Thanks Chris!

I think we're going to add a second interface to the server and limit access to the staff client that way. We did want to avoid the Apache rules and I think that does it.

I think you're right about https and 3rd party services. My worry stems from a comment on this list a while ago, but I think most if not all of ours should have https available. Another library confirmed that Syndetics does.

Thanks again!

On Tue, Mar 15, 2016 at 1:00 PM, Chris Cormack <chrisc@catalyst.net.nz> wrote:
* Chad Roseburg (croseburg@ncrl.org) wrote:
We would like to secure our Koha installation and would like to know what you've done and your experiences.
We use some 3rd party tools like Syndetics, Overdrive ...etc. How does https impact the use of these tools? Were you able to find a workaround?
All of our hosted clients are on https. So far there are no issues with any of the 3rd party tools. What you may run into is mixed content warnings if any of the content you fetch is from non-https sites.
We'd like to restrict IP access at the network level -- not using Koha.
If you've done this, how did you accomplish this? We are using different hostnames for OPAC and Staff Client rather than ports 80 and 8080 so cannot make policies based on ports.
Restricting access to the staff client? You can't really do that at the network level if they are the same IP and same Port.
Easiest way is to have the staff client on a different IP number.
Otherwise just using Apache Deny and Allow rules will block them pretty easily.
Chris
Thank you!
-- Chad Roseburg Asst. Director / IT Automation Dept. North Central Regional Library
-- Chris Cormack Catalyst IT Ltd. +64 4 803 2238 PO Box 11-053, Manners St, Wellington 6142, New Zealand
-- Chad Roseburg Asst. Director / IT Automation Dept. North Central Regional Library