EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #06794


< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First

Re: [EP-tech] SSL (HTTPS) only for an EPrints repository


Hi Tomasz,

In the non-secure virtual host, the following line will redirect all traffic.

This will redirect clients that don't honour the HSTS headers, as well as pointing clients in the right direction in the first place.

Whilst testing, you might want to leave out the 'permanent' part.

 

<VirtualHost *:80>

...

   Redirect permanent / https://your.repo/

</VirtualHost>

 

Matthew,

I'm guesing you have something similar somewhere in you :80 vhost?

If not, and the HSTS headers are only sent for the :443 vhost, how does the initial redirect work?

 

Cheers,

John

 

 

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Matthew Kerwin
Sent: 25 August 2017 00:59
To: eprints-tech@ecs.soton.ac.uk
Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository

 


On 25 August 2017 at 06:30, Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca> wrote:
> Thank you, Matthew!  We have HTTPS working, with the apache config, but the
> repository allows users to access “browse/abstract” pages with HTTP as well.
> Since we have a search box in our header, Chrome will soon start warning
> that inputting any text on an HTTP connection is not secure.
>
>
> I was looking at this Google page which recommends HSTS as well:
> https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951
>
> I think that is what we need to implement, I’m just not sure how to do that
> yet.
>
> I noticed that when I try to access a QUT ePrints page with HTTP, it
> switches over to HTTPS, for example, going here :
> http://eprints.qut.edu.au/view/thesis/phd/ , you end up
> https://eprints.qut.edu.au/view/thesis/phd/
>
> Does that mean that QUT ePrints is supporting HSTS?
>

Yep, if you look at the response for a HTTPS request you'll see a header like:

~~~
Strict-Transport-Security: max-age=2419200
~~~

I'm not sure how other sites have their .confs organised, but we have in /etc/httpd/conf.d/ a core 'eprints.conf' which sets up the modperl environment (PerlModule,PerlSwitches,etc.), and then repo-specific configs which we keep in version control.

The one for QUT ePrints looks like this:

~~~
# <VirtualHost :80/> is generated by bin/generate_apacheconf
Include /opt/eprints3/cfg/apache/quteprints.conf

<VirtualHost MailScanner warning: numerical links are often malicious: MailScanner warning: numerical links are often malicious: 131.181.186.218:443>
  ServerName ...
  # ...etc...

  SSLCertificateFile ...

  # ...etc...

  # EPrints configuration created by bin/generate_apacheconf
  PerlTransHandler +EPrints::Apache::Rewrite
  Include /opt/eprints3/cfg/apache_ssl/quteprints.conf

  # Include additional archive-specific configuration
  Include /opt/eprints3/archives/quteprints/cfg/apachevhost_ssl.conf

  # All future navigation to the site should be to https://
  # Times: 31536000 = 365 days
  #         2419200 = 28 days
  Header set Strict-Transport-Security "max-age=2419200"
</VirtualHost>

~~~

It's a pretty broad stroke, but it gets it done.

HTH
--
  Matthew Kerwin
  http://matthew.kerwin.net.au/