[Archivesspace_Users_Group] HTTPS for login/staff interface

Tue Nov 19 15:34:59 EST 2013

Hi Cory,

Unfortunately we don't have any specific documentation at the moment about deploying ArchivesSpace using HTTPS, we'll be prioritizing the creation of this documentation in the next few weeks.

Best,

Mark A. Matienzo | mark.matienzo at nyu.edu
Technical Architect, ArchivesSpace
http://archivesspace.org/

On Nov 19, 2013, at 11:10 AM, Cory Nimer <cory_nimer at byu.edu> wrote:

> As we have been getting LDAP set up for our local ArchivesSpace instance, our IT staff have raised a number of questions about the security of the login process, as well as the use of the staff interface. I have included portions of their comments below:
> Forwarded message:
> 
> On Friday, November 15, 2013 at 10:25 AM, David Brownell wrote:
> 
> Subject: RE: archivesspace and ldap and SSL
> 
> archivesspace doesn't proxy nicely so it's nearly impossible to secure. I think it is still possible to proxy if it has its own IP address but DS1 [our web application server] already has 4 and I'm not sure I'm willing to do that for this.  It makes the whole thing less maintainable.
> 
> It needs to be at the path's root because it does things like send you to /login. So I can't have it be /archivesspace (because it doesn't send you to /archivesspace/login).  I have not seen any way to change the path of the thing, so that I can have it live on /archivesspace/blah.  Do you know of a way to change that?  I messed with the config.rb frontend_url but it's NOT a URL, it's only looking at the host and port.  Not the path!
> 
> That said, I can work on LDAP authentication, but without a means of a secure connection, I don't want to do that and expose peoples password in plaintext.
> 
> What are your thoughts? 
> 
> P.S. When I say "context" I mean the stuff after the server.  For example, If I gave a url  -- http://ds1.lib.byu.edu:9080/blah -- /blah would be the context.
>  
> 
> Sent: Monday, November 18, 2013 9:37 AM
>  
> I don’t know of a way to change it so it can live on /archivespace/blah. I think the url structure is pretty well baked in. It sounds like we might need to have a dedicated IP address. It doesn’t necessarily need to live on DS1, if that helps.
> 
> Date: Monday, November 18, 2013 at 9:53:13 AM
> 
> It's really, really important that HTTP-listening applications that accept a password have the ability to do HTTPS.  archivesspace needs to have the ability to listen on HTTPS with the ability to use a signed certificate for the communication.
>  
> Are there configuration options for making the login/staff interface available over HTTPS? Is this something that is expected to change in future versions of the software? And how should we advise our IT staff on setting this up on the server?
>  
> Thanks for your guidance,
>  
> Cory Nimer
> Manuscripts Cataloger/Metadata Specialist
> Brigham Young University
> 1108 HBLL
> (801) 422-6091
>  
> _______________________________________________
> Archivesspace_Users_Group mailing list
> Archivesspace_Users_Group at lyralists.lyrasis.org
> http://lyralists.lyrasis.org/mailman/listinfo/archivesspace_users_group

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lyralists.lyrasis.org/pipermail/archivesspace_users_group/attachments/20131119/3eedc7f5/attachment.html>