Enable HTTPS using Apache httpd
Using Nginx as reverse proxy for Opencast is the preferred way of running Opencast. Refer to the Nginx guide for configuration instructions for that type of setup.
This guide will help you to configure httpd to act as HTTP(S) proxy for Opencast.
Opencast Configuration
Make sure to use https
as protocol for org.opencastproject.server.url
in etc/custom.properties
.
org.opencastproject.server.url=https://example.opencast.org
No other configuration is required. Do not enable TLS in Opencast. Listen to local connections only. Both are the default settings.
Minimal Set-up
Note that this guide does not give any security advice but is meant to provide a minimal working example which works well with Opencast.
The following configuration is an example for /etc/httpd/conf.d/opencast.conf
.
Note that depending on your distributions packaging, often conf.d
or sites-enabled
directories are used.
Adjust the file path accordingly.
Explanations for the configuration directives are provided inline. Please make sure to replace example.opencast.org
with your node's domain name.
The main goals of this set-up are:
- Always redirect to HTTPS
- Proxy to Opencast and take care of TLS
- Avoid caching
<VirtualHost *:80>
ServerName example.opencast.org
RewriteEngine on
RewriteRule ^/(.*)$ https://example.opencast.org/$1 [NC]
</VirtualHost>
<VirtualHost *:443>
ServerName example.opencast.org
# Enable TLS
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/ssl/certs/oc-cert.crt
SSLCertificateKeyFile /etc/ssl/private/oc-key.key
SSLCertificateChainFile /etc/ssl/certs/oc-chain.crt
# Make sure Opencast knows about HTTPS being used
RequestHeader set X-Forwarded-SSL "on"
RequestHeader set X-Forwarded-Proto "https"
# Make sure to serve cookies only via secure connections.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Depending on your integration, you may also want to allow cookies
# to be used on other sites. In that case, use this instead:
#Header edit Set-Cookie ^(.*)$ $1; HttpOnly; Secure; SameSite=None
# Proxy requests to Opencast
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://example.opencast.org
</VirtualHost>