[Koha] Enabling https only using SSL

TechOut Solutions techoutsolutions00 at gmail.com
Wed May 15 22:55:08 NZST 2019


Thanks a lot, Doug, for your input! I really appreciate that. I am afraid
that the Koha being hosted on DigitalOcean doesn't have a domain assigned
to it and Koha is accessed using an IP address. But still, I will try the
configuration and will let you know the result.

On Tue, May 14, 2019 at 2:17 AM Doug Dearden <dearden at sarsf.org> wrote:

> Hey Nirvana,
>
> I think you are looking for something like this, substituting a valid
> domainname in the right places.
>
> Doug
>
>
> # OPAC
>  <VirtualHost *:80>
>     Include /etc/koha/apache-shared.conf
>  #  Include /etc/koha/apache-shared-disable.conf
>     Include /etc/koha/apache-shared-opac.conf
>
>     ServerName ssb
>     # ***** This redirects from http to https (trailing slash keeps request paths intact) *****
>     Redirect permanent "/" "https://yourdomainname/"
>     SetEnv KOHA_CONF "/etc/koha/sites/ssb/koha-conf.xml"
>     SetEnv MEMCACHED_SERVERS ""
>     SetEnv MEMCACHED_NAMESPACE ""
>     AssignUserID ssb-koha ssb-koha
>
>     ErrorLog    /var/log/koha/ssb/opac-error.log
>  #  TransferLog /var/log/koha/ssb/opac-access.log
>  #  RewriteLog  /var/log/koha/ssb/opac-rewrite.log
> </VirtualHost>
>
> # ***** This checks for ssl module on Debian *****
> <IfModule mod_ssl.c>
>  # OPAC
>  # ***** Note port 443 here *****
>  <VirtualHost *:443>
>     Include /etc/koha/apache-shared.conf
>  #  Include /etc/koha/apache-shared-disable.conf
>     Include /etc/koha/apache-shared-opac.conf
>
>     ServerName ssb
>     # ***** same as above *****
>     ServerAlias yourdomainname
>     SetEnv KOHA_CONF "/etc/koha/sites/ssb/koha-conf.xml"
>     SetEnv MEMCACHED_SERVERS ""
>     SetEnv MEMCACHED_NAMESPACE ""
>     AssignUserID ssb-koha ssb-koha
>
>     ErrorLog    /var/log/koha/ssb/opac-error.log
>  #  TransferLog /var/log/koha/ssb/opac-access.log
>  #  RewriteLog  /var/log/koha/ssb/opac-rewrite.log
>     SSLEngine on
>     SSLProtocol  +TLSv1.2 +TLSv1.1 +TLSv1
>     SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
>     SSLHonorCipherOrder     on
>     SSLCompression          off
>
>     SSLCertificateFile /etc/apache2/ssl/apache.crt
>     SSLCertificateKeyFile /etc/apache2/ssl/apache.key
>  </VirtualHost>
> </IfModule>
>
> -----Original Message-----
> From: Koha [mailto:koha-bounces at lists.katipo.co.nz] On Behalf Of TechOut
> Solutions
> Sent: Sunday, May 12, 2019 11:39 AM
> To: Joel Coehoorn <joel.coehoorn at york.edu>
> Cc: Koha General Mailing-List <koha at lists.katipo.co.nz>
> Subject: Re: [Koha] Enabling https only using SSL
>
> Thanks for your inputs and response! Could you please provide a sample
> virtualhost file by providing a working copy or by referring to the
> template available from
>
> https://github.com/Koha-Community/Koha/blob/master/debian/templates/apache-site-https.conf.in
> ?
>
> On Sun, May 12, 2019 at 7:26 PM Coehoorn, Joel <jcoehoorn at york.edu> wrote:
>
> > You must change the *:80 at the top to *:443. You will also want to copy
> > the original virtualhost section, before adding the sslengine settings, and
> > change it to redirect to the https url.
> >
> > On Sun, May 12, 2019, 5:18 AM TechOut Solutions <
> > techoutsolutions00 at gmail.com> wrote:
> >
> >> Hi Joel,
> >>
> >> I couldn't find the four entries of virtual hosts but I did the following
> >> by searching for similar problems but others are using letsencrypt
> >> certificates.
> >>
> >> # OPAC
> >> <VirtualHost *:80>
> >>    Include /etc/koha/apache-shared.conf
> >> #  Include /etc/koha/apache-shared-disable.conf
> >>    Include /etc/koha/apache-shared-opac.conf
> >>
> >>    ServerName ssb
> >>    SetEnv KOHA_CONF "/etc/koha/sites/ssb/koha-conf.xml"
> >>    SetEnv MEMCACHED_SERVERS ""
> >>    SetEnv MEMCACHED_NAMESPACE ""
> >>    AssignUserID ssb-koha ssb-koha
> >>
> >>    ErrorLog    /var/log/koha/ssb/opac-error.log
> >> #  TransferLog /var/log/koha/ssb/opac-access.log
> >> #  RewriteLog  /var/log/koha/ssb/opac-rewrite.log
> >>    SSLEngine on
> >>    SSLProtocol  +TLSv1.2 +TLSv1.1 +TLSv1
> >>    SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
> >>    SSLHonorCipherOrder     on
> >>    SSLCompression          off
> >>
> >>    SSLCertificateFile /etc/apache2/ssl/apache.crt
> >>    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
> >> </VirtualHost>
> >>
> >> I couldn't make the https protocol to load the OPAC using the above
> >> configuration. Do I need to use the letsencrypt certificate for it to work?
> >>
> >> Thanks!
> >>
> >> On Sun, May 12, 2019 at 10:43 AM Coehoorn, Joel <jcoehoorn at york.edu>
> >> wrote:
> >>
> >>> I'm not at a place where I can check, but if you look at your Apache
> >>> site .conf file, there will likely be 4 virtual host entries: an http
> >>> and https option for both the opac and staff client. You can remove most
> >>> everything from inside the http entries and replace them with Redirect
> >>> directives which point to the correct https urls.
> >>>
> >>> On Sat, May 11, 2019, 11:41 PM TechOut Solutions <
> >>> techoutsolutions00 at gmail.com> wrote:
> >>>
> >>>> Hi there,
> >>>>
> >>>> I am trying to setup Koha OPAC and Staff-Client using https protocol
> >>>> only
> >>>> using SSL and want to disable http access to Koha. I'd appreciate if I
> >>>> could get the sample apache virtualhost site configuration to achieve
> >>>> the
> >>>> result. Thank you.
> >>>>
> >>>> Regards,
> >>>> Nirvana
> >>>> _______________________________________________
> >>>> Koha mailing list  http://koha-community.org
> >>>> Koha at lists.katipo.co.nz
> >>>> https://lists.katipo.co.nz/mailman/listinfo/koha
> >>>>
> >>>
>
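
A small check for the two layouts quoted above, as an added example that is not part of the original thread: it flags TLS directives left inside a `*:80` virtual host, a port 80 host that does not redirect, and a missing `*:443` host. The sample configs are constructed and the names `parse_vhosts` and `audit` are hypothetical.

```python
import re

# Constructed sample: the first attempt's shape (TLS directives in the *:80 host).
FIRST_ATTEMPT = """\
<VirtualHost *:80>
   ServerName ssb
   SSLEngine on
</VirtualHost>
"""

# Constructed sample: port 80 only redirects, TLS is served on port 443.
SPLIT_HOSTS = """\
<VirtualHost *:80>
   Redirect permanent "/" "https://yourdomainname/"
</VirtualHost>
<VirtualHost *:443>
   SSLEngine on
</VirtualHost>
"""

def parse_vhosts(text):
    """Return [(port, {directive: [args, ...]})], one entry per <VirtualHost>."""
    vhosts, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        opened = re.match(r"<VirtualHost\s+\S*:(\d+)\s*>", line, re.I)
        if opened:
            current = {}
            vhosts.append((int(opened.group(1)), current))
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None and line and line[0] not in "#<":
            name, *rest = line.split(None, 1)
            current.setdefault(name.lower(), []).append(" ".join(rest))
    return vhosts

def audit(text):  # list the HTTPS-only problems found in an Apache site file
    vhosts, findings = parse_vhosts(text), []
    for port, d in vhosts:
        ssl_on = "on" in (a.lower() for a in d.get("sslengine", []))
        to_https = any("https://" in a for a in d.get("redirect", []))
        if port == 80 and ssl_on:
            findings.append("SSLEngine on inside a port 80 vhost")
        if port == 80 and not to_https:
            findings.append("port 80 vhost does not redirect to https")
        if port == 443 and not ssl_on:
            findings.append("port 443 vhost lacks SSLEngine on")
    if all(port != 443 for port, _ in vhosts):
        findings.append("no port 443 vhost defined")
    return findings
```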

