10.5: Set up OS X as an SSL-secured reverse proxy

Mar 11, '08 07:30:00AM

Contributed by: ianf

I've been wanting to set up my Mac Mini (running OS X 10.5.2) as an SSL secured reverse proxy to a bit of kit on my network. However, all the instructions I've found are aimed at older versions of OS X and/or older versions of Apache. I had been using OrenoSP on my old Windows-based system, but couldn't find a comparable yet free equivalent for the Mac. As Apache 2.2.x is included with Leopard, I decided to investigate that route.

The following instructions are shamelessly cobbled together from various bits of documentation, web sites, and forums.

DISCLAIMER: I'm an Apache and OS X beginner, so this may not be the best or most secure way to do this. It does, however, provide an SSL-secured reverse proxy. But the illusion of security can be worse than no security at all, so please bear this in mind. If any commenters wish to point out ways of improving this, it would be much appreciated.

[robg adds: This is a long involved hint, and hopefully I didn't mess up anything in the editing. I have not tested it myself.]

Apple provides a guide for setting up SSL on Apache, but it's aimed at older versions of OS X. I have used the instructions on that guide to build the certificates and copied the basics below, although full details are at the link above.

$ mkdir ~/Desktop/KeyGen
$ cd ~/Desktop/KeyGen
$ openssl genrsa -des3 -out server.key 1024
You will be asked for a passphrase in the creation of this key. Do not forget this passphrase!
$ openssl req -new -key server.key -out server.csr
In the entry for Common Name, enter your server name as it will appear in your httpd.conf file.
$ openssl genrsa -des3 -out ca.key 1024
You'll be asked for a passphrase, which, again, you should not forget.
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You'll be asked for the passphrase for the key you just made. When you are asked for your Common Name, you want to enter your name, not the server name.

Download the latest mod_ssl source tarball; extract sign.sh from its pkg.contrib folder and place it in ~/Desktop/KeyGen/. Then...
$ chmod +x sign.sh
$ ./sign.sh server.csr
Answer y to any questions.
$ sudo mkdir /etc/apache2/ssl.key
$ sudo cp -r * /etc/apache2/ssl.key/
$ cd /etc/apache2/ssl.key
$ sudo cp server.key server.key.original
$ sudo openssl rsa -in server.key.original -out server.key
You should now have the certificates you require. Firstly, I wanted my site to be password protected, so I created a user account that is allowed to access the web page using the command below:
$ sudo htpasswd -c passwords_file username
Here passwords_file is the name of the file the users will be stored in, and username is the name of the user you want to use to connect to your website. (The -c switch creates the file; omit it when adding further users to an existing file.)

Now we can set up the general Apache configuration, though first stopping the Apache service and backing up the original config file:
$ sudo apachectl stop
$ cd /etc/apache2
$ sudo cp httpd.conf httpd.conf.backup
Edit httpd.conf (use your favourite editor; I've used vi in the example below), and make the changes described below: Save your changes and exit the editor.

Now we can set up the SSL configuration, first backing up the original config file:
$ sudo cp extra/httpd-ssl.conf extra/httpd-ssl.conf.backup
Edit httpd-ssl.conf using your favourite editor; I've used vi in the example below: Save your changes and quit the editor. Now restart Apache with sudo apachectl start.
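As an added example (not the hint's own edited config, which is not reproduced above), here is a minimal SSL VirtualHost for extra/httpd-ssl.conf that ties together the three pieces this hint sets up: the certificate copied to /etc/apache2/ssl.key/, the htpasswd file, and the reverse proxy to the internal device. The site name proxy.example.com, the internal address 192.168.1.10 and the password file path are assumptions.

```apache
# Added example for /etc/apache2/extra/httpd-ssl.conf on Leopard's Apache 2.2.
# Assumed values: site name proxy.example.com, internal device at
# http://192.168.1.10/, password file /etc/apache2/passwords_file.
#
# In httpd.conf make sure these are uncommented (module paths are relative
# to Leopard's ServerRoot, /usr):
#   LoadModule ssl_module        libexec/apache2/mod_ssl.so
#   LoadModule proxy_module      libexec/apache2/mod_proxy.so
#   LoadModule proxy_http_module libexec/apache2/mod_proxy_http.so
#   Include /private/etc/apache2/extra/httpd-ssl.conf

Listen 443
<VirtualHost _default_:443>
    ServerName proxy.example.com:443

    # Certificate and key produced by sign.sh and copied to ssl.key/ above
    # (server.key is the passphrase-free copy made with "openssl rsa").
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.key/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Reverse proxy only. ProxyRequests Off is what stops the server from
    # also acting as an open forward proxy for anyone who reaches port 443.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://192.168.1.10/
    ProxyPassReverse / http://192.168.1.10/

    # Require the htpasswd account before anything is proxied. Keeping this
    # only in the 443 VirtualHost means the Basic-auth credentials are never
    # accepted over plain HTTP.
    <Location />
        AuthType Basic
        AuthName "Restricted device"
        AuthUserFile /etc/apache2/passwords_file
        Require valid-user
    </Location>
</VirtualHost>
```

After editing, run `sudo apachectl configtest` before `sudo apachectl start` so a typo in the config does not leave Apache down.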

Now load a browser and point it at https://external_ip_or_domain_name, and you should be shown a login prompt. Enter the details you used in the htpasswd command, and your internal system should be displayed. The browser should indicate that the site is being accessed in a secure manner (padlock, yellow address bar, etc). You may receive some messages about the certificates that have been used; I believe that this is due to them being created by yourself and not by an officially recognised Certification Authority.

Hope someone finds this useful...

Mac OS X Hints
http://hints.macworld.com/article.php?story=20080304022413775