
[EP-tech] SSL (HTTPS) only for an EPrints repository

Thank you, Matthew!  We have HTTPS working, with the apache config, but the repository allows users to access "browse/abstract" pages with HTTP as well.  Since we have a search box in our header, Chrome will soon start warning that inputting any text on an HTTP connection is not secure.

I was looking at this Google page which recommends HSTS as well: https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951
I think that is what we need to implement, I'm just not sure how to do that yet.
I noticed that when I try to access a QUT ePrints page with HTTP, it switches over to HTTPS, for example, going here: http://eprints.qut.edu.au/view/thesis/phd/ , you end up at https://eprints.qut.edu.au/view/thesis/phd/
Does that mean that QUT ePrints is supporting HSTS?


From: eprints-tech-bounces at ecs.soton.ac.uk [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of Matthew Kerwin
Sent: August-22-17 6:36 PM
To: eprints-tech at ecs.soton.ac.uk
Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository

On 23 Aug. 2017 6:57 am, "Tomasz Neugebauer" <Tomasz.Neugebauer at concordia.ca> wrote:
Google is sending out alerts that it will soon begin to show security warnings in Chrome for any web site that is not SSL (HTTPS).
Our EPrints repository (running 3.3.12) switches over to HTTPS when the user authenticates, but the browse pages are available through HTTP as well.
What is the best way to get EPrints to redirect everything to HTTPS?
I think I remember this question coming up on the list before, but I can't seem to find any references.

All I remember is that I had to change how eprints generates the Apache config so it added a <Location> chunk for the non-secure root (i.e. "/") inside the :443 VirtualHost, which defined the eprints archive environment variable.

Our repo allows both http and https access, though; if you're going https-everywhere you'll probably have different concerns.

Oh, and see also: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

Matthew Kerwin
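
Added example, not part of the original thread: an HTTP-to-HTTPS redirect and an HSTS policy are separate mechanisms, and HSTS is only in effect when the HTTPS response carries a valid Strict-Transport-Security header. This sketch parses that header and classifies a pair of responses; the host name repository.example.org and the sample responses are constructed.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
    Returns a dict, or None if the header is absent or has no valid max-age."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        arg = arg.strip().strip('"')     # max-age may be sent as a quoted-string
        if name == "max-age" and re.fullmatch(r"\d+", arg):
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def classify(http_resp, https_resp):
    """Each response is (status, headers) with lower-case header names.
    Reports 'HTTP redirects to HTTPS' and 'HTTPS sets an HSTS policy' separately."""
    status, headers = http_resp
    location = headers.get("location", "").lower()
    redirects = status in (301, 302, 307, 308) and location.startswith("https://")
    # Browsers ignore the header on plain HTTP, so only the HTTPS response counts.
    policy = parse_hsts(https_resp[1].get("strict-transport-security"))
    # max-age=0 tells the browser to forget the host, so it is not an active policy.
    hsts_active = policy is not None and policy["max_age"] > 0
    return {"redirects_to_https": redirects, "hsts": hsts_active, "policy": policy}

# Constructed sample responses for a hypothetical repository.example.org
REDIRECT_ONLY = classify(
    (301, {"location": "https://repository.example.org/view/"}),
    (200, {"content-type": "text/html"}))
REDIRECT_AND_HSTS = classify(
    (301, {"location": "https://repository.example.org/view/"}),
    (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}))

if __name__ == "__main__":
    print("redirect only:    ", REDIRECT_ONLY)
    print("redirect and HSTS:", REDIRECT_AND_HSTS)
```

With a redirect alone, the first plain-HTTP request of every visit still crosses the network unprotected; with HSTS the browser rewrites it to HTTPS locally until max-age expires.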