Adding HTTPS support Error

Steli Vali

Aug 9, 2021, 11:21:01 AM
to DSpace Technical Support

Hi,

I am testing DSpace 7, and I want to enable https. Unfortunately the instructions online are not so detailed and I am confused.
I am using dspace.server.url = " http//my-repo.com:8009/server " instead of "http://localhost:8080/server" in the local.cfg file.
I have installed the Apache2 Proxy and the additional modules, and in /etc/apache2/sites-enabled, I have created a file called mySsl.conf, with the following configuration:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                #   SSL Engine Switch:
                #   Enable/Disable SSL for this virtual host.
                SSLEngine on

                #   A self-signed (snakeoil) certificate can be created by installing
                #   the ssl-cert package. See
                #   /usr/share/doc/apache2/README.Debian.gz for more info.
                #   If both key and certificate are stored in the same file, only the
                #   SSLCertificateFile directive is needed.
                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                ProxyPass /server ajp://my-repo.com:8009/server
                ProxyPassReverse /server ajp://my-repo.com:80009/server
...

When I try to access the backend via https://my-repo.com:443/server, I get an error.
Am I missing something? This is the first time I have needed to configure https and I don't know how this works exactly.
Thank you!

Best regards,
Steli



Mark H. Wood

Aug 10, 2021, 9:31:47 AM
to dspac...@googlegroups.com
On Mon, Aug 09, 2021 at 08:21:01AM -0700, Steli Vali wrote:
> I am testing DSpace 7, and I want to enable https. Unfortunately the
> instructions online are not so detailed and I am confused.
> I am using dspace.server.url = " http//my-repo.com:8009/server " instead of
> "http://localhost:8080/server" in the local.cfg file.

8009 is the AJP port. That's only for the proxy link between Apache
HTTPD and Tomcat. HTTP won't work there, and you should have that port
firewalled from end users anyway. (I have my proxy links set up on
'localhost' (127.0.0.1 or ::1) just to make certain that they cannot
leak out of the server.)

Try 'https://my-repo.com/server'.

> I have installed the Apache2 Proxy and the additional modules, and in
> /etc/apache2/sites-enabled, I have created a file called mySsl.conf, with
> the following configuration:
>
> <IfModule mod_ssl.c>
> <VirtualHost _default_:443>
> ServerAdmin webmaster@localhost
>
> DocumentRoot /var/www/html
>
> ErrorLog ${APACHE_LOG_DIR}/error.log
> CustomLog ${APACHE_LOG_DIR}/access.log combined
>
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
>
> # A self-signed (snakeoil) certificate can be created by installing
> # the ssl-cert package. See
> # /usr/share/doc/apache2/README.Debian.gz for more info.
> # If both key and certificate are stored in the same file, only the
> # SSLCertificateFile directive is needed.
> SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
> SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
>
> ProxyPass /server ajp://my-repo.com:8009/server
> ProxyPassReverse /server ajp://my-repo.com:80009/server

Oops! Too many zeroes. ----------------------------------------^

> ...
>
> When I try to access the backend via https://my-repo.com:443/server, I get
> an error.

What error is that? Details will be helpful.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
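
The points raised in the reply above, turned into a small configuration check (an added example, not part of the original thread or of DSpace): it flags an out-of-range proxy port, ProxyPass/ProxyPassReverse targets that differ, an AJP backend that is not on loopback, and a dspace.server.url that is malformed or aimed at the AJP port. The function names and sample strings are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
DIRECTIVE = re.compile(r"^\s*(ProxyPassReverse|ProxyPass)\s+(\S+)\s+(\S+)", re.M)

# Constructed inputs reproducing the directives and URL from the first post.
SAMPLE_VHOST = """\
ProxyPass /server ajp://my-repo.com:8009/server
ProxyPassReverse /server ajp://my-repo.com:80009/server
"""
SAMPLE_SERVER_URL = "http//my-repo.com:8009/server"


def lint_vhost(text):
    """Return (findings, ajp_ports) for the proxy directives in a vhost."""
    findings, ajp_ports, targets = [], set(), {}
    for name, path, url in DIRECTIVE.findall(text):
        parts = urlsplit(url)
        try:
            port = parts.port
        except ValueError:  # urlsplit rejects ports above 65535
            findings.append(f"{name} {path}: invalid port in {url}")
            port = None
        if parts.scheme == "ajp":
            if port:
                ajp_ports.add(port)
            if parts.hostname not in LOOPBACK:
                findings.append(f"{name} {path}: AJP backend {parts.hostname} is not loopback")
        targets.setdefault(path, {})[name] = url
    for path, pair in targets.items():
        if len(pair) == 2 and pair["ProxyPass"] != pair["ProxyPassReverse"]:
            findings.append(f"{path}: ProxyPass and ProxyPassReverse targets differ")
    return findings, ajp_ports


def lint_server_url(url, ajp_ports):
    """Check dspace.server.url: must be a well-formed URL, not on an AJP port."""
    findings = []
    if not re.match(r"^https?://", url.strip()):
        findings.append("dspace.server.url: scheme is missing or malformed")
    m = re.search(r":(\d+)(?:/|$)", url)
    if m and int(m.group(1)) in ajp_ports:
        findings.append(f"dspace.server.url: port {m.group(1)} is the AJP port, not HTTP")
    return findings


if __name__ == "__main__":
    vhost_findings, ports = lint_vhost(SAMPLE_VHOST)
    for line in vhost_findings + lint_server_url(SAMPLE_SERVER_URL, ports):
        print(line)
```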

Steli Vali

Aug 11, 2021, 7:41:24 AM
to DSpace Technical Support
Hi Mark,

thank you for the helpful reply.
I did as you mentioned, and changed ProxyPass related settings to localhost.
I also implemented the same configuration for the frontend. The end result looks like this:

<VirtualHost *:443>
     
                ServerName https://www.my-repo.com:443

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

                # via mod_proxy_http
                #for backend
                ProxyPass /server http://localhost:8080/server
                ProxyPassReverse /server http://localhost:8080/server
                #for frontend
                ProxyPass / http://localhost:4000/
                ProxyPassReverse / http://localhost:4000/
                #required for proxy_http, to respond from http://localhost with https://
                RequestHeader set X-Forwarded-Proto https
...
</VirtualHost>

I can access the frontend via https://my-repo.com/ and my backend via https://my-repo.com/server.
The problem that I see now has to do with the frontend. It seems to not connect to the backend. 
It shows the loading bar, and stays like this.

The local.cfg file is set like this:

dspace.server.url = https://my-repo.com:443/server
dspace.ui.url = https://my-repo.com

Furthermore, the environment.prod.ts is configured as follows:

ui:{
    ssl: false,
    host: 'localhost',
    port: 4000,
    nameSpace: '/'
},
rest:{
      ssl: true,
      host: 'repotest.ub.fau.de',
      port: 443,
      nameSpace: '/server'
}


In the Browser -> Network, I have a get request with a 404, with the following details:
scheme: https
host:
filename: /main-es2015.37e9cb1fafd9d2217dee.js
Address: xxx.xx.xx.xx
Status: 404 Not found
Version: HTTP/1.1
Transferred: 443 B (0 B size)
Referrer Policy: strict-origin-when-cross-origin

Cache-Control: max-age=60
Connection: Keep-Alive
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Wed, 11 Aug 2021 11:36:00 GMT
ETag: W/"927b-A6c6GsaLYFd/J6Lq8aarXS2hZgk"
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)
Transfer-Encoding: chunked
Vary: Accept-Encoding
X-Powered-By: Express
X-RateLimit-Limit: 500
X-RateLimit-Remaining: 495
X-RateLimit-Reset: 1628681819

Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Cache-Control: no-cache
Connection: keep-alive
Cookie: klaro-anonymous=%7B%22authentication%22%3Atrue%2C%22preferences%22%3Atrue%2C%22acknowledgement%22%3Atrue%2C%22google-analytics%22%3Atrue%7D
Host:
Pragma: no-cache
Referer:
Sec-Fetch-Dest: script
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0

For the certificates, I used the default Linux certificates. 
What could be wrong with the frontend that it can't access the backend? Maybe I should configure the Virtual Host somehow differently?
Thank you

Best regards,
Valianos
