<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none"><!-- p { margin-top: 0px; margin-bottom: 0px; } @font-face { font-family: "Cambria Math"; } @font-face { font-family: Calibri; } p.MsoNormal, li.MsoNormal, div.MsoNormal { margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; } a:link, span.MsoHyperlink { color: rgb(5, 99, 193); text-decoration: underline; } a:visited, span.MsoHyperlinkFollowed { color: rgb(149, 79, 114); text-decoration: underline; } span.EmailStyle17 { font-family: Calibri, sans-serif; color: windowtext; } .MsoChpDefault { font-family: Calibri, sans-serif; } @page WordSection1 { margin: 72pt; } div.WordSection1 { }--></style>
</head>
<body dir="ltr" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hi,<br>
</p>
<p><br>
</p>
<p>"How to install https correctly" is a bit tricky question to answer as there are many ways to handle it and some extra things that can be considered for "going the extra mile". <span style="font-size: 12pt;">In all our instances we've offloaded TLS to some
external (non-Oskari) software like nginx or F5. We have sample nginx configs available on GitHub (https://github.com/oskariorg/sample-configs/blob/master/nginx/), but they don't include the https-part as you would need to have the certificate for your instance
to go along with it. Fortunately nginx has awesome documentation how to accomplish this: </span><a href="http://nginx.org/en/docs/http/configuring_https_servers.html" style="font-size: 12pt;" title="http://nginx.org/en/docs/http/configuring_https_servers.html
Ctrl+Seuraa linkkiä napsauttamalla tai napauttamalla">http://nginx.org/en/docs/http/configuring_https_servers.html</a><br>
</p>
<p><br>
</p>
<p style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">There's a bunch of stuff to know about the subject like which protocols and ciphers to support and these change when time goes by. Do you want to use HSTS, OCSP Stapling and what
not. Here's some links regarding nginx:<br>
</p>
<p style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">- <a href="https://linode.com/docs/web-servers/nginx/tls-deployment-best-practices-for-nginx/">https://linode.com/docs/web-servers/nginx/tls-deployment-best-practices-for-nginx/</a> <br>
</p>
<p style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">- <a href="https://www.owasp.org/index.php/SCG_WS_nginx">https://www.owasp.org/index.php/SCG_WS_nginx</a><br>
</p>
<p style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;"><br>
</p>
<p style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px;">And that's just for nginx. Apache httpd, haproxy or F5 are also ways to handle this. Also you can run Oskari in a Tomcat environment or some other Java servlet container which changes
things as well :)<br>
</p>
<p><br>
</p>
<p>But basically to get started with Jetty running Oskari you should toggle the "forwarded" functionality on by uncommenting some xml here: <a href="https://github.com/oskariorg/sample-configs/blob/master/jetty/jetty-8.1.16-oskari/etc/jetty.xml#L41-L43">https://github.com/oskariorg/sample-configs/blob/master/jetty/jetty-8.1.16-oskari/etc/jetty.xml#L41-L43</a>
and configure something like nginx in front of it to handle TLS. We are passing some X-Forwarded-headers from nginx to Jetty so redirects are handled properly: <a href="https://github.com/oskariorg/sample-configs/blob/master/nginx/conf.d/default.conf#L52-L58">https://github.com/oskariorg/sample-configs/blob/master/nginx/conf.d/default.conf#L52-L58</a>.
You should also check that the value of oskari.domain in oskari-ext.properties points to the
<a href="https://peltodata.fi">https://peltodata.fi</a> <- note _https_. Looks like <a href="https://peltodata.fi">http://peltodata.fi</a> gives the landing page and <a href="https://peltodata.fi/" style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 16px; background-color: rgb(255, 255, 255);"></a><a href="http://peltodata.f">https://peltodata.f</a>i gives
the geoportal on your site.<br>
</p>
<p><br>
</p>
<p>For maplayers you need to register them using the https-address for the service. If the services don't support https you don't really have a choice but to use "forceProxy".<br>
</p>
<p><br>
</p>
<p>Hope this helps and ask away with follow-ups :)<br>
</p>
<p><br>
</p>
<p> Sami<br>
</p>
<p><br>
</p>
<div style="color: rgb(33, 33, 33);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>Lähettäjä:</b> Oskari-user <oskari-user-bounces@lists.osgeo.org> käyttäjän puolestaPetri Linna <petri.linna@tut.fi><br>
<b>Lähetetty:</b> 8. marraskuuta 2018 12:54<br>
<b>Vastaanottaja:</b> oskari-user@lists.osgeo.org<br>
<b>Aihe:</b> [Oskari-user] http to https</font>
<div> </div>
</div>
<div>
<div class="WordSection1">
<p class="MsoNormal">Hi</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span lang="EN-US">My question associate with how to install https correctly? I mean, which all settings-files we need to do changes?</span></p>
<p class="MsoNormal"><span lang="EN">If I log in or out from oskari or geoserver, it jumps to http. Layers’ data it tries to get from http. In oskari we putted to each layers “{"forceProxy":true}” and now browser not complain any more that data sources are
not safety.</span></p>
<p class="MsoNormal"><span lang="EN"> </span></p>
<p class="MsoNormal"><span lang="EN">Our service is www.peltodata.fi</span><span lang="EN-US"></span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal">Terveisin, Petri Linna<br>
</p>
<p class="MsoNormal">---</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Tampereen teknillinen yliopisto</p>
<p class="MsoNormal"><span lang="EN-US">PL300, 28100 PORI</span></p>
<p class="MsoNormal"><span lang="EN-US">work: +358 408262720</span></p>
<p class="MsoNormal"><a href="http://www.tut.fi/pori"><span lang="EN-US" style="color:blue">www.tut.fi/pori</span></a><span lang="EN-US"></span></p>
<p class="MsoNormal"><span style="">@petrilinna</span></p>
<p class="MsoNormal"><span style=""> </span></p>
<p class="MsoNormal"><span style="">Droonit maa- ja metsätaloudessa 29-30.11.2018:</span></p>
<p class="MsoNormal"><span style=""><a href="http://drones2018.utu.fi/"><span style="color:blue">http://drones2018.utu.fi/</span></a></span></p>
<p class="MsoNormal"><span style=""> </span></p>
<p class="MsoNormal"><span style="">Tampereen yliopisto ja Tampereen teknillinen yliopisto yhdistyvät 1.1.2019 uudeksi Tampereen yliopisto -nimiseksi säätiöyliopistoksi. Yhdessä Tampereen ammattikorkeakoulun kanssa ne muodostavat uuden korkeakouluyhteisön,
jonka osaamiskärjet ovat tekniikka, terveys ja yhteiskunta. </span><span style="font-family:"Arial",sans-serif"></span></p>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</body>
</html>