[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[EP-tech] Re: repos with a mix of HTTP and HTTPS

For those interested in this topic, it turns out that
EPrints::Apache::apache_secure_conf generates a <Location "$https_root"/>
block which includes the EPrints_ArchiveID variable. However if $https_root
ne $http_root, there is no equivalent block (or EPrints_ArchiveID variable)
for the "$http_root" location. So HTTPS requests to locations under
$http_root (but not $https_root) are not handled by EPrints.


I've logged this as https://github.com/eprints/eprints/issues/366 and will
start exploring the fix (straight-forward) and potential implications (not
so straight-forward.)




Matthew Kerwin  |  QUT Library eServices  |
<mailto:matthew.kerwin at qut.edu.au> matthew.kerwin at qut.edu.au


From: eprints-tech-bounces at ecs.soton.ac.uk
[mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of Matthew Kerwin
Sent: Monday, 23 November 2015 12:34
To: eprints-tech at ecs.soton.ac.uk
Subject: [EP-tech] repos with a mix of HTTP and HTTPS


Hi EPrintsers, I have a query about serving a repository with a mix of HTTP
and HTTPS.


Currently our two repositories have a pretty standard setup: the bulk of the
site is served over plaintext HTTP, including untrusted session cookies.
Secure/administrative functions are served over HTTPS.


We want to reconfigure the server to use HTTPS for the entire site (for
various reasons, Google search rankings high amongst them.) However we want
to retain the option of plaintext HTTP access so that some less modern
external indexers and crawlers can continue to do their thing.


I should point out that our primary repository predates EPrints 3.2, and
likely includes a bunch of legacy features and obscure customisations, so
what I'm describing may be available out of the box with a fresh install but
lost to us personally. However if not, does anybody have any experience
doing what I've described?


Do you have any pointers on what to en/disable in config, or what to tweak
(and where) to make the entire site HTTPS-by-default while retaining the
option for standard HTTP browsing of "insecure" content?




Matthew Kerwin  |  Senior Web Developer  |
<https://wiki.qut.edu.au/display/lib/Digital+Repository+Team> Applications &
Development Team  |  Library eServices  |  Queensland University of
Technology  |  Level 3, R Block, Kelvin Grove  |
<mailto:matthew.kerwin at qut.edu.au> matthew.kerwin at qut.edu.au  |  CRICOS No


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20151130/6a72070c/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4845 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20151130/6a72070c/attachment-0001.bin