Brian Love
Angular + TypeScript Developer in Denver, CO

Enable HTTPS in Apache on Mac Yosemite

Reading time ~4 minutes

In this post we’ll be using HTTP with Apache on OS X Yosemite. In a previous post I showed you how to create a self-signed certificate. If you followed along then you created the following files in the /etc/apache2/ssl folder:

  • local.example.com.crt
  • local.example.com.key

Now, we are going to go through the steps necessary to set up HTTPS on our local Apache web server:

  • Load mod_ssl extension
  • Include ssl config file
  • Modify ssl config file, adding our new virtual host bound to port 443
  • Optionally specify new testing domain in our hosts file
  • Test and restart Apache

Why?

First, let’s answer a simple question: “Why?” In an effort to support HTTPS Everywhere we are migrating our website to use HTTPS. In later blog posts I will show how we will perform the migration to HTTPS.

The real reason for using HTTPS is to secure the web. The risks to users and privacy are at the highest levels today, and I suspect that the risks will only increase, while our users will increasingly expect the protection of their privacy.

Load mod_ssl

OK, now that we know why we are doing this, let’s dive it. First, simply uncomment the following line in the httpd.conf file. To modify the httpd.conf file we will use nano text editor. I also recommend using Textmate, and then you can just replace “nano” with “mate” in the following commands.

My httpd.conf file is located at: /etc/apache2/httpd.conf

$ cd /etc/apache2/
$ sudo nano httpd.conf

Find the following line and uncomment it. Just in case you are not sure, comments have a leading pound/hash symbol ( # ) – just remove it.

Load mod_ssl

Include httpd-ssl.conf File

While we still have the httpd.conf file open, we also need to uncomment the line that includes the httpd-ssl.conf file.

Include https-ssl.conf File

Add VirtualHost to httpd-ssl.conf

The last step is to configure a new virtual host that is bound to port 443 (HTTPS). There is already a sample <VirtualHost> record in the httpd-ssl.conf file. I suggest you first remove it, or comment it all out, so that you can just paste in the necessary code at the bottom of the file.

My httpd-ssl.conf file is located at: /etc/apache2/conf/httpd-ssl.conf

You will need to open the file using nano:

$ cd /etc/apache2/extra
$ sudo nano httpd-ssl.conf

Declare VirtualHost

The first step is to declare a new virtual host using the <VirtualHost> directive.

<VirtualHost *:443>

General Virtual Host Settings

Next, within the <VirtualHost> directive, we will declare some basic host settings:

  • DocumentRoot: absolute path to the webroot for the site
  • ServerName: the fully qualified domain name (FQDN)
  • ErrorLog: location of the error log
  • CustomLog: location of the access log

Enable SSL

To enable the SSL engine in Apache we simply add set the setting to “on”.

 #SSL Engine Switch
SSLEngine on

Specify certificate and private key

Using the paths as I described at the beginning, we will tell the SSL engine the location of the certificate request file (csr) and the private host key (.key).

`#Server Certificate:
SSLCertificateFile "/private/etc/apache2/ssl/local.example.com.crt"

#Server Private Key:
SSLCertificateKeyFile "/private/etc/apache2/ssl/local.example.com.key"

SSL Engine Options

There are lots of options that you can (and should if you are setting up a production server) configure for the SSL Engine, including the supported ciphers and the ordering of the ciphers used. If you have been following any recent security news, you have probably heard of the POODLE security flaw that uses a SSL 3.0 fallback vulnerability. To prevent any risk on a production server you must configure your server to use the latest version of TLS (1.3 as of this writing), and remove the support for teh older SSL version 2.0 and 3.0 protocols.

Protocols and ciphers – oh my!

If you are confused about all of the protocols, ciphers, prioritization logic, etc. Then I would recommend that you read the Mozilla article on Server Side security and TLS. They offer some best practice configurations for production environments and various web servers; including: IIS, Apache and Nginx.

For our local development server we are not going to worry about the protocols/ciphers and just simply add the following options.

#SSL Engine Options:
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/Library/WebServer/CGI-Executables">
    SSLOptions +StdEnvVars
</Directory>

Complete Virtual Host

Last, we need to close the <VirtualHost> directive. Our complete virtual host in the httpd-ssl.conf file should look like this:

<VirtualHost *:443>
    #General setup for the virtual host
    DocumentRoot "/www/local.example.com/www"
    ServerName local.example.com
    ErrorLog "/private/var/log/apache2/local.example.com-error_log"
    CustomLog "/private/var/log/apache2/local.example.com-access_log" common

    #SSL Engine Switch:
    SSLEngine on

    #Server Certificate:
    SSLCertificateFile "/private/etc/apache2/ssl/local.example.com.crt"

    #Server Private Key:
    SSLCertificateKeyFile "/private/etc/apache2/ssl/local.example.com.key"

    #SSL Engine Options:
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/Library/WebServer/CGI-Executables">
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>

Hosts file

In case this is a new website, you should also modify your hosts file to direct the domain name to your local Apache web server. If you already had the domain configured in your hosts file, then you can skip this step.

The hosts file is located at: /etc/hosts

Note that the file does not have an extension. Let’s open this up in nano.

$ cd /etc
$ sudo nano hosts

Then, add a new line for your website. I am using local.example.com.

127.0.0.1    local.example.com

Hosts File

Test Configuration and Restart Apache

The last step is to test our new configuration, and assuming everything is good, restart the Apache web server.

$ sudo apachectl -t
$ sudo apachectl restart

Test and Restart Apache

All done. You are now serving your website over HTTPS using Apache.

Brian Love

Hi, I'm Brian. I am interested in TypeScript, Angular and Node.js. I'm married to my best friend Bonnie, I live in Denver and I ski (a lot).