2015年12月13日 星期日

OS X 10.11 El Capitan Apache Setup: SSL

cover getting your site setup with SSL support


It is often important to be able to test your local site setup under SSL (e.g. There are a few steps that are needed to accomplish this with your 'OS X 10.11 El Capitan'-based Apache setup. The first step is to make some modifications to your httpd.conf. Because it's a system file, you will need to use sudo again:
$ sudo nano /etc/apache2/httpd.conf
In this file you should uncomment both the socache_shmcb_modulessl_module, and also the include for the httpd-ssl.conf by removing the leading # symbol on those lines:
LoadModule socache_shmcb_module libexec/apache2/
LoadModule ssl_module libexec/apache2/
Include /private/etc/apache2/extra/httpd-ssl.conf
After saving this file, you should then open up your/etc/apache2/extra/httpd-vhosts.conf.
$ sudo nano /etc/apache2/extra/httpd-vhosts.conf
Here you can create a VirtualHost entry for each virtual host that you wish to provide SSL support for.
<VirtualHost *:443>
    DocumentRoot "/Users/your_user/Sites"
    ServerName localhost
    SSLEngine on
    SSLCertificateFile "/private/etc/apache2/server.crt"
    SSLCertificateKeyFile "/private/etc/apache2/server.key"
In this example we have created the VirtualHost for localhost, but it could be any of your existing or even a new VirtualHost.


To get this all to work with Apache, we need to create a self-signed certificate that we have already referenced in the VirtualHost definition.
The following commands will often prompt you for information regarding the certificates. For local development you can just hit return to accept the default values.
First generate a key:
$ cd /etc/apache2
$ sudo ssh-keygen -f server.key
Then generate a certificate signing request:
$ sudo openssl req -new -key server.key -out server.csr
Using this CSR, generate the certificate:
$ sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The convert the key to a no-phrase key:
$ sudo openssl rsa -in server.key -out server.key
Then all you need to do now is double check your Apache configuration syntax:
$ sudo apachectl configtest
If all goes well, restart Apache:
$ sudo apachectl -k restart
Now simply point your browser at https://localhost. If you are prompted about aself-signed certificate, in Chrome you can hit the Advanced option on that page and proceed while in Firefox you need to expand the I Understand the Risks and add as exception. This is due to the fact that the self-signed certificates are not signed by any authority and for this reasons the browsers add warnings about it. Although, since you are the one who created the certificate, you understand it's safe to accept it.


Ratings and Recommendations by outbrain