On 5/06/18 2:18 pm, Alvaro Cornejo wrote:
Hi
I'm trying to set up an SSL connection to Koha (using Let's Encrypt certs) so my users, admin and opac can have a secure connection.
I've followed the Let's Encrypt & certbot instructions, but neither the opac nor the admin pages work.
I've tried directing connections manually and configuring apache for redirect, unsuccessfully.
Any hints on this?
This is mostly to avoid the upcoming chrome config where it will display an unsafe site warning for any site requiring login that does not use ssl.
Regards,
Alvaro
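hi Alvaro

here's an apache config that has worked well for me
it has some extra magic to improve its SSL score

the config now gets an 'A+' on the following site...
https://www.ssllabs.com/ssltest

i'll aim to add this to the Koha wiki

cheers, Mason

root@deb8:/etc/apache2/sites-available# cat demo.conf
# Directives used below come from mod_ssl (SSL*), mod_rewrite (Rewrite*),
# mod_headers (Header) and mod_version (IfVersion); if one of those modules
# is not enabled, Apache refuses to load this file.

# ------------------------------
# OPAC
<VirtualHost *:80>
  <IfVersion >= 2.4>
   Define instance "demo"
  </IfVersion>
  Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
  Include /etc/koha/apache-shared-opac.conf

  ServerName demo.foo.org
  SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml"
  AssignUserID demo-koha demo-koha

  # Plain HTTP only bounces the visitor to HTTPS.
  # R=301 makes the redirect permanent (the flag-less form is answered with a
  # temporary redirect); L stops further rule processing for this request.
  # %{HTTP_HOST} is whatever the client sent in its Host header; if this
  # vhost can ever be the default for the address, hard-code the ServerName
  # in the target instead.
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  ErrorLog    /var/log/koha/demo/opac-error.log
#  TransferLog /var/log/koha/demo/opac-access_log
#  RewriteLog  /var/log/koha/demo/opac-rewrite.log
</VirtualHost>

# ------------------------------
<VirtualHost *:443>
  <IfVersion >= 2.4>
   Define instance "demo"
  </IfVersion>
  Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
  Include /etc/koha/apache-shared-opac-plack.conf
  Include /etc/koha/apache-shared-opac.conf

  ServerName demo.foo.org
  SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml"
  AssignUserID demo-koha demo-koha

  ErrorLog    /var/log/koha/demo/opac-error.log
#  TransferLog /var/log/koha/demo/opac-access_log
#  RewriteLog  /var/log/koha/demo/opac-rewrite.log

  # SSL config here!
  SSLEngine on
  SSLCertificateFile      /etc/letsencrypt/live/demo.foo.org/cert.pem
  SSLCertificateKeyFile   /etc/letsencrypt/live/demo.foo.org/privkey.pem
  # chain.pem holds only the intermediates. fullchain.pem also contains the
  # leaf, so using it here would send the server certificate twice.
  # On Apache 2.4.8+ SSLCertificateChainFile is deprecated: point
  # SSLCertificateFile at fullchain.pem and drop this line instead.
  SSLCertificateChainFile /etc/letsencrypt/live/demo.foo.org/chain.pem

  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  # TLS 1.0 and 1.1 are still accepted by this line. Once no legacy client
  # needs them, append "-TLSv1 -TLSv1.1" and re-run the SSL Labs test.
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder On

  # HSTS for 200 days. The "preload" token is left out: browser preload
  # lists also require includeSubDomains and a max-age of at least one year
  # (31536000), and getting a domain removed again is slow. Add all three
  # together only when every foo.org subdomain is HTTPS-only.
  Header always set Strict-Transport-Security "max-age=17280000"
  Header always set Content-Security-Policy "upgrade-insecure-requests"
</VirtualHost>

# ------------------------------
# Intranet / redirect to https
<VirtualHost *:80>
  <IfVersion >= 2.4>
   Define instance "demo"
  </IfVersion>
  Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
  Include /etc/koha/apache-shared-intranet.conf

  ServerName demo-admin.foo.org

  # Same redirect as the OPAC port-80 vhost; see the notes there.
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

  ErrorLog    /var/log/koha/demo/intranet-error.log
#  TransferLog /var/log/koha/demo/intranet-access_log
#  RewriteLog  /var/log/koha/demo/intranet-rewrite.log
</VirtualHost>

# ------------------------------
<VirtualHost *:443>
  <IfVersion >= 2.4>
   Define instance "demo"
  </IfVersion>
  Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
  Include /etc/koha/apache-shared-intranet-plack.conf
  Include /etc/koha/apache-shared-intranet.conf

  ServerName demo-admin.foo.org
  SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml"
  AssignUserID demo-koha demo-koha

  ErrorLog    /var/log/koha/demo/intranet-error.log
#  TransferLog /var/log/koha/demo/intranet-access_log
#  RewriteLog  /var/log/koha/demo/intranet-rewrite.log

  # SSL config here!
  # This vhost reuses the demo.foo.org certificate, so that certificate must
  # also list demo-admin.foo.org as a subject alternative name; otherwise
  # staff browsers will show a hostname-mismatch warning.
  SSLEngine on
  SSLCertificateFile      /etc/letsencrypt/live/demo.foo.org/cert.pem
  SSLCertificateKeyFile   /etc/letsencrypt/live/demo.foo.org/privkey.pem
  # Intermediates only, as in the OPAC vhost.
  SSLCertificateChainFile /etc/letsencrypt/live/demo.foo.org/chain.pem

  # Same protocol and cipher policy as the OPAC vhost, stated explicitly so
  # the staff interface does not silently depend on server-wide defaults.
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3
  SSLHonorCipherOrder On

  # HSTS without "preload", for the reasons given in the OPAC vhost.
  Header always set Strict-Transport-Security "max-age=17280000"
  Header always set Content-Security-Policy "upgrade-insecure-requests"
</VirtualHost>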