Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the internet. It uses two keys to encrypt data: a public key and a private key. URLs that require an SSL connection start with https:// insead of http:// and operate on port 443 instead of 80 by default. SSL increases security as it makes it impossible for someone intercepting the stream of data to decode any information from it.
SecuritySpy does not have built-in support for SSL, however Mac OS X comes with Apache, a fully-featured and powerful web server, that can be used to set up the secure communication between the internet and SecuritySpy. In this way, Apache will be acting as a secure “reverse proxy” web server for SecuritySpy. This post describes how to set this up.
These instructions describe how to set up SSL using “self-signed” certificates. This allows you to get everything up and running, however for a proper installation you should ideally obtain a certificate from a Certificate Authority (such as Verisign or Thawte). A Certificate Authority is a trusted entity that confirms to whomever is connecting to your web server that you are who you say you are. This is only really applicable for web servers available to the general public, and a self-signed certificate is appropriate for when the server will be accessed by you or your employees or agents, as in this case there is no doubt about the server’s authenticity.
Although we have made every effort to make this guide easy to follow, this is a complex setup that requires use of the Terminal and editing of Apache configuration files, so is not for the novice user. This guide assumes that you have already set up the web server feature of SecuritySpy and are familiar with concepts such as dynamic DNS, port forwarding, and IP addressing on local networks.
For editing the configuration files, we highly recommend TextMate – this is a flexible and user-friendly editor that will make editing these files easy. You will also need to use the Terminal application, which is in your Utilities folder within your Applications folder.
These instructions are suitable for Mac OS X versions 10.5 through 10.8.
Step 1: Create a Certificate Authority (CA) certificate
In Terminal, type (or copy-and-paste) the following commands, each followed by a return:
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
These commands create a myssl folder in your Documents folder, a RSA key file, and a Certificate Authority certificate. You will be asked for some details about you (as the certificate authority), and for a passphrase – use something simple and memorable; it doesn’t have to be secure.
The Terminal output for this step will look something like this:
Step 2: Generate a private key for the web server
In Terminal, enter the following commands, each followed by a return:
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
This creates a server key file. It will ask for some details about you (as the server administrator). The vital thing here is, when it askes you to enter the Common Name, you must enter the host name (or IP address) of your server as a client would connect to it over the internet. For example, if you have a Dynamic DNS name set up for accessing your server over the internet called myserver.viewcam.me, this is what you enter here. It may also ask you for a challenge password and optional company name - just leave these blank.
The Terminal output for this step will look something like this:
Step 3: Sign the server key with your CA certificate
You need to download the latest mod_ssl, locate the sign.sh file from the pkg.contrib folder, and place it in your ~/Documents/myssl folder.
Back in the Terminal, enter:
chmod +x sign.sh
You will be asked for the passphrase for the ca.key file that you created above. For the questions Sign the certificate? and commit?, type y and enter.
Step 4: Remove the passphrase requirement from the server key file
This step is required so that Apache can read the private key without you having to manually start Apache from the command line with the passphrase every time you need to enable the web server. In Terminal, enter:
cp server.key server.key.original
openssl rsa -in server.key.original -out server.key
You will be asked for the passphrase that you initially specified for the server.key file.
Step 5: Configure the Apache web server for SSL
Now we have all the files needed to enable SSL in Apache. In the Finder, choose Go to folder from the Go menu and type /etc/apache2/ – this is where all the Apache configuration files reside:
Firstly, copy the server.crt and server.key files from ~/Documents/myssl/ into this folder.
Next, open the httpd.conf file in TextMate (before doing this it is good practice to create a backup of this file before making any changes, in case you need to revert to it). These are the changes you need to make to this file:
• Locate the ServerName parameter and set it to the external host name (or IP address) of your server. Remove any # character from the start of the line
• Locate the line Include /private/etc/apache2/extra/httpd-ssl.conf and remove any # character from the start of this line
• Locate the line LoadModule ssl_module libexec/apache2/mod_ssl.so and remove any # character from the start of this line (Mac OS X 10.7 and above)
• Save the file (TextMate will ask if you want to overwrite the existing file, which you do)
Finally, open the httpd-ssl.conf file within the extra directory (again you should make a backup first). Make the following changes:
• Locate the ServerName parameter and set it to the external host name (or IP address) of your server, and remove any # character from the start of the line
• Locate the SSLCertificateFile parameter and set it to “/private/etc/apache2/server.crt” (with quotes), and remove any # character from the start of this line
• Locate the SSLCertificateKeyFile parameter and set it to “/private/etc/apache2/server.key” (with quotes), and remove any # character from the start of this line
• Scroll to the bottom of the file, and just above the “</VirtualHost>” tag, add these two lines:
RewriteRule ^/(.*) http://127.0.0.1:8000/$1 [P]
• Save the file
Step 6: Test it
Everything is now set up. Go to System Preferences, click on Sharing, and enable Web Sharing – this starts the Apache web server. If web sharing was already enabled, you need to disable it and then enable it again to restart the web server (if it does not start, check the Console for errors – probably there is some mistake in the configuration files you edited above). Make sure SecuritySpy is open, and then open Safari and enter:
Note that this URL starts with https and not http. The IP address 127.0.0.1 is what is called the “loopback” address that refers to “this computer”. You should get a warning about the certificate being invalid because of a host name mismatch. This is because the address that you are using to access the server (127.0.0.1) is different from the address that you specified in the server certificate. This error will not occur when accessing the web server from the internet using the proper host name (although the client will get a warning that the certificate was signed by an unknown authority). Simply click the Continue button to ignore the warning and enter the secure site. You should see the SecuritySpy web interface with a padlock to the left of the address bar (or the top right of the Safari window, depending on your version of Safari), indicating a secure connection.
Step 7: Set up port forwarding
The final step is to set up port forwarding in your router to the computer on port 443 – this is the port used by HTTPS. Then you will be able to access SecuritySpy securely from the internet.