Drupal login SSL


BrzI Channel

Mar 11, 2016, 1:10:38 PM
to islandora
I need to install a certificate so that my Drupal login for Islandora is encrypted.

Just confirming that this is the required procedure?

Thanks

Goran


Peter Murray

Mar 11, 2016, 1:48:53 PM
to islandora
That set of instructions will work.  The HTTPS encryption is being handled by the web server process (e.g. Apache or nginx), and following those instructions will set up the encrypted transaction between the browser and the web server.  There will be other things that will need to be done -- making sure that images, JavaScript files, and stylesheets are all referenced using https, for instance -- in order to complete the work.  One Islandora-specific thing to keep in mind is to update the URL prefix used to get tiles from the djatoka server for use in the large image solution pack and the paged content models.


Peter
-- 
Peter Murray
Dev/Ops Lead and Project Manager, Cherry Hill Company
Blogger, Disruptive Library Technology Jester - http://dltj.org/


BrzI Channel

Mar 11, 2016, 4:07:59 PM
to islandora, jes...@dltj.org
Thanks Peter,

Do you know if there is any documentation that describes the process? I have added SSL certificates in the past to both Windows and Linux machines, but aside from generating the requests and then assigning certificates there was nothing more needed.

This sounds like it needs an extra layer of work. I would like to get a clearer understanding of what needs to be done before I start.

Thanks


Adon Irani

Mar 12, 2016, 9:29:11 AM
to islandora, jes...@dltj.org
Hello Goran,
I don't think there's any change per se. 
But with Drupal I've encountered the problem Peter describes when using custom themes/contrib modules, for instance. On some sites I can set up the cert on the web server, and voila, it's working perfectly. I've got one site that uses an OpenLayers mapping module and it was hard-coded to work via http. So when I switch to https, I get that mixed content issue - https://www.globalsign.com/en/blog/how-to-fix-mixed-content-warnings-on-your-ssl-site/ Or worse, it doesn't respond to https because the source server I'm pulling map tiles from doesn't support it.

Here's a Drupal-related link (old now) but it describes what could happen: https://www.drupal.org/node/1379762, and another link that describes the mapping tiles issue I've encountered: https://blogs.fsfe.org/samtuke/?p=703 [simply for reference if helpful]

That being said, if the modules and themes you're using are well coded you may not have to worry about this extra layer of debug.

Also, do check out https://letsencrypt.org/ -- free SSL certs signing authority. They have to be renewed at great frequency, but it's a big cost savings!

Hope this helps,

Adon

BrzI Channel

Mar 18, 2016, 1:53:04 PM
to islandora, jes...@dltj.org
Just one last question:

in my /etc/apache2/sites-enabled/000-default.conf file

In the <VirtualHost *:443> block

Do I need to add:

<Directory /var/www/drupal>
    AllowOverride All
    Order Allow,Deny
    Allow from all
</Directory>

Thanks

Peter Murray

Mar 18, 2016, 2:08:30 PM
to BrzI Channel, islandora
Yes -- you'll need that <Directory> block as well.

For what it's worth -- and this may be more confusing than anything else -- I've attached the template we use for the Apache site configuration file.  Note that there are two <VirtualHost> blocks here -- one for port 80 and one for port 443 -- and there is a special condition in place to allow connections to port 80 from localhost to be passed through unforwarded to HTTPS on port 443.  We found that was needed to handle djatoka requests.  This is a template file, so everything in between '{{' and '}}' is a variable that is substituted when Ansible uploads the template to the server; hopefully the variable names are meaningful.  Also of note: there are some lines in the file that proxy through access to the underlying Tomcat through Apache with a Basic Authentication requirement.


Peter
drupal.conf.j2

BrzI Channel

Mar 18, 2016, 6:47:40 PM
to islandora, gi...@shaw.ca, jes...@dltj.org
Hi Peter,

everything is OK. I tested the SSL cert against our certificate provider. All checks are green.


My site got a B score. Getting a rating of A required fixing these two issues:
- This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
- The server does not support Forward Secrecy with the reference browsers.

I wonder if I should simply copy your SSLCipherSuite settings. I have only disabled SSL2 and SSL3 so far.

Thanks


Adon Irani

Mar 20, 2016, 6:58:45 PM
to isla...@googlegroups.com, gi...@shaw.ca, jes...@dltj.org
Hello,
My recommendation would be to fiddle with the various settings till you get it.

I'm using nginx rather than apache, so my settings will be different. But if it's any help, here they are:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_prefer_server_ciphers on;

ssl_dhparam /etc/nginx/ssl/dhparams.pem;

ssl_session_cache shared:SSL:1m;

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

and it gives me A+


Of course you can't believe everything you see on the Intranet, but I generally google the response phrases and investigate for error and solution reports. Then I'd test one fix at a time until I can confirm it's working.

Good luck!

Adon
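
The two SSL Labs findings Goran quoted (RC4 accepted, no forward secrecy with the reference browsers) both come down to which suites a cipher string actually expands to on the server's OpenSSL, and in what order. The script below is an added example, not code from this thread: it feeds Adon's nginx ssl_ciphers string (copied from the post above) to the local OpenSSL through Python's ssl module and reports which suites give forward secrecy (ephemeral ECDHE/DHE key exchange), which are RSA-key-exchange fallbacks, and which use RC4 or 3DES; FS_ONLY_CIPHERS is a hypothetical comparison string, not something anyone in the thread posted.

```python
import ssl

# Sample input: the nginx ssl_ciphers string Adon posted earlier in this thread.
ADON_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Hypothetical comparison string: every suite uses an ephemeral (EC)DHE key
# exchange, so a later leak of the server's private key cannot decrypt
# previously recorded sessions.
FS_ONLY_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:!aNULL:!MD5:!RC4"

# Key-exchange families that provide forward secrecy. TLS 1.3 suites report
# 'kx-any' because their key exchange is always ephemeral.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL and classify
    each resulting suite: forward-secret or RSA-key-exchange fallback, plus
    legacy bulk ciphers (RC4, 3DES) that SSL Labs caps the grade for."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    report = {"forward_secrecy": [], "no_forward_secrecy": [], "legacy": []}
    for suite in ctx.get_ciphers():  # server preference order, as negotiated
        name = suite["name"]
        if suite["kea"] in FORWARD_SECRET_KX:
            report["forward_secrecy"].append(name)
        else:
            report["no_forward_secrecy"].append(name)
        bulk = (suite["symmetric"] or "").lower()  # e.g. 'aes-128-gcm', 'rc4'
        if "rc4" in bulk or "des" in bulk:
            report["legacy"].append(name)
    return report


def all_forward_secret(cipher_string):
    """True when no enabled suite falls back to static RSA key exchange."""
    return not audit_cipher_string(cipher_string)["no_forward_secrecy"]


if __name__ == "__main__":
    for label, cs in (("thread config", ADON_CIPHERS), ("FS-only", FS_ONLY_CIPHERS)):
        r = audit_cipher_string(cs)
        print(f"{label}: {len(r['forward_secrecy'])} FS suites, "
              f"{len(r['no_forward_secrecy'])} non-FS fallbacks, legacy: {r['legacy']}")
```

Adon's string keeps plain AES128-GCM-SHA256 and friends as fallbacks after the ECDHE/DHE suites, which is why ssl_prefer_server_ciphers on matters: with server order enforced, the reference browsers land on a forward-secret suite and the non-FS entries only serve clients that cannot do (EC)DHE.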



Peter Murray

Mar 21, 2016, 9:30:11 AM
to islandora
Getting HTTPS configurations right is a bit of a black art.  I recommend using Mozilla's configuration generator:


Kudos for going to SSLLabs.com to test your configuration!


Peter

Richard Shrake

Apr 20, 2017, 11:08:21 AM
to islandora, jes...@dltj.org
This thread was incredibly helpful for me - especially Peter's template. For anyone basing settings on that template, please note that line 71 in the 443 virtual host is missing part of the address.

The line
  RewriteRule /adore-djatoka/resolver http://localhost:8888/resolver?%1rft_id=http\%3A\%2F\%2Flocalhost\%2F%2 [P]

should be
  RewriteRule /adore-djatoka/resolver http://localhost:8888/adore-djatoka/resolver?%1rft_id=http\%3A\%2F\%2Flocalhost\%2F%2 [P]