[Oskari-user] http to https

Mäkinen Sami (MML) sami.makinen at maanmittauslaitos.fi
Thu Nov 8 07:22:25 PST 2018


Hi,


"How to install https correctly" is a bit of a tricky question to answer as there are many ways to handle it and some extra things that can be considered for "going the extra mile". In all our instances we've offloaded TLS to some external (non-Oskari) software like nginx or F5. We have sample nginx configs available on GitHub (https://github.com/oskariorg/sample-configs/blob/master/nginx/), but they don't include the https part as you would need to have the certificate for your instance to go along with it. Fortunately nginx has awesome documentation on how to accomplish this: http://nginx.org/en/docs/http/configuring_https_servers.html


There's a bunch of stuff to know about the subject, like which protocols and ciphers to support, and these change as time goes by. Do you want to use HSTS, OCSP Stapling and what not. Here are some links regarding nginx:

- https://linode.com/docs/web-servers/nginx/tls-deployment-best-practices-for-nginx/

- https://www.owasp.org/index.php/SCG_WS_nginx


And that's just for nginx. Apache httpd, haproxy or F5 are also ways to handle this. Also you can run Oskari in a Tomcat environment or some other Java servlet container, which changes things as well :)


But basically to get started with Jetty running Oskari you should toggle the "forwarded" functionality on by uncommenting some xml here: https://github.com/oskariorg/sample-configs/blob/master/jetty/jetty-8.1.16-oskari/etc/jetty.xml#L41-L43 and configure something like nginx in front of it to handle TLS. We are passing some X-Forwarded headers from nginx to Jetty so redirects are handled properly: https://github.com/oskariorg/sample-configs/blob/master/nginx/conf.d/default.conf#L52-L58. You should also check that the value of oskari.domain in oskari-ext.properties points to https://peltodata.fi <- note _https_. Looks like http://peltodata.fi gives the landing page and https://peltodata.fi gives the geoportal on your site.


For maplayers you need to register them using the https address for the service. If the services don't support https you don't really have a choice but to use "forceProxy".


Hope this helps and ask away with follow-ups :)


         Sami
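An added example (not from the list post and not the oskariorg/sample-configs repository) of the setup described above: nginx terminates TLS, redirects plain http to https, and passes the X-Forwarded headers that Jetty's "forwarded" setting consumes so that redirects keep the public https scheme and host. It assumes Jetty listens on 127.0.0.1:8080; the certificate, key and resolver values are placeholders.

```nginx
# Added example, not Oskari's own config. Assumes Jetty/Oskari on 127.0.0.1:8080
# with "forwarded" enabled in jetty.xml. Replace the placeholder paths/resolver.

# Plain HTTP: serve nothing, only redirect to HTTPS.
server {
    listen 80;
    server_name peltodata.fi www.peltodata.fi;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name peltodata.fi www.peltodata.fi;

    ssl_certificate     /etc/nginx/certs/peltodata.fi.fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/peltodata.fi.key;            # placeholder path

    # Protocol and cipher choices age; review them against current guidance.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # OCSP stapling: needs the full chain in ssl_certificate and a reachable resolver.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.53 valid=300s;   # placeholder: use the host's own resolver

    # HSTS: enable only once everything under the domain is served over https,
    # since browsers will refuse plain http for max-age seconds afterwards.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # With "forwarded" on, Jetty rebuilds the request's scheme/host from these,
        # so login/logout redirects point at https://peltodata.fi rather than
        # http://127.0.0.1:8080.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}
```

Check the result by following a login or logout with the browser's network tab: every Location header in the redirect chain should start with https://peltodata.fi, and no resource should be loaded over plain http.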


________________________________
From: Oskari-user <oskari-user-bounces at lists.osgeo.org> on behalf of Petri Linna <petri.linna at tut.fi>
Sent: 8 November 2018 12:54
To: oskari-user at lists.osgeo.org
Subject: [Oskari-user] http to https

Hi

My question is about how to install https correctly. I mean, in which settings files do we need to make changes?
If I log in or out from Oskari or GeoServer, it jumps to http. It tries to get the layers' data from http. In Oskari we put "{"forceProxy":true}" on each layer and now the browser doesn't complain any more that the data sources are not safe.

Our service is www.peltodata.fi

Regards, Petri Linna
---

Tampereen teknillinen yliopisto
PL300, 28100 PORI
work: +358 408262720
www.tut.fi/pori
@petrilinna

Drones in agriculture and forestry, 29-30.11.2018:
http://drones2018.utu.fi/

Tampere University and Tampere University of Technology will merge on 1.1.2019 into a new foundation university named Tampere University. Together with Tampere University of Applied Sciences they will form a new higher education community whose areas of expertise are technology, health and society.


