[Koha] ssl for koha login

Mason James mtj at kohaaloha.com
Wed Jun 6 15:45:40 NZST 2018



On 5/06/18 2:18 pm, Alvaro Cornejo wrote:
> Hi
>
> I'm trying to set up an SSL connection to Koha (using letsEncrypt certs) so
> my users, admin and opac can have a secure connection.
>
> I've followed letsEncrypt & certbot instructions but neither opac nor
> admin pages work.
>
> I've tried directing connections manually and configuring apache for
> redirect unsuccessfully.
>
> Any hints on this?
>
> This is mostly to avoid the upcoming Chrome config where it will display an
> unsafe site warning to any site requiring login that does not use ssl.
>
> Regards,
>
> Alvaro
> _______________________________________________
> Koha mailing list  http://koha-community.org
> Koha at lists.katipo.co.nz
> https://lists.katipo.co.nz/mailman/listinfo/koha

hi Alvaro

here's an apache config that has worked well for me

it has some extra magic to improve its SSL score

the config now gets an 'A+' on the following site...
 https://www.ssllabs.com/ssltest

i'll aim to add this to the Koha wiki

cheers, Mason



root@deb8:/etc/apache2/sites-available# cat demo.conf
# ------------------------------
# OPAC / redirect to https
<VirtualHost *:80>

   <IfVersion >= 2.4>
      Define instance "demo"
   </IfVersion>

   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-opac.conf

   ServerName demo.foo.org

   SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml"
   AssignUserID demo-koha demo-koha

   # Permanent redirect of every plain-http request to the https vhost.
   # The target host is spelled out instead of taken from %{HTTP_HOST}, so a
   # forged Host header is never reflected into the Location header.
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://demo.foo.org%{REQUEST_URI} [R=301,L]

   ErrorLog    /var/log/koha/demo/opac-error.log
#  TransferLog /var/log/koha/demo/opac-access_log
#  RewriteLog  /var/log/koha/demo/opac-rewrite.log

</VirtualHost>

# ------------------------------
# OPAC / https
<VirtualHost *:443>

   <IfVersion >= 2.4>
      Define instance "demo"
   </IfVersion>

   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-opac-plack.conf
   Include /etc/koha/apache-shared-opac.conf

   ServerName demo.foo.org

   SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml"
   AssignUserID demo-koha demo-koha

   ErrorLog    /var/log/koha/demo/opac-error.log
#  TransferLog /var/log/koha/demo/opac-access_log
#  RewriteLog  /var/log/koha/demo/opac-rewrite.log

   # SSL config here!
   SSLEngine on
   SSLCertificateFile      /etc/letsencrypt/live/demo.foo.org/cert.pem
   SSLCertificateKeyFile   /etc/letsencrypt/live/demo.foo.org/privkey.pem
   # chain.pem holds only the intermediate(s); fullchain.pem repeats the
   # leaf certificate as well, which does not belong in the chain file.
   SSLCertificateChainFile /etc/letsencrypt/live/demo.foo.org/chain.pem

   # These three are per-vhost directives: a <VirtualHost *:443> that omits
   # them falls back to the global defaults, so the intranet vhost below
   # carries its own copy.
   SSLCipherSuite      EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
   SSLProtocol         All -SSLv2 -SSLv3
   SSLHonorCipherOrder On

   # max-age=17280000 is 200 days. The "preload" token only matters for the
   # browser preload list, whose submission rules require max-age of at
   # least 31536000 (one year) plus includeSubDomains; as written the header
   # still gives ordinary HSTS for 200 days but is not preload-eligible.
   Header always set Strict-Transport-Security "max-age=17280000; preload"
   Header always set Content-Security-Policy "upgrade-insecure-requests"

</VirtualHost>

# ------------------------------
# Intranet / redirect to https
<VirtualHost *:80>

   <IfVersion >= 2.4>
      Define instance "demo"
   </IfVersion>

   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-intranet.conf

   ServerName demo-admin.foo.org

   # Same fixed-host permanent redirect as the OPAC vhost.
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://demo-admin.foo.org%{REQUEST_URI} [R=301,L]

   ErrorLog    /var/log/koha/demo/intranet-error.log
#  TransferLog /var/log/koha/demo/intranet-access_log
#  RewriteLog  /var/log/koha/demo/intranet-rewrite.log

</VirtualHost>

# ------------------------------
# Intranet / https
<VirtualHost *:443>

   <IfVersion >= 2.4>
      Define instance "demo"
   </IfVersion>

   Include /etc/koha/apache-shared.conf
#  Include /etc/koha/apache-shared-disable.conf
   Include /etc/koha/apache-shared-intranet-plack.conf
   Include /etc/koha/apache-shared-intranet.conf

   ServerName demo-admin.foo.org

   SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml"
   AssignUserID demo-koha demo-koha

   ErrorLog    /var/log/koha/demo/intranet-error.log
#  TransferLog /var/log/koha/demo/intranet-access_log
#  RewriteLog  /var/log/koha/demo/intranet-rewrite.log

   # SSL config here!
   # The certificate under live/demo.foo.org/ is reused for this vhost, so it
   # must list demo-admin.foo.org as a Subject Alternative Name (certbot -d
   # demo.foo.org -d demo-admin.foo.org); otherwise browsers will reject the
   # staff client with a name mismatch and a separate certificate is needed.
   SSLEngine on
   SSLCertificateFile      /etc/letsencrypt/live/demo.foo.org/cert.pem
   SSLCertificateKeyFile   /etc/letsencrypt/live/demo.foo.org/privkey.pem
   SSLCertificateChainFile /etc/letsencrypt/live/demo.foo.org/chain.pem

   # Same settings as the OPAC vhost; they are not inherited between vhosts.
   SSLCipherSuite      EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
   SSLProtocol         All -SSLv2 -SSLv3
   SSLHonorCipherOrder On

   Header always set Strict-Transport-Security "max-age=17280000; preload"
   Header always set Content-Security-Policy "upgrade-insecure-requests"

</VirtualHost>
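One way to sanity-check a config like the one above before reloading Apache, as an added example that is not part of the original post or of Koha: a small offline linter that parses every `<VirtualHost *:443>` block and flags the three per-vhost TLS directives (`SSLProtocol`, `SSLCipherSuite`, `SSLHonorCipherOrder`) when a vhost omits them, a certificate directory whose name does not match the vhost's `ServerName`, and a `Strict-Transport-Security` header whose `preload` token does not meet the preload list's requirements. The sample config embedded in the script is constructed for the demo, modelled on the posted demo.conf with the post's placeholder hostnames and paths; the intranet vhost in it carries only the certificate lines so that the missing-directive check has something to report.

```python
"""Offline linter for per-vhost TLS settings in an Apache config.

Added example, not code from the mailing-list post or from Koha. The config
text, hostnames and paths below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the posted demo.conf: the OPAC vhost has the
# full set of SSL directives, the intranet vhost only the certificate lines.
SAMPLE_CONF = """
<VirtualHost *:80>
   ServerName demo.foo.org
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule (.*) https://demo.foo.org%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
   ServerName demo.foo.org
   SSLEngine on
   SSLCertificateFile /etc/letsencrypt/live/demo.foo.org/cert.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/demo.foo.org/privkey.pem
   SSLCertificateChainFile /etc/letsencrypt/live/demo.foo.org/chain.pem
   SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
   SSLProtocol All -SSLv2 -SSLv3
   SSLHonorCipherOrder On
   Header always set Strict-Transport-Security "max-age=17280000; preload"
</VirtualHost>

<VirtualHost *:443>
   ServerName demo-admin.foo.org
   SSLEngine on
   SSLCertificateFile /etc/letsencrypt/live/demo.foo.org/cert.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/demo.foo.org/privkey.pem
   Header always set Strict-Transport-Security "max-age=17280000; preload"
</VirtualHost>
"""

PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires max-age of at least one year
# mod_ssl directives that apply only to the vhost that sets them.
PER_VHOST_TLS = ("sslprotocol", "sslciphersuite", "sslhonorcipherorder")


@dataclass
class VHost:
    addr: str                       # e.g. "*:443"
    server_name: str = ""
    directives: dict = field(default_factory=dict)  # lower-cased name -> value
    headers: dict = field(default_factory=dict)     # lower-cased header -> value


def parse_vhosts(text):
    """Very small reader: one directive per line, no nested containers needed."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+(\S+)>", line, re.I)
        if m:
            current = VHost(addr=m.group(1))
            continue
        if line.lower() == "</virtualhost>":
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None:
            continue
        m = re.match(r'Header\s+(?:always\s+)?set\s+(\S+)\s+"([^"]*)"', line, re.I)
        if m:
            current.headers[m.group(1).lower()] = m.group(2)
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "servername":
            current.server_name = value.strip()
        else:
            current.directives[key] = value.strip()
    return vhosts


def parse_hsts(value):
    """Split an HSTS header value into its three meaningful parts."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and val.strip().strip('"').isdigit():
            out["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def check_vhost(vh):
    """Return a list of findings for one https vhost (empty for plain-http ones)."""
    findings = []
    if not vh.addr.endswith(":443"):
        return findings
    if vh.directives.get("sslengine", "").lower() != "on":
        findings.append("SSLEngine is not on")
    for name in PER_VHOST_TLS:
        if name not in vh.directives:
            findings.append(f"{name} not set here; the global default applies to this vhost")
    # certbot names the live/ directory after the lineage (normally the first
    # hostname), so a mismatch is a hint to check the certificate's SANs.
    m = re.search(r"/live/([^/]+)/", vh.directives.get("sslcertificatefile", ""))
    if m and vh.server_name and m.group(1) != vh.server_name:
        findings.append(f"certificate lineage '{m.group(1)}' differs from ServerName "
                        f"'{vh.server_name}'; the certificate must carry it as a SAN")
    hsts = vh.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        h = parse_hsts(hsts)
        if h["preload"] and (h["max_age"] is None or h["max_age"] < PRELOAD_MIN_AGE
                             or not h["include_subdomains"]):
            findings.append("preload token present but preload requires "
                            "max-age >= 31536000 and includeSubDomains")
    return findings


def audit(text):
    """Map each https vhost's ServerName to its findings."""
    return {vh.server_name or vh.addr: check_vhost(vh)
            for vh in parse_vhosts(text) if vh.addr.endswith(":443")}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_CONF).items():
        print(host, "->", findings or "ok")
```

Run it against a real site config by replacing `SAMPLE_CONF` with the file's contents; the checks are deliberately narrow (they do not verify the certificate itself or the global ssl.conf), so an empty result means "nothing obviously inconsistent", not "secure".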


