EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #06795



Re: [EP-tech] SSL (HTTPS) only for an EPrints repository




On 25 Aug. 2017 18:51, "John Salter" <J.Salter@leeds.ac.uk> wrote:

Hi Tomasz,

In the non-secure virtual host, the following line will redirect all traffic.

This will redirect clients that don't honour the HSTS headers, as well as pointing clients in the right direction in the first place.

Whilst testing, you might want to leave out the 'permanent' part.

 

<VirtualHost *:80>
...
   Redirect permanent / https://your.repo/
</VirtualHost>

 

Matthew,

I'm guessing you have something similar somewhere in your :80 vhost?

If not, and the HSTS headers are only sent for the :443 vhost, how does the initial redirect work?

 

Cheers,

John


I've intentionally allowed existing http requests to continue the old fashioned way, mostly because I don't trust that all the robots that interact with the site would be able to cope with a redirect. 😒

For first-time human traffic we mostly rely on good links -- Google prefers to serve up https links, and most (all?) of the links in the site itself ought to be to https urls. Actually, I believe that the stylesheet and image srcs are also https. So while you might be able to fetch a http page once, it'd be very hard to do so a second time if your browser honours HSTS. 

Cheers
-- 
Matthew Kerwin
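
Added example, not part of the original message or of EPrints: a small offline check that compares the two setups discussed in this thread (a redirect on the :80 vhost versus plain http left in place with HSTS sent only over https). The response tuples, the max-age value and the function names are constructed for illustration; the host name your.repo is the placeholder used in the message.

```python
import re
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns a dict, or None when the header is missing or invalid."""
    seen = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue
        if name in seen:                     # a repeated directive invalidates the header
            return None
        seen[name] = val.strip().strip('"')  # max-age may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                          # max-age is required
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

def audit(http_resp, https_resp, host):
    """Each response is (status, headers) with lower-case header names."""
    findings = []
    status, headers = http_resp
    loc = urlsplit(headers.get("location", ""))
    if not (status in (301, 302, 307, 308) and loc.scheme == "https" and loc.hostname == host):
        findings.append("port 80 answers without redirecting to https")
    elif status in (302, 307):
        findings.append("redirect is temporary (Redirect without 'permanent')")
    if "strict-transport-security" in headers:
        findings.append("HSTS header sent over http is ignored by browsers")
    policy = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    if policy is None:
        findings.append("no valid HSTS policy on https")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 makes browsers drop the HSTS entry")
    return findings

# Constructed sample responses for the two setups discussed in the thread.
HSTS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
REDIRECT_ALL = ((301, {"location": "https://your.repo/"}), (200, HSTS))
HTTP_STILL_SERVED = ((200, {}), (200, HSTS))

if __name__ == "__main__":
    for label, (plain, tls) in (("redirect on :80", REDIRECT_ALL),
                                ("http left as-is", HTTP_STILL_SERVED)):
        print(label, "->", audit(plain, tls, "your.repo") or "ok")
```

To check a live site, fill the two tuples from the status line and headers of one request to each port instead of the constructed values.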