Setting Up SecuritySpy Over SSL

UPDATE 4 JUNE 2014: SecuritySpy now has built-in support for HTTPS, so the setup described below is no longer needed for setting up SecuritySpy over SSL (although it may still be useful for generating SSL keys, certificates and certificate signing requests for other purposes). See the Web Server Settings section in the SecuritySpy user manual for information about the built-in HTTPS feature.

Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the internet. It uses two keys to encrypt data: a public key and a private key. URLs that require an SSL connection start with https:// insead of http:// and operate on port 443 instead of 80 by default. SSL increases security as it makes it impossible for someone intercepting the stream of data to decode any information from it.

SecuritySpy does not have built-in support for SSL, however Mac OS X comes with Apache, a fully-featured and powerful web server, that can be used to set up the secure communication between the internet and SecuritySpy. In this way, Apache will be acting as a secure “reverse proxy” web server for SecuritySpy. This post describes how to set this up.

These instructions describe how to set up SSL using “self-signed” certificates. This allows you to get everything up and running, however for a proper installation you should ideally obtain a certificate from a Certificate Authority (such as Verisign or Thawte). A Certificate Authority is a trusted entity that confirms to whomever is connecting to your web server that you are who you say you are. This is only really applicable for web servers available to the general public, and a self-signed certificate is appropriate for when the server will be accessed by you or your employees or agents, as in this case there is no doubt about the server’s authenticity.

Although we have made every effort to make this guide easy to follow, this is a complex setup that requires use of the Terminal and editing of Apache configuration files, so is not for the novice user. This guide assumes that you have already set up the web server feature of SecuritySpy and are familiar with concepts such as dynamic DNS, port forwarding, and IP addressing on local networks.

For editing the configuration files, we highly recommend TextMate – this is a flexible and user-friendly editor that will make editing these files easy. You will also need to use the Terminal application, which is in your Utilities folder within your Applications folder.

These instructions are suitable for Mac OS X versions 10.5 through 10.8.

Step 1: Create a Certificate Authority (CA) certificate

In Terminal, type (or copy-and-paste) the following commands, each followed by a return:

mkdir ~/Documents/myssl
cd ~/Documents/myssl
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

These commands create a myssl folder in your Documents folder, a RSA key file, and a Certificate Authority certificate. You will be asked for some details about you (as the certificate authority), and for a passphrase – use something simple and memorable; it doesn’t have to be secure.

The Terminal output for this step will look something like this:

Create Certificate Authority Certificate

Step 2: Generate a private key for the web server

In Terminal, enter the following commands, each followed by a return:

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

This creates a server key file.  It will ask for some details about you (as the server administrator). The vital thing here is, when it asks you to enter the Common Name, you must enter the host name (or IP address) of your server as a client would connect to it over the internet. For example, if you have a Dynamic DNS name set up for accessing your server over the internet called myserver.viewcam.me, this is what you enter here. It may also ask you for a challenge password and optional company name - just leave these blank.

The Terminal output for this step will look something like this:

Create Private Key

Step 3: Sign the server key with your CA certificate

You need to download this file called sign.sh, and place it in your ~/Documents/myssl folder.

Back in the Terminal, enter:

chmod +x sign.sh
./sign.sh server.csr

You will be asked for the passphrase for the ca.key file that you created above. For the questions Sign the certificate? and commit?, type y and enter.

Step 4: Remove the passphrase requirement from the server key file

This step is required so that Apache can read the private key without you having to manually start Apache from the command line with the passphrase every time you need to enable the web server. In Terminal, enter:

cp server.key server.key.original
openssl rsa -in server.key.original -out server.key

You will be asked for the passphrase that you initially specified for the server.key file.

Step 5: Configure the Apache web server for SSL

Now we have all the files needed to enable SSL in Apache. In the Finder, choose Go to folder from the Go menu and type /etc/apache2/ – this is where all the Apache configuration files reside:

Go To Folder

Firstly, copy the server.crt and server.key files from ~/Documents/myssl/ into this folder.

Next, open the httpd.conf file in TextMate (before doing this it is good practice to create a backup of this file before making any changes, in case you need to revert to it). These are the changes you need to make to this file:

• Locate the ServerName parameter and set it to the external host name (or IP address) of your server. Remove any # character from the start of the line

• Locate the line Include /private/etc/apache2/extra/httpd-ssl.conf and remove any # character from the start of this line

• Locate the line LoadModule ssl_module libexec/apache2/mod_ssl.so and remove any # character from the start of this line (Mac OS X 10.7 and above)

• Save the file (TextMate will ask if you want to overwrite the existing file, which you do)

Finally, open the httpd-ssl.conf file within the extra directory (again you should make a backup first). Make the following changes:

• Locate the ServerName parameter and set it to the external host name (or IP address) of your server, and remove any # character from the start of the line

• Locate the SSLCertificateFile parameter and set it to “/private/etc/apache2/server.crt” (with quotes), and remove any # character from the start of this line

• Locate the SSLCertificateKeyFile parameter and set it to “/private/etc/apache2/server.key” (with quotes), and remove any # character from the start of this line

• Scroll to the bottom of the file, and just above the “</VirtualHost>” tag, add these two lines:

RewriteEngine On
RewriteRule ^/(.*) http://127.0.0.1:8000/$1 [P]

• Save the file

Step 6: Test it

Everything is now set up. Go to System Preferences, click on Sharing, and enable Web Sharing –  this starts the Apache web server. If web sharing was already enabled, you need to disable it and then enable it again to restart the web server (if it does not start, check the Console for errors – probably there is some mistake in the configuration files you edited above). Make sure SecuritySpy is open, and then open Safari and enter:

https://127.0.0.1/

Note that this URL starts with https and not http. The IP address 127.0.0.1 is what is called the “loopback” address that refers to “this computer”. You should get a warning about the certificate being invalid because of a host name mismatch. This is because the address that you are using to access the server (127.0.0.1) is different from the address that you specified in the server certificate. This error will not occur when accessing the web server from the internet using the proper host name (although the client will get a warning that the certificate was signed by an unknown authority). Simply click the Continue button to ignore the warning and enter the secure site. You should see the SecuritySpy web interface with a padlock to the left of the address bar (or the top right of the Safari window, depending on your version of Safari), indicating a secure connection.

Step 7: Set up port forwarding

The final step is to set up port forwarding in your router to the computer on port 443 – this is the port used by HTTPS. Then you will be able to access SecuritySpy securely from the internet.

Tagged , , , , ,

7 thoughts on “Setting Up SecuritySpy Over SSL

  1. Nunuv Yurbiz says:

    This is great, and I have it all working, but you should update this and include information about what to do when things don’t work.

    Web Sharing is no longer an option in Preferences. Instead, you should enable Apache by entering, in Terminal:

    sudo apachectl start

    If it was already running, then it needs to be restarted for changes to take effect, by entering:

    sudo apachectl restart

    If you find that things are not working, even just simply trying to load up the regular web server on ‘localhost’ (or http://127.0.0.1), then check to see if Apache is actually listening by entering:

    sudo lsof -iTCP:80 -sTCP:LISTEN

    You should see entries for Apache (normally _www) listening.

    If not, then start up Apache with it set to display information about any errors:

    sudo bash -x /usr/sbin/apachectl -k start

    Httpd.conf loads up https-userdir.conf which loads up .conf. I had a syntax error in .conf that was causing Apache to immediately quit upon launch.

  2. Nunuv Yurbiz says:

    Last sentence above got munched upon submission. It should be:

    Httpd.conf loads up httpd-userdir.conf which loads up [user].conf. I had a syntax error in [user].conf that was causing Apache to immediately quit upon launch.

  3. ibicus says:

    the http://www.modssl.org/ don’t responde, how I to complete a installation of SSL (?) Then I have a mac mini with Mac OS X 10.4 server where is apache2 folder?
    Thanks

  4. Nunuv Yurbiz says:

    Note that upgrading to OS X 10.9 (Mavericks) resets your Apache configuration, so you must re-do the edits to the httpd.conf file. (The previous file is saved as https.conf.pre-update – it might work to copy that over the new file but that also might create problems if Mavericks updated other parts of the file.) Now only if Ben Software had better pricing for us hobbyists not actually protecting anything…. :)

  5. Eric Cunningham says:

    I set this the SSL using Mavericks, which has moved file locations around. I also decided to use the OSX Server.app to setup the SSL. Here are the steps (actually somewhat simpler) from that process.

    1. Mavericks removed turning on the webserver in System Preferences (sharing options). I used Server and turned on websites. Yes – this could all be done via the command line, wanted to see if this could be done this way.

    2. This will automatically create a site at port 80 and an SSL version at port 443 with an auto generated self-signed certificate.

    3. Create a new set from the list (click the + button to add). In the SSL certificate option, I just selected the auto generated self-signed certificate mentioned above. You could use your own here as well.

    4. I found I had to select an unused Port for doing it this way. I selected 8000 (currently had securityspy running at 3000 on the machine).

    5. Everything else I just selected default settings.

    6. Now go to /Library/Server/Web/Config/apache2/sites. There will be several files ending with .conf. Look for the one containing your new website name (or IP address) and has the port # as part of the name. I run an internal DNS and named my machine securityspy.home.c-the-world.org. Therefore the file I was looking for was: 0000_any_8000_securityspy.home.c-the-world.org.conf

    7. Open the file to edit it (as root of course) and follow the posted directions of putting the RewriteRules above as stated above.

    - Yeah – there are probably issues of editing an auto created file. I played with Server.app and made changes to the website entry. Altered the contents of the file, but did not replace my edits.

    • bensoftware says:

      Hi Eric, many thanks for posting this information. I’m sorry you have spent time on this because we have just released SecuritySpy version 3.4 with built-in support for HTTPS. You can read more about the new features in the SecuritySpy User Manual.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>