EPrints Technical Mailing List Archive

Message: #05189



[EP-tech] Re: repos with a mix of HTTP and HTTPS


For those interested in this topic, it turns out that EPrints::Apache::apache_secure_conf generates a <Location "$https_root"/> block which includes the EPrints_ArchiveID variable. However, if $https_root ne $http_root, there is no equivalent block (or EPrints_ArchiveID variable) for the "$http_root" location. So HTTPS requests to locations under $http_root (but not $https_root) are not handled by EPrints.

 

I’ve logged this as https://github.com/eprints/eprints/issues/366 and will start exploring the fix (straightforward) and potential implications (not so straightforward).

 

Cheers

--

Matthew Kerwin  |  QUT Library eServices  |  matthew.kerwin@qut.edu.au

 

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Matthew Kerwin
Sent: Monday, 23 November 2015 12:34
To: eprints-tech@ecs.soton.ac.uk
Subject: [EP-tech] repos with a mix of HTTP and HTTPS

 

Hi EPrintsers, I have a query about serving a repository with a mix of HTTP and HTTPS.

 

Currently our two repositories have a pretty standard setup: the bulk of the site is served over plaintext HTTP, including untrusted session cookies. Secure/administrative functions are served over HTTPS.

 

We want to reconfigure the server to use HTTPS for the entire site (for various reasons, Google search rankings high amongst them.) However we want to retain the option of plaintext HTTP access so that some less modern external indexers and crawlers can continue to do their thing.

 

I should point out that our primary repository predates EPrints 3.2, and likely includes a bunch of legacy features and obscure customisations, so what I’m describing may be available out of the box with a fresh install but lost to us personally. However if not, does anybody have any experience doing what I’ve described?

 

Do you have any pointers on what to en/disable in config, or what to tweak (and where) to make the entire site HTTPS-by-default while retaining the option for standard HTTP browsing of “insecure” content?

 

Cheers

--

Matthew Kerwin  |  Senior Web Developer  |  Applications & Development Team  |  Library eServices  |  Queensland University of Technology  |  Level 3, R Block, Kelvin Grove  |  matthew.kerwin@qut.edu.au  |  CRICOS No 00213J
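The gap described in the reply at the top of this message can be checked against a generated HTTPS virtual-host config. The following is an added example, not code from the original post or from EPrints: it reports which request paths fall under a <Location> block that sets EPrints_ArchiveID. The sample config, the "/secure" and "/repo" roots, the "demo" archive ID, the function names, and the use of PerlSetVar to set the variable are assumptions.

```python
import re

# Constructed sample of an HTTPS virtual-host fragment for the case the page
# describes: https_root ("/secure") differs from http_root ("/repo").
# Assumption: the variable is set with mod_perl's PerlSetVar directive.
SECURE_CONF = """
<Location "/secure">
    PerlSetVar EPrints_ArchiveID demo
</Location>
"""

_OPEN = re.compile(r'^\s*<Location\s+"?([^">]*?)"?\s*>\s*$', re.I)
_CLOSE = re.compile(r"^\s*</Location\s*>\s*$", re.I)
_SETVAR = re.compile(r"^\s*PerlSetVar\s+EPrints_ArchiveID\s+(\S+)", re.I)


def location_archive_ids(conf_text):
    """Return (location_path, archive_id) pairs in file order."""
    pairs, current = [], None
    for line in conf_text.splitlines():
        if m := _OPEN.match(line):
            current = m.group(1).rstrip("/") or "/"
        elif _CLOSE.match(line):
            current = None
        elif current is not None and (m := _SETVAR.match(line)):
            pairs.append((current, m.group(1)))
    return pairs


def handling_archive(request_path, conf_text):
    """Archive ID in effect for request_path, or None if no block covers it."""
    archive = None
    for loc, archive_id in location_archive_ids(conf_text):
        # <Location> matches the path itself and anything below it, on
        # whole path segments only ("/secure" does not cover "/securex").
        if loc == "/" or request_path == loc or request_path.startswith(loc + "/"):
            archive = archive_id  # sections merge in file order: last wins
    return archive


def unhandled_roots(conf_text, roots):
    """Roots (e.g. http_root, https_root) with no archive ID in this vhost."""
    return [r for r in roots if handling_archive(r or "/", conf_text) is None]
```

Calling unhandled_roots(SECURE_CONF, ["/repo", "/secure"]) lists the roots that the HTTPS virtual host would not hand to EPrints.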

 
