SSL

Mat Witts edited this page Aug 31, 2016 · 5 revisions
Clone this wiki locally

Setting up CKAN with SSL

Debugging Checklist

  1. Have you set ckan.site_url = "https://myinstance.com" in /etc/ckan/production.ini?
  2. Have you set proxy_set_header X-Forwarded-Proto $scheme; in the Nginx config file?

Apache configuration

Install mod_rpaf. This will show Apache logs with the actual IP address of the visitor than the IP address of the proxy.

sudo apt-get install libapache2-mod-rpaf

Use the following configuration in /etc/apache2/sites-available/ckan.conf

WSGISocketPrefix /var/run/wsgi
<VirtualHost 127.0.0.1:8080>

    ServerName myinstance.ckan.net
    ServerAlias www.myinstance.ckan.net
    WSGIScriptAlias / /etc/ckan/default/apache.wsgi

    # pass authorization info on (needed for rest api)
    WSGIPassAuthorization On

    # Deploy as a daemon (avoids conflicts between CKAN instances)
    WSGIDaemonProcess ckan_default display-name=ckan_default processes=2 threads=15

    WSGIProcessGroup ckan_default

    # Add this to avoid Apache show error: 
    # "AH01630: client denied by server configuration: /etc/ckan/default/apache.wsgi" 
    <Directory /etc/ckan/default>
    Options All
    AllowOverride All
    Require all granted
    </Directory>

    ErrorLog /var/log/apache2/ckan_default.error.log
    CustomLog /var/log/apache2/ckan_default.custom.log combined

    <IfModule mod_rpaf.c>
        RPAFenable On
        RPAFsethostname On
        RPAFproxy_ips 127.0.0.1
    </IfModule>
</VirtualHost>

Nginx configuration

Use the following Nginx configuration. TODO: This configuration needs to be updated for the latest standard from Mozilla SSL Config Generator

proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;
proxy_temp_path /tmp/nginx_proxy 1 2;

server {
    listen 80 default;
    server_name myintance.ckan.net;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    client_max_body_size 100M;
    ssl on;
    ssl_certificate      ssl/myinstance.ckan.net.crt;
    ssl_certificate_key  ssl/myinstance.ckan.net.key;
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
    keepalive_timeout    60;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_cache cache;
        proxy_cache_bypass $cookie_auth_tkt;
        proxy_no_cache $cookie_auth_tkt;
        proxy_cache_valid 30m;
        proxy_cache_key $host$scheme$proxy_host$request_uri;
        proxy_set_header X-Forwarded-Proto $scheme;

        # In emergency comment out line to force caching
        # proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
    }

}

(Optional) WWW to non-WWW SSL redirects

server {
    listen 80 default;
    server_name www.myintance.ckan.net
    return 301 https://myintance.ckan.net$request_uri;
}

server {
    listen 443 ssl;
    server_name www.myintance.ckan.net;

CKAN Configuration Change

Change ckan.site_url in /etc/ckan/production.ini to https://myintance.ckan.net.