I've been wanting to set up my Mac Mini (running OS X 10.5.2) as an SSL secured reverse proxy to a bit of kit on my network. However, all the instructions I've found are aimed at older versions of OS X and/or older versions of Apache. I had been using OrenoSP on my old Windows-based system, but couldn't find a comparable yet free equivalent for the Mac. As Apache 2.2.x is included with Leopard, I decided to investigate that route.
The following instructions are shamelessly cobbled together from various bits of documentation, web sites, and forums.
DISCLAIMER: I'm an Apache and OS X beginner, so this may not be the best way or most secure way to do this. It does, however, provide an SSL secured reverse proxy. But the illusion of security can be worse than no security at all, so please bear this in mind. If any commenters wish to point out ways of improving this, it would be much appreciated.
[robg adds: This is a long involved hint, and hopefully I didn't mess up anything in the editing. I have not tested it myself.]
Apple provides a guide for setting up SSL on Apache, but it's aimed at older versions of OS X. I have used the instructions on that guide to build the certificates and copied the basics below, although full details are at the link above.
$ mkdir ~/Desktop/KeyGen
$ cd ~/Desktop/KeyGen
$ openssl genrsa -des3 -out server.key 1024
You will be asked for a passphrase in the creation of this key. Do not forget this passphrase!
$ openssl req -new -key server.key -out server.csr
In the entry for Common Name, enter your server name as it will appear in your httpd.conf file.
$ openssl genrsa -des3 -out ca.key 1024
You'll be asked for a passphrase, which, again, you should not forget.
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You'll be asked for the passphrase for the key you just made. When you are asked for your Common Name, you want to enter your name, not the server name.
$ chmod +x sign.sh
$ ./sign.sh server.csr
Answer y to any questions.
$ sudo mkdir /etc/apache2/ssl.key
$ sudo cp -r * /etc/apache2/ssl.key/
$ cd /etc/apache2/ssl.key
$ sudo cp server.key server.key.original
$ sudo openssl rsa -in server.key.original -out server.key
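The last command above writes server.key without a passphrase, and the copy step also places ca.key in the same directory, so file permissions are all that protect these keys. The audit script below is an added example, not part of the original hint. It assumes PEM key files whose names contain ".key" and reports any that are both unencrypted and accessible to group or other.

```shell
#!/bin/sh
# Added example: audit the private keys left in the key directory.
# Assumption: keys are PEM files whose names contain ".key".

# True (0) if the PEM private key is passphrase-protected.
# Traditional format carries "Proc-Type: 4,ENCRYPTED"; PKCS#8 uses
# "BEGIN ENCRYPTED PRIVATE KEY". Both contain the word ENCRYPTED.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# True (0) if group and other have no permission bits on the file.
# Reads the mode string from ls so it works on BSD/macOS and Linux.
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print one line per key file and return the number of keys that are
# both unencrypted and accessible to group/other (the case to fix).
audit_key_dir() {
    dir=$1
    exposed=0
    for f in "$dir"/*.key*; do
        [ -f "$f" ] || continue
        if key_is_encrypted "$f"; then enc=encrypted; else enc=PLAINTEXT; fi
        if key_is_private "$f"; then acc=owner-only; else acc=GROUP/OTHER; fi
        echo "$f: $enc, $acc"
        if [ "$enc" = PLAINTEXT ] && [ "$acc" = GROUP/OTHER ]; then
            exposed=$((exposed + 1))
        fi
    done
    return "$exposed"
}

# Audit a directory when one is given, e.g. /etc/apache2/ssl.key
if [ "$#" -gt 0 ]; then audit_key_dir "$1"; fi
```

The exit status is the number of exposed keys; restricting such a file to its owner (mode 600) clears the finding.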
You should now have the certificates you require. Firstly, I wanted my site to be password protected, so I created a user account that is allowed to access the web page using the command below:
$ sudo htpasswd -c passwords_file username
Where passwords_file is the name of the file you wish users to be stored in, and username is the name of the user you want to use to connect to your website.
$ sudo apachectl stop
$ cd /etc/apache2
$ sudo cp httpd.conf httpd.conf.backup
Edit httpd.conf (use your favourite editor; I've used vi in the example below), and make the changes described below:
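# Reverse proxy only; do not act as a forward proxy
ProxyRequests Off
<Proxy *>
Order deny,allow
# Require Basic authentication for every proxied request
AuthType Basic
AuthName "Restricted Files"
AuthUserFile passwords_file
Require user username
</Proxy>
ProxyPass / http://internal_IP
ProxyPassReverse / http://internal_IP
$ sudo cp extra/httpd-ssl.conf extra/httpd-ssl.conf.backup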
Edit httpd-ssl.conf using your favourite editor; I've used vi in the example below:
Mac OS X Hints
http://hints.macworld.com/article.php?story=20080304022413775