Skip to main content


In late January Facebook finally added support for HTTPS, allowing users to browse the site securely. HTTPS provides a combination of the HTTP and SSL protocols, enabling encrypted communication between a user's computer and a web server. Using HTTPS to access the site - though undoubtedly slower - protects users from sniffing attacks on public networks. Sniffing attacks have become a real problem in the last year with the introduction of free, open-source tools like Firesheep. PC World has even published a how-to guide to using the tool to hijack Facebook. So the feature is long overdue.

For Facebook applications the burden of supporting HTTPS falls on these applications' developers, not Facebook, since applications are hosted on external web servers that must also support the protocol for HTTPS to work. Part of the problem is the extra cost: SSL requires the use of a signed certificate which usually must be purchased from a recognized certificate authority - a cost many don't want to pay. Secondly, setting up HTTPS on a server is not as simple as one might think.

Thus the topic of this post.

We've had issues recently with the problem ourselves. We develop and test our Facebook applications on Windows 7 x64 locally using the Apache web server, pushing to a number of cloud-based Linux servers for production. Setting up SSL on Apache is different on Windows and there's several steps involved in the process (and one gotcha.)


Here's how to do it:


    1. Make sure you have an ssl version of apache installed. Go here for the latest downloads. Make sure to choose a version that supports SSL. You'll need to uninstall and reinstall if you have a version installed that does not, but Apache is good about keeping your configuration files during the process.
    2. Get a digital certificate (or create your own). I'll skip the details of this process because a simple Google search will give you all the info you need.
    3. Place the certificate's .crt and .key files into the "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf" directory.
    4. Edit your Apache "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\http.conf" configuration file to:
      • remove '#' from '# LoadModule ssl_module modules/' <-- this enables secure socket support in Apache
      • remove '#' from '# Include conf/extra/httpd-ssl.conf' <-- this loads the HTTPS/SSL config file
    5. Edit or create the "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extras\httpd-ssl.conf" file
      • Anywhere that has the apache "logs" directory, remove the (x86) from "Program Files" to fix the annoying error for Apache on 64-bit Windows systems. so "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)" becomes "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)". You can leave the rest of them alone.
      • update with crt - SSLCertificateFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/<yourcertificate>.crt"
      • update with key - SSLCertificateKeyFile "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/conf/<yourcertificate>.key"
    6. Create a the following path in windows - "C:/Program Files/Apache Software Foundation/Apache2.2" if it does not exist and then execute the 'mklink' command in a command shell to create the junction to fix the 64 bit issue in #4 above -
So from command line, run:
mklink /j "c:\program files\Apache Software Foundation/Apache2.2/logs" "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs"
  1. Restart apache
  2. That should do it. To test if HTTPS is working, try hitting your local server using https://localhost. Check your access.log and error.log for problems.
And here's the gotcha. Make SURE that you disable Skype's ability to use port 443 (the port used by HTTPS by default) or it will block incoming HTTPS requests to your local server. This is maddening! Open up the Skype UI and open the advanced options dialog (Tools | Options | Advanced Options). Make sure to uncheck the checkbox labeled, "Use port 80 and 443 as alternatives for incoming connections". 


Post by Cappy Popp
Mar 25, 2011