[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[EP-tech] SSL (HTTPS) only for an EPrints repository

On 25 August 2017 at 06:30, Tomasz Neugebauer <
Tomasz.Neugebauer at concordia.ca> wrote:
> Thank you, Matthew!  We have HTTPS working, with the apache config, but
> repository allows users to access ?browse/abstract? pages with HTTP as
> Since we have a search box in our header, Chrome will soon start warning
> that inputting any text on an HTTP connection is not secure.
> I was looking at this Google page which recommends HSTS as well:
> I think that is what we need to implement, I?m just not sure how to do
> yet.
> I noticed that when I try to access a QUT ePrints page with HTTP, it
> switches over to HTTPS, for example, going here :
> http://eprints.qut.edu.au/view/thesis/phd/ , you end up
> https://eprints.qut.edu.au/view/thesis/phd/
> Does that mean that QUT ePrints is supporting HSTS?

Yep, if you look at the response for a HTTPS request you'll see a header

Strict-Transport-Security: max-age=2419200

I'm not sure how other sites have their .confs organised, but we have in
/etc/httpd/conf.d/ a core 'eprints.conf' which sets up the modperl
environment (PerlModule,PerlSwitches,etc.), and then repo-specific configs
which we keep in version control.

The one for QUT ePrints looks like this:

# <VirtualHost :80/> is generated by bin/generate_apacheconf
Include /opt/eprints3/cfg/apache/quteprints.conf

  ServerName ...
  # ...etc...

  SSLCertificateFile ...
  # ...etc...

  # EPrints configuration created by bin/generate_apacheconf
  PerlTransHandler +EPrints::Apache::Rewrite
  Include /opt/eprints3/cfg/apache_ssl/quteprints.conf

  # Include additional archive-specific configuration
  Include /opt/eprints3/archives/quteprints/cfg/apachevhost_ssl.conf

  # All future navigation to the site should be to https://
  # Times: 31536000 = 365 days
  #         2419200 = 28 days
  Header set Strict-Transport-Security "max-age=2419200"

It's a pretty broad stroke, but it gets it done.

  Matthew Kerwin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20170825/89beab28/attachment.html