is it to have some login-protected pages, with secure access? If so, you could do things a bit more simply (with a bit of added flexibility). Just set the web server to listen to a port that isn't available externally (assume, for the sake of argument, 8080). Then enable ssh access to the box. When you want to get to the site, do
ssh myname@external-address -L 9999:hostname:8080
(9999 is a local port number, hostname is a name that is recognized on the remote box, so it could be a local name, and 8080 is the port to which you want to tunnel)
Then point your browser at http://localhost:9999/ et voila.
A side benefit to this is that you can use a certificate for signing in (remembering that ssh-agent is your friend :).

10.5: Set up OS X as an SSL-secured reverse proxy
Authored by: ianf on Mar 11, '08 04:06:05PM
Hi, I'm the anonymous author of the hint, just thought I'd expand on the above based on one of the comments:

> Getting to the real point, though, I guess I'm not quite sure what the point is. Is it just to get it listening to https? If so, this is a nice summary of all the steps.

The purpose of the hint is to allow secured remote access to a device located on an internal network using the Mac as a proxy to that device, so that the device itself isn't directly exposed to the real world. In my case it's a TiVo running its own unsecured web server/interface. Using the above instructions (and forwarding port 443 to the Mac) I'm able to securely access the TiVo's web interface without exposing its own port 80 directly to the web, while at the same time ensuring that all traffic to and from it is encrypted, which in this case, I'll admit, is perhaps overkill ;-).

> Is it to have some login-protected pages, with secure access? If so, you could do things a bit more simply (with a bit of added flexibility). Just set the web server to listen to a port that isn't available externally (assume, for the sake of argument, 8080). Then enable ssh access to the box. When you want to get to the site, do ssh myname@external-address -L 9999:hostname:8080 (9999 is a local port number, hostname is a name that is recognized on the remote box, so it could be a local name, and 8080 is the port to which you want to tunnel) Then point your browser at http://localhost:9999/ et voila.

Useful hint, I currently do something similar to allow me to securely VNC remotely to my mac, but hadn't thought of using it in that way.

Cheers,
IanF

10.5: Set up OS X as an SSL-secured reverse proxy
Authored by: amusingfool on Mar 12, '08 10:50:25AM

If that's the goal, set up the tunnel like I mentioned, and set the target to be the TiVo's server and port, rather than another port on the "accessible" web server.
10.5: Set up OS X as an SSL-secured reverse proxy
Authored by: ianf on Mar 12, '08 12:10:42PM

Hi, thanks for your reply, however I think I may be missing something obvious.

The TiVo doesn't run an SSL server, so I can't forward a port on the router directly to it, if that's what you're suggesting. Or are you saying that the command you suggested will connect to my mac and tell it to forward the connection onto the TiVo? If so that's dead clever and I didn't know it could be done :-)

Cheers,
Ian
10.5: Set up OS X as an SSL-secured reverse proxy
Authored by: amusingfool on Mar 12, '08 01:29:28PM
Sorry... Glossed over some details... The short is that it doesn't matter if the TiVo's web interface is https or not (except that if it was, you'd need to change the URL I mentioned in my first reply to https://localhost:9999/ ).

In more detail, this establishes an SSL tunnel from your (work? travelling laptop?) machine to the internet-facing web server. So it's encrypted while travelling over the public internet, but the communication between that web server and the TiVo (over your home network) is unencrypted. So this is actually an ideal situation.

Again getting back to that hypothetical HTTPS-enabled TiVo, that would mean that the channel would be doubly-encrypted on the first leg, and singly-encrypted on your home network.

As a side note, this can also be used as a strategy for browsing on a censored internet connection (say, over the Denver airport's WiFi). Just make that tunnel something like -L 9999:boingboing.net:80

And if you really want to get fancy (like, by establishing a dozen tunnels at once (possible, but rather cumbersome, over the command line)), take a look at the man page for the SSL config file (do 'man 5 config' from the command line, for those not familiar with man)

10.5: Set up OS X as an SSL-secured reverse proxy
Authored by: ianf on Mar 13, '08 02:54:17AM
> In more detail, this establishes an SSL tunnel from your (work? travelling laptop?) machine to the internet-facing web server. So it's encrypted while travelling over the public internet, but the communication between that web server and the TiVo (over your home network) is unencrypted. So this is actually an ideal situation.

Well, I've just had a quick play with this and it works just as you say. Somehow I've managed to miss this fantastic bit of ssl/ssh functionality!

In short, it means rather than setting up a reverse-proxy alongside SSL, SSL itself can be used to bounce from your proxy machine to any bit of kit that's listening on the network!
Obviously it's more convenient to not have to manually set up the client side SSL connection every time you want to connect to the device on your LAN (which my method offers) but the simplicity of your method combined with the added security of the server only being available when you've manually set up a connection could be VERY handy. Thanks very much for opening my eyes to this :-)

Cheers,
Ian

10.5: Set up OS X as an SSL-secured reverse proxy
Authored by: bodosom on Mar 16, '08 03:22:28PM

Isn't running OpenVPN a broader solution to this (and any similar) problem? In any case that's how I get to my home network including my TiVos.
10.5: Set up OS X as an SSL-secured reverse proxy
Authored by: ianf on Mar 19, '08 03:46:55AM

Hi, Thanks for the comment, and yes it is one way this could be tackled. However, for my scenario I don't want to have to have a VPN client on the remote system. I may be attempting to access the TiVo from work or a web-cafe where local policy doesn't allow installing additional software. Or I may even want to access it from my mobile phone which wouldn't be able to run a VPN client.

Cheers,
Ian
10.5: Set up OS X as an SSL-secured reverse proxy
Authored by: cbansal on Mar 23, '08 05:36:52PM

Hi,

A good document. However I am facing an issue in my http.conf file. I did add the lines as given without the password thing in there as I am not using it right now. But I am confused and it comes as an error too while I restart my apache (I am using 10.4 OSX and all your steps fit comfortably on it): the last lines, since they are not in any include tag or something of that sort, make the apache machine throw an error, "order not allowed here".

I am a newbie in this field and am trying to host my ruby on rails application on apache with secure server. Please help.

I would really appreciate if you could post help here as well as to my email: chirag.bansal@gmail.com

thanks
10.5: Set up OS X as an SSL-secured reverse proxy
Authored by: ianf on Mar 27, '08 03:47:42AM
Hi,

I'm not sure I can be of much help, but a lot of the guide was built using the URL below:

http://www.apachetutor.org/admin/reverseproxies

I'm assuming that you mean that the ProxyPass and ProxyPassReverse lines are causing a problem. In the URL it mentions (and shows a few examples of) placing them in Virtual Host tags or Location tags, you may want to experiment with that and see if you have any success.

Cheers,

Ian
