Mat Witts edited this page Aug 31, 2016 · 5 revisions

Setting up CKAN with SSL

Debugging Checklist

  1. Have you set ckan.site_url = "https://myinstance.com" in /etc/ckan/production.ini?
  2. Have you set proxy_set_header X-Forwarded-Proto $scheme; in the Nginx config file?

Apache configuration

Install mod_rpaf. With it, the Apache logs show the actual IP address of the visitor rather than the IP address of the proxy.

sudo apt-get install libapache2-mod-rpaf

Use the following configuration in /etc/apache2/sites-available/ckan.conf

WSGISocketPrefix /var/run/wsgi
<VirtualHost 127.0.0.1:8080>

    ServerName myinstance.ckan.net
    ServerAlias www.myinstance.ckan.net
    WSGIScriptAlias / /etc/ckan/default/apache.wsgi

    # pass authorization info on (needed for rest api)
    WSGIPassAuthorization On

    # Deploy as a daemon (avoids conflicts between CKAN instances)
    WSGIDaemonProcess ckan_default display-name=ckan_default processes=2 threads=15

    WSGIProcessGroup ckan_default

    # Add this to avoid the Apache error:
    # "AH01630: client denied by server configuration: /etc/ckan/default/apache.wsgi"
    <Directory /etc/ckan/default>
        Options All
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog /var/log/apache2/ckan_default.error.log
    CustomLog /var/log/apache2/ckan_default.custom.log combined

    <IfModule mod_rpaf.c>
        RPAFenable On
        RPAFsethostname On
        RPAFproxy_ips 127.0.0.1
    </IfModule>
</VirtualHost>

Nginx configuration

Use the following Nginx configuration. TODO: this configuration needs to be updated to the current recommendations from the Mozilla SSL Config Generator.

proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;
proxy_temp_path /tmp/nginx_proxy 1 2;

server {
    listen 80 default;
    server_name myinstance.ckan.net;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    client_max_body_size 100M;
    ssl_certificate      ssl/myinstance.ckan.net.crt;
    ssl_certificate_key  ssl/myinstance.ckan.net.key;
    # TODO (see note above): TLSv1/TLSv1.1 and the RC4 suites below are deprecated;
    # regenerate these two directives with the Mozilla SSL Config Generator
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
    keepalive_timeout    60;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_cache cache;
        proxy_cache_bypass $cookie_auth_tkt;
        proxy_no_cache $cookie_auth_tkt;
        proxy_cache_valid 30m;
        proxy_cache_key $host$scheme$proxy_host$request_uri;
        proxy_set_header X-Forwarded-Proto $scheme;

        # In an emergency, uncomment the next line to force caching even when the
        # upstream sends Expires / Cache-Control headers that forbid it
        # proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
    }

}
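What the X-Forwarded-Proto and X-Forwarded-For headers set by Nginx above do for the WSGI application behind it, and why they must only be honoured when the request arrives from the proxy itself (the same trust boundary RPAFproxy_ips draws in the Apache config): an added illustration, not CKAN's own code. The middleware, echo app and trusted address list are assumptions made for the example.

```python
# Added example (not CKAN's own code): WSGI middleware that restores the
# client's real scheme and address from the proxy headers, but only when the
# request comes from the trusted proxy (127.0.0.1 in the configs above).


class ForwardedHeadersMiddleware:
    """Apply X-Forwarded-Proto / X-Forwarded-For from a trusted proxy only."""

    def __init__(self, app, trusted_proxies=("127.0.0.1",)):
        self.app = app
        self.trusted_proxies = set(trusted_proxies)

    def __call__(self, environ, start_response):
        # A client connecting directly could forge these headers, so they are
        # ignored unless the TCP peer is the proxy that terminated TLS.
        if environ.get("REMOTE_ADDR") in self.trusted_proxies:
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
            forwarded_for = environ.get("HTTP_X_FORWARDED_FOR", "")
            if forwarded_for:
                # Nginx above sends a single address ($remote_addr); take the
                # first entry in case an upstream proxy appended a list.
                environ["REMOTE_ADDR"] = forwarded_for.split(",")[0].strip()
        return self.app(environ, start_response)


def echo_app(environ, start_response):
    """Stand-in for CKAN: reports the scheme and client address it sees."""
    body = "%s %s" % (environ["wsgi.url_scheme"], environ["REMOTE_ADDR"])
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]


def run_request(app, remote_addr, headers):
    """Drive `app` with a constructed WSGI environ; return the body text."""
    environ = {"wsgi.url_scheme": "http", "REMOTE_ADDR": remote_addr,
               "PATH_INFO": "/", "REQUEST_METHOD": "GET"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return b"".join(app(environ, lambda status, hdrs: None)).decode()


app = ForwardedHeadersMiddleware(echo_app)

if __name__ == "__main__":
    # Relayed by Nginx on localhost: headers are honoured -> "https 203.0.113.7"
    print(run_request(app, "127.0.0.1", {"X-Forwarded-Proto": "https",
                                         "X-Forwarded-For": "203.0.113.7"}))
    # Same header straight from an untrusted peer: ignored -> "http 203.0.113.7"
    print(run_request(app, "203.0.113.7", {"X-Forwarded-Proto": "https"}))
```

Without the proxy_set_header X-Forwarded-Proto line, the app would see "http" for every request and build http:// links and redirects, which is the failure the checklist at the top of this page targets.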

(Optional) WWW to non-WWW SSL redirects

server {
    listen 80;
    server_name www.myinstance.ckan.net;
    return 301 https://myinstance.ckan.net$request_uri;
}

server {
    listen 443 ssl;
    server_name www.myinstance.ckan.net;
    # The certificate used here must also be valid for the www name
    ssl_certificate      ssl/myinstance.ckan.net.crt;
    ssl_certificate_key  ssl/myinstance.ckan.net.key;
    return 301 https://myinstance.ckan.net$request_uri;
}

CKAN Configuration Change

Change ckan.site_url in /etc/ckan/production.ini to https://myinstance.ckan.net.
