Mat Witts edited this page Aug 31, 2016 · 5 revisions
Clone this wiki locally

Setting up CKAN with SSL

Debugging Checklist

  1. Have you set ckan.site_url = "" in /etc/ckan/production.ini?
  2. Have you set proxy_set_header X-Forwarded-Proto $scheme; in the Nginx config file?

Apache configuration

Install mod_rpaf. This will show Apache logs with the actual IP address of the visitor than the IP address of the proxy.

sudo apt-get install libapache2-mod-rpaf

Use the following configuration in /etc/apache2/sites-available/ckan.conf

WSGISocketPrefix /var/run/wsgi

    WSGIScriptAlias / /etc/ckan/default/apache.wsgi

    # pass authorization info on (needed for rest api)
    WSGIPassAuthorization On

    # Deploy as a daemon (avoids conflicts between CKAN instances)
    WSGIDaemonProcess ckan_default display-name=ckan_default processes=2 threads=15

    WSGIProcessGroup ckan_default

    # Add this to avoid Apache show error: 
    # "AH01630: client denied by server configuration: /etc/ckan/default/apache.wsgi" 
    <Directory /etc/ckan/default>
    Options All
    AllowOverride All
    Require all granted

    ErrorLog /var/log/apache2/ckan_default.error.log
    CustomLog /var/log/apache2/ckan_default.custom.log combined

    <IfModule mod_rpaf.c>
        RPAFenable On
        RPAFsethostname On

Nginx configuration

Use the following Nginx configuration. TODO: This configuration needs to be updated for the latest standard from Mozilla SSL Config Generator

proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;
proxy_temp_path /tmp/nginx_proxy 1 2;

server {
    listen 80 default;
    return 301 https://$server_name$request_uri;

server {
    listen 443 ssl;
    client_max_body_size 100M;
    ssl on;
    ssl_certificate      ssl/;
    ssl_certificate_key  ssl/;
    ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
    keepalive_timeout    60;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_cache cache;
        proxy_cache_bypass $cookie_auth_tkt;
        proxy_no_cache $cookie_auth_tkt;
        proxy_cache_valid 30m;
        proxy_cache_key $host$scheme$proxy_host$request_uri;
        proxy_set_header X-Forwarded-Proto $scheme;

        # In emergency comment out line to force caching
        # proxy_ignore_headers X-Accel-Expires Expires Cache-Control;


(Optional) WWW to non-WWW SSL redirects

server {
    listen 80 default;
    return 301$request_uri;

server {
    listen 443 ssl;

CKAN Configuration Change

Change ckan.site_url in /etc/ckan/production.ini to