Re: [Dspace-tech] Turning SSL on with self-signed certificate breaks solr functionality
On Thu, Apr 9, 2015 at 5:10 PM, Chris Gray wrote:

> We're using DSpace 5.1 and when we turn on SSL as per the instructions
> in the installation documentation then browsing and RSS feeds break.
>
> Looking at the localhost access logs it looks like requests to solr on
> 127.0.0.1 return a 302 status rather than 200.

If you're forcing HTTPS and redirects are causing problems, why don't you configure DSpace to talk to Solr via HTTPS?

server=https://localhost:8080/solr/statistics
in [dspace]/config/modules/solr-statistics.cfg.

solr.url=https://localhost:8080/solr/oai
in [dspace]/config/modules/oai.cfg

and

search.server=https://localhost:8080/solr/search
in [dspace]/config/modules/discovery.cfg

All of these can be changed at once at build time by changing

solr.server=https://localhost:8080/solr
in [dspace-source]/build.properties

> Using wget from the command line I'm told I need to add the
> --no-check-certificate parameter.

All works as expected here, tools like wget and curl want you to explicitly acknowledge that you want to skip certificate chain validation. If you're using these often, make an alias:

alias wget='wget --no-check-certificate'

> Is there a way to have tomcat7 force 8080 traffic to 8443 only for the
> hostname and public IP address and not for localhost and 127.0.0.1?

I just did some research and I don't think Tomcat can do this on its own.

1) You can only have a single in configuration per Tomcat instance as it's the application (Tomcat) as a whole which binds to an IP/port
2) isn't helpful here, either
3) you can't (which forces the redirect) twice with the same port number

Since you're using 8080, this probably means you're running a web server as a frontend to Tomcat, you could take care of it there as Stuart suggests.

Another solution would be to have another Connector on another port number which doesn't force the redirect to HTTPS. While you can't disallow non-localhost access to this in Tomcat (due to 1) above), you could restrict it using iptables or other methods.

Regards,
~~helix84

Compulsory reading: DSpace Mailing List Etiquette
https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette

--
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette
Re: [Dspace-tech] Turning SSL on with self-signed certificate breaks solr functionality
We do HTTPS by putting apache HTTPD in front of tomcat. Tomcat works in pure-HTTP (but is not accessible from the network) and HTTPD proxies tomcat on HTTP and HTTPS as necessary.

cheers
stuart

--
I have a new phone number: 04 463 5692
https://www.facebook.com/VUWLibrary / https://www.facebook.com/TKMPC

From: Chris Gray
Sent: Friday, 10 April 2015 3:10 a.m.
To: dspace-tech@lists.sourceforge.net
Subject: [Dspace-tech] Turning SSL on with self-signed certificate breaks solr functionality

We're using DSpace 5.1 and when we turn on SSL as per the instructions in the installation documentation then browsing and RSS feeds break.

Looking at the localhost access logs it looks like requests to solr on 127.0.0.1 return a 302 status rather than 200.

Using wget from the command line I'm told I need to add the --no-check-certificate parameter.

Is there a way to have tomcat7 force 8080 traffic to 8443 only for the hostname and public IP address and not for localhost and 127.0.0.1?

Chris
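The layout Stuart describes (TLS terminated in Apache HTTPD, Tomcat on plain HTTP and unreachable from the network), sketched as an added example that is not part of the original thread or anyone's actual configuration. The hostname repo.example.org, the certificate paths and the /xmlui context are placeholders, and forcing port 80 to HTTPS is one choice among those the thread discusses.

```apache
# Added example, not from the thread. Placeholders: repo.example.org, the
# certificate paths, and the /xmlui webapp context.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers (Apache 2.4 syntax).
#
# Tomcat side (server.xml), shown as a comment: one plain-HTTP connector
# bound to loopback, with no HTTPS redirect configured inside Tomcat:
#   <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1" />
# DSpace can then reach Solr over http://localhost:8080/solr on loopback, so
# that hop sees neither a 302 nor the self-signed certificate.

# Public port 80: send every request to HTTPS.
<VirtualHost *:80>
    ServerName repo.example.org
    Redirect permanent / https://repo.example.org/
</VirtualHost>

# Public port 443: terminate TLS here and proxy to Tomcat on loopback.
<VirtualHost *:443>
    ServerName repo.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/repo.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/repo.example.org.key

    # Keep the Solr cores off the public side even if a broader ProxyPass
    # is added later; exclusions must come before the rules they override.
    ProxyPass /solr !
    <Location /solr>
        Require all denied
    </Location>

    # Tell the webapp the original scheme and host so generated links
    # stay on https://repo.example.org/.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        /xmlui http://127.0.0.1:8080/xmlui
    ProxyPassReverse /xmlui http://127.0.0.1:8080/xmlui
</VirtualHost>
```

With this split, certificate handling lives only in HTTPD, and local tools querying Solr on 127.0.0.1:8080 need no --no-check-certificate.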
[Dspace-tech] Turning SSL on with self-signed certificate breaks solr functionality
We're using DSpace 5.1 and when we turn on SSL as per the instructions in the installation documentation then browsing and RSS feeds break.

Looking at the localhost access logs it looks like requests to solr on 127.0.0.1 return a 302 status rather than 200.

Using wget from the command line I'm told I need to add the --no-check-certificate parameter.

Is there a way to have tomcat7 force 8080 traffic to 8443 only for the hostname and public IP address and not for localhost and 127.0.0.1?

Chris