On 5/06/18 2:18 pm, Alvaro Cornejo wrote: > Hi > > I´m trying to setup a ssl connection to Koha (using letsEncrypt certs ) so > my users, admin and opac can have a secure connection. > > I´ve folllowed letsEncrypt & certbot instrucctions but neither opac nor > admin pages work. > > I´ve tried directing connections manually and configuring apache for > redirect unsuccessfully. > > Any hints on this? > > This is mostly to avoid the upcoming chrome config where it will display an > unsafe site warning to any site requiring login that does not use ssl > > Regards, > > Alvaro > _______________________________________________ > Koha mailing list http://koha-community.org > [email protected] > https://lists.katipo.co.nz/mailman/listinfo/koha
hi Alvaro here's an apache config that has worked well for me it has some extra magic to improve it's SSL score the config now gets an 'A+' on the following site... https://www.ssllabs.com/ssltest i'll aim to add this to the Koha wiki cheers, Mason root@deb8:/etc/apache2/sites-available# cat demo.conf # ------------------------------ # OPAC <VirtualHost *:80> <IfVersion >= 2.4> Define instance "demo" </IfVersion> Include /etc/koha/apache-shared.conf # Include /etc/koha/apache-shared-disable.conf Include /etc/koha/apache-shared-opac.conf ServerName demo.foo.org SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml" AssignUserID demo-koha demo-koha RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} ErrorLog /var/log/koha/demo/opac-error.log # TransferLog /var/log/koha/demo/opac-access_log # RewriteLog /var/log/koha/demo/opac-rewrite.log </VirtualHost> # ------------------------------ <VirtualHost *:443> <IfVersion >= 2.4> Define instance "demo" </IfVersion> Include /etc/koha/apache-shared.conf # Include /etc/koha/apache-shared-disable.conf Include /etc/koha/apache-shared-opac-plack.conf Include /etc/koha/apache-shared-opac.conf ServerName demo.foo.org SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml" AssignUserID demo-koha demo-koha ErrorLog /var/log/koha/demo/opac-error.log # TransferLog /var/log/koha/demo/opac-access_log # RewriteLog /var/log/koha/demo/opac-rewrite.log # SSL config here! SSLEngine on SSLCertificateFile /etc/letsencrypt/live/demo.foo.org/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/demo.foo.org/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/demo.foo.org/fullchain.pem SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On Header always set Strict-Transport-Security "max-age=17280000; preload" Header always set Content-Security-Policy "upgrade-insecure-requests" </VirtualHost> # ------------------------------ # Intranet / redirect to https <VirtualHost *:80> <IfVersion >= 2.4> Define instance "demo" </IfVersion> Include /etc/koha/apache-shared.conf # Include /etc/koha/apache-shared-disable.conf Include /etc/koha/apache-shared-intranet.conf ServerName demo-admin.foo.org RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} ErrorLog /var/log/koha/demo/intranet-error.log # TransferLog /var/log/koha/demo/intranet-access_log # RewriteLog /var/log/koha/demo/intranet-rewrite.log </VirtualHost> # ------------------------------ <VirtualHost *:443> <IfVersion >= 2.4> Define instance "demo" </IfVersion> Include /etc/koha/apache-shared.conf # Include /etc/koha/apache-shared-disable.conf Include /etc/koha/apache-shared-intranet-plack.conf Include /etc/koha/apache-shared-intranet.conf ServerName demo-admin.foo.org SetEnv KOHA_CONF "/etc/koha/sites/demo/koha-conf.xml" AssignUserID demo-koha demo-koha ErrorLog /var/log/koha/demo/intranet-error.log # TransferLog /var/log/koha/demo/intranet-access_log # RewriteLog /var/log/koha/demo/intranet-rewrite.log # SSL config here! SSLEngine on SSLCertificateFile /etc/letsencrypt/live/demo.foo.org/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/demo.foo.org/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/demo.foo.org/fullchain.pem Header always set Strict-Transport-Security "max-age=17280000; preload" Header always set Content-Security-Policy "upgrade-insecure-requests" </VirtualHost> _______________________________________________ Koha mailing list http://koha-community.org [email protected] https://lists.katipo.co.nz/mailman/listinfo/koha

