
Starting CKAN over HTTPS using Apache

Álvaro Arranz edited this page Feb 8, 2018 · 12 revisions

CKAN uses Nginx and Apache2 by default. However, this page explains how to deploy CKAN over HTTPS using only an Apache server (Nginx is only used as a cache server, so do not worry). First of all, you have to stop the Nginx server:

$ sudo service nginx stop

Note that the nginx service will start again every time you reboot your machine. If you want to avoid this, execute the following command:

$ sudo update-rc.d -f nginx remove

Once the Nginx server is stopped, the Apache configuration has to be modified. First, edit the file /etc/apache2/ports.conf and replace the following two lines:

NameVirtualHost *:8080
Listen 8080

with these:

# CKAN
NameVirtualHost *:443
Listen 443

Then, we have to modify the site configuration. To do so, open the file /etc/apache2/sites-available/ckan_default and replace its content with the following:

WSGISocketPrefix /var/run/wsgi
<VirtualHost 0.0.0.0:443>

    ServerName <SERVER_NAME>
    ServerAlias <SERVER_ALIAS>
    WSGIScriptAlias / /etc/ckan/default/apache.wsgi

    # pass authorization info on (needed for rest api)
    WSGIPassAuthorization On

    # Deploy as a daemon (avoids conflicts between CKAN instances)
    WSGIDaemonProcess ckan_default display-name=ckan_default processes=2 threads=15

    WSGIProcessGroup ckan_default

    ErrorLog /var/log/apache2/ckan_default.error.log
    CustomLog /var/log/apache2/ckan_default.custom.log combined

    SSLEngine On
    SSLCertificateFile <PATH_TO_YOUR_CERTIFICATE_FILE>
    SSLCertificateKeyFile <PATH_TO_YOUR_KEY_FILE>

    # SSLv3 is disabled as well as SSLv2 (SSLv3 is deprecated by RFC 7568)
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    SSLHonorCipherOrder     on
    SSLCompression          off


</VirtualHost>

Optionally, you can create a second virtual host listening on port 80 (HTTP) to redirect users automatically to the secure version. To achieve this, add the following content to the file /etc/apache2/ports.conf:

NameVirtualHost *:80
Listen 80

and the following lines to the file /etc/apache2/sites-available/ckan_default:

# Redirection to the secure version
<VirtualHost 0.0.0.0:80>
    ServerName <SERVER_NAME>
    Redirect permanent / https://<SERVER_NAME>/
</VirtualHost>

Finally, run these commands:

$ sudo a2enmod ssl
$ sudo service apache2 restart

Now you should be able to access your CKAN instance at https://YOUR_HOST
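
A check that can be run on /etc/apache2/sites-available/ckan_default before the restart step. This is an added example, not part of the original wiki page or of CKAN: `audit_vhost` and `sample_vhost` are hypothetical helper names, and the sample host name and certificate paths are constructed. Besides the directives set on this page, it also reports SSLv2/SSLv3 as enabled when `SSLProtocol` does not exclude them.

```shell
# Added example (not from the CKAN wiki). audit_vhost is a hypothetical helper:
# it prints one line per finding and returns the number of findings.
audit_vhost() {
    findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }
    body=$(sed 's/#.*//' "$1")          # ignore commented-out directives
    has() { printf '%s\n' "$body" | grep -Eiq "^[[:space:]]*$1"; }

    has 'SSLEngine[[:space:]]+on' || flag "SSLEngine is not On"
    has 'SSLCompression[[:space:]]+off' || flag "SSLCompression is not off"
    has 'SSLHonorCipherOrder[[:space:]]+on' || flag "SSLHonorCipherOrder is not on"
    has '.*<(SERVER_NAME|SERVER_ALIAS|PATH_TO_YOUR_[A-Z_]+)>' &&
        flag "a <PLACEHOLDER> from the template was not replaced"

    # "all" is treated conservatively as including SSLv2 and SSLv3; what it really
    # enables depends on the Apache/OpenSSL build. Assumes one SSLProtocol line.
    proto=$(printf '%s\n' "$body" | grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' |
            tr -s '[:space:]' ' ' | tr 'A-Z' 'a-z')
    [ -n "$proto" ] || flag "no SSLProtocol directive"
    for p in sslv2 sslv3; do
        case " $proto " in
            *" -$p "*) ;;                                 # explicitly disabled
            *" all "*|*" +$p "*|*" $p "*) flag "$p is enabled" ;;
        esac
    done

    suite=$(printf '%s\n' "$body" | grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' || true)
    for x in aNULL eNULL EXPORT DES RC4 MD5 PSK; do
        case "$suite" in *"!$x"*) ;; *) flag "SSLCipherSuite does not exclude $x" ;; esac
    done
    return "$findings"
}

# Constructed sample: this page's TLS directives with made-up host and paths.
sample_vhost() {            # $1 = value for SSLProtocol
    cat <<EOF
<VirtualHost 0.0.0.0:443>
    ServerName ckan.example.org
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/ckan.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/ckan.example.org.key
    SSLProtocol             $1
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    SSLHonorCipherOrder     on
    SSLCompression          off
</VirtualHost>
EOF
}
tmp=$(mktemp); sample_vhost "all -SSLv2" > "$tmp"
audit_vhost "$tmp" || echo "$? finding(s)"; rm -f "$tmp"
```

On a real host, call `audit_vhost /etc/apache2/sites-available/ckan_default` and restart Apache only when it returns 0.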