David Cook
ce90d65603
This patch adds some commented Elasticsearch security configuration, which shows how to use username/password with HTTPS. Test plan: 0. Apply patch 1. cp debian/templates/koha-conf-site.xml.in /etc/koha/koha-conf-site.xml.in 2. koha-create --create-db test 3. vi /etc/koha/sites/test/koha-conf.xml 4. Note that the comments for userinfo and use_https are in the koha-conf.xml Signed-off-by: Magnus Enger <magnus@libriotech.no> Works as advertised. Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
306 lines
13 KiB
XML
306 lines
13 KiB
XML
|
|
<yazgfs>
|
|
<!-- [scheme:]host[:port][/databaseName] -->
|
|
<!-- scheme: tcp, ssl, unix, http, sru -->
|
|
<!-- can run all servers on tcp, but the unix socket is faster -->
|
|
|
|
<listen id="biblioserver" >unix:__ZEBRA_RUN_DIR__/bibliosocket</listen>
|
|
<listen id="authorityserver" >unix:__ZEBRA_RUN_DIR__/authoritysocket</listen>
|
|
|
|
<!-- Uncomment the following entry if you want to run the public Z39.50 server.
|
|
Also uncomment the <server> and <serverinfo> sections for id 'publicserver'
|
|
under PUBLICSERVER'S BIBLIOGRAPHIC RECORDS title-->
|
|
<!--
|
|
<listen id="publicserver" >tcp:@:__ZEBRA_SRU_BIBLIOS_PORT__</listen>
|
|
-->
|
|
|
|
<!-- BIBLIOGRAPHIC RECORDS -->
|
|
<server id="biblioserver" listenref="biblioserver">
|
|
<directory>__ZEBRA_DATA_DIR__/biblios</directory>
|
|
<config>__ZEBRA_CONF_DIR__/__ZEBRA_BIB_CFG__</config>
|
|
<cql2rpn>__ZEBRA_CONF_DIR__/pqf.properties</cql2rpn>
|
|
<xi:include href="__KOHA_CONF_DIR__/zebradb/__BIB_RETRIEVAL_CFG__" xmlns:xi="http://www.w3.org/2001/XInclude"/>
|
|
<xi:include href="__KOHA_CONF_DIR__/zebradb/explain-biblios.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
|
|
</server>
|
|
<serverinfo id="biblioserver">
|
|
<ccl2rpn>__ZEBRA_CONF_DIR__/ccl.properties</ccl2rpn>
|
|
<user>__ZEBRA_USER__</user>
|
|
<password>__ZEBRA_PASS__</password>
|
|
</serverinfo>
|
|
|
|
<!-- AUTHORITY RECORDS -->
|
|
<server id="authorityserver" listenref="authorityserver" >
|
|
<directory>__ZEBRA_DATA_DIR__/authorities</directory>
|
|
<config>__ZEBRA_CONF_DIR__/__ZEBRA_AUTH_CFG__</config>
|
|
<cql2rpn>__ZEBRA_CONF_DIR__/pqf.properties</cql2rpn>
|
|
<xi:include href="__KOHA_CONF_DIR__/zebradb/__AUTH_RETRIEVAL_CFG__" xmlns:xi="http://www.w3.org/2001/XInclude"/>
|
|
<xi:include href="__KOHA_CONF_DIR__/zebradb/explain-authorities.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
|
|
</server>
|
|
<serverinfo id="authorityserver">
|
|
<ccl2rpn>__ZEBRA_CONF_DIR__/ccl.properties</ccl2rpn>
|
|
<user>__ZEBRA_USER__</user>
|
|
<password>__ZEBRA_PASS__</password>
|
|
</serverinfo>
|
|
|
|
<!-- PUBLICSERVER'S BIBLIOGRAPHIC RECORDS -->
|
|
<!--
|
|
<server id="publicserver" listenref="publicserver">
|
|
<directory>__ZEBRA_DATA_DIR__/biblios</directory>
|
|
<config>__ZEBRA_CONF_DIR__/__ZEBRA_BIB_CFG__</config>
|
|
<cql2rpn>__ZEBRA_CONF_DIR__/pqf.properties</cql2rpn>
|
|
<xi:include href="__KOHA_CONF_DIR__/zebradb/__BIB_RETRIEVAL_CFG__" xmlns:xi="http://www.w3.org/2001/XInclude"/>
|
|
<xi:include href="__KOHA_CONF_DIR__/zebradb/explain-biblios.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
|
|
</server>
|
|
<serverinfo id="publicserver">
|
|
<ccl2rpn>__ZEBRA_CONF_DIR__/ccl.properties</ccl2rpn>
|
|
<user>__ZEBRA_USER__</user>
|
|
<password>__ZEBRA_PASS__</password>
|
|
</serverinfo>
|
|
-->
|
|
|
|
<!-- ADDITIONAL KOHA CONFIGURATION DIRECTIVE -->
|
|
<!-- db_scheme should follow the DBD driver name -->
|
|
<!-- the DBD drivers supported by Koha are mysql and Pg -->
|
|
<!-- port info: mysql:3306 Pg:5432 (5433 on Debian) -->
|
|
<config>
|
|
<db_scheme>__DB_TYPE__</db_scheme>
|
|
<database>__DB_NAME__</database>
|
|
<hostname>__DB_HOST__</hostname>
|
|
<port>__DB_PORT__</port>
|
|
<user>__DB_USER__</user>
|
|
<pass>__DB_PASS__</pass>
|
|
<tls>__DB_USE_TLS__</tls>
|
|
<ca>__DB_TLS_CA_CERTIFICATE__</ca>
|
|
<cert>__DB_TLS_CLIENT_CERTIFICATE__</cert>
|
|
<key>__DB_TLS_CLIENT_KEY__</key>
|
|
<biblioserver>biblios</biblioserver>
|
|
<biblioservershadow>1</biblioservershadow>
|
|
<authorityserver>authorities</authorityserver>
|
|
<authorityservershadow>1</authorityservershadow>
|
|
<pluginsdir>__PLUGINS_DIR__</pluginsdir> <!-- This entry can be repeated to use multiple directories -->
|
|
<enable_plugins>0</enable_plugins>
|
|
<upload_path></upload_path>
|
|
<tmp_path></tmp_path>
|
|
<intranetdir>__INTRANET_CGI_DIR__</intranetdir>
|
|
<opacdir>__OPAC_CGI_DIR__/opac</opacdir>
|
|
<opachtdocs>__OPAC_TMPL_DIR__</opachtdocs>
|
|
<intrahtdocs>__INTRANET_TMPL_DIR__</intrahtdocs>
|
|
<includes>__INTRANET_TMPL_DIR__/prog/en/includes/</includes>
|
|
<logdir>__LOG_DIR__</logdir>
|
|
<docdir>__DOC_DIR__</docdir>
|
|
<backupdir>__BACKUP_DIR__</backupdir>
|
|
<!-- URL of the mana KB server -->
|
|
<!-- alternative value http://mana-test.koha-community.org to query the test server -->
|
|
<mana_config>https://mana-kb.koha-community.org</mana_config>
|
|
<!-- Enable the two following to allow superlibrarians to download
|
|
database and configuration dumps (respectively) from the Export
|
|
tool -->
|
|
<backup_db_via_tools>0</backup_db_via_tools>
|
|
<backup_conf_via_tools>0</backup_conf_via_tools>
|
|
<!-- Uncomment the following line if you are not using packages and need to schedule reports through the web interface. supportdir should contain cronjobs/runreport.pl -->
|
|
<!--
|
|
<supportdir>__SCRIPT_NONDEV_DIR__</supportdir>
|
|
-->
|
|
<install_log>__MISC_DIR__/koha-install-log</install_log>
|
|
<useldapserver>0</useldapserver><!-- see C4::Auth_with_ldap for extra configs you must add if you want to turn this on -->
|
|
<useshibboleth>0</useshibboleth><!-- see C4::Auth_with_shibboleth for extra configs you must do to turn this on -->
|
|
<zebra_lockdir>__ZEBRA_LOCK_DIR__</zebra_lockdir>
|
|
<lockdir>__LOCK_DIR__</lockdir>
|
|
<use_zebra_facets>1</use_zebra_facets>
|
|
<zebra_max_record_size>1024</zebra_max_record_size>
|
|
<zebra_connection_timeout>30</zebra_connection_timeout>
|
|
<log4perl_conf>__KOHA_CONF_DIR__/log4perl.conf</log4perl_conf>
|
|
<!-- Uncomment/edit next setting if you want to adjust zebra log levels.
|
|
Default is: none,fatal,warn.
|
|
You can also include: debug,log,malloc,all,request.
|
|
Use a comma-separated list of levels to include. -->
|
|
<!-- <zebra_loglevels>none,fatal,warn</zebra_loglevels> -->
|
|
<memcached_servers>__MEMCACHED_SERVERS__</memcached_servers>
|
|
<memcached_namespace>__MEMCACHED_NAMESPACE__</memcached_namespace>
|
|
<template_cache_dir>__TEMPLATE_CACHE_DIR__</template_cache_dir>
|
|
|
|
<!-- Secret passphrase used by Mojolicious for signed cookies -->
|
|
<api_secret_passphrase>CHANGEME</api_secret_passphrase>
|
|
|
|
<!-- default report results limit is 999,999. uncomment this and set a different number to override that limit.
|
|
<report_results_limit>999999</report_results_limit>
|
|
-->
|
|
|
|
<!-- Accessible directory from the staff client, uncomment the following line and define a valid path to let the intranet user access it-->
|
|
<!--
|
|
<access_dirs>
|
|
<access_dir></access_dir>
|
|
<access_dir></access_dir>
|
|
</access_dirs>
|
|
-->
|
|
|
|
<!-- true type font mapping accoding to type from $font_types in C4/Creators/Lib.pm -->
|
|
<ttf>
|
|
<font type="TR" >__FONT_DIR__/DejaVuSerif.ttf</font>
|
|
<font type="TB" >__FONT_DIR__/DejaVuSerif-Bold.ttf</font>
|
|
<font type="TI" >__FONT_DIR__/DejaVuSerif-Italic.ttf</font>
|
|
<font type="TBI">__FONT_DIR__/DejaVuSerif-BoldItalic.ttf</font>
|
|
<font type="C" >__FONT_DIR__/DejaVuSansMono.ttf</font>
|
|
<font type="CB" >__FONT_DIR__/DejaVuSansMono-Bold.ttf</font>
|
|
<font type="CO" >__FONT_DIR__/DejaVuSansMono-Oblique.ttf</font>
|
|
<font type="CBO">__FONT_DIR__/DejaVuSansMono-BoldOblique.ttf</font>
|
|
<font type="H" >__FONT_DIR__/DejaVuSans.ttf</font>
|
|
<font type="HO" >__FONT_DIR__/DejaVuSans-Oblique.ttf</font>
|
|
<font type="HB" >__FONT_DIR__/DejaVuSans-Bold.ttf</font>
|
|
<font type="HBO">__FONT_DIR__/DejaVuSans-BoldOblique.ttf</font>
|
|
</ttf>
|
|
|
|
<!-- Path to the config file for SMS::Send -->
|
|
<sms_send_config>__KOHA_CONF_DIR__/sms_send/</sms_send_config>
|
|
|
|
<!-- Configuration for Plack -->
|
|
<plack_max_requests>50</plack_max_requests>
|
|
<plack_workers>2</plack_workers>
|
|
|
|
<!-- Configuration for X-Forwarded-For -->
|
|
<!--
|
|
<koha_trusted_proxies>1.2.3.4 2.3.4.5 3.4.5.6</koha_trusted_proxies>
|
|
-->
|
|
|
|
<!-- Elasticsearch Configuration -->
|
|
<elasticsearch>
|
|
<server>__ELASTICSEARCH_SERVERS__</server>
|
|
<index_name>__ELASTICSEARCH_INDEX_____DB_NAME__</index_name>
|
|
|
|
<!-- If you are using authentication, you will also need to use HTTPS. Uncomment and tweak the following for your ES setup. -->
|
|
<!-- NOTE: instead of userinfo, you can alternatively provide the username and password in URL in the server element -->
|
|
<!--
|
|
<userinfo>elastic:CHANGEME</userinfo>
|
|
<use_https>1</use_https>
|
|
-->
|
|
|
|
<!-- See https://metacpan.org/pod/Search::Elasticsearch#cxn_pool -->
|
|
<cxn_pool>Static</cxn_pool>
|
|
<!-- See https://metacpan.org/pod/Search::Elasticsearch#trace_to -->
|
|
<!-- <trace_to>Stderr</trace_to> -->
|
|
<!-- You can specify the maximum chunk size for records when batch processing in Koha, default is 5000 -->
|
|
<!-- <chunk_size>5000</chunk_size> -->
|
|
</elasticsearch>
|
|
<!-- Uncomment the following line if you want to override the Elasticsearch default index settings -->
|
|
<!-- <elasticsearch_index_config>__KOHA_CONF_DIR__/searchengine/elasticsearch/index_config.yaml</elasticsearch_index_config> -->
|
|
<!-- Uncomment the following line if you want to override the Elasticsearch default field settings -->
|
|
<!-- <elasticsearch_field_config>__KOHA_CONF_DIR__/searchengine/elasticsearch/field_config.yaml</elasticsearch_field_config> -->
|
|
<!-- Uncomment the following line if you want to override the Elasticsearch index default settings.
|
|
Note that any changes made to the mappings file only take effect if you reset the mappings in
|
|
by visiting /cgi-bin/koha/admin/searchengine/elasticsearch/mappings.pl?op=reset&i_know_what_i_am_doing=1&reset_fields=1.
|
|
Resetting mappings will override any changes made in the Search engine configuration UI.
|
|
-->
|
|
<!-- <elasticsearch_index_mappings>__KOHA_CONF_DIR__/searchengine/elasticsearch/mappings.yaml</elasticsearch_index_mappings> -->
|
|
|
|
<interlibrary_loans>
|
|
<!-- Path to where Illbackends are located on the system
|
|
- This setting should normally not be touched -->
|
|
<backend_directory>__PERL_MODULE_DIR__/Koha/Illbackends</backend_directory>
|
|
<!-- At least one <branch> block is required. -->
|
|
<branch>
|
|
<!-- The code of this branch -->
|
|
<code>CPL</code>
|
|
<!-- An optional prefix for all ILL request IDs for this branch -->
|
|
<prefix>ILL</prefix>
|
|
</branch>
|
|
<!-- How should we treat staff comments?
|
|
- hide: don't show in OPAC
|
|
- show: show in OPAC -->
|
|
<staff_request_comments>hide</staff_request_comments>
|
|
<!-- How should we treat the reply_date field?
|
|
- hide: don't show this field in the UI
|
|
- any other string: show, with this label -->
|
|
<reply_date>hide</reply_date>
|
|
<!-- Where should digital ILLs be sent?
|
|
- borrower: send it straight to the borrower email
|
|
- branch: send the ILL to the branch email -->
|
|
<digital_recipient>branch</digital_recipient>
|
|
</interlibrary_loans>
|
|
|
|
<!-- The timezone setting can let you force the timezone for this
|
|
instance to be something other then the local timezone of the
|
|
server. e.g. Antarctica/South_Pole -->
|
|
<timezone></timezone>
|
|
|
|
<!-- This is the bcrypt settings used to generated anonymized content -->
|
|
<bcrypt_settings>__BCRYPT_SETTINGS__</bcrypt_settings>
|
|
|
|
<!-- Encryption key for crypted password or sensitive data -->
|
|
<encryption_key>__ENCRYPTION_KEY__</encryption_key>
|
|
|
|
<!-- flag for development purposes
|
|
dev_install is used to adjust some paths specific to dev installations
|
|
strict_sql_modes should not be used in a production environment
|
|
developers use it to catch bugs related to strict SQL modes -->
|
|
<dev_install>0</dev_install>
|
|
<strict_sql_modes>0</strict_sql_modes>
|
|
<plugins_restricted>1</plugins_restricted>
|
|
<plugins_restart>1</plugins_restart>
|
|
<plugin_repos>
|
|
<repo>
|
|
<name>ByWater Solutions</name>
|
|
<org_name>bywatersolutions</org_name>
|
|
<service>github</service>
|
|
</repo>
|
|
<repo>
|
|
<name>Theke Solutions</name>
|
|
<org_name>thekesolutions</org_name>
|
|
<service>gitlab</service>
|
|
</repo>
|
|
<repo>
|
|
<name>PTFS Europe</name>
|
|
<org_name>PTFS-Europe</org_name>
|
|
<service>github</service>
|
|
</repo>
|
|
</plugin_repos>
|
|
|
|
<koha_xslt_security>
|
|
<!-- Uncomment the following entry ONLY when you explicitly want the XSLT
|
|
parser to expand entities like <!ENTITY secret SYSTEM "/etc/secrets">.
|
|
This is unsafe and therefore NOT recommended!
|
|
<expand_entities_unsafe>1</expand_entities_unsafe>
|
|
-->
|
|
</koha_xslt_security>
|
|
|
|
<smtp_server>
|
|
<host>__SMTP_HOST__</host>
|
|
<port>__SMTP_PORT__</port>
|
|
<timeout>__SMTP_TIMEOUT__</timeout>
|
|
<ssl_mode>__SMTP_SSL_MODE__</ssl_mode>
|
|
<user_name>__SMTP_USER_NAME__</user_name>
|
|
<password>__SMTP_PASSWORD__</password>
|
|
<debug>__SMTP_DEBUG__</debug>
|
|
</smtp_server>
|
|
|
|
<message_broker>
|
|
<hostname>localhost</hostname>
|
|
<port>61613</port>
|
|
<username>guest</username>
|
|
<password>guest</password>
|
|
<vhost></vhost>
|
|
</message_broker>
|
|
|
|
<background_jobs_worker>
|
|
<!-- Max simultaneous processes per worker -->
|
|
<max_processes>1</max_processes>
|
|
</background_jobs_worker>
|
|
|
|
<do_not_remove_cookie>catalogue_editor_\d+</do_not_remove_cookie>
|
|
<!-- Uncomment lines like hereunder to not clear cookies at logout:
|
|
The cookie name is case sensitive.
|
|
NOTE: You may use regex constructions like the example above.
|
|
<do_not_remove_cookie>KohaOpacLanguage</do_not_remove_cookie>
|
|
-->
|
|
|
|
<message_domain_limits>
|
|
<!-- Two types are supported: a regular limit and a grouped limit that refers to a regular limit -->
|
|
<!-- <domain><name>DOMAIN_NAME</name><limit>NUMBER</limit><unit>{NUMBER}{m[inutes]|h[ours]|d[ays]}</unit></domain> -->
|
|
<!-- <domain><name>OTHER_DOMAIN_NAME</name><belongs_to>DOMAIN_NAME</belongs_to></domain> -->
|
|
<!-- Like: <domain><name>outlook.com</name><limit>30</limit><unit>1m</unit></domain> -->
|
|
<!-- Like: <domain><name>hotmail.com</name><belongs_to>outlook.com</belongs_to></domain> -->
|
|
</message_domain_limits>
|
|
|
|
<mfa_range>1</mfa_range><!-- Number of 30 second iterations to allow for MFA code checking -->
|
|
|
|
</config>
|
|
</yazgfs>
|