Enabling SSL (HTTPS) for Publicly Accessible Digital Repositories

Minimum Requirements

  1. Install Debian 11 (Follow the Steps in ………………… Page)
  2. Install DSpace 7.6.1 (Click Here to Install DSpace 7.6.1 on Debian 11)
  3. Obtain a domain or a subdomain from your system administrator (in my case I use anoop.kila.ac.in as my domain)
  4. Ask your system administrator to point that domain to the static IP where DSpace is installed. If you installed DSpace on a local server at your institution, ask your system administrator to point the domain to the static IP available at your institution, and to forward all requests arriving at that static IP for your newly created domain to the IP address of the local server where DSpace is installed
  5. Execute the steps below on the local server to serve the website over HTTPS

Setup Apache2 as Reverse Proxy

To configure Apache2 as a reverse proxy on Debian 11, you need to enable the necessary modules and set up a virtual host configuration.

Install and enable apache2
sudo apt install apache2 -y
sudo systemctl enable apache2
sudo systemctl start apache2

Verify that Apache works properly on port 80
Try to open http://your-ip-address in your web browser

Enable the required modules in Apache2
sudo a2enmod proxy_http ssl headers rewrite
sudo systemctl restart apache2

We are going to use Let's Encrypt, a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG), to serve our website over HTTPS.
Use Certbot to configure SSL on your server (steps are for Debian 11)
sudo apt update -y
sudo apt install snapd -y
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot certonly --apache

After the last step it will ask for an email ID for future communication. You can give your library email ID here and press Enter.

Then it will ask you to accept the terms and conditions and the EFF subscription. Type Y and press Enter for both.

Then it will ask for a domain name. Give your domain name here and press Enter (in my case anoop.kila.ac.in and www.anoop.kila.ac.in are the domains). If you are adding more than one domain, put a comma and a space between the additional domains.

It will create the certificate for the specified domain and show the certificate path on the screen. Please note the path; we need it in the configuration later.

Test the automatic renewal
The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:
sudo certbot renew --dry-run

Restart apache2 Service
sudo systemctl restart apache2

After the above configuration, verify that the domain works over HTTPS
Browse: https://your-domain-name

Create a virtual host in the Apache2 configuration to make Apache2 a reverse proxy for DSpace on Debian 11. Execute the command below

sudo nano /etc/apache2/sites-available/dspace.conf

The above command will open a blank file. Copy the lines below into that file, replace the content marked in red with your actual data, and save it


<VirtualHost *:80>
     ServerName anoop.kila.ac.in
     ServerAlias www.anoop.kila.ac.in
     ServerAdmin admin@kila.ac.in
     # Automatic redirection from http to https.
     # The target is the 443 virtual host below, not the frontend port 4000.
     Redirect permanent / https://anoop.kila.ac.in/
     RewriteEngine on
     #RewriteCond %{SERVER_NAME} =anoop.kila.ac.in
     #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
     ServerName anoop.kila.ac.in
     ServerAlias www.anoop.kila.ac.in
     ServerAdmin admin@kila.ac.in
     LogLevel warn
     ErrorLog ${APACHE_LOG_DIR}/anoop.kila.ac.in.error.log
     CustomLog ${APACHE_LOG_DIR}/anoop.kila.ac.in.access.log combined

     # Reverse proxy only. ProxyRequests enables forward proxying, which a
     # reverse proxy does not need; leaving it on makes the server an open proxy.
     ProxyRequests off
     SSLEngine on
     SSLProxyEngine on

     SSLCompression off
     SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
     SSLHonorCipherOrder off
     SSLSessionTickets off
     ProxyPreserveHost on
     RequestHeader set X-Forwarded-Proto https

     <Proxy *>
          AddDefaultCharset Off
          Require all granted
     </Proxy>

     # PROXY for backend. Keep only localhost here! Do not insert your domain name!
     ProxyPass /server http://localhost:8080/server
     ProxyPassReverse /server http://localhost:8080/server

     # PROXY for frontend. Keep only localhost here! Do not insert your domain name!
     ProxyPass / http://localhost:4000/
     ProxyPassReverse / http://localhost:4000/

     # The SSL configuration below is for Certbot. Please replace the paths with the actual path noted while creating the certificate
     # This Page is Created by Anoop P A, Technical Assistant, KILA, Kerala, anoop@kila.ac.in
     SSLCertificateFile /etc/letsencrypt/live/anoop.kila.ac.in/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/anoop.kila.ac.in/privkey.pem
     # Obsolete since Apache 2.4.8: fullchain.pem above already contains the chain
     SSLCertificateChainFile /etc/letsencrypt/live/anoop.kila.ac.in/chain.pem
     Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
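
A lint for a virtual host file of this kind, as an added example that is not part of the original page: it flags forward proxying left on, a ProxyPass backend that is not on localhost, and a port-80 redirect that points at a backend port instead of 443. The function names and the host repo.example.org are hypothetical, and the sample input is constructed.

```shell
# Added example, not from the original page: lint a reverse-proxy vhost.
# Reads a file argument or stdin; prints one finding per line, nothing if clean.
audit_vhost() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        { key = tolower($1) }
        # Forward proxying is never needed here; "on" turns Apache into an open proxy.
        key == "proxyrequests" && tolower($2) == "on" {
            print "open-forward-proxy line " NR ": " $1 " " $2
        }
        # Backends must stay on loopback, as the comments in the vhost insist.
        (key == "proxypass" || key == "proxypassreverse") && NF >= 3 {
            if ($3 !~ "^https?://(localhost|127\\.0\\.0\\.1)(:[0-9]+)?(/|$)")
                print "non-local-backend line " NR ": " $3
        }
        # Port 80 should redirect to the TLS listener, not to a backend port.
        key == "redirect" && match($NF, "^https://[^/:]+:[0-9]+") {
            port = substr($NF, RSTART, RLENGTH); sub(".*:", "", port)
            if (port != "443") print "redirect-to-backend-port line " NR ": " $NF
        }
    ' "$@"
}

# Constructed sample input (hypothetical host repo.example.org).
sample_risky() { cat <<'EOF'
<VirtualHost *:80>
    Redirect / https://repo.example.org:4000
</VirtualHost>
<VirtualHost *:443>
    ProxyRequests on
    ProxyPass /server http://repo.example.org:8080/server
    ProxyPass / http://localhost:4000/
</VirtualHost>
EOF
}
sample_fixed() { cat <<'EOF'
<VirtualHost *:80>
    Redirect permanent / https://repo.example.org/
</VirtualHost>
<VirtualHost *:443>
    ProxyRequests off
    ProxyPass /server http://localhost:8080/server
    ProxyPass / http://localhost:4000/
</VirtualHost>
EOF
}

echo "risky:"; sample_risky | audit_vhost
echo "fixed:"; sample_fixed | audit_vhost
```

To check the real file, pass its path: audit_vhost /etc/apache2/sites-available/dspace.conf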

Next we need to disable the default and unwanted virtual host files of Apache. Don't disable the Koha virtual host file if you plan to install Koha and DSpace on the same server
To check the available virtual hosts on your server, use the command below
ls /etc/apache2/sites-available/

Disable the Unwanted Virtual Hosts
sudo a2dissite 000-default.conf
sudo a2dissite 000-default-le-ssl.conf
sudo a2dissite default-ssl.conf

Enable the DSpace Virtual Host
sudo a2ensite dspace.conf

Restart apache2
sudo systemctl restart apache2

Now we need to make some changes in the DSpace configuration

Edit the Backend configuration
sudo nano /dspace/config/local.cfg

Edit the lines below: replace the part marked in blue with your actual data, remove the part marked in red, and change the address marked in green from http to https

dspace.server.url = http://your-domain-name:8080/server
dspace.ui.url = http://anoop.kila.ac.in:4000

OLD screenshot before changing

Screenshot After Change
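
The local.cfg change described above, as an added example that is not part of the original page. It assumes the parts to remove are the :8080 and :4000 ports, which matches the HTTPS addresses listed at the end of this page; the function names and the host repo.example.org are hypothetical, and the sample file is constructed.

```shell
# Added example, not from the original page: apply the local.cfg URL change.
# Rewrites only dspace.server.url and dspace.ui.url: http becomes https and the
# explicit backend port is dropped. Reads a file argument or stdin.
proxy_ready_cfg() {
    sed -E '/^[[:space:]]*dspace\.(server|ui)\.url[[:space:]]*=/ {
        s#=[[:space:]]*http://#= https://#
        s#(https://[^/:]+):[0-9]+#\1#
    }' "$@"
}

# Prints each URL property that would still bypass the proxy; nothing if clean.
check_cfg() {
    grep -E '^[[:space:]]*dspace\.(server|ui)\.url[[:space:]]*=' "$@" |
        grep -Ev '=[[:space:]]*https://[^/:]+(/|$)' || true
}

# Constructed sample local.cfg (hypothetical host repo.example.org).
sample_cfg() { cat <<'EOF'
dspace.dir = /dspace
dspace.server.url = http://repo.example.org:8080/server
dspace.ui.url = http://repo.example.org:4000
db.url = jdbc:postgresql://localhost:5432/dspace
EOF
}

echo "before (lines that still need the change):"; sample_cfg | check_cfg
echo "after:"; sample_cfg | proxy_ready_cfg
```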

Edit the Front-End Production Configuration File
nano /home/dspace/dspace-angular-dspace-7.6.1/config/config.prod.yml

It will open the file in a text editor. In it, change your UI host name from the IP address to localhost, the REST API SSL status from false to true, and the port from 8080 to 443

File Before Change

File After Change

Now the last steps
Stop the frontend via pm2
pm2 stop /home/dspace/dspace-angular-dspace-7.6.1/dspace-ui.json

Start the frontend again using pm2
pm2 start /home/dspace/dspace-angular-dspace-7.6.1/dspace-ui.json

Restart apache2
sudo systemctl restart apache2

Restart tomcat9
sudo systemctl restart tomcat9

Now browse the pages with HTTPS

https://anoop.kila.ac.in/server/oai/request?verb=Identify

https://anoop.kila.ac.in/server/#/server/api

https://anoop.kila.ac.in/