Re: [Koha] Enabling https only using SSL
Thanks for your inputs and response! Could you please provide a sample virtualhost file by providing a working copy or by referring to the template available from https://github.com/Koha-Community/Koha/blob/master/debian/templates/apache-s... ?

On Sun, May 12, 2019 at 7:26 PM Coehoorn, Joel <jcoehoorn@york.edu> wrote:
You must change the *:80 at the top to *:443. You will also want to copy the original virtualhost section, before adding the sslengine settings, and change it to redirect to the https url.
On Sun, May 12, 2019, 5:18 AM TechOut Solutions <techoutsolutions00@gmail.com> wrote:
Hi Joel,
I couldn't find the four entries of virtual hosts but I did the following by searching for similar problems but others are using letsencrypt certificates.
# OPAC
<VirtualHost *:80>
   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-opac.conf

   ServerName ssb
   SetEnv KOHA_CONF "/etc/koha/sites/ssb/koha-conf.xml"
   SetEnv MEMCACHED_SERVERS ""
   SetEnv MEMCACHED_NAMESPACE ""
   AssignUserID ssb-koha ssb-koha

   ErrorLog    /var/log/koha/ssb/opac-error.log
#  TransferLog /var/log/koha/ssb/opac-access.log
#  RewriteLog  /var/log/koha/ssb/opac-rewrite.log
   SSLEngine on
   SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
   SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
   SSLHonorCipherOrder on
   SSLCompression off

   SSLCertificateFile /etc/apache2/ssl/apache.crt
   SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
I couldn't get the https protocol to load the OPAC using the above configuration. Do I need to use the letsencrypt certificate for it to work?
Thanks!
On Sun, May 12, 2019 at 10:43 AM Coehoorn, Joel <jcoehoorn@york.edu> wrote:
I'm not at a place where I can check, but if you look at your Apache site .conf file, there will likely be 4 virtual host entries: an http and https option for both the opac and staff client. You can remove most everything from inside the http entries and replace them with Redirect directives which point to the correct https urls.
On Sat, May 11, 2019, 11:41 PM TechOut Solutions <techoutsolutions00@gmail.com> wrote:
Hi there,
I am trying to set up Koha OPAC and Staff-Client using https protocol only using SSL and want to disable http access to Koha. I'd appreciate it if I could get the sample apache virtualhost site configuration to achieve the result. Thank you.

Regards,
Nirvana
_______________________________________________
Koha mailing list http://koha-community.org
Koha@lists.katipo.co.nz
https://lists.katipo.co.nz/mailman/listinfo/koha
Hey Nirvana,

I think you are looking for something like this, substituting a valid domainname in the right places.

Doug

# OPAC
<VirtualHost *:80>
   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-opac.conf

   ServerName ssb
#***** This redirects from http to https *****
# The trailing slash on the target keeps the requested path intact.
   Redirect permanent "/" "https://yourdomainname/"
   SetEnv KOHA_CONF "/etc/koha/sites/ssb/koha-conf.xml"
   SetEnv MEMCACHED_SERVERS ""
   SetEnv MEMCACHED_NAMESPACE ""
   AssignUserID ssb-koha ssb-koha

   ErrorLog    /var/log/koha/ssb/opac-error.log
#  TransferLog /var/log/koha/ssb/opac-access.log
#  RewriteLog  /var/log/koha/ssb/opac-rewrite.log
</VirtualHost>

#***** This checks for ssl module on Debian *****
<IfModule mod_ssl.c>
# OPAC
#***** Note port 443 here *****
<VirtualHost *:443>
   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-opac.conf

   ServerName ssb
#***** same as above *****
   ServerAlias yourdomainname
   SetEnv KOHA_CONF "/etc/koha/sites/ssb/koha-conf.xml"
   SetEnv MEMCACHED_SERVERS ""
   SetEnv MEMCACHED_NAMESPACE ""
   AssignUserID ssb-koha ssb-koha

   ErrorLog    /var/log/koha/ssb/opac-error.log
#  TransferLog /var/log/koha/ssb/opac-access.log
#  RewriteLog  /var/log/koha/ssb/opac-rewrite.log
   SSLEngine on
   SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
   SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
   SSLHonorCipherOrder on
   SSLCompression off

   SSLCertificateFile /etc/apache2/ssl/apache.crt
   SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
</IfModule>

-----Original Message-----
From: Koha [mailto:koha-bounces@lists.katipo.co.nz] On Behalf Of TechOut Solutions
Sent: Sunday, May 12, 2019 11:39 AM
To: Joel Coehoorn <joel.coehoorn@york.edu>
Cc: Koha General Mailing-List <koha@lists.katipo.co.nz>
Subject: Re: [Koha] Enabling https only using SSL

Thanks for your inputs and response! Could you please provide a sample virtualhost file by providing a working copy or by referring to the template available from https://github.com/Koha-Community/Koha/blob/master/debian/templates/apache-s... ?

On Sun, May 12, 2019 at 7:26 PM Coehoorn, Joel <jcoehoorn@york.edu> wrote:
You must change the *:80 at the top to *:443. You will also want to copy the original virtualhost section, before adding the sslengine settings, and change it to redirect to the https url.
Thanks a lot, Doug, for your input! I really appreciate that. I am afraid that the Koha being hosted on DigitalOcean doesn't have a domain assigned to it and Koha is accessed using IP address. But still, I will try the configuration and will let you know the result.

On Tue, May 14, 2019 at 2:17 AM Doug Dearden <dearden@sarsf.org> wrote:

Hey Nirvana,

I think you are looking for something like this, substituting a valid domainname in the right places.

Doug

# OPAC
<VirtualHost *:80>
   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-opac.conf

   ServerName ssb
#***** This redirects from http to https *****
# The trailing slash on the target keeps the requested path intact.
   Redirect permanent "/" "https://yourdomainname/"
   SetEnv KOHA_CONF "/etc/koha/sites/ssb/koha-conf.xml"
   SetEnv MEMCACHED_SERVERS ""
   SetEnv MEMCACHED_NAMESPACE ""
   AssignUserID ssb-koha ssb-koha

   ErrorLog    /var/log/koha/ssb/opac-error.log
#  TransferLog /var/log/koha/ssb/opac-access.log
#  RewriteLog  /var/log/koha/ssb/opac-rewrite.log
</VirtualHost>

#***** This checks for ssl module on Debian *****
<IfModule mod_ssl.c>
# OPAC
#***** Note port 443 here *****
<VirtualHost *:443>
   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-opac.conf

   ServerName ssb
#***** same as above *****
   ServerAlias yourdomainname
   SetEnv KOHA_CONF "/etc/koha/sites/ssb/koha-conf.xml"
   SetEnv MEMCACHED_SERVERS ""
   SetEnv MEMCACHED_NAMESPACE ""
   AssignUserID ssb-koha ssb-koha

   ErrorLog    /var/log/koha/ssb/opac-error.log
#  TransferLog /var/log/koha/ssb/opac-access.log
#  RewriteLog  /var/log/koha/ssb/opac-rewrite.log
   SSLEngine on
   SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
   SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
   SSLHonorCipherOrder on
   SSLCompression off

   SSLCertificateFile /etc/apache2/ssl/apache.crt
   SSLCertificateKeyFile /etc/apache2/ssl/apache.key
</VirtualHost>
</IfModule>
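An audit of the vhost layout this thread converges on (port 80 only redirects, SSL lives in a *:443 block), as an added Python example that is not part of any message above or of Koha. The sample input is constructed from the first attempt in the thread, the function names are made up here, and the TLS 1.0/1.1 check goes beyond what the thread discusses.

```python
import re

# Constructed sample modelled on the first attempt in the thread: SSL is
# switched on inside the *:80 block and nothing listens on 443.
FIRST_ATTEMPT = """\
<VirtualHost *:80>
   ServerName ssb
   SSLEngine on
   SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
LEGACY = {"tlsv1", "tlsv1.1"}

def directives(body):
    """Map lower-cased directive name -> argument string, skipping comments."""
    found = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, args = (line.split(None, 1) + [""])[:2]
            found[name.lower()] = args.strip()
    return found

def audit(conf):
    """Return findings that keep a site from being HTTPS-only."""
    findings, ports = [], set()
    for addr, body in VHOST.findall(conf):
        port = addr.split()[0].rpartition(":")[2]
        ports.add(port)
        d = directives(body)
        ssl_on = d.get("sslengine", "").lower() == "on"
        if port == "80" and ssl_on:
            findings.append("SSLEngine on inside a port 80 vhost")
        if port == "80" and "https://" not in d.get("redirect", ""):
            findings.append("port 80 vhost does not redirect to https")
        if port == "443" and not ssl_on:
            findings.append("port 443 vhost without SSLEngine on")
        protos = d.get("sslprotocol", "").lower().split()
        if any(p.lstrip("+") in LEGACY for p in protos if p[0] != "-"):
            findings.append("SSLProtocol enables TLS 1.0/1.1")
    if "443" not in ports:
        findings.append("no vhost listens on port 443")
    return findings

if __name__ == "__main__":
    for finding in audit(FIRST_ATTEMPT):
        print("WARN:", finding)
```
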
participants (2): Doug Dearden, TechOut Solutions