I was asked to add this information to the wiki, so I have added a new page here:

 

https://wiki.eprints.org/w/HTTPS-only_and_HSTS

 

Please feel free to modify/add/delete as needed.

 

Best wishes,

Tomasz

 

 

 

Thanks to Matthew and John for your help.

 

I thought I would report back to the list about this, now that I got all of this working on our repository:

 

·         HSTS Headers on HTTPS

·         Fixed “Mixed Content” warnings/errors

·         All ‘internal’ links point to HTTPS locations

·         301 Redirects from HTTP to HTTPS

 

That follows the best practice specified here, by Google: https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951

 

To make that happen, I had to do the following:

 

1.       Changes to /cfg.d/10_core.pl:

 

Initialize the following two variables to be the https URL (i.e., https://spectrum.library.concordia.ca)

 

$c->{http_url}

$c->{http_cgiurl}

$c->{base_url}

 

2.       Changes to /cfg/lang/en/templates/default.xml, and /cfg/lang/en/static .XPAGE files

 

·         Remove any hard coded links to HTTP

·         We have Google Search included here as XPAGE files calling on the Google API which I needed to switch to HTTPS

 

3.       Add a new include apache-ssl CONF file to /repoid/cfg/ that has the HSTS header:

 

·         Header set Strict-Transport-Security "max-age=15780000"

 

·         Include this file from the core apache declaration.

 

I consulted this page (thanks to Justin): https://wiki.eprints.org/w/Setting_up_HTTPS_using_Let%27s_Encrypt , which was helpful in making me realize I need a new conf file.  A new file was required because /bin/generate_apacheconf (https://wiki.eprints.org/w/API:bin/generate_apacheconf) overwrites any of the conf files that were already being included, and I was trying to avoid modifying this script.

 

 

4.       Modify the default port 80 response in the apache config to redirect all port 80 (HTTP) requests to port 443 (HTTPS), using the same redirect suggested by John.

 

I ended up doing this in one of the conf files that is generated by /bin/generate_apacheconf, which means that I will have to re-apply this redirect if/when I need to re-run this script.  This is not ideal, but it was the simplest solution I could find, given the structure of the files generated by /generate_apacheconf.   I think that this script (generate_apacheconf) should have some new flags, something like “--sslonly” and “--hsts” , which would generate the correct apache config files for a repository that follows the Google best practice of HTTPS-only with HSTS. 

 

 

To summarize how HSTS works, if a browser (Chrome, Firefix, IE) sees the HSTS header in the response, and there are no certificate errors or mixed content warnings or anything (if it is green), then the next time a user of that browser requests the HTTP page of that site, the browser will modify the request to a HTTPS request and will not issue the HTTP request.   The browser will remember that setting for as long as you specify “max-age” to be.  This means that even with HSTS, it is still possible to request and receive content over HTTP.  To close that down, a server redirect is necessary, so those browsers that haven’t seen the HSTS header in the past that happen to try to go to HTTP will get that initial redirect to HTTPS.

 

Let me know if you have any thoughts or ideas to share about any of that; I hope this information ends up being helpful for others.

 

Tomasz

 

 

 

________________________________________________

Tomasz Neugebauer
Digital Projects & Systems Development Librarian / Bibliothécaire des Projets Numériques & Développement de Systèmes
Library / Bibliothèque
Concordia University / Université Concordia

Tel. / Tél. 514-848-2424 ext. / poste 7738
Email / courriel: tomasz.neugebauer@concordia.ca

Mailing address / adresse postale: 1455 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8
Street address / adresse municipale: 1400 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8

http://library.concordia.ca
http://www.concordia.ca/faculty/tomasz-neugebauer.html

 

 

 

 

 

 

 

 

 

Hi Tomasz,

In the non-secure virtual host, the following line will redirect all traffic.

This will redirect clients that don't honour the HSTS headers, as well as pointing clients in the right direction in the first place.

Whilst testing, you might want to leave out the 'permanent' part.

 

<VirtualHost *:80>

...

   Redirect permanent / https://your.repo/

</VirtualHost>

 

Matthew,

I'm guesing you have something similar somewhere in you :80 vhost?

If not, and the HSTS headers are only sent for the :443 vhost, how does the initial redirect work?

 

Cheers,

John

 

 

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Matthew Kerwin
Sent: 25 August 2017 00:59
To: eprints-tech@ecs.soton.ac.uk
Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository