[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[EP-tech] mixed-content warnings

Hi Tomasz,

Mixed content warnings is something, I have been trying to improve in 
recent version of EPrints, so new installs should not suffer these 
problems.?? However, upgrades will still be problematic.? This is 
because old templates, citations, workflows and even CSS and Javascript 
files may have http URLs in them. This means you really need to go 
through all these files and seek out http URLs.

The main problem I have found is the use http_url or http_cgiurl in 
templates citations and even workflows.? These should ideally use 
rel_path and rel_cgipath instead but as this does not give your the full 
URL it might be better to use base_url and perl_url instead.? However, 
to make sure that these are https not http, you will need to make sure 
you have either no or an up to date version of 20_baseurls.pl in your 
archive's cfg/cfg.d/ (assuming you are running 3.4.1+, which it sounds 
like you are).? This is because of a change made for 3.4.1 to ensure 
that base_url and perl_url get configured as https if $c->{securehost} 
is defined.

It is worth grepping across all of your archive's cfg directory for the 
string "http:" to route out any hardcoded http URLs.

One of the things I did in recent versions of EPrints is provide a way 
of reconfiguring 10_core.pl to better/more intuitive enable HTTPS 
everywhere [1].? This ensures all http URL requests are redirected to 
https without needing to have picked up the HSTS header, which require 
visiting an https URL at least once (and therefore does not work for 
stateless bots).? If you deploy HTTPS everywhere, as well as running 
generate_apacheconf and reloading the webserver, you will need to make 
sure all browse views and abstract pages are regenerated.

As you comment in your email below, you are worried about unsetting 
$c->{host} as it may break things.? I am aware of one issue with this in 
3.4.3 core code [2].? However, this is a fairly straightforward fix and 
is only a problem if your have multiple languages enabled for your 
repository.? If you use the Repository Links Bazaar plugin [3], that 
will also require a similar fix.? I think there may be one or two other 
Bazaar plugins that use $c->{host} but I cannot remember what they are 
off the top of my head.

If you look at perl_lib/EPrints/URL.pm line 129 [4] you should see the line:

if ( EPrints::Utils::is_set( $session->config( "securehost" ) ) && ( 
$opts{scheme} eq "https" || !EPrints::Utils::is_set( $session->config( 
"host" ) )

If you have HTTPS everywhere configuration enabled this should ensure 
HTTPS URLs are always used for things like the thumbnail URLs you 
describe having a problem with.? However, if you are not using HTTPS 
everywhere configuration you will still get http URLs for thumbnails and 
similar.? I would therefore recommending enabling this and I will see if 
I can track down the Bazaar plugins that may be affected by $c->{host} 
being undefined.

The problem with EPrints is it has gone through various iterations of 


2. HTTP for public pages and HTTPS for back-end admin pages.

3. HTTPS for all pages

This means as the code has evolved over time how to configure the 
appropriate URLs in various situation has got progressively more 
complicated, as way of supporting these different approaches for HTTPS 
have been incorporated into ePrints over the year.? I go in to a bit of 
detail about this in the EPrints 3.4.3 release page [5].? I still don't 
think this is perfect, as there is the potential requirements in Bazaar 
plugins or bespoke archive code/configuration that require $c->{host} to 
be defined. However, after a lot of consideration, the changes I made 
for 3.4.3 tried to make the best compromise between fixing the mixed 
content warnings, simplifying URLs config variables and their use and 
not seriously breaking existing repositories when they are upgraded.


David Newman

[1] https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.eprints.org%2Fw%2FSimplified_HTTPS_Configuration&data=04%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C355ec7272f1f49c7062808d9c678c247%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637759044214480906%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=cJ1CwqJkv6fWL9%2FXmArWx5vcMhxIiHWIlP4ckLRuFWo%3D&reserved=0

[2] https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Feprints%2Feprints3.4%2Fissues%2F118&data=04%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C355ec7272f1f49c7062808d9c678c247%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637759044214480906%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=MHQQBMqsaJ6uHo5Zq38edh%2BOv3MfSVTmdWg6g7%2Fr9b8%3D&reserved=0

[3] https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fbazaar.eprints.org%2F379%2F&data=04%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C355ec7272f1f49c7062808d9c678c247%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637759044214480906%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=gnuqOnS3uZ77ylDIku%2BM3B7sZhldJFVsMdnW6uFF49E%3D&reserved=0


[5] https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.eprints.org%2Fw%2FEPrints_3.4.3%23Configuration_URLs_and_Paths&data=04%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C355ec7272f1f49c7062808d9c678c247%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637759044214480906%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=2g9lHC8Yrx2znRdvxokGFxexdxckgg4H%2B8L70pCwVss%3D&reserved=0

On 23/12/2021 23:12, Tomasz Neugebauer via Eprints-tech wrote:
> *CAUTION:* This e-mail originated outside the University of Southampton.
> I thought? that I resolved all of the "mixed content" warnings on our 
> repository a while back, but after a recent upgrade from 3.3.12 to 
> 3.4.3, I noticed that I have some mixed content warnings again, 
> specifically on the thumbnails on the abstract pages.? I might have 
> missed some of these warning before, though, so this might not be a 
> new issue after the upgrade.
> Because I have HSTS headers, the browser redirects those those 
> requests to HTTPS, but I would like to fix it.? Both the SRC and the 
> HREF of the thumbnails for PDFs are referenced as HTTP instead of 
> HTTPS.? The only thing that fixed it during my testing was if I was to 
> remove (comment out) " the $c->{host}line/ariable in 10_core.pl
> That resolves the issue, but I'm worried to apply this change because 
> I don't know if something else might rely on that variable.
> I spent a good part of a day trying to follow the code, and I know 
> that the {scheme} variable in URL.pm doesn't get properly set to https 
> in the case of the thumbnails, but the code is so confusing when it 
> comes to the thumbnail URLs that I can't figure out why.? I do have a 
> suspicion that there is a bug in the core code somewhere, but perhaps 
> it is something in our own configuration.
> I know this issue is not new to this list, in fact, I wrote the first 
> drafts of the HSTS page on the Wiki 
> (https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.eprints.org%2Fw%2FHTTPS-only_and_HSTS&data=04%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C355ec7272f1f49c7062808d9c678c247%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637759044214490850%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=H8%2Fcm5vjgrubiTE3tDl%2BODXx5ZCCtVua0O9GHSybUs4%3D&reserved=0 
> <https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.eprints.org%2Fw%2FHTTPS-only_and_HSTS&amp;data=04%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C355ec7272f1f49c7062808d9c678c247%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637759044214490850%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=H8%2Fcm5vjgrubiTE3tDl%2BODXx5ZCCtVua0O9GHSybUs4%3D&amp;reserved=0>), 
> but looking through the updated page there and any recent exchanges 
> that relate to this didn't help me figure it out.
> Let me know if you have any ideas?
> Best wishes,
> Tomasz
> *** Options:http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> *** Archive:https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.eprints.org%2Ftech.php%2F&amp;data=04%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C355ec7272f1f49c7062808d9c678c247%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637759044214490850%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=N5E3xk1gp791pizs6%2BXfGqtJQSnjhXF5ftvu5wKHmIM%3D&amp;reserved=0
> *** EPrints community wiki:https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwiki.eprints.org%2F&amp;data=04%7C01%7Ceprints-tech%40ecs.soton.ac.uk%7C355ec7272f1f49c7062808d9c678c247%7C4a5378f929f44d3ebe89669d03ada9d8%7C0%7C0%7C637759044214490850%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=pKvEkcTNEk9ew6fsfJ9H8S91OT21N%2BR3GjCxLJdhJw0%3D&amp;reserved=0

This email has been checked for viruses by AVG.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachments/20211224/8a37b282/attachment-0001.html