[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[EP-tech] SSL (HTTPS) only for an EPrints repository



Hi Tomasz,
In the non-secure virtual host, the following line will redirect all traffic.
This will redirect clients that don't honour the HSTS headers, as well as pointing clients in the right direction in the first place.
Whilst testing, you might want to leave out the 'permanent' part.

<VirtualHost *:80>
...
   Redirect permanent / https://your.repo/
</VirtualHost>

Matthew,
I'm guesing you have something similar somewhere in you :80 vhost?
If not, and the HSTS headers are only sent for the :443 vhost, how does the initial redirect work?

Cheers,
John


From: eprints-tech-bounces at ecs.soton.ac.uk [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of Matthew Kerwin
Sent: 25 August 2017 00:59
To: eprints-tech at ecs.soton.ac.uk
Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository


On 25 August 2017 at 06:30, Tomasz Neugebauer <Tomasz.Neugebauer at concordia.ca<mailto:Tomasz.Neugebauer at concordia.ca>> wrote:
> Thank you, Matthew!  We have HTTPS working, with the apache config, but the
> repository allows users to access ?browse/abstract? pages with HTTP as well.
> Since we have a search box in our header, Chrome will soon start warning
> that inputting any text on an HTTP connection is not secure.
>
>
> I was looking at this Google page which recommends HSTS as well:
> https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951
>
> I think that is what we need to implement, I?m just not sure how to do that
> yet.
>
> I noticed that when I try to access a QUT ePrints page with HTTP, it
> switches over to HTTPS, for example, going here :
> http://eprints.qut.edu.au/view/thesis/phd/ , you end up
> https://eprints.qut.edu.au/view/thesis/phd/
>
> Does that mean that QUT ePrints is supporting HSTS?
>

Yep, if you look at the response for a HTTPS request you'll see a header like:

~~~
Strict-Transport-Security: max-age=2419200
~~~

I'm not sure how other sites have their .confs organised, but we have in /etc/httpd/conf.d/ a core 'eprints.conf' which sets up the modperl environment (PerlModule,PerlSwitches,etc.), and then repo-specific configs which we keep in version control.

The one for QUT ePrints looks like this:

~~~
# <VirtualHost :80/> is generated by bin/generate_apacheconf
Include /opt/eprints3/cfg/apache/quteprints.conf

<VirtualHost MailScanner warning: numerical links are often malicious: 131.181.186.218:443<http://131.181.186.218:443>>
  ServerName ...
  # ...etc...

  SSLCertificateFile ...
  # ...etc...

  # EPrints configuration created by bin/generate_apacheconf
  PerlTransHandler +EPrints::Apache::Rewrite
  Include /opt/eprints3/cfg/apache_ssl/quteprints.conf

  # Include additional archive-specific configuration
  Include /opt/eprints3/archives/quteprints/cfg/apachevhost_ssl.conf

  # All future navigation to the site should be to https://
  # Times: 31536000 = 365 days
  #         2419200 = 28 days
  Header set Strict-Transport-Security "max-age=2419200"
</VirtualHost>
~~~

It's a pretty broad stroke, but it gets it done.

HTH
--
  Matthew Kerwin
  http://matthew.kerwin.net.au/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20170825/12be912c/attachment-0001.html