Can login credentials to openemr be compromised via http since no encryption occurs?
If so, should we redirect http on the webserver to https?
It also seems that port 80 is necessary for ssl updates…so any advice greatly appreciated.
You’re certainly welcome to redirect – adjust the httpd.conf in the OpenEMR container and restart as you require, adding your certificates (if necessary) and your SSL certificates.
Paul:
Later today I will post the exact code you need to do this and the instructions on how to edit the files.
In future versions of OpenEMR, we are going to put this code in by default, but commented out.
Then all you’ll need to do is uncomment it (remove the hash character at the beginning of a few lines) and you’ll be good to go.
Not sure what the inference is in the last reply but…it's just an honest question.
I admit, I'm not so savvy with docker and getting into the containers to do command line work.
I hope all is well though, I have figured out before how to redirect http to https. The only thing holding me back is that I have to figure out how to get a command line working in the container to edit the config file.
If I may piggyback onto this previous question, although I’m not sure if my situation is an exact parallel:
I am a fairly new user (and a clinician, one-person shop, not an experienced Linux user) using the Cloud Express version. Thus far I’ve managed security group rules simply using the AWS website as interface, rather than through SSH.
So when I saw Chrome ver. 72 was giving me a “Not Secure” message in my address bar while logged into my instance, I figured that meant I was unwisely connecting via HTTP. The only solution I could think of was to delete the HTTP rule from Security Group inbound rules. My hope or assumption was that the instance would automatically start directing through HTTPS instead. But the result is I lose my connection to the instance entirely (“didn’t send any data/err_empty_response”).
Is there a way of directing through HTTPS through the AWS dashboard? Or are there instructions for the better-informed I might follow?
Thank you,
Peter
Paul, my deepest apologies. Code is here in this file. Check out lines 57-59. Requests to Port 80 are redirected to Port 443.
Not exactly sure Peter. Do you want to set up a call next week (sry it can’t be sooner) and we can diagnose the issue?
It’s either an issue with your Apache configuration on the server, or your Security Groups in AWS most likely.
If you can get into the apache docker through ssh, openemr-devops/packages/express at master · openemr/openemr-devops · GitHub, you can edit /etc/apache2/httpd.conf
and add this
<VirtualHost *:80>
Redirect permanent / https://mysite.example.com/
</VirtualHost>
then restart the docker
Stephen, Thanks for this hint. Still a little over my experience level, and actually having trouble accessing through SSH right now… Clearly I will need to skill up in this, going forward. Hoping to grab phone time as Dan suggested.
thx
Peter
Would also like to add this line:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
This tells the browser, assuming there is an SSL cert on the site, to always use SSL forever on the site moving forward. If the user goes to another browser or empties their cache, it will stop working until they visit again and get the header added once more, but it is also a good technique.
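An added example, not part of the original posts and not OpenEMR project code: a small Python check for the two settings discussed in this thread, the port-80 redirect and the HSTS header, run over constructed response headers. The function names and sample responses are assumptions made for illustration; the host name is the placeholder used in the thread.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # max-age value quoted in the thread


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a directive dict."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def audit(host, http_resp, https_resp):
    """Return a list of findings; each response is (status, headers dict)."""
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 308):
        findings.append(f"port 80 answers {status}, not a permanent redirect")
    elif target.scheme != "https" or target.hostname != host:
        findings.append(f"port 80 redirects to {headers.get('location')!r}")
    if "strict-transport-security" in headers:
        # Browsers ignore HSTS received over plain http (RFC 6797).
        findings.append("HSTS sent over http is ignored; set it on the 443 vhost")
    _, headers = https_resp
    headers = {k.lower(): v for k, v in headers.items()}
    max_age = parse_hsts(headers.get("strict-transport-security", "")).get("max-age", "")
    if not max_age.isdigit():
        findings.append("https response has no usable HSTS max-age")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")
    return findings


# Constructed sample responses (not captured from a real server).
GOOD = ((301, {"Location": "https://mysite.example.com/"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}))
BAD = ((200, {"Strict-Transport-Security": "max-age=31536000"}),
       (200, {"Strict-Transport-Security": "max-age=300"}))

if __name__ == "__main__":
    for label, (plain, tls) in (("good", GOOD), ("bad", BAD)):
        print(label, audit("mysite.example.com", plain, tls) or "ok")
```

The BAD sample shows the common misplacement: the header is present, but on the port-80 response where the browser discards it.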