[Koha] Enabling https only using SSL

Doug Dearden dearden at sarsf.org
Tue May 14 08:32:37 NZST 2019


Hey Nirvana,

I think you are looking for something like this, substituting a valid domainname in the right places.

Doug


# OPAC
 <VirtualHost *:80>
    Include /etc/koha/apache-shared.conf
 #  Include /etc/koha/apache-shared-disable.conf
    Include /etc/koha/apache-shared-opac.conf

    ServerName ssb
    Redirect permanent "/" "https://yourdomainname"      #***** This redirects from http to https *****
    SetEnv KOHA_CONF "/etc/koha/sites/ssb/koha-conf.xml"
    SetEnv MEMCACHED_SERVERS ""
    SetEnv MEMCACHED_NAMESPACE ""
    AssignUserID ssb-koha ssb-koha

    ErrorLog    /var/log/koha/ssb/opac-error.log
 #  TransferLog /var/log/koha/ssb/opac-access.log
 #  RewriteLog  /var/log/koha/ssb/opac-rewrite.log
</VirtualHost>

<IfModule mod_ssl.c>  #***** This checks for ssl module on Debian *****
 # OPAC
 <VirtualHost *:443>     #***** Note port 443 here *****
    Include /etc/koha/apache-shared.conf
 #  Include /etc/koha/apache-shared-disable.conf
    Include /etc/koha/apache-shared-opac.conf

    ServerName ssb
    ServerAlias yourdomainname   #*****  same as above *****
    SetEnv KOHA_CONF "/etc/koha/sites/ssb/koha-conf.xml"
    SetEnv MEMCACHED_SERVERS ""
    SetEnv MEMCACHED_NAMESPACE ""
    AssignUserID ssb-koha ssb-koha

    ErrorLog    /var/log/koha/ssb/opac-error.log
 #  TransferLog /var/log/koha/ssb/opac-access.log
 #  RewriteLog  /var/log/koha/ssb/opac-rewrite.log
    SSLEngine on
    SSLProtocol  +TLSv1.2 +TLSv1.1 +TLSv1
    SSLCipherSuite
 "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
    SSLHonorCipherOrder     on
    SSLCompression          off

    SSLCertificateFile /etc/apache2/ssl/apache.crt
   SSLCertificateKeyFile /etc/apache2/ssl/apache.key
 </VirtualHost>
</IfModule>

-----Original Message-----
From: Koha [mailto:koha-bounces at lists.katipo.co.nz] On Behalf Of TechOut Solutions
Sent: Sunday, May 12, 2019 11:39 AM
To: Joel Coehoorn <joel.coehoorn at york.edu>
Cc: Koha General Mailing-List <koha at lists.katipo.co.nz>
Subject: Re: [Koha] Enabling https only using SSL

Thanks for your inputs and response! Could you please provide a sample
virtualhost file by providing a working copy or by referring to the
template available from
https://github.com/Koha-Community/Koha/blob/master/debian/templates/apache-site-https.conf.in
?

On Sun, May 12, 2019 at 7:26 PM Coehoorn, Joel <jcoehoorn at york.edu> wrote:

> You must change the *:80 at the top to *:443. You will also want to copy
> the original virtualhost section, before adding the sslengine settings, and
> change it to redirect to the https url.
>
> On Sun, May 12, 2019, 5:18 AM TechOut Solutions <
> techoutsolutions00 at gmail.com> wrote:
>
>> Hi Joel,
>>
>> I couldn't find the four entries of virtual hosts but I did the following
>> by searching for similar problems but others are using letsencrypt
>> certificates.
>>
>> # OPAC
>> <VirtualHost *:80>
>>    Include /etc/koha/apache-shared.conf
>> #  Include /etc/koha/apache-shared-disable.conf
>>    Include /etc/koha/apache-shared-opac.conf
>>
>>    ServerName ssb
>>    SetEnv KOHA_CONF "/etc/koha/sites/ssb/koha-conf.xml"
>>    SetEnv MEMCACHED_SERVERS ""
>>    SetEnv MEMCACHED_NAMESPACE ""
>>    AssignUserID ssb-koha ssb-koha
>>
>>    ErrorLog    /var/log/koha/ssb/opac-error.log
>> #  TransferLog /var/log/koha/ssb/opac-access.log
>> #  RewriteLog  /var/log/koha/ssb/opac-rewrite.log
>>    SSLEngine on
>>    SSLProtocol  +TLSv1.2 +TLSv1.1 +TLSv1
>>    SSLCipherSuite
>> "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
>>    SSLHonorCipherOrder     on
>>    SSLCompression          off
>>
>>    SSLCertificateFile /etc/apache2/ssl/apache.crt
>>    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
>> </VirtualHost>
>>
>> I couldn't make the https protocol to load the OPAC using the above
>> configuration. Do I need to use the letsencrypt certificate for it to work?
>>
>> Thanks!
>>
>> On Sun, May 12, 2019 at 10:43 AM Coehoorn, Joel <jcoehoorn at york.edu>
>> wrote:
>>
>>> I'm not at a place where I can check, but if you look at your Apache
>>> site .conf file, there will likely be 4 virtual host entries: an http
>>> and https option for both the opac and staff client. You can remove most
>>> everything from inside the http entries and replace them with Redirect
>>> directives which point to the correct https urls.
>>>
>>> On Sat, May 11, 2019, 11:41 PM TechOut Solutions <
>>> techoutsolutions00 at gmail.com> wrote:
>>>
>>>> Hi there,
>>>>
>>>> I am trying to setup Koha OPAC and Staff-Client using https protocol
>>>> only
>>>> using SSL and want to disable http access to Koha. I'd appreciate if I
>>>> could get the sample apache virtualhost site configuration to achieve
>>>> the
>>>> result. Thank you.
>>>>
>>>> Regards,
>>>> Nirvana
>>>> _______________________________________________
>>>> Koha mailing list  http://koha-community.org
>>>> Koha at lists.katipo.co.nz
>>>> https://lists.katipo.co.nz/mailman/listinfo/koha
>>>>
>>>
_______________________________________________
Koha mailing list  http://koha-community.org
Koha at lists.katipo.co.nz
https://lists.katipo.co.nz/mailman/listinfo/koha


More information about the Koha mailing list