The following instructions are shamelessly cobbled together from various bits of documentation, web sites, and forums.
DISCLAIMER: I'm an Apache and OS X beginner, so this may not be the best way or most secure way to do this. It does, however, provide an SSL secured reverse proxy. But the illusion of security can be worse than no security at all, so please bear this in mind. If any commenters wish to point out ways of improving this, it would be much appreciated.
[robg adds: This is a long involved hint, and hopefully I didn't mess up anything in the editing. I have not tested it myself.]
Apple provides a guide for setting up SSL on Apache, but it's aimed at older versions of OS X. I have used the instructions on that guide to build the certificates and copied the basics below, although full details are at the link above.
$ mkdir ~/Desktop/KeyGen
$ cd ~/Desktop/KeyGen
$ openssl genrsa -des3 -out server.key 1024
You will be asked for a passphrase in the creation of this key. Do not forget this passphrase!
$ openssl req -new -key server.key -out server.csr
In the entry for Common Name, enter your server name as it will appear in your httpd.conf file.
$ openssl genrsa -des3 -out ca.key 1024
You'll be asked for a passphrase, which, again, you should not forget.
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You'll be asked for the passphrase for the key you just made. When you are asked for your Common Name, you want to enter your name, not the server name.
Download the latest mod_ssl, extract sign.sh from the pkg.contrib folder in the mod_ssl download tar file, and place it in ~/Desktop/KeyGen/. Then...
$ chmod +x sign.sh
$ ./sign.sh server.csr
Answer y to any questions.
$ sudo mkdir /etc/apache2/ssl.key
$ sudo cp -r * /etc/apache2/ssl.key/
$ cd /etc/apache2/ssl.key
$ sudo cp server.key server.key.original
$ sudo openssl rsa -in server.key.original -out server.key
You should now have the certificates you require. Firstly, I wanted my site to be password protected, so I created a user account that is allowed to access the web page using the command below:
$ sudo htpasswd -c passwords_file username
Where passwords_file is the name of the file you wish users to be stored in, and username is the name of the user you want to use to connect to your website.
Now we can set up the general Apache configuration, though first stopping the Apache service and backing up the original config file:
$ sudo apachectl stop
$ cd /etc/apache2
$ sudo cp httpd.conf httpd.conf.backup
Edit httpd.conf (use your favourite editor; I've used vi in the example below), and make the changes described below:
- Locate and comment out Listen 80 by placing a # at the beginning: #Listen 80.
- Change ServerAdmin to a relevant email address for yourself: ServerAdmin admin@mydomain.com
- Uncomment the httpd-ssl.conf Include line: Include /private/etc/apache2/extra/httpd-ssl.conf
- Add the following lines to the end of the file; replace passwords_file and username with the details used in the htpasswd command above. Replace internal_IP with the IP address of the machine on your LAN you wish to proxy to. If you're not concerned about password protection, the lines beginning AuthType, AuthName, AuthUserFile and Require can be removed and the following added in their place: Allow from all. Here's the code to add:
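# Reverse proxy only: never act as an open forward proxy
ProxyRequests Off
# Access control and Basic authentication for everything that is proxied
<Proxy *>
Order deny,allow
AuthType Basic
AuthName "Restricted Files"
AuthUserFile passwords_file
Require user username
</Proxy>
ProxyPass / http://internal_IP
ProxyPassReverse / http://internal_IP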
Now we can set up the SSL configuration, first backing up the original config file:
$ sudo cp extra/httpd-ssl.conf extra/httpd-ssl.conf.backup
Edit httpd-ssl.conf using your favourite editor; I've used vi in the example below:
- Replace www.example.com in ServerName with the External IP address or domain name of your network: ServerName www.mydomain.com:443.
- Change ServerAdmin to a relevant email address for yourself: ServerAdmin admin@mydomain.com.
- Uncomment SSLCertificateFile and add ssl.key to its path: SSLCertificateFile "/private/etc/apache2/ssl.key/server.crt"
- Uncomment SSLCertificateKeyFile and add ssl.key to its path: SSLCertificateKeyFile "/private/etc/apache2/ssl.key/server.key"
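A check worth running on the two files just referenced, as an added example that is not part of the original hint: it confirms that server.crt carries the public half of server.key, and that the key (which has no passphrase after the `openssl rsa` step) is not readable by group or other. The function names check_tls_pair and make_sample_pair are made up for this example.

```shell
#!/bin/sh
# Added example: sanity-check the certificate and key that httpd-ssl.conf points at.
# check_tls_pair CERT KEY prints one line per failed check and returns
# non-zero if any check fails.

check_tls_pair() {
    cert=$1 key=$2 rc=0

    # 1. The certificate must contain the public half of this private key.
    #    -passin supplies a dummy passphrase so that an encrypted key fails
    #    the check instead of stopping at a passphrase prompt.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass:dummy 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert (or is unreadable or encrypted)"
        rc=1
    fi

    # 2. With the passphrase removed, file permissions are the key's only
    #    protection on disk: the group and other bits must all be clear.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible to group/other ($perms); chmod 600 it"
        rc=1
    fi
    return $rc
}

# Constructed sample input: a throwaway self-signed pair written to directory $1,
# for trying the check without touching the real files.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample.invalid" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Run directly with two arguments to check real files (as root, since the
# key should be readable by root only), for example:
#   sudo sh check_tls_pair.sh /etc/apache2/ssl.key/server.crt /etc/apache2/ssl.key/server.key
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```

The `sudo cp -r *` step earlier copies the keys with whatever permissions they had on the Desktop, so the second check is the one most likely to fail on a fresh setup.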
Now load a browser and point it at https://external_ip_or_domain_name, and you should be shown a login prompt. Enter your details as used in the htpasswd command, and your internal system should be displayed. The browser should indicate that the site is being accessed in a secure manner (padlocks, yellow address bar, etc). You may receive some messages about the certificates that have been used; I believe that this is due to them being created by yourself and not an officially recognised Certification Authority.
Hope someone finds this useful...

