EPrints Technical Mailing List Archive
See the EPrints wiki for instructions on how to join this mailing list and related information.
Message: #06793
< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First
Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- To: eprints-tech@ecs.soton.ac.uk
- Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- From: Matthew Kerwin <matthew@kerwin.net.au>
- Date: Fri, 25 Aug 2017 09:59:21 +1000
On 25 August 2017 at 06:30, Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca> wrote:
> Thank you, Matthew! We have HTTPS working, with the apache config, but the
> repository allows users to access “browse/abstract” pages with HTTP as well.
> Since we have a search box in our header, Chrome will soon start warning
> that inputting any text on an HTTP connection is not secure.
>
>
> I was looking at this Google page which recommends HSTS as well:
> https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951
>
> I think that is what we need to implement, I’m just not sure how to do that
> yet.
>
> I noticed that when I try to access a QUT ePrints page with HTTP, it
> switches over to HTTPS, for example, going here :
> http://eprints.qut.edu.au/view/thesis/phd/ , you end up
> https://eprints.qut.edu.au/view/thesis/phd/
>
> Does that mean that QUT ePrints is supporting HSTS?
>
Yep, if you look at the response for a HTTPS request you'll see a header like:
~~~
Strict-Transport-Security: max-age=2419200
~~~
I'm not sure how other sites have their .confs organised, but we have in /etc/httpd/conf.d/ a core 'eprints.conf' which sets up the modperl environment (PerlModule,PerlSwitches,etc.), and then repo-specific configs which we keep in version control.
The one for QUT ePrints looks like this:
~~~
# <VirtualHost :80/> is generated by bin/generate_apacheconf
Include /opt/eprints3/cfg/apache/quteprints.conf
<VirtualHost MailScanner warning: numerical links are often malicious: 131.181.186.218:443>
ServerName ...
# ...etc...
SSLCertificateFile ...
# ...etc...
# EPrints configuration created by bin/generate_apacheconf
PerlTransHandler +EPrints::Apache::Rewrite
Include /opt/eprints3/cfg/apache_ssl/quteprints.conf
# Include additional archive-specific configuration
Include /opt/eprints3/archives/quteprints/cfg/apachevhost_ssl.conf
# All future navigation to the site should be to https://
# Times: 31536000 = 365 days
# 2419200 = 28 days
Header set Strict-Transport-Security "max-age=2419200"
</VirtualHost>
~~~
It's a pretty broad stroke, but it gets it done.
HTH
--
Matthew Kerwin
http://matthew.kerwin.net.au/
# EPrints configuration created by bin/generate_apacheconf
PerlTransHandler +EPrints::Apache::Rewrite
Include /opt/eprints3/cfg/apache_ssl/quteprints.conf
# Include additional archive-specific configuration
Include /opt/eprints3/archives/quteprints/cfg/apachevhost_ssl.conf
# All future navigation to the site should be to https://
# Times: 31536000 = 365 days
# 2419200 = 28 days
Header set Strict-Transport-Security "max-age=2419200"
</VirtualHost>
~~~
It's a pretty broad stroke, but it gets it done.
HTH
--
Matthew Kerwin
http://matthew.kerwin.net.au/
- References:
- [EP-tech] SSL (HTTPS) only for an EPrints repository
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- From: Matthew Kerwin <matthew@kerwin.net.au>
- Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- [EP-tech] SSL (HTTPS) only for an EPrints repository
- Prev by Date: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- Next by Date: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- Previous by thread: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- Next by thread: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- Index(es):