Minimum Requirements
- Install Debian 11
- Install Dspace 7.6.1 (Click Here to Install Dspace 7.6.1 on Debian 11)
- Obtain a domain or a sub domain from your system administrator (in my case I use anoop.kila.ac.in as my domain)
- Ask your system administrator to point that domain to your static ip where dspace is installed. In case if you installed the dspace in a local server at your institution ask your system administrator to point the domain to the static ip available at your institution and then ask him to point all hit coming to that static ip from your newly created domain may redirect to your Local server ip address where dspace is installed
- Execute the bellow steps in the local server to make the web site in https
Setup Apache2 as Reverse Proxy
To configure Apache2 as a reverse proxy on Debian 11, you’ll need to enable the necessary modules and set up a virtual host configuration
Install and enable apache2sudo apt install apache2 -ysudo systemctl enable apache2sudo systemctl start apache2
verify whether apache works properly on port 80
Try to open http://your-ip-address using your web browser
Enable required modes in Apache2sudo a2enmod proxy_http ssl headers rewritesystemctl restart apache2
We are Going to use Let’s Encrypt, a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). to make our Website Https
Use Certbot to configure SSL in your Server (Steps are for Debian 11)sudo apt update -ysudo apt install snapd -ysudo snap install coresudo snap refresh coresudo snap install --classic certbotsudo ln -s /snap/bin/certbot /usr/bin/certbotsudo certbot certonly --apache
After the last step it will ask for an email id for future communication you can give your library email id here and press enter
Then it will ask for terms and conditions and EFF Subscription type Y and Press Enter for Both
Then it will ask for a domain name you can give your domain name here and press enter( in my case anoop.kila.ac.in, www.anoop.kila.ac.in are the domains) if you are adding more domain please enter a coma and a space between the additional domains
It will create the certificate for the specified domain and you can see the certificate path on the screen . pl note the path. We need the path in our future configuration
Test the automatic renewal
The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration. You can test automatic renewal for your certificates by running this command:sudo certbot renew --dry-run
Restart apache2 Servicesudo systemctl restart apache2
Creating a Virtual Host in apache2 configuration to enable Apache2 as a reverse proxy for dspace in Debian 11 . Execute the bellow command
nano /etc/apache2/sites-available/dspace.conf
the above command will open a blank file . copy the bellow lines to that file and edit the content marked in red colour with your actual data and save it
<VirtualHost *:80>
ServerName anoop.kila.ac.in
ServerAlias www.anoop.kila.ac.in
ServerAdmin admin@kila.ac.in
#automatic redirection from http to https
Redirect / https://anoop.kila.ac.in:4000
RewriteEngine on
#RewriteCond %{SERVER_NAME} =anoop.kila.ac.in
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerName anoop.kila.ac.in
ServerAlias www.anoop.kila.ac.in
ServerAdmin admin@kila.ac.in
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/anoop.kila.ac.in.error.log
CustomLog ${APACHE_LOG_DIR}/anoop.kila.ac.in.access.log combined
ProxyRequests on
SSLEngine on
SSLProxyEngine on
SSLCompression off
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder off
SSLSessionTickets off
ProxyPreserveHost on
RequestHeader set X-Forwarded-Proto https
<Proxy *>
AddDefaultCharset Off
Require all granted
</Proxy>
# PROXY for backend. Keep only localhost here! not insert your domain name!
ProxyPass /server http://localhost:8080/server
ProxyPassReverse /server http://localhost:8080/server
# PROXY for frontend. Keep only localhost here! not insert your domain >
ProxyPass / http://localhost:4000/
ProxyPassReverse / http://localhost:4000/
#The Bellow SSL Configuration is for Certbot. Pl replace the Path using your actual path which we noted while creating ssl
#This Page is Created by Anoop P A, Technical Assistant, KILA, Kerala, anoop@kila.ac.in
SSLCertificateFile /etc/letsencrypt/live/anoop.kila.ac.in/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/anoop.kila.ac.in/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/anoop.kila.ac.in/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
Next we need to Disable Default and unwanted Virtual hosts files of Apache. Don’t disable koha virtual host file if you plan to install koha and dspace in same server
To check available virtual hosts in your server, use the below commandls /etc/apache2/sites-available/
Disable the Unwanted Virtual Hostssudo a2dissite 000-default.confsudo a2dissite 000-default-le-ssl.confsudo a2dissite default-ssl.conf
Enable Dspace Virtual hostsudo a2ensite dspace.conf
Restart apache2systemctl restart apache2
Now we need to do some changes in dspace configuration
Edit the Backend configurationsudo nano /dspace/config/local.cfg
Edit the Bello Line marked in blue with your actual data and remove the data marked in red, change the address from http to https which is marked in green
dspace.server.url = http://your-domain-name:8080/server
dspace.ui.url = http://anoop.kila.ac.in:4000
OLD screenshot before changing
Screenshot After Change
Edit the Front-End Production Configuration Filenano /home/dspace/dspace-angular-dspace-7.6.1/config/config.prod.yml
it will open a file in text editor in which change your ui host name from ip address to localhost and rest api ssl status from false to true and port address from 8080 to 443
File Before Change
File After Change
Now the Last steps
Stop the Frontend via pm2pm2 stop /home/dspace/dspace-angular-dspace-7.6.1/dspace-ui.json
Start the front again using pm2pm2 start /home/dspace/dspace-angular-dspace-7.6.1/dspace-ui.json
Restart apache2systemctl restart apache2
Restart tomcat9systemctl restart tomcat9
Now Browse the Pages with HTTPS
https://anoop.kila.ac.in/server/oai/request?verb=Identify
https://anoop.kila.ac.in/server/#/server/api
https://anoop.kila.ac.in/
Hello Sir,
I have a question. If I have only a public IP and I have no domain name and SSL certificate, can I configure my DSpace7 with apache2 or nginx for reverse proxy mechanism to access DSpace7 over the internet?
Thank you.
Dear Subrat Kumar Nanda,
Thank you for your message and for referring to the documentation at https://dspace.anoopkakkur.com/enabling-ssl-https-for-publicly-accessible-digital-repositories.
To address your query: If your DSpace installation allows users to log in using a username and password (via the standard web form, e.g., http://your-ip/dspace/password-login), then it is highly recommended—and strongly advised—to use HTTPS. Transmitting login credentials over plain HTTP exposes them in clear text, making them vulnerable to interception through packet sniffing or other forms of network monitoring, which are especially common in university and institutional networks.
This poses a serious security risk—not only for end users, but also for DSpace administrators who have full control over your repository. To mitigate this risk, it is essential to configure HTTPS (SSL/TLS) to encrypt communication and protect sensitive data such as passwords.
DSpace also supports enforcing SSL for all authenticated transactions, ensuring that passwords are only accepted over secure connections.
Therefore, we urge you to avoid using DSpace over plain HTTP, as it is inherently insecure. If obtaining a domain and SSL certificate is currently not feasible, consider using a self-signed SSL certificate as a temporary measure to ensure at least basic encryption.
That said, if you still wish to proceed with accessing DSpace via a public IP without SSL, you may follow the same documentation, skipping the SSL steps. In the reverse proxy configuration (VirtualHost block), you can replace the domain name with your public IP address.
Please note, however, that this method is not recommended and should only be used in non-production or internal environments with no sensitive data or user authentication involved.
How to point public ip to domain
If you’ve just obtained a public IP address (for example, from your VPS or home-server) and want visitors to reach it via your domain name, follow these simple steps: block with ServerName example.com (and ServerAlias http://www.example.com if needed).
1. Log in to your DNS provider
This is typically the registrar where you bought your domain (GoDaddy, Namecheap, Google Domains, etc.), or a dedicated DNS host (Cloudflare, AWS Route 53, DigitalOcean DNS, etc.).
2. Locate your domain’s DNS zone
In the dashboard, find “DNS Management,” “Zone File,” or simply “DNS Records” for your domain.
3. Create (or edit) an A record
o Host/Name:
Use @ to point the root domain (example.com).
Or enter www if you want http://www.example.com.
o Type: A
o Value: Your public IP (e.g. 203.0.113.42)
o TTL: 300–3600 seconds is typical (5–60 minutes). Lower TTL propagates faster but generates more DNS queries.
4. (Optional) Add a CNAME for “www”
If you want both example.com and http://www.example.com to resolve to the same IP, you can:
o Create a CNAME record with Host = www and Value = @ (or example.com).
5. Save your changes
Your DNS host will apply the new record immediately, but it can take up to 24 hours to fully propagate worldwide (usually much faster, often within minutes to a couple of hours).
6. Configure your web server
On the machine listening at that IP:
o Apache: ensure a
o Nginx: set server_name example.com http://www.example.com; in your server { … } block.
o Restart or reload your web-server so it serves the correct site.
7. Open your firewall
Make sure TCP port 80 (HTTP) and/or 443 (HTTPS) are allowed through your server’s firewall (iptables, UFW, firewalld, or cloud-provider security group).
If you’re a librarian, feel free to ask your IT team—they’re already familiar with this process and can get it done for you.
how to map proxmox with public ip and domain name