[Koha] One thing I realized (HTTPS over a LAN)

dcook at prosentient.com.au
Mon Jul 25 12:39:36 NZST 2022


Is the goal to have a Koha library system that is not available on the Internet but does have HTTPS over the local network? 

While I haven't personally used it, you could look at the DNS-01 challenge with Let's Encrypt: https://letsencrypt.org/docs/challenge-types/. That would give a lot of options. If you didn't want to have any public sites, you could use a third-party hosted DNS provider with an API. You can point public DNS at internal IP addresses. AWS does this all the time for servers.

You could look at this for a more specific example: https://blog.heckel.io/2018/08/05/issuing-lets-encrypt-certificates-for-65000-internal-servers/ 

This would be an even cleaner solution. 

And if you didn't want that IP address public for whatever reason, you could probably do a split DNS so that only local servers see the IP address, but that's going a bit more above and beyond. 

Ways and ways...

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia

Office: 02 9212 0899
Online: 02 8005 0595

-----Original Message-----
Message: 1
Date: Sat, 23 Jul 2022 09:01:39 -0400
From: Christos Hayward <christos.hayward at gmail.com>
To: koha <koha at lists.katipo.co.nz>
Subject: [Koha] One thing I realized
Message-ID:
	<CAE6_B5SnwhSGg=tgTj_aiSgZ3bFEjvJDVK2AnC2gphFQfN4_4A at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

I earlier wrote that I saw only duct tape-ish ways of getting HTTPS over a LAN. At least one implementation was mentioned, a self-signed certificate that all computers on the LAN would be made to accept.

I saw another, arguably cleaner way to get HTTPS over a LAN. Make a website, perhaps a bare stub to minimize surface areas to vulnerabilities, publicly, at https://library.xyz.com. Then cron a copying of the certificates from the public site to a server on the LAN. Then set a local DNS (or, worse, hosts files) to assign library.xyz.com the local network IP of the net.

This would seem to sidestep at least some of the security implications for having a library server on the public network.

-- 

Unworthy Br. *Christos Hayward*, author and apologist, and more importantly novice at *St. Demetrios Orthodox Monastery
<https://virginiamonks.org/>* (monastery webshop <https://virginiamonks.org/collections/all>).

I invite you to visit my *author site* <https://cjshayward.com> (author bio <https://cjshayward.com/author/>, bookshelf <https://cjshayward.com/books/>).
One title is Happiness in an Age of Crisis: Ancient Wisdom from the Eastern Orthodox Church <https://cjshayward.com/crisis/>.

My most recent posting is a purchasable "How do I love thee?" shirt <https://cjshayward.com/how-do-i-love-thee-shirt/>.
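
The "cron a copying of the certificates" step from this message, worked out as an added example (not code from the thread or from the Koha project): the script the LAN server would run from cron, which checks the copied certificate and key before installing them and reloading the web server. PUBLIC_HOST, SRC_DIR, DEST_DIR and the Apache reload are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): the LAN-side half of the "cron a copy of the
# certificates" approach. Cron runs `sync` here; the script pulls the certificate
# that Let's Encrypt renewed on the public host, refuses to install anything that
# fails the sanity checks, and only then reloads the web server.
# PUBLIC_HOST, SRC_DIR and DEST_DIR are assumed names for this illustration.
set -eu

PUBLIC_HOST="${PUBLIC_HOST:-certsync@library-public.example.org}"
SRC_DIR="${SRC_DIR:-/etc/letsencrypt/live/library.xyz.com}"
DEST_DIR="${DEST_DIR:-/etc/koha/ssl}"
HOSTNAME_EXPECTED="${HOSTNAME_EXPECTED:-library.xyz.com}"

# 0 if the private key's public half equals the public key inside the certificate.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate names the expected host (CN or DNS SAN) and is still
# valid 7 days from now, so a stale copy is noticed before clients see it.
cert_is_usable() {
    openssl x509 -in "$1" -noout -checkend 604800 >/dev/null || return 1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -Eq "(DNS:|CN ?= ?)${esc}"'(,|$)'
}

# Install atomically; on any failure the previously installed files stay in place.
install_cert() {
    cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    cert_is_usable "$1" "$HOSTNAME_EXPECTED" || { echo "certificate not usable for $HOSTNAME_EXPECTED" >&2; return 1; }
    install -m 0644 "$1" "$DEST_DIR/fullchain.pem.new"
    install -m 0600 "$2" "$DEST_DIR/privkey.pem.new"
    mv "$DEST_DIR/fullchain.pem.new" "$DEST_DIR/fullchain.pem"
    mv "$DEST_DIR/privkey.pem.new" "$DEST_DIR/privkey.pem"
}

# Cron entry point. The private key travels with the certificate, so copy over
# SSH only, and reload (not restart) the web server after a successful install.
sync_cert() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    scp -q "$PUBLIC_HOST:$SRC_DIR/fullchain.pem" "$PUBLIC_HOST:$SRC_DIR/privkey.pem" "$tmp/"
    install_cert "$tmp/fullchain.pem" "$tmp/privkey.pem" && systemctl reload apache2
}

case "${1:-}" in sync) sync_cert ;; esac
```

Schedule `certsync.sh sync` in root's crontab shortly after the public host's renewal window; because cert_is_usable fails a week before expiry, a broken copy shows up in cron mail before the LAN site stops working.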


------------------------------

Message: 2
Date: Sat, 23 Jul 2022 16:25:44 -0300
From: Tomas Cohen Arazi <tomascohen at gmail.com>
To: Christos Hayward <christos.hayward at gmail.com>
Cc: koha <koha at lists.katipo.co.nz>
Subject: Re: [Koha] One thing I realized
Message-ID:
	<CABZfb=Xs=qXNu3geXOOdx+NxLAb-8AsMTg1uFkoCvkHMSDmiYg at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

You can have the server on a DMZ and access it through a reverse proxy that does SSL.



