[EP-tech] SSL (HTTPS) only for an EPrints repository
Thanks again, Matthew, for sharing your solution.
It seems very straightforward; the only thing is that I will have to configure our Apache to understand the Header command first?
Have a great weekend,
From: eprints-tech-bounces at ecs.soton.ac.uk [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of Matthew Kerwin
Sent: August-24-17 7:59 PM
To: eprints-tech at ecs.soton.ac.uk
Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
On 25 August 2017 at 06:30, Tomasz Neugebauer <Tomasz.Neugebauer at concordia.ca> wrote:
> Thank you, Matthew! We have HTTPS working, with the apache config, but the
> repository allows users to access 'browse/abstract' pages with HTTP as well.
> Since we have a search box in our header, Chrome will soon start warning
> that inputting any text on an HTTP connection is not secure.
> I was looking at this Google page which recommends HSTS as well:
> I think that is what we need to implement, I'm just not sure how to do that
> I noticed that when I try to access a QUT ePrints page with HTTP, it
> switches over to HTTPS, for example, going here :
> http://eprints.qut.edu.au/view/thesis/phd/ , you end up
> Does that mean that QUT ePrints is supporting HSTS?
Yep, if you look at the response for an HTTPS request you'll see a header like:
I'm not sure how other sites have their .confs organised, but we have in /etc/httpd/conf.d/ a core 'eprints.conf' which sets up the modperl environment (PerlModule,PerlSwitches,etc.), and then repo-specific configs which we keep in version control.
The one for QUT ePrints looks like this:
# <VirtualHost :80/> is generated by bin/generate_apacheconf
<VirtualHost 184.108.40.206:443>
# EPrints configuration created by bin/generate_apacheconf
# Include additional archive-specific configuration
# All future navigation to the site should be to https://
# Times: 31536000 = 365 days
# 2419200 = 28 days
Header set Strict-Transport-Security "max-age=2419200"
It's a pretty broad stroke, but it gets it done.
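Added example, not part of this thread and not EPrints code: a small Python check that parses the Strict-Transport-Security value the way RFC 6797 defines it (max-age mandatory, repeated directives invalidate the header) and confirms that a plain-HTTP response is a permanent redirect to https:// on the same host. The hostnames and responses are constructed; the 2419200 and 31536000 values are the ones from the config above.

```python
# Added example (not from the EP-tech thread or EPrints): parse the HSTS header
# per RFC 6797 and check an HTTP->HTTPS redirect, with constructed responses.
import re
from urllib.parse import urlsplit
MAX_AGE_28_DAYS = 2419200    # value set in the thread's config
MAX_AGE_365_DAYS = 31536000  # a more usual production value

def parse_hsts(value):
    """Parse an HSTS value; None if malformed (no max-age, duplicate directive)."""
    seen = set()
    out = {"max-age": None, "includesubdomains": False, "preload": False}
    for raw in filter(None, (s.strip() for s in value.split(";"))):
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in seen:  # RFC 6797 s6.1: a repeated directive invalidates the header
            return None
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if not re.fullmatch(r"\d+", val):
                return None
            out["max-age"] = int(val)
        elif name in ("includesubdomains", "preload"):
            out[name] = True  # other directives are ignored, as the RFC allows
    return out if out["max-age"] is not None else None

def redirects_to_https(status, location, host):
    """True when a plain-HTTP request is sent permanently to https:// on the same host."""
    if status not in (301, 308) or not location:
        return False
    u = urlsplit(location)
    return u.scheme == "https" and u.hostname == host

def hsts_findings(value, min_age=MAX_AGE_365_DAYS):
    """List the problems with an HSTS header value; empty means it passes."""
    p = parse_hsts(value)
    if p is None:
        return ["malformed header or missing max-age"]
    findings = []
    if p["max-age"] == 0:
        findings.append("max-age=0 disables HSTS")
    elif p["max-age"] < min_age:
        findings.append("max-age below %d seconds" % min_age)
    if not p["includesubdomains"]:
        findings.append("includeSubDomains not set")
    return findings

if __name__ == "__main__":  # constructed sample: what :80 and :443 might return
    print(redirects_to_https(301, "https://repo.example.org/view/", "repo.example.org"))
    print(hsts_findings("max-age=%d" % MAX_AGE_28_DAYS))
```

Run against the 28-day value from the config above it reports the short max-age and the missing includeSubDomains, which is the trade-off behind "a pretty broad stroke".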