[Koha] Https and restricting IP access

Tom Misilo misilot at fit.edu
Wed Mar 16 13:07:38 NZDT 2016


We utilize 2 interfaces on our VM, 1 for a private internal network and 1 for a public network. The private network is accessible via certain subnets on campus, or via our campus VPN. This allows us to restrict who/what has access to different parts of the Koha system.

-----Original Message-----
From: Koha [mailto:koha-bounces at lists.katipo.co.nz] On Behalf Of Chad Roseburg
Sent: Tuesday, March 15, 2016 5:51 PM
To: Chad Roseburg; koha at lists.katipo.co.nz
Subject: Re: [Koha] Https and restricting IP access

Thanks Chris! I think we're going to add a second interface to the server and limit access to the staff client that way. We did want to avoid the Apache rules and I think that does it.

I think you're right about https and 3rd party services. My worry stems from a comment on this list a while ago, but I think most, if not all, of ours should have https available.
Another library confirmed that Syndetics does.

Thanks again!

On Tue, Mar 15, 2016 at 1:00 PM, Chris Cormack <chrisc at catalyst.net.nz>
wrote:

> * Chad Roseburg (croseburg at ncrl.org) wrote:
> > We would like to secure our Koha installation and would like to know 
> > what you've done and your experiences.
> >
> > We use some 3rd party tools like Syndetics, Overdrive ...etc. How 
> > does https impact the use of these tools? Were you able to find a workaround?
>
> All of our hosted clients are on https. So far there are no issues 
> with any of the 3rd party tools. What you may run into is mixed 
> content warnings if any of the content you fetch is from non-https sites.
>
> >
> > We'd like to restrict IP access at the network level -- not using Koha.
> > If you've done this, how did you accomplish this? We are using 
> > different hostnames for OPAC and Staff Client rather than ports 80 
> > and 8080 so can not make policies based on ports.
> >
>
> Restricting access to the staff client? You can't really do that at 
> the network level if they are the same IP and same Port.
>
> Easiest way is to have the staff client on a different IP number.
>
> Otherwise just using Apache Deny and Allow rules will block them 
> pretty easily
>
> Chris
>
>
> > Thank you!
> >
> >
> > --
> > Chad Roseburg
> > Asst. Director / IT
> > Automation Dept.
> > North Central Regional Library
> > _______________________________________________
> > Koha mailing list  http://koha-community.org Koha at lists.katipo.co.nz 
> > https://lists.katipo.co.nz/mailman/listinfo/koha
>
> --
> Chris Cormack
> Catalyst IT Ltd.
> +64 4 803 2238
> PO Box 11-053, Manners St, Wellington 6142, New Zealand
>



--
Chad Roseburg
Asst. Director / IT
Automation Dept.
North Central Regional Library
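The two approaches discussed in this thread, a staff client bound to its own private address and Apache access rules on the staff hostname, sketched as an added Apache 2.4 configuration example that is not from any of the posters. Assumptions: the hostnames, addresses, subnets and certificate paths are constructed placeholders, and `Require ip` is the Apache 2.4 form of the 2.2 `Order deny,allow` / `Deny from all` / `Allow from` rules.

```apache
# Constructed example: every hostname, address, subnet and path is a placeholder.

# OPAC: public interface, open to everyone, served over https.
<VirtualHost 192.0.2.10:443>
    ServerName opac.library.example
    SSLEngine on
    SSLCertificateFile    /path/to/opac.crt
    SSLCertificateKeyFile /path/to/opac.key
    # ... existing Koha OPAC directives stay here unchanged ...
</VirtualHost>

# Staff client: bound only to the private interface address, so a request
# arriving on the public address never reaches this virtual host, whatever
# Host header it carries. A firewall can now filter on the destination
# address, which is not possible while both hostnames share one IP and port.
<VirtualHost 10.10.0.5:443>
    ServerName staff.library.example
    SSLEngine on
    SSLCertificateFile    /path/to/staff.crt
    SSLCertificateKeyFile /path/to/staff.key
    # ... existing Koha staff-client directives stay here unchanged ...

    # Second layer: even on the private interface, only the listed campus
    # and VPN subnets may use the staff client; others receive 403.
    <Location "/">
        Require ip 10.10.0.0/16 10.20.0.0/16
    </Location>
</VirtualHost>

# If a second address is not available, the same <Location> block inside a
# name-based staff virtual host on the shared address gives the Apache-only
# variant: the restriction then depends on Apache alone, with no
# network-level separation underneath it.
```

If Apache sits behind a reverse proxy or load balancer, `Require ip` sees the proxy's address rather than the client's, so the subnet check has to be enforced at the proxy instead.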