Is the goal to have a Koha library system that is not available on the Internet but does have HTTPS over the local network? While I haven't personalized used it, you could look at the DNS-01 challenge with Let's Encrypt: https://letsencrypt.org/docs/challenge-types/. That would give a lot of options. If you didn't want to have any public sites, you could use a third-party hosted DNS provider with an API. You can point public DNS at internal IP addresses. AWS does this all the time for servers. You could look at this for a more specific example: https://blog.heckel.io/2018/08/05/issuing-lets-encrypt-certificates-for-6500... This would be an even cleaner solution. And if you didn't want that IP address public for whatever reason, you could probably do a split DNS so that only local servers see the IP address, but that's going a bit more above and beyond. Ways and ways... David Cook Senior Software Engineer Prosentient Systems Suite 7.03 6a Glen St Milsons Point NSW 2061 Australia Office: 02 9212 0899 Online: 02 8005 0595 -----Original Message----- Message: 1 Date: Sat, 23 Jul 2022 09:01:39 -0400 From: Christos Hayward <christos.hayward@gmail.com> To: koha <koha@lists.katipo.co.nz> Subject: [Koha] One thing I realized Message-ID: <CAE6_B5SnwhSGg=tgTj_aiSgZ3bFEjvJDVK2AnC2gphFQfN4_4A@mail.gmail.com> Content-Type: text/plain; charset="UTF-8" I earlier write that I saw only duct tape-ish ways of getting HTTPS over a LAN. At least one implementation was mentioned, a self-signed certificate that all computers on the LAN would be made to accept. I saw another, arguably cleaner way to get HTTPS over a LAN. Make a website, perhaps a bare stub to minimize surface areas to vulnerabilities, publicly, at https://library.xyz.com. Then cron a copying of the certificates from the public site to a server on the LAN. Then set a local DNS (or, worse, hosts files) to assign library.xyz.com the local network IP of the net. This would seem to sidestep at least some of the security implications for having a library server on the public network. -- Unworthy Br. *Christos Hayward*, author and apologist, and more importantly novice at *St. Demetrios Orthodox Monastery <https://virginiamonks.org/>* (monastery webshop <https://virginiamonks.org/collections/all>). I invite you to visit my *author site* <https://cjshayward.com> (author bio <https://cjshayward.com/author/>, bookshelf <https://cjshayward.com/books/>). One title is Happiness in an Age of Crisis: Ancient Wisdom from the Eastern Orthodox Church <https://cjshayward.com/crisis/>. My most recent posting is a purchasable "How do I love thee?" shirt <https://cjshayward.com/how-do-i-love-thee-shirt/>. ------------------------------ Message: 2 Date: Sat, 23 Jul 2022 16:25:44 -0300 From: Tomas Cohen Arazi <tomascohen@gmail.com> To: Christos Hayward <christos.hayward@gmail.com> Cc: koha <koha@lists.katipo.co.nz> Subject: Re: [Koha] One thing I realized Message-ID: <CABZfb=Xs=qXNu3geXOOdx+NxLAb-8AsMTg1uFkoCvkHMSDmiYg@mail.gmail.com> Content-Type: text/plain; charset="UTF-8" You can have the server on a DMZ and access it through a reverse proxy that does SSL. El sáb, 23 jul 2022 10:02, Christos Hayward <christos.hayward@gmail.com> escribió:
I earlier write that I saw only duct tape-ish ways of getting HTTPS over a LAN. At least one implementation was mentioned, a self-signed certificate that all computers on the LAN would be made to accept.
I saw another, arguably cleaner way to get HTTPS over a LAN. Make a website, perhaps a bare stub to minimize surface areas to vulnerabilities, publicly, at https://library.xyz.com. Then cron a copying of the certificates from the public site to a server on the LAN. Then set a local DNS (or, worse, hosts files) to assign library.xyz.com the local network IP of the net.
This would seem to sidestep at least some of the security implications for having a library server on the public network.
--
Unworthy Br. *Christos Hayward*, author and apologist, and more importantly novice at *St. Demetrios Orthodox Monastery <https://virginiamonks.org/>* (monastery webshop <https://virginiamonks.org/collections/all>).
I invite you to visit my *author site* <https://cjshayward.com> (author bio <https://cjshayward.com/author/>, bookshelf <https://cjshayward.com/books/
). One title is Happiness in an Age of Crisis: Ancient Wisdom from the Eastern Orthodox Church <https://cjshayward.com/crisis/>.
My most recent posting is a purchasable "How do I love thee?" shirt <https://cjshayward.com/how-do-i-love-thee-shirt/>. _______________________________________________
Koha mailing list http://koha-community.org Koha@lists.katipo.co.nz Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha