[Koha] Enabling SSL for Koha staff view

Mizst Audens mizstik at gmail.com
Sat May 14 03:24:49 NZST 2011


In some situations it does work (a little mysteriously IMO). For example, I
have these in my private home server and it does work correctly (verified
extensively):

<VirtualHost *:443>
DocumentRoot /var/www
ServerName app1.home.mysite.com
SSLCertificateFile app1cert.crt
... (other SSL directives)

and:

<VirtualHost _default_:443>
DocumentRoot /var/www
ServerName home.mysite.com
SSLCertificateFile homecert.crt
... (other SSL directives)

It works correctly for both app1.home.mysite.com and home.mysite.com. And
app1 does not work when I remove the *:443 virtualhost.

Furthermore, SSL will most certainly work, even in principle, if you use one
wildcard subdomain certificate in conjunction with multiple virtualhosts.
What you cannot do is put two SSL directives in one virtualhost, in which
case the second is ignored.

However, in the original topic, the server in question used IP:Port to
identify the virtualhosts so he could not use this technique.

--Mizst


On Fri, May 13, 2011 at 6:40 PM, Randall Rowe
<r.rowe at lincolnlibraries.org> wrote:

> Direct from Apache.org SSL FAQ <http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html>
>
> Why is it not possible to use Name-Based Virtual Hosting to identify
> different SSL virtual hosts?
>
> Name-Based Virtual Hosting is a very popular method of identifying
> different virtual hosts. It allows you to use the same IP address and the
> same port number for many different sites. When people move on to SSL, it
> seems natural to assume that the same method can be used to have lots of
> different SSL virtual hosts on the same server.
>
> It comes as rather a shock to learn that it is impossible.
>
> The reason is that the SSL protocol is a separate layer which encapsulates
> the HTTP protocol. So the SSL session is a separate transaction, that takes
> place before the HTTP session has begun. The server receives an SSL request
> on IP address X and port Y (usually 443). Since the SSL request does not
> contain any Host: field, the server has no way to decide which SSL virtual
> host to use. Usually, it will just use the first one it finds, which matches
> the port and IP address specified.
>
> You can, of course, use Name-Based Virtual Hosting to identify many non-SSL
> virtual hosts (all on port 80, for example) and then have a single SSL
> virtual host (on port 443). But if you do this, you must make sure to put
> the non-SSL port number on the NameVirtualHost directive, e.g.
>
> NameVirtualHost 192.168.1.1:80
>
> Other workaround solutions include:
>
> Using separate IP addresses for different SSL hosts.
> Using different port numbers for different SSL hosts.
>
>
> Randy Rowe
> Lincoln City Libraries I.T.
>
>
>
>
> -----Original Message-----
> From: "Martin Renvoize" <martin.renvoize at ptfs-europe.com>
> Sent 5/13/2011 3:33:09 AM
> To: "Mizst Audens" <mizstik at gmail.com>
> Cc: koha at lists.katipo.co.nz
> Subject: Re: [Koha] Enabling SSL for Koha staff view
>
>
> You could however,
>
>  Use Name based Virtualhosts (like kohaapoc.yourlibrary.com and
> kohastaff.yourlibrary.com) and run both on port 443 for secure.  To do
> this you'll either need two certificates (one for each domain) or a SAN
> shared certificate with both domain names in it.
>
> An example httpd.conf might look like this (assuming the
> two-certificate approach):
>
> ## OPAC Default Access
> <VirtualHost 127.0.1.1:80>
>     DocumentRoot /home/koha/kohaclone/koha-tmpl
>     ServerName kohalibrary.halton.gov.uk
>     . . .
> </VirtualHost>
>
> ## OPAC Secure
> <VirtualHost 127.0.1.1:443>
>     DocumentRoot /home/koha/kohaclone/koha-tmpl
>     ServerName kohalibrary.halton.gov.uk
>     . . .
>
>     # SSL Setup
>     # CA Root and Intermediate Certificates
>     SSLEngine On
>     SSLCACertificatePath /etc/apache2/ssl/certs/
>     SSLCACertificateFile /etc/apache2/ssl/certs/gs_combined_ca.crt
>
>     SSLCertificateFile /etc/apache2/ssl/certs/kohalibrary.crt
>     SSLCertificateKeyFile /etc/apache2/ssl/certs/kohalibrary.key
> </VirtualHost>
>
> ## Intranet Secure
> <VirtualHost 109.75.173.120:443>
>     DocumentRoot /home/koha/kohaclone/koha-tmpl
>     ServerName kohastaff.halton.gov.uk
>     . . .
>
>     # SSL Setup
>     # CA Root and Intermediate Certificates
>     SSLEngine On
>     SSLCACertificatePath /etc/apache2/ssl/certs/
>     SSLCACertificateFile /etc/apache2/ssl/certs/gs_combined_ca.crt
>
>     SSLCertificateFile /etc/apache2/ssl/certs/kohastaff.crt
>     SSLCertificateKeyFile /etc/apache2/ssl/certs/kohastaff.key
> </VirtualHost>
>
>
>
> 2011/5/8 Mizst Audens <mizstik at gmail.com>
>
>> No, it's not possible due to the limitation of the architecture. A port
>> can serve only http or https but not both at the same time.
>>
>>  The transparency of http/https in normal websites is due to the
>> standardization of port 80 and 443. (port 80 runs http, and port 443 runs
>> https, so each port only runs one type of connection) When you don't use
>> these standard ports, you will need to specify the correct combination of
>> protocol and port in order to reach a service.
>>
>>  --Mizst
>>
>>
>> On Sun, May 8, 2011 at 12:33 PM, Altaf Mahmud <altaf.mahmud at gmail.com> wrote:
>>
>>> Is it possible to use port 8080 for both purposes (HTTP and HTTPS)?
>>> Actually, I just wanted to secure port 8080, can I do that?
>>>
>>> Thanks a lot!
>>>
>>>
>>> On Sat, May 7, 2011 at 8:34 PM, Mizst Audens <mizstik at gmail.com> wrote:
>>>
>>>> You must create another virtual host at another port (for example, 8081)
>>>> for the staff area and enable SSL for that virtual host, and it will require
>>>> another SSL certificate. Your staff will need to use (example)
>>>> https://127.0.1.1:8081 if they want to use SSL, and
>>>> http://127.0.1.1:8080 if they don't want to use SSL.
>>>>
>>>>  Note that https://127.0.1.1 is in fact an alias for
>>>> https://127.0.1.1:443. You already used 443 for the OPAC, so you'll
>>>> need another port for the staff.
>>>>
>>>>  --Mizst
>>>>
>>>>
>>>>   2011/5/7 Altaf Mahmud <altaf.mahmud at gmail.com>
>>>>
>>>>>   Hello,
>>>>>
>>>>> I'm trying to implement SSL in my Koha server running on Debian 6.0
>>>>> (squeeze). I've implemented it for my OPAC view, I've created another file
>>>>> 'koha-ssl' in ../apache2/sites-available/ directory and enabled it. I've
>>>>> edited ../apache2/sites-available/koha like following:
>>>>>
>>>>> NameVirtualHost *:80
>>>>> <VirtualHost 127.0.1.1:80>
>>>>>
>>>>>     .....
>>>>>     .....
>>>>>
>>>>> </VirtualHost>
>>>>>
>>>>> And ../apache2/sites-available/koha-ssl like following:
>>>>>
>>>>> NameVirtualHost *:443
>>>>> <VirtualHost 127.0.1.1:443>
>>>>>     .....
>>>>>
>>>>>    SSLEngine On
>>>>>    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
>>>>>    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
>>>>>
>>>>>     .....
>>>>> </VirtualHost>
>>>>>
>>>>> Now https://127.0.1.1/ is showing the OPAC. But I can't figure out
>>>>> how to implement it for the staff view <VirtualHost 127.0.1.1:8080>.
>>>>> Requests for port 80 are redirected to port 443; how can I do that for
>>>>> port 8080? In fact, I don't have any prior idea of how to do this; a
>>>>> descriptive suggestion would be appropriate for me.
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Altaf Mahmud
>>>>> System Programmer
>>>>> Ayesha Abed Library
>>>>> BRAC University
>>>>> Bangladesh.
>>>>>
>>>>>
>>>>>  _______________________________________________
>>>>> Koha mailing list  http://koha-community.org
>>>>> Koha at lists.katipo.co.nz
>>>>> http://lists.katipo.co.nz/mailman/listinfo/koha
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Altaf Mahmud
>>> System Programmer
>>> Ayesha Abed Library
>>> BRAC University
>>> Bangladesh.
>>>
>>>
>>
>>
>>
>
>
> --
> Martin Renvoize
> Software Developer, PTFS Europe Ltd
> Content Management and Library Solutions
> martin.renvoize at ptfs-europe.com
> skype: Martin Renvoize
>
>  http://www.ptfs-europe.com
>
>
>
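The thread keeps circling three configuration pitfalls: several SSL virtual hosts sharing one IP:port (which only works when the client sends the server name via SNI, a TLS extension that Apache supports from 2.2.12 onward when built against OpenSSL 0.9.8f or later), two SSLCertificateFile directives inside one vhost (only one takes effect), and a staff interface left on plain HTTP port 8080 with no SSL counterpart. The following script is an added example, not code from the thread, from Koha or from Apache: it parses <VirtualHost> blocks and reports those situations. SAMPLE_CONFIG is a constructed configuration that mirrors the setups discussed; the host names and certificate paths in it are placeholders, and the parser deliberately ignores Include files, Macro blocks and other directives it does not audit.

```python
"""Audit Apache <VirtualHost> blocks for the SSL pitfalls raised in this thread.
Added example, not code from the Koha thread or project. SAMPLE_CONFIG is a
constructed configuration; host names and paths are placeholders."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """
NameVirtualHost *:80
NameVirtualHost *:443
# OPAC, plain HTTP, forwarded to the SSL vhost
<VirtualHost 127.0.1.1:80>
    ServerName opac.example.org
    Redirect permanent / https://opac.example.org/
</VirtualHost>
# OPAC over SSL, still on the Debian placeholder certificate
<VirtualHost 127.0.1.1:443>
    ServerName opac.example.org
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>
# Staff interface on plain HTTP only (the original poster's situation)
<VirtualHost 127.0.1.1:8080>
    ServerName staff.example.org
</VirtualHost>
# Two name-based SSL vhosts on one port; the first repeats a directive
<VirtualHost *:443>
    ServerName app1.home.example.org
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/app1cert.crt
    SSLCertificateFile /etc/ssl/certs/app1cert-old.crt
</VirtualHost>
<VirtualHost _default_:443>
    ServerName home.example.org
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/homecert.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """One dict per <VirtualHost>: address, ServerName, and every directive
    keyed in lower case as a list, so repeated directives stay visible."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        directives = defaultdict(list)
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()].append(parts[1].strip() if len(parts) > 1 else "")
        vhosts.append({"address": m.group(1).strip(),
                       "name": directives.get("servername", ["(no ServerName)"])[0],
                       "directives": directives})
    return vhosts


def port_of(address):
    """'127.0.1.1:443', '*:443' and '_default_:443' all yield '443'."""
    return address.rsplit(":", 1)[-1]


def audit(text):
    """Return (severity, message) findings for the parsed configuration."""
    findings = []
    ssl_by_port = defaultdict(list)  # grouped by port only; IP precedence is Apache's job
    for vh in parse_vhosts(text):
        d, name = vh["directives"], vh["name"]
        ssl_on = any(v.lower() == "on" for v in d.get("sslengine", []))
        certs = d.get("sslcertificatefile", [])
        if ssl_on:
            ssl_by_port[port_of(vh["address"])].append(vh)
            if len(certs) > 1:
                findings.append(("error", f"{name}: {len(certs)} SSLCertificateFile "
                                 "directives in one vhost; only one of them takes effect"))
            if any("snakeoil" in c for c in certs):
                findings.append(("warn", f"{name}: serves the Debian snakeoil placeholder "
                                 "certificate, which no browser trusts"))
        elif not (d.get("redirect") or d.get("redirectmatch")):
            findings.append(("warn", f"{name} on {vh['address']}: plain HTTP with no "
                             "redirect to an SSL vhost"))
    # Several SSL vhosts on one port are told apart only by the SNI name the
    # client sends; a client that sends none is served by the first match.
    for port, group in ssl_by_port.items():
        if len(group) > 1:
            names = ", ".join(v["name"] for v in group)
            findings.append(("info", f"port {port}: {len(group)} SSL vhosts ({names}) rely "
                             f"on SNI; clients without SNI get {group[0]['name']}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against your own sites-available files by reading them into `audit()` instead of SAMPLE_CONFIG. To confirm from the outside which certificate a given name actually receives, compare `openssl s_client -connect host:443 -servername staff.example.org` with the same command without `-servername`: if the two show different subjects, the server is selecting by SNI and any client that cannot send it will land on the first vhost for that port.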