
Starting CKAN over HTTPs using Apache and Nginx

Álvaro Arranz edited this page Feb 8, 2018 · 7 revisions

You can also use Apache and Nginx to serve your CKAN instance over HTTPS. The architecture is as follows:

  • Apache listens locally on port 8080 (HTTP).
  • Nginx listens on port 443 (HTTPS) and proxies all requests to Apache.

First, replace the content of the file /etc/ckan/default/apache.wsgi with the following:

import os
activate_this = os.path.join('/usr/lib/ckan/default/bin/activate_this.py')
execfile(activate_this, dict(__file__=activate_this))

from paste.deploy import loadapp

config_filepath = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'production.ini')
from paste.script.util.logging_config import fileConfig
fileConfig(config_filepath)
_application = loadapp('config:%s' % config_filepath)

def application(environ, start_response):
    environ['wsgi.url_scheme'] = environ.get('HTTP_X_URL_SCHEME', 'http')
    return _application(environ, start_response)

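The returned application is wrapped so that wsgi.url_scheme is set from the X-Url-Scheme request header (which WSGI exposes as HTTP_X_URL_SCHEME), defaulting to http when the header is absent. The proxy sets this header, as shown in the Nginx configuration below. Because the wrapper trusts whatever value arrives in that header, Apache must only be reachable through the proxy, which the following steps ensure.

Then replace the content of your Apache ports configuration (/etc/apache2/ports.conf) with the following. This configuration prevents Apache from listening on port 443 and ensures that CKAN is only accessible locally (the DataPusher listener on port 8800 is not restricted to localhost by this configuration):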

# CKAN
NameVirtualHost 127.0.0.1:8080
Listen 127.0.0.1:8080

# DataPusher
NameVirtualHost *:8800
Listen 8800

You also need to change the Apache site configuration to make CKAN accessible only locally. To do so, edit the file /etc/apache2/sites-available/ckan_default and replace the following line:

<VirtualHost *:8080>

with this one:

<VirtualHost 127.0.0.1:8080>

Next, replace the content of your Nginx site configuration (/etc/nginx/sites-available/ckan) with the following. The proxy adds the X-Url-Scheme header to tell CKAN which protocol the client used:

proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;
proxy_temp_path /tmp/nginx_proxy 1 2;

server {

    # "ssl on;" is obsolete in current Nginx; enable TLS on the listen directive
    listen 443 ssl;
    ssl_certificate /etc/apache2/ssl/crt/vhost1.crt;
    ssl_certificate_key /etc/apache2/ssl/key/vhost1.key;

    client_max_body_size 100M;
    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header X-Url-Scheme $scheme;
        proxy_set_header Host $host;
        proxy_cache cache;
        proxy_cache_bypass $cookie_auth_tkt;
        proxy_no_cache $cookie_auth_tkt;
        proxy_cache_valid 30m;
        proxy_cache_key $host$scheme$proxy_host$request_uri;
        # In an emergency, uncomment the next line to force caching
        # proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
    }

}

Optionally, you can create another server listening on port 80 (HTTP) that redirects users to the secure version. To do so, add the following to the file /etc/nginx/sites-available/ckan:

server {
    listen 80;
    server_name <YOUR_SERVER_NAME>;
    rewrite ^ https://$server_name$request_uri? permanent;
}

Finally, restart the services by running the following commands:

$ sudo service apache2 restart
$ sudo service nginx reload

You should now be able to access your CKAN instance at https://YOUR_HOST
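
The wrapper in apache.wsgi copies whatever X-Url-Scheme value arrives, so it is only as trustworthy as the loopback-only binding set up above. The following added example (not part of the original page or of CKAN) is a stricter wrapper that accepts only http or https, and only from a loopback peer; make_scheme_wrapper, TRUSTED_PROXIES and the echo app are hypothetical names, and the sample requests are constructed.

```python
# Added example, not CKAN's code: stricter variant of the apache.wsgi wrapper.
# TRUSTED_PROXIES and make_scheme_wrapper are names assumed for this sketch.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}   # Nginx runs on the same host
ALLOWED_SCHEMES = {"http", "https"}


def make_scheme_wrapper(app, trusted=TRUSTED_PROXIES):
    """Wrap a WSGI app so wsgi.url_scheme follows X-Url-Scheme only when the
    request came from a trusted proxy and the value is http or https."""
    def application(environ, start_response):
        scheme = "http"  # same default as the original wrapper
        header = environ.get("HTTP_X_URL_SCHEME", "").strip().lower()
        if environ.get("REMOTE_ADDR") in trusted and header in ALLOWED_SCHEMES:
            scheme = header
        environ["wsgi.url_scheme"] = scheme
        return app(environ, start_response)
    return application


def _echo_scheme_app(environ, start_response):
    """Constructed stand-in for CKAN: returns the scheme it was told about."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["wsgi.url_scheme"].encode("ascii")]


def scheme_seen_by_app(remote_addr, header=None):
    """Drive the wrapper with a constructed environ and return the scheme."""
    environ = {"REMOTE_ADDR": remote_addr, "REQUEST_METHOD": "GET"}
    if header is not None:
        environ["HTTP_X_URL_SCHEME"] = header
    wrapped = make_scheme_wrapper(_echo_scheme_app)
    body = wrapped(environ, lambda status, headers: None)
    return b"".join(body).decode("ascii")


if __name__ == "__main__":
    # Constructed requests: (peer address, X-Url-Scheme value)
    for peer, hdr in [("127.0.0.1", "https"), ("127.0.0.1", None),
                      ("203.0.113.7", "https"), ("127.0.0.1", "javascript")]:
        print(peer, repr(hdr), "->", scheme_seen_by_app(peer, hdr))
```

In apache.wsgi this would be used as application = make_scheme_wrapper(_application), replacing the hand-written application function.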