Hi, On Thu, May 30, 2013 at 3:07 PM, Michael Hafen <[email protected]> wrote: > I understand that forcing https in the software is a good security measure. > I'm just asking that it be controlled by a system preference, or be made an > optional section in the apache config file in consideration of those who > would like to avoid the overhead added by https.
I'm not sure I necessarily buy that the computational overhead for SSL is a major factor nowadays for anything but the most ancient of hardware. I grant that load balancers speaking to HTTPS backends can have configuration issues that are sometimes more easily addressed by letting the backends speak HTTP. Regardless, I do think that the Apache virtualhost configuration would be the right place to do an SSL-only configuration, either as a default or just a commented-out recommendation. Koha's CGI scripts don't need to enforce it. Regards, Galen -- Galen Charlton Manager of Implementation Equinox Software, Inc. / The Open Source Experts email: [email protected] direct: +1 770-709-5581 cell: +1 404-984-4366 skype: gmcharlt web: http://www.esilibrary.com/ Supporting Koha and Evergreen: http://koha-community.org & http://evergreen-ils.org _______________________________________________ Koha-devel mailing list [email protected] http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
