how to add https support?


Phillip jan

Feb 6, 2022, 12:09:29 PM
to DSpace Technical Support
Hi! I am having issues with the backend installation, particularly step 16. I don't know how to set up a virtual host using an https/port 443 proxy to proxy all requests to Apache, or how to create an SSL certificate. I am new to deploying a website in a production environment. Can someone help me? Thanks in advance.

Mark H. Wood

Feb 7, 2022, 8:38:25 AM
to dspac...@googlegroups.com
The details will depend on your operating system. Is this on Linux or
Windows? If Linux, what distribution (Ubuntu, Red Hat, etc.) and
version?

Some general notes:

o Virtual hosting and proxying are two separate issues. The proxy
  connection will run within the virtual host.

o Proxying between Tomcat and HTTPD can be done using HTTP or AJP.
  You need to choose one. The two services must both be configured
  to agree on the details of their connection.

o Do you want to create a self-signed certificate, or obtain a
  certificate from a certificate authority? Self-signed certificates
  are easier and quicker to create, but will not be trusted by
  browsers. They are useful for testing, or in closed environments.
  A commercial or corporate certificate should be automatically
  trusted within the scope of the authority which signed it. To make
  your repository generally available, you will most likely want a
  commercial certificate.

o It may be best to get these things working one at a time.
  That is: first set up the virtual host and test that you can get
  service from it with a simple static page. Then set up the proxy
  connection and test that you can get service from DSpace. Then add
  the certificate and set up HTTPS.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

Phillip jan

Feb 7, 2022, 8:58:38 AM
to DSpace Technical Support
Hi! I am running on Windows 10.

Phillip jan

Mar 3, 2022, 7:53:29 AM
to DSpace Technical Support
Hi, can you help me? I cannot get service from DSpace by reverse proxying Apache to Tomcat. It only shows the static page in "${SRVROOT}/htdocs".

This is my httpd-vhosts.conf (this .conf file is already included in my httpd.conf):

<VirtualHost *:80>
    ProxyPreserveHost On
    ServerName repository-uecal.com
    ProxyPass /server ajp://localhost:8009/server
    ProxyPassReverse /server ajp://localhost:8009/server
</VirtualHost>


federico....@gmail.com

Mar 3, 2022, 8:51:01 AM
to DSpace Technical Support
Hi Jan,

Try using mod_jk instead of reverse proxying. It's simpler and works better.
Your Apache SSL config should look like this (for jspui):

    <VirtualHost *:443>
.........
        RedirectMatch ^/$ /jspui

        JkMount /jspui* ajp13_worker
        JkMount /oai* ajp13_worker
        JkMount /swordv2* ajp13_worker
.............

After enabling mod_jk and configuring the worker in workers.properties.

Regards

Phillip jan

Mar 3, 2022, 5:37:11 PM
to DSpace Technical Support
Hi, Federico!

Thanks for the response! Unfortunately, I am using DSpace 7.x; I don't think it uses jspui anymore. Also, I do not have an SSL certificate yet. I just want to configure my Apache to proxy requests to Tomcat via reverse proxying with AJP or HTTP on port 80 without a certificate.

Eric Montague

Mar 3, 2022, 9:00:47 PM
to dspac...@googlegroups.com

I am running on Windows 19 Server.
Using mod_proxy instead of ajp works for me.
I also do not use ProxyPreserveHost.

Something like this might work for you.

<VirtualHost *:80>

    ServerName myserver.com
    ServerAlias www.myserver.com

    ProxyPass /server http://localhost:8080/server
    ProxyPassReverse /server http://localhost:8080/server

</VirtualHost>

This should redirect myserver.com/server to http://localhost:8080/server.

If you want to redirect myserver.com to http://localhost:8080/server,
I think you would have to use

    ProxyPass / http://localhost:8080/server
    ProxyPassReverse / http://localhost:8080/server

But I'm not sure what you are trying to accomplish.
The subject line says 'how to add https support'.
But later in the thread you say you just want to 'proxy requests to tomcat via reverse proxying'.

- eric


Phillip jan

Mar 3, 2022, 11:31:37 PM
to DSpace Technical Support
It now works for me. Thanks for this. Apparently, I was only accessing the URL "repository-uecal.com" instead of "repository-uecal.com/server". I am just a newbie at setting up Apache.

Phillip jan

Mar 4, 2022, 5:39:10 AM
to DSpace Technical Support
Now I am back to this issue with HTTPS. I cannot seem to generate a certificate with Let's Encrypt using Certbot. It returns this: [attached image: yes.PNG]

Phillip jan

Mar 6, 2022, 6:13:13 AM
to DSpace Technical Support
Hello! Is there a tutorial on how to generate an SSL certificate on Windows? I am using Apache httpd. I've done the virtual hosting and was able to proxy to Apache Tomcat. However, I do not know how to get an SSL certificate using Let's Encrypt for my domain name that I bought on GoDaddy.

euler

Mar 6, 2022, 8:40:56 AM
to DSpace Technical Support
Hi,

I used this guide on how to set up a Let's Encrypt SSL certificate on Windows: https://www.snel.com/support/install-lets-encrypt-with-apache-on-windows-server-2019/

Hope this helps.
euler

Phillip jan

Mar 8, 2022, 9:33:18 PM
to DSpace Technical Support
Hello, Euler!

Thank you for this. I am following the instructions and I seem to be on the right path. However, I got stuck on step 5: Issue certificate. I just don't know how to verify that I bought and own the domain name on GoDaddy. Do you have an idea as to how I could verify that I own this domain? Thanks.

euler

Mar 9, 2022, 3:57:26 AM
to DSpace Technical Support
Hi Phillip,

For the verification, did you choose [http-01] Serve verification files on (network) path? In your virtual host conf, create this rule:

ProxyPass /.well-known !

right above the:
ProxyPass /server ajp://localhost:8009/server
ProxyPassReverse /server ajp://localhost:8009/server

This is to ensure that when Let's Encrypt tries to access that URL, it will not proxy to your DSpace instance. Make sure to create this folder first under the htdocs directory. Based on my experience when using Let's Encrypt, it will try to upload a verification file to the path /.well-known, so it is important that this path is accessible to the public.

Hope this helps,
euler

Phillip jan

Mar 9, 2022, 5:47:31 AM
to DSpace Technical Support
Yes, it asked for a path. I don't know what I should input into it. What path should I include here? Thanks!!
[attached image: path.PNG]

Mohammad S. AlMutairi

Mar 9, 2022, 10:19:25 AM
to DSpace Technical Support
On Wednesday, March 9, 2022 at 1:47:31 PM UTC+3 phillip...@gmail.com wrote:
> Yes, it asked for a path. I don't know what I should input into it. What path should I include here? thanks!!

The httpd.conf path is what you are supposed to write as the path there (it needs to fetch the ServerName value from the config file), but it won't work because the installation script will fail to reach your server from the outside to verify that you are the real owner of repository-uecal.com. Why? Because, from what I see from here, ports 80 and 443 on repository-uecal.com are blocked by a firewall.

For this to work, you have to have an A record in the authoritative DNS for repository-uecal.com pointing to the IP address of your Windows 2019 server, and you also have to have ports 80 and 443 opened in the firewall/firewalls, with both ports publicly accessible. Once these are set, you can proceed with the lengthy and messy tutorial you were following, or you can just install https://dl.eff.org/certbot-beta-installer-win32.exe, stop the Apache server and execute this command:

certbot certonly -n --standalone -d repository-uecal.com --agree-tos --email your-email-here

to generate the certificate and its key and place them for you as you see them below.

Successfully received certificate.
Certificate is saved at: C:\Certbot\live\repository-uecal.com\fullchain.pem
Key is saved at:         C:\Certbot\live\repository-uecal.com\privkey.pem
This certificate expires on 2022-06-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

What you need to add into the Apache SSL config file after the certificate and its key are saved on your server:
SSLCertificateFile "C:\Certbot\live\repository-uecal.com\fullchain.pem"
SSLCertificateKeyFile "C:\Certbot\live\repository-uecal.com\privkey.pem"


Good luck
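
Added example (not part of the original thread and not any poster's configuration): one way the pieces discussed above fit together in httpd-vhosts.conf, combining the HTTP proxy to Tomcat, the /.well-known exclusion and the certificate paths Certbot reported. It assumes mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_rewrite are loaded, that httpd.conf contains Listen 80 and Listen 443, and that Tomcat serves DSpace at http://localhost:8080/server; the SSLProtocol and X-Forwarded-Proto lines are assumptions, not taken from the thread.

```apache
# Added example. Paths use forward slashes, which Apache accepts on Windows.

# Port 80: answer Let's Encrypt http-01 requests, send everything else to HTTPS.
<VirtualHost *:80>
    ServerName repository-uecal.com

    RewriteEngine On
    # Leave /.well-known/ alone so validation files are served from htdocs.
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    # Redirect to the fixed ServerName rather than the client-supplied Host header.
    RewriteRule ^ https://repository-uecal.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: terminate TLS here and proxy /server to Tomcat over plain HTTP.
<VirtualHost *:443>
    ServerName repository-uecal.com

    SSLEngine on
    SSLCertificateFile    "C:/Certbot/live/repository-uecal.com/fullchain.pem"
    SSLCertificateKeyFile "C:/Certbot/live/repository-uecal.com/privkey.pem"
    # Assumption: refuse the legacy protocol versions.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Assumption: tell the backend that the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # The exclusion must come before the ProxyPass rules it is meant to override.
    ProxyPass        /.well-known !
    ProxyPass        /server http://localhost:8080/server
    ProxyPassReverse /server http://localhost:8080/server

    # Tomcat's connector on 8080 should be reachable from localhost only,
    # so that clients cannot bypass this virtual host and its TLS.
</VirtualHost>
```

Because the certificate in this thread was issued with --standalone, Certbot needs port 80 to itself again at renewal time, so Apache has to be stopped for the renewal run and started afterwards to load the new files.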

Phillip jan

Mar 9, 2022, 8:05:09 PM
to DSpace Technical Support
I directed my A address to my IPv4 through my domain name's DNS manager (GoDaddy) and opened ports 80 and 443 on the firewall to domain, private, and public. I did it for both inbound and outbound. I still get this error:
[attached image: Capture.PNG]

I am using Apache + Windows 10 + Certbot + Let's Encrypt.

Mohammad S. AlMutairi

Mar 10, 2022, 7:00:26 AM
to DSpace Technical Support
If this is a home office network, make sure 124.107.184.212 matches what you get when you visit https://whatismyipaddress.com. Afterwards, just redirect traffic coming from the internet to ports 80 and 443 on 124.107.184.212 to go to the private IP address of the Windows workstation you installed DSpace on, and it should work for you. (You should find these settings in the home router. See the attached screenshot for hints.)
[attached image: 2022-03-10_14-54-34.png]

Phillip jan

Mar 10, 2022, 6:54:06 PM
to DSpace Technical Support
Hi!

Thank you for this. The reason why I can't make an SSL certificate using Certbot is that I haven't port forwarded my public IP to my private IP. However, I'm afraid because, according to the internet, there will be a vulnerability issue with port forwarding. Is there a solution that can resolve or lessen these vulnerabilities?

Mohammad S. AlMutairi

Mar 11, 2022, 10:32:36 AM
to DSpace Technical Support
It's debatable, but a bad idea in general unless you are doing it for testing purposes and temporarily. It's much safer to get a (Linux - NO Windows) server in one of the public clouds and run DSpace on it for whatever purpose you intend to run it for.

Good luck

Phillip jan

Mar 11, 2022, 11:18:24 PM
to DSpace Technical Support
Hi!

Apparently, my ISP uses a CGNAT setup. This makes port forwarding impossible in my case. Are there some alternatives on how to get SSL certificates from Let's Encrypt?

Mohammad S. AlMutairi

Mar 12, 2022, 4:48:46 AM
to DSpace Technical Support
It's impractical, but you can still do the domain verification somewhere else, on any publicly accessible server that you control, if you point your domain to that server's IP address and run the same previous command. You then need to copy the generated 90-day certificates to your Windows 10 workstation!

It's better to go for a self-signed certificate instead.

Phillip jan

Mar 12, 2022, 10:15:52 PM
to DSpace Technical Support
Is it a good idea to just use Cloudflare? Are there any drawbacks?

Phillip jan

Mar 12, 2022, 11:24:51 PM
to DSpace Technical Support
Is trying ngrok a good alternative? I do not know how to generate an SSL certificate file through ngrok, because I think SSL is already provided once I tunnel with it.