Deploy Koha: Standard Tier

Deploy Koha Standard tier with automated S3 backups and optional custom domains with free SSL certificates. Perfect for medium-sized libraries.

Overview

Deployment time: ~5 minutes
Best for: Medium libraries Architecture: Single EC2 instance + automated S3 backups + optional SSL

What you’ll get:

Single EC2 instance (t3.medium recommended)
MySQL database running locally
Automated daily S3 backups with retention policies
Optional custom domains (library.yourdomain.com)
Optional free Let’s Encrypt SSL certificates
Professional HTTPS URLs

Advantages over Basic tier:

✓ Automated encrypted S3 backups
✓ Custom domain support
✓ Free SSL/TLS certificates
✓ Automatic certificate renewal

Prerequisites

Before you begin:

AWS account with payment method
AWS Marketplace subscription to KohaSupport Koha ILS Standard tier
Optional: Domain name (for custom URLs with SSL)
Optional: DNS access (to create A records)

Step 1: Launch CloudFormation Template

Delivery Method: Select CloudFormation Template
Software Version: Choose latest version
Region: Select closest AWS region
Click Continue to Launch
Click Launch CloudFormation

Step 2: Configure CloudFormation Stack

Stack Details

Stack name
Enter: koha-standard-library or your library name (e.g. springfield-library)

Parameters

AWS Marketplace

ImageId
Auto-filled from marketplace subscription ✓

Instance Configuration

InstanceType
Choose appropriate instance type based on tier architecture:

Standard tier (ARM64): m8g.medium recommended (2 vCPU, 4 GB RAM)
Alternative (x86): t3.medium (2 vCPU, 4 GB RAM)
Larger libraries: m8g.large (ARM64) or t3.large (x86)

KeyPairName
Optional SSH key pair for traditional SSH access:

Leave blank to use EC2 Instance Connect only (recommended)
Or enter name of an existing EC2 key pair
To find existing keys: EC2 Console → Network & Security → Key Pairs
To create a new key: See Creating SSH Keys below

Note: If left blank, you can use EC2 Instance Connect for browser-based SSH access. The templates configure security groups to allow Instance Connect traffic, but you must manually create an EC2 Instance Connect Endpoint in your VPC. See Setting Up EC2 Instance Connect Endpoint below for instructions.

EBSVolumeSize

Minimum: 20 GB
Recommended: 50 GB or more

InstallLanguages
Optional comma-separated language codes:

Leave blank for English only
Example: es-ES,fr-FR,de-DE,it-IT (Spanish, French, German, Italian)
See Available Translations for complete list of 100+ supported languages

Network Configuration

VpcId - Leave blank
SubnetId - Leave blank

Domain Configuration (Optional)

⚠️ For first deployment, leave these as defaults. Configure domains after deployment.

EnableNameBasedVirtualHost
Default: false
Set to true only after DNS is configured

DomainName
Your domain (e.g., yourlibrary.org)
Required if using custom domains
You must own this domain and control DNS

OpacSubdomain
Default: library
Creates: library.yourlibrary.org
Public catalog URL

StaffSubdomain
Default: libadmin
Creates: libadmin.yourlibrary.org
Staff interface URL

EnableSSL
Default: false
Enable only after DNS records are propagated
Uses free Let’s Encrypt certificates

SSLEmail
Your email for certificate notifications
Required if EnableSSL is true

S3 Backup Configuration

EnableS3Backup
Default: true ✓ Recommended

BackupSchedule
Options: hourly, every-3-hours, every-6-hours, daily, weekly
Default: daily

BackupTime
24-hour format: 23:00 (11 PM)
Choose low-traffic hours

BackupRetentionDays
Default: 365 (1 year)
Range: 30-2555 days
Older backups automatically deleted

Stack Options

Add tags:

Environment: Production
Tier: Standard

Review and Launch

Review all settings
Check ☑ IAM resources acknowledgement
Click Create stack
Wait 15-25 minutes

Step 3: Review and Launch

Review all settings
Check ☑ IAM resources acknowledgement
Click Create stack
Wait 15-25 minutes

Step 4: Retrieve Access Information

Once CREATE_COMPLETE:

CloudFormation Outputs

KohaPublicCatalogURL
http://X.X.X.X:8080 - Public catalog

KohaAdminInterfaceURL
http://X.X.X.X:8443 - Staff interface

ElasticIP
Static IP for DNS configuration
Save this for domain setup

S3BackupBucket
Bucket name for automated backups

KohaAdminCredentialsPath
Parameter Store path for password

Step 5: Retrieve Admin Password

Choose one method:

AWS Console

AWS Systems Manager → Parameter Store
Search for credentials path
Click parameter → Show value

AWS CLI

aws ssm get-parameter \
  --name /koha/koha-standard-library/credentials \
  --with-decryption \
  --query 'Parameter.Value' \
  --output text

EC2 Instance Connect

# Connect to instance
# Then run:
sudo koha-passwd library

Username: koha_library

Step 6: Initial Access

Open KohaAdminInterfaceURL
Log in with credentials
Test functionality
Proceed to post-installation setup

→ Post-Installation Setup Guide

Optional: Configure Custom Domains with SSL

Want professional URLs like https://library.yourlibrary.org? Follow these steps after initial deployment.

Prerequisites

Domain name you own
Access to DNS management
Elastic IP from CloudFormation Outputs

Step 1: Configure DNS

At your DNS provider (Cloudflare, Route 53, etc.):

Create two A records:

Type: A
Name: library
Value: <ElasticIP from Outputs>
TTL: 300

Type: A
Name: libadmin
Value: <ElasticIP from Outputs>
TTL: 300

Step 2: Verify DNS Propagation

Wait 15-30 minutes, then test:

nslookup library.yourlibrary.org
nslookup libadmin.yourlibrary.org

Both should return your Elastic IP.

Step 3: Enable Domains and SSL

Connect via EC2 Instance Connect:

sudo koha-setup-domains \
  --domain yourlibrary.org \
  --opac-subdomain library \
  --staff-subdomain libadmin \
  --enable-ssl \
  --ssl-email admin@yourlibrary.org

This will:

Configure Apache virtual hosts
Request Let’s Encrypt SSL certificates
Set up automatic renewal
Redirect HTTP → HTTPS

Step 4: Verify HTTPS Access

Test your new URLs:

OPAC: https://library.yourlibrary.org
Staff: https://libadmin.yourlibrary.org

Troubleshooting SSL

If SSL setup fails:

# Check logs
sudo tail -f /var/log/letsencrypt/letsencrypt.log
sudo tail -f /var/log/cloud-init-output.log

Common issues:

DNS not propagated → Wait longer
Port 80 blocked → Check security groups
Invalid email → Use valid address

S3 Automated Backups

What Gets Backed Up

Complete MySQL database dump (compressed)
Koha configuration files (/etc/koha/)
Zebra indexes
Custom templates and plugins
System preferences

S3 Bucket Features

Encryption: AES-256 at rest
Versioning: Enabled
Storage Class: Intelligent-Tiering
Lifecycle: Auto-deletes after retention period

Backup File Format

koha-backup-YYYY-MM-DD-HH-MM-SS.tar.gz

Example: koha-backup-2025-12-11-23-00-00.tar.gz

Complete Backup & Recovery Guide

For comprehensive backup procedures, database exports, restore testing, and migration strategies:

→ Koha Tier Migration Guide

Covers:

S3 backup verification
Database backup and restore procedures
Manual backup creation
Disaster recovery procedures
Data migration between tiers
Testing and validation

Monitoring & Maintenance

For comprehensive system monitoring, CloudWatch setup, log analysis, and maintenance schedules:

→ Monitoring & Maintenance Guide

Covers:

System health monitoring
CloudWatch alarms and dashboards
Log locations and analysis
Database performance monitoring
S3 backup verification
Automated health checks
Regular maintenance tasks
Scaling guidance

Security

For detailed security configuration, hardening, encryption, and compliance:

→ Security Best Practices Guide

Covers:

Network security and firewall rules
IAM permissions and roles
SSH key management
Data encryption (EBS, S3, in-transit)
S3 bucket security
Security monitoring and auditing
Compliance (GDPR, PCI DSS)
Incident response

Troubleshooting

For common deployment issues and solutions, see:

→ CloudFormation Troubleshooting Guide

Includes solutions for:

Stack creation failures
Instance access issues
S3 backup problems
SSL certificate issues
Domain configuration
And more…

Creating SSH Keys

If you want to use traditional SSH instead of EC2 Instance Connect:

Create Key Pair in AWS Console

Go to EC2 Console
Navigate to Network & Security → Key Pairs
Click Create key pair
Name: Enter a memorable name (e.g., koha-ssh-key)
Key pair type: Choose RSA
Private key file format:
- .pem for Mac/Linux/Windows (OpenSSH)
- .ppk for PuTTY (Windows)
Click Create key pair
Save the downloaded file securely (you can’t download it again)

Using Your Key

# Mac/Linux
chmod 400 koha-ssh-key.pem
ssh -i koha-ssh-key.pem ubuntu@<instance-ip>

# Windows (PowerShell with OpenSSH)
ssh -i koha-ssh-key.pem ubuntu@<instance-ip>

Important: The key pair must be created in the same AWS region where you’re deploying Koha.

Setting Up EC2 Instance Connect Endpoint

If you didn’t configure a KeyPair and want to use EC2 Instance Connect for browser-based SSH access, you must create an EC2 Instance Connect Endpoint. The CloudFormation templates configure security groups to allow Instance Connect traffic, but do not create the endpoint itself.

Why You Need This

Without endpoint: Cannot use EC2 Instance Connect from AWS Console
With endpoint: Browser-based SSH access from EC2 Console (no key file needed)
Security: Instance Connect endpoints provide secure access to instances in private subnets

Create Instance Connect Endpoint

Go to VPC Console (not EC2 Console)
In left navigation, scroll down to Virtual private cloud section
Click Endpoints
Click Create endpoint
Configure endpoint:
- Name: koha-instance-connect-endpoint
- Service category: Select EC2 Instance Connect Endpoint
- VPC: Select the VPC where your Koha instance is deployed
- Security groups: Select the security group created by CloudFormation (look for stack name in security group name)
- Subnet: Select the subnet where your instance is running
Click Create endpoint
Wait 2-3 minutes for endpoint to become Available

Using Instance Connect After Endpoint Creation

Option 1: AWS Console (Browser-based)

Go to EC2 Console
Select your Koha instance
Click Connect button
Choose EC2 Instance Connect tab
Connection type: Select Connect using EC2 Instance Connect Endpoint
EC2 Instance Connect Endpoint: Select the endpoint you created
Username: Enter ubuntu
Click Connect

Option 2: AWS CLI

# Get your instance ID from EC2 Console or CloudFormation Outputs
aws ec2-instance-connect ssh \
  --connection-type eice \
  --os-user ubuntu \
  --instance-id i-0123456789abcdef0

Note: Replace i-0123456789abcdef0 with your actual instance ID. The CLI automatically selects the appropriate Instance Connect Endpoint in the same VPC.

Cost

Pricing: EC2 Instance Connect Endpoint charges apply per hour
Calculate costs: Use the AWS Pricing Calculator to estimate costs for your region
Alternative: Use SSH keys (free, but requires key management)
Tip: Search for “EC2 Instance Connect Endpoint” in the calculator for current pricing

Troubleshooting

Can’t find Instance Connect Endpoint option:

Ensure you’re in VPC Console, not EC2 Console
Check your AWS region supports EC2 Instance Connect Endpoints
Verify you have permission ec2:CreateInstanceConnectEndpoint

Connection fails:

Verify endpoint status is Available
Confirm endpoint is in same VPC and subnet as instance
Check security group allows Instance Connect traffic (templates configure this automatically)
Ensure instance is running and status checks passed

Upgrade to Enterprise

Need high availability and scalability?

For detailed migration procedures with database backup and restore:

→ Koha Tier Migration Guide

For Enterprise tier deployment:

→ Enterprise Deployment Guide

Enterprise tier adds:

Multi-AZ deployment (2-5 servers)
Aurora Serverless database
Application Load Balancer
Auto-scaling
Zero-downtime updates

Additional Resources

Get Support

Need help?

Email: support@kohasupport.com
Knowledge Base: kohasupport.com/knowledge-base

Last Updated: December 2025