[Archivesspace_Users_Group] installing wildcard SSL cert, redirect http to https
Cook, Robert
rocook at seattleschools.org
Wed Dec 13 16:30:30 EST 2017
Brian,
For our deployment, we have F5 load-balancers. I configured an F5 virtual server object that listens on port 443 (SSL/HTTPS) for the public interface, and additional virtual servers for each respective port for each interface: Staff, Backend, Solr. I elected to use 443 for the public interface for ease of use for customers using AS.
https://<AS_URL>/
vs
http://<AS_URL>:8081/
The F5 NATs the “Client” connection to the “AS server”, with the connection between the “F5” and the “AS server” still being unencrypted (F5 acting as a HTTPS proxy).
I modified the config.rb to configure the application to use a different set of ports for the F5 connections to the server, while the client connections to the F5 use AS default ports (with the exception of 443 for the public interface). Then I wrote an HTTP URI rewrite rule (called an iRule in F5 land) to rewrite HTTP requests as HTTPS while maintaining the original requested URI string.
The path is:
Client <-- HTTPS --> F5 <-- HTTP --> AS Server
For the traffic between the F5 and the AS Server, the server is postured on our network in a way that we aren’t concerned about unencrypted traffic on the wire.
Referring back to the AS documentation: if you use Apache or some other method, you can install the proxy application on the same host as the AS server, and unencrypted traffic is never put onto the wire or leaves the server hosting the AS application, which is always preferred.
Thanks,
-Robbie
Robert Cook
Systems Engineer
Dept. of Technology Services
Seattle Public Schools
E: rocook at seattleschools.org
P: 206-252-0352 (Forwards to my cellphone)
From: archivesspace_users_group-bounces at lyralists.lyrasis.org [mailto:archivesspace_users_group-bounces at lyralists.lyrasis.org] On Behalf Of Jason Loeffler
Sent: Wednesday, December 13, 2017 12:38 PM
To: Archivesspace Users Group <archivesspace_users_group at lyralists.lyrasis.org>
Subject: Re: [Archivesspace_Users_Group] installing wildcard SSL cert, redirect http to https
Brian,
There is limited documentation in the README_HTTPS.md file.
https://github.com/archivesspace/archivesspace/blob/bf7849472b0fcb91961c91764f757681670dc204/README_HTTPS.md
The technical documentation team has plans for enhancing this documentation in 2018. You might reach out to one of its members if you're having trouble with the configuration.
https://archivesspace.atlassian.net/wiki/spaces/AC/pages/141197319/Tech+Docs+Workplan+for+2017-2018
Regards, Jason
Jason Loeffler
Technology Consultant | The American Academy in Rome
Minor Science | Application Development & Metadata Strategy
Brooklyn, New York
jason at minorscience.com
(347) 405-0826
minorscience (Skype)
On Tue, Dec 12, 2017 at 3:57 PM, Brian Slenk <slenkb at hope.edu> wrote:
Hello,
I have a new installation of an ArchivesSpace server. Is there a way with the Apache Solr web server to add an SSL wildcard certificate, and then redirect http to https for the public interface? I am not finding documentation if this is possible.
Brian
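Added example, not part of the thread or of the ArchivesSpace documentation: a minimal Apache 2.4 configuration for the same-host proxy layout described above, terminating TLS with a wildcard certificate and redirecting HTTP to HTTPS while keeping the requested URI. The hostname and certificate paths are placeholders, and the public interface is assumed to listen on its default port 8081 on the same machine.

```apache
# Constructed example: archives.example.org and the file paths are placeholders.
# Requires mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_alias.

# Port 80 exists only to redirect. Redirect (mod_alias) appends the rest of
# the requested path and keeps the query string, so deep links survive.
<VirtualHost *:80>
    ServerName archives.example.org
    Redirect permanent / https://archives.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName archives.example.org

    SSLEngine on
    # Wildcard certificate for *.example.org. Apache 2.4.8 or later reads the
    # intermediate chain from the same file; keep the key readable by root only.
    SSLCertificateFile      /etc/ssl/certs/wildcard.example.org.fullchain.pem
    SSLCertificateKeyFile   /etc/ssl/private/wildcard.example.org.key

    # This vhost is a reverse proxy only, never a forward proxy.
    ProxyRequests Off
    # Pass the client's Host header through and tell the application the
    # original request arrived over HTTPS.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # The plain-HTTP hop stays on the loopback interface, so unencrypted
    # traffic never leaves this host.
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>
```

With this layout, port 8081 should also be blocked from other hosts at the firewall so clients cannot bypass the TLS listener. The README_HTTPS.md linked in the thread covers the ArchivesSpace side of the configuration.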