EPrints Technical Mailing List Archive

Message: #06792

Re: [EP-tech] SSL (HTTPS) only for an EPrints repository

To: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>
Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
Date: Thu, 24 Aug 2017 20:30:11 +0000

Thank you, Matthew! We have HTTPS working, with the apache config, but the repository allows users to access “browse/abstract” pages with HTTP as well. Since we have a search box in our header, Chrome will soon start warning that inputting any text on an HTTP connection is not secure.

I was looking at this Google page which recommends HSTS as well: https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951

I think that is what we need to implement, I’m just not sure how to do that yet.

I noticed that when I try to access a QUT ePrints page with HTTP, it switches over to HTTPS, for example, going here : http://eprints.qut.edu.au/view/thesis/phd/ , you end up https://eprints.qut.edu.au/view/thesis/phd/

Does that mean that QUT ePrints is supporting HSTS?

Tomasz

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Matthew Kerwin
Sent: August-22-17 6:36 PM
To: eprints-tech@ecs.soton.ac.uk
Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository

On 23 Aug. 2017 6:57 am, "Tomasz Neugebauer" <Tomasz.Neugebauer@concordia.ca> wrote:

Google is sending out alerts that it will soon begin to show security warnings in Chrome for any web site that is not SSL (HTTPS).

Our EPrints repository (running 3.3.12) switches over to HTTPS when the user authenticates, but the browse pages are available through HTTP as well.

What is the best way to get EPrints to redirect everything to HTTPS?

I think I remember this question coming up on the list before, but I can’t seem to find any references.

Thanks!

Tomasz

All I remember is that I had to change how eprints generates the Apache config so it added a <Location> chunk for the non-secure root (i.e. "/") inside the :443 VirtualHost, which defined the eprints archive environment variable.

Our repo allows both http and https access, though; if you're going https-everywhere you'll probably have different concerns.

Cheers

Matthew Kerwin

References:
- [EP-tech] SSL (HTTPS) only for an EPrints repository
  - From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
  - From: Matthew Kerwin <matthew@kerwin.net.au>

Prev by Date: [EP-tech] Fixity Check and EPrints - Digital Preservation
Next by Date: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
Previous by thread: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
Next by thread: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
Index(es):
- Date
- Thread