[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[EP-tech] SSL (HTTPS) only for an EPrints repository

Subject: [EP-tech] SSL (HTTPS) only for an EPrints repository
From: Tomasz.Neugebauer at concordia.ca (Tomasz Neugebauer)
Date: Fri, 1 Sep 2017 20:58:43 +0000
In-reply-to: <EMEW3|e72239f13f67b74fc43444414aff5fedy7O10R14eprints-tech-bounces|ecs.soton.ac.uk|CACweHNAt4bfsZSP4D-rC7zM0xsdCv6hRZuwzfri6vTTUCfgtZw@mail.gmail.com>
References: <724baa32178d465ea17d91b4c885697d@ums-sgw-mbs1.concordia.ca> <EMEW3|29c9178fa63107230fe97af76bb20196y7LLl714eprints-tech-bounces|ecs.soton.ac.uk|724baa32178d465ea17d91b4c885697d@ums-sgw-mbs1.concordia.ca> <CACweHNDH+oKnTp=AhFo1DqFu0VFfBoLC0eGHiMY5KWZLajvLZQ@mail.gmail.com> <efaf620ddb4540e1a97a8865d78e0801@ums-sgw-mbs1.concordia.ca> <EMEW3|581d77ca7d48cd2af538b5acde5ad789y7LNbW14eprints-tech-bounces|ecs.soton.ac.uk|CACweHNDH+oKnTp=AhFo1DqFu0VFfBoLC0eGHiMY5KWZLajvLZQ@mail.gmail.com> <EMEW3|6a7175addea50ceb1091ec2fc72413f8y7NLgh14eprints-tech-bounces|ecs.soton.ac.uk|efaf620ddb4540e1a97a8865d78e0801@ums-sgw-mbs1.concordia.ca> <CACweHNAt4bfsZSP4D-rC7zM0xsdCv6hRZuwzfri6vTTUCfgtZw@mail.gmail.com> <EMEW3|e72239f13f67b74fc43444414aff5fedy7O10R14eprints-tech-bounces|ecs.soton.ac.uk|CACweHNAt4bfsZSP4D-rC7zM0xsdCv6hRZuwzfri6vTTUCfgtZw@mail.gmail.com>

Thanks again, Matthew for sharing your solution.
It seems very straightforward, the only thing is that I will have to configure our apache to understand the Header command first ?
Have a great weekend,
Tomasz


From: eprints-tech-bounces at ecs.soton.ac.uk [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of Matthew Kerwin
Sent: August-24-17 7:59 PM
To: eprints-tech at ecs.soton.ac.uk
Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository


On 25 August 2017 at 06:30, Tomasz Neugebauer <Tomasz.Neugebauer at concordia.ca<mailto:Tomasz.Neugebauer at concordia.ca>> wrote:
> Thank you, Matthew!  We have HTTPS working, with the apache config, but the
> repository allows users to access ?browse/abstract? pages with HTTP as well.
> Since we have a search box in our header, Chrome will soon start warning
> that inputting any text on an HTTP connection is not secure.
>
>
> I was looking at this Google page which recommends HSTS as well:
> https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951
>
> I think that is what we need to implement, I?m just not sure how to do that
> yet.
>
> I noticed that when I try to access a QUT ePrints page with HTTP, it
> switches over to HTTPS, for example, going here :
> http://eprints.qut.edu.au/view/thesis/phd/ , you end up
> https://eprints.qut.edu.au/view/thesis/phd/
>
> Does that mean that QUT ePrints is supporting HSTS?
>

Yep, if you look at the response for a HTTPS request you'll see a header like:

~~~
Strict-Transport-Security: max-age=2419200
~~~

I'm not sure how other sites have their .confs organised, but we have in /etc/httpd/conf.d/ a core 'eprints.conf' which sets up the modperl environment (PerlModule,PerlSwitches,etc.), and then repo-specific configs which we keep in version control.

The one for QUT ePrints looks like this:

~~~
# <VirtualHost :80/> is generated by bin/generate_apacheconf
Include /opt/eprints3/cfg/apache/quteprints.conf

<VirtualHost MailScanner warning: numerical links are often malicious: 131.181.186.218:443<http://131.181.186.218:443>>
  ServerName ...
  # ...etc...

  SSLCertificateFile ...
  # ...etc...

  # EPrints configuration created by bin/generate_apacheconf
  PerlTransHandler +EPrints::Apache::Rewrite
  Include /opt/eprints3/cfg/apache_ssl/quteprints.conf

  # Include additional archive-specific configuration
  Include /opt/eprints3/archives/quteprints/cfg/apachevhost_ssl.conf

  # All future navigation to the site should be to https://
  # Times: 31536000 = 365 days
  #         2419200 = 28 days
  Header set Strict-Transport-Security "max-age=2419200"
</VirtualHost>
~~~

It's a pretty broad stroke, but it gets it done.

HTH
--
  Matthew Kerwin
  http://matthew.kerwin.net.au/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20170901/303e4bdf/attachment.html

References:
- [EP-tech] SSL (HTTPS) only for an EPrints repository
  - From: Tomasz.Neugebauer at concordia.ca (Tomasz Neugebauer)
- [EP-tech] SSL (HTTPS) only for an EPrints repository
  - From: matthew at kerwin.net.au (Matthew Kerwin)
- [EP-tech] SSL (HTTPS) only for an EPrints repository
  - From: Tomasz.Neugebauer at concordia.ca (Tomasz Neugebauer)
- [EP-tech] SSL (HTTPS) only for an EPrints repository
  - From: matthew at kerwin.net.au (Matthew Kerwin)

Prev by Date: [EP-tech] Mime Types
Next by Date: [EP-tech] Simple search not working
Previous by thread: [EP-tech] SSL (HTTPS) only for an EPrints repository
Next by thread: [EP-tech] Fixity Check and EPrints - Digital Preservation
Index(es):
- Date
- Thread