In late January Facebook finally added support for HTTPS, allowing users to browse the site securely. HTTPS provides a combination of the HTTP and SSL protocols, enabling encrypted communication between a user's computer and a web server. Using HTTPS to access the site - though undoubtedly slower - protects users from sniffing attacks on public networks. Sniffing attacks have become a real problem in the last year with the introduction of free, open-source tools like Firesheep. PC World has even published a how-to guide to using the tool to hijack Facebook. So the feature is long overdue.
Thus the topic of this post.
- Make sure you have an SSL-enabled version of Apache installed. Go here for the latest downloads, and make sure to choose a version that supports SSL. If your installed version does not, you'll need to uninstall and reinstall, but Apache is good about keeping your configuration files during the process.
- Get a digital certificate (or create your own). I'll skip the details of this process because a simple Google search will give you all the info you need.
- Place the certificate's .crt and .key files into the "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf" directory.
- Edit your Apache "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\httpd.conf" configuration file to:
  - remove '#' from '# LoadModule ssl_module modules/mod_ssl.so' <-- this enables secure socket support in Apache
  - remove '#' from '# Include conf/extra/httpd-ssl.conf' <-- this loads the HTTPS/SSL config file
- Edit or create the "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\httpd-ssl.conf" file:
  - Anywhere the file references the Apache "logs" directory, remove the (x86) from "Program Files" to fix the annoying error Apache gives on 64-bit Windows systems. So "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)" becomes "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)". You can leave the rest of them alone.
  - update with crt - SSLCertificateFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/<yourcertificate>.crt"
  - update with key - SSLCertificateKeyFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/<yourcertificate>.key"
- Create the following path in Windows if it does not exist: "C:/Program Files/Apache Software Foundation/Apache2.2". Then run the 'mklink' command in a command shell to create the junction that fixes the 64-bit issue described above. See http://wiki.apache.org/httpd/SSLSessionCache
- Restart Apache.
- That should do it. To test if HTTPS is working, try hitting your local server using https://localhost. Check your access.log and error.log for problems.
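
A quick way to confirm the edits above before restarting, as an added example that is not part of the original post: a small Python check that reads the configuration text and reports which of the listed steps are still undone. The function names, the sample configuration and the server.crt / server.key file names are constructed for illustration.

```python
import re

# Constructed sample: httpd.conf and httpd-ssl.conf lines merged into one text.
# server.crt / server.key are placeholder file names, not from the post.
BASE = "C:/Program Files (x86)/Apache Software Foundation/Apache2.2"
SAMPLE_CONF = f'''
#LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
SSLSessionCache "shmcb:{BASE}/logs/ssl_scache(512000)"
SSLCertificateFile "{BASE}/conf/server.crt"
SSLCertificateKeyFile "{BASE}/conf/server.key"
'''

def active_directives(conf_text):
    """Map lowercased directive name -> argument strings, skipping comments."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            found.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return found

def check_ssl_config(conf_text):
    """Return a list of problems with the steps listed in the post."""
    d = active_directives(conf_text)
    problems = []
    if not any("mod_ssl.so" in a for a in d.get("loadmodule", [])):
        problems.append("LoadModule ssl_module is missing or commented out")
    if not any("httpd-ssl.conf" in a for a in d.get("include", [])):
        problems.append("Include conf/extra/httpd-ssl.conf is missing or commented out")
    for arg in d.get("sslsessioncache", []):
        # The trailing "(512000)" is the cache size; a parenthesis earlier in
        # the path is the 64-bit "(x86)" problem the post works around.
        path = re.sub(r"\(\d+\)$", "", arg.strip('"'))
        if "(" in path or ")" in path:
            problems.append("SSLSessionCache path contains parentheses: " + path)
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        args = d.get(name.lower(), [])
        if not args:
            problems.append(name + " is not set")
        elif any("<" in a for a in args):
            problems.append(name + " still has the <yourcertificate> placeholder")
    return problems

if __name__ == "__main__":
    for problem in check_ssl_config(SAMPLE_CONF):
        print("PROBLEM:", problem)
```

To check a real install, pass the contents of httpd.conf and httpd-ssl.conf joined together to `check_ssl_config` instead of the sample.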