EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #06792


Re: [EP-tech] SSL (HTTPS) only for an EPrints repository

Thank you, Matthew!  We have HTTPS working, with the apache config, but the repository allows users to access “browse/abstract” pages with HTTP as well.  Since we have a search box in our header, Chrome will soon start warning that inputting any text on an HTTP connection is not secure.


I was looking at this Google page which recommends HSTS as well: https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951

I think that is what we need to implement; I’m just not sure how to do that yet.

I noticed that when I try to access a QUT ePrints page with HTTP, it switches over to HTTPS. For example, going here: http://eprints.qut.edu.au/view/thesis/phd/, you end up at https://eprints.qut.edu.au/view/thesis/phd/

Does that mean that QUT ePrints is supporting HSTS?







From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Matthew Kerwin
Sent: August-22-17 6:36 PM
To: eprints-tech@ecs.soton.ac.uk
Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository




On 23 Aug. 2017 6:57 am, "Tomasz Neugebauer" <Tomasz.Neugebauer@concordia.ca> wrote:

Google is sending out alerts that it will soon begin to show security warnings in Chrome for any web site that is not SSL (HTTPS).

Our EPrints repository (running 3.3.12) switches over to HTTPS when the user authenticates, but the browse pages are available through HTTP as well.

What is the best way to get EPrints to redirect everything to HTTPS?

I think I remember this question coming up on the list before, but I can’t seem to find any references.




All I remember is that I had to change how eprints generates the Apache config so it added a <Location> chunk for the non-secure root (i.e. "/") inside the :443 VirtualHost, which defined the eprints archive environment variable.


Our repo allows both http and https access, though; if you're going https-everywhere you'll probably have different concerns.





Matthew Kerwin
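
On the question in the message above: a redirect from HTTP to HTTPS and HSTS are separate mechanisms, and HSTS is only in effect when the HTTPS response carries a valid `Strict-Transport-Security` header. The following is an added example, not code from the thread or from EPrints, that classifies a site from its two responses; the function names, the host repo.example.org and the sample responses are constructed for illustration.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is absent or invalid (no max-age, or a repeated directive)."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if name in seen:                 # each directive may appear only once
            return None
        seen[name] = val.strip().strip('"')   # value may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

def classify(http_resp, https_resp):
    """Each response is (status, headers). Returns one of:
    "hsts", "hsts-without-redirect", "redirect-only", "http-served"."""
    status, headers = http_resp
    plain = {k.lower(): v for k, v in headers.items()}
    redirects = (status in (301, 302, 303, 307, 308)
                 and plain.get("location", "").lower().startswith("https://"))
    # Browsers ignore this header on plain HTTP, so only the HTTPS reply counts.
    secure = {k.lower(): v for k, v in https_resp[1].items()}
    policy = parse_hsts(secure.get("strict-transport-security", ""))
    if policy and policy["max_age"] > 0:     # max-age=0 removes the policy
        return "hsts" if redirects else "hsts-without-redirect"
    return "redirect-only" if redirects else "http-served"

# Constructed sample responses (not captured from any real repository).
REDIRECT = (301, {"Location": "https://repo.example.org/view/"})
HTTPS_PLAIN = (200, {"Content-Type": "text/html"})
HTTPS_HSTS = (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    print(classify(REDIRECT, HTTPS_PLAIN))
    print(classify(REDIRECT, HTTPS_HSTS))
```

A site in the "redirect-only" state still serves the first request of every visit over HTTP; with "hsts" the browser upgrades later requests itself for the duration of max-age.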