[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[EP-tech] SSL (HTTPS) only for an EPrints repository



Thanks to Matthew and John for your help.

I thought I would report back to the list about this, now that I got all of this working on our repository:


?         HSTS Headers on HTTPS

?         Fixed ?Mixed Content? warnings/errors

?         All ?internal? links point to HTTPS locations

?         301 Redirects from HTTP to HTTPS

That follows the best practice specified here, by Google: https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951

To make that happen, I had to do the following:


1.       Changes to /cfg.d/10_core.pl:

Initialize the following two variables to be the https URL (i.e., https://spectrum.library.concordia.ca)

$c->{http_url}
$c->{http_cgiurl}
$c->{base_url}


2.       Changes to /cfg/lang/en/templates/default.xml, and /cfg/lang/en/static .XPAGE files


?         Remove any hard coded links to HTTP

?         We have Google Search included here as XPAGE files calling on the Google API which I needed to switch to HTTPS


3.       Add a new include apache-ssl CONF file to /repoid/cfg/ that has the HSTS header:


?         Header set Strict-Transport-Security "max-age=15780000"



?         Include this file from the core apache declaration.

I consulted this page (thanks to Justin): https://wiki.eprints.org/w/Setting_up_HTTPS_using_Let%27s_Encrypt , which was helpful in making me realize I need a new conf file.  A new file was required because /bin/generate_apacheconf (https://wiki.eprints.org/w/API:bin/generate_apacheconf) overwrites any of the conf files that were already being included, and I was trying to avoid modifying this script.



4.       Modify the default port 80 response in the apache config to redirect all port 80 (HTTP) requests to port 443 (HTTPS), using the same redirect suggested by John.

I ended up doing this in one of the conf files that is generated by /bin/generate_apacheconf, which means that I will have to re-apply this redirect if/when I need to re-run this script.  This is not ideal, but it was the simplest solution I could find, given the structure of the files generated by /generate_apacheconf.   I think that this script (generate_apacheconf) should have some new flags, something like ?--sslonly? and ?--hsts? , which would generate the correct apache config files for a repository that follows the Google best practice of HTTPS-only with HSTS.


To summarize how HSTS works, if a browser (Chrome, Firefix, IE) sees the HSTS header in the response, and there are no certificate errors or mixed content warnings or anything (if it is green), then the next time a user of that browser requests the HTTP page of that site, the browser will modify the request to a HTTPS request and will not issue the HTTP request.   The browser will remember that setting for as long as you specify ?max-age? to be.  This means that even with HSTS, it is still possible to request and receive content over HTTP.  To close that down, a server redirect is necessary, so those browsers that haven?t seen the HSTS header in the past that happen to try to go to HTTP will get that initial redirect to HTTPS.

Let me know if you have any thoughts or ideas to share about any of that; I hope this information ends up being helpful for others.

Tomasz



________________________________________________
Tomasz Neugebauer
Digital Projects & Systems Development Librarian / Biblioth?caire des Projets Num?riques & D?veloppement de Syst?mes
Library / Biblioth?que
Concordia University / Universit? Concordia
Tel. / T?l. 514-848-2424 ext. / poste 7738
Email / courriel: tomasz.neugebauer at concordia.ca<mailto:tomasz.neugebauer at concordia.ca>
Mailing address / adresse postale: 1455 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8
Street address / adresse municipale: 1400 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8
http://library.concordia.ca<http://library.concordia.ca/>
http://www.concordia.ca/faculty/tomasz-neugebauer.html









From: eprints-tech-bounces at ecs.soton.ac.uk [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of John Salter
Sent: August-25-17 4:35 AM
To: eprints-tech at ecs.soton.ac.uk
Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository

Hi Tomasz,
In the non-secure virtual host, the following line will redirect all traffic.
This will redirect clients that don't honour the HSTS headers, as well as pointing clients in the right direction in the first place.
Whilst testing, you might want to leave out the 'permanent' part.

<VirtualHost *:80>
...
   Redirect permanent / https://your.repo/
</VirtualHost>

Matthew,
I'm guesing you have something similar somewhere in you :80 vhost?
If not, and the HSTS headers are only sent for the :443 vhost, how does the initial redirect work?

Cheers,
John


From: eprints-tech-bounces at ecs.soton.ac.uk<mailto:eprints-tech-bounces at ecs.soton.ac.uk> [mailto:eprints-tech-bounces at ecs.soton.ac.uk] On Behalf Of Matthew Kerwin
Sent: 25 August 2017 00:59
To: eprints-tech at ecs.soton.ac.uk<mailto:eprints-tech at ecs.soton.ac.uk>
Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository


On 25 August 2017 at 06:30, Tomasz Neugebauer <Tomasz.Neugebauer at concordia.ca<mailto:Tomasz.Neugebauer at concordia.ca>> wrote:
> Thank you, Matthew!  We have HTTPS working, with the apache config, but the
> repository allows users to access ?browse/abstract? pages with HTTP as well.
> Since we have a search box in our header, Chrome will soon start warning
> that inputting any text on an HTTP connection is not secure.
>
>
> I was looking at this Google page which recommends HSTS as well:
> https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951
>
> I think that is what we need to implement, I?m just not sure how to do that
> yet.
>
> I noticed that when I try to access a QUT ePrints page with HTTP, it
> switches over to HTTPS, for example, going here :
> http://eprints.qut.edu.au/view/thesis/phd/ , you end up
> https://eprints.qut.edu.au/view/thesis/phd/
>
> Does that mean that QUT ePrints is supporting HSTS?
>

Yep, if you look at the response for a HTTPS request you'll see a header like:

~~~
Strict-Transport-Security: max-age=2419200
~~~

I'm not sure how other sites have their .confs organised, but we have in /etc/httpd/conf.d/ a core 'eprints.conf' which sets up the modperl environment (PerlModule,PerlSwitches,etc.), and then repo-specific configs which we keep in version control.

The one for QUT ePrints looks like this:

~~~
# <VirtualHost :80/> is generated by bin/generate_apacheconf
Include /opt/eprints3/cfg/apache/quteprints.conf

<VirtualHost [IP]:443>
  ServerName ...
  # ...etc...

  SSLCertificateFile ...
  # ...etc...

  # EPrints configuration created by bin/generate_apacheconf
  PerlTransHandler +EPrints::Apache::Rewrite
  Include /opt/eprints3/cfg/apache_ssl/quteprints.conf

  # Include additional archive-specific configuration
  Include /opt/eprints3/archives/quteprints/cfg/apachevhost_ssl.conf

  # All future navigation to the site should be to https://
  # Times: 31536000 = 365 days
  #         2419200 = 28 days
  Header set Strict-Transport-Security "max-age=2419200"
</VirtualHost>
~~~

It's a pretty broad stroke, but it gets it done.

HTH
--
  Matthew Kerwin
  http://matthew.kerwin.net.au/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20170926/4b4b1047/attachment-0001.html