EPrints Technical Mailing List Archive
See the EPrints wiki for instructions on how to join this mailing list and related information.
Message: #06869
Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- To: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>
- Subject: Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Date: Wed, 27 Sep 2017 16:31:49 +0000
I was asked to add this information to the wiki, so I have added a new page here: https://wiki.eprints.org/w/HTTPS-only_and_HSTS

Please feel free to modify/add/delete as needed.

Best wishes,
Tomasz

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Tomasz Neugebauer

Thanks to Matthew and John for your help. I thought I would report back to the list about this, now that I got all of this working on our repository:

- HSTS Headers on HTTPS
- Fixed “Mixed Content” warnings/errors
- All ‘internal’ links point to HTTPS locations
- 301 Redirects from HTTP to HTTPS

That follows the best practice specified here, by Google: https://support.google.com/webmasters/answer/6073543?hl=en&ref_topic=6001951

To make that happen, I had to do the following:

1. Changes to /cfg.d/10_core.pl: Initialize the following two variables to be the https URL (i.e., https://spectrum.library.concordia.ca):

       $c->{http_url}
       $c->{http_cgiurl}
       $c->{base_url}

2. Changes to /cfg/lang/en/templates/default.xml, and /cfg/lang/en/static .XPAGE files:
   - Remove any hard coded links to HTTP
   - We have Google Search included here as XPAGE files calling on the Google API, which I needed to switch to HTTPS

3. Add a new include apache-ssl CONF file to /repoid/cfg/ that has the HSTS header:
   - Header set Strict-Transport-Security "max-age=15780000"
   - Include this file from the core apache declaration.

   I consulted this page (thanks to Justin): https://wiki.eprints.org/w/Setting_up_HTTPS_using_Let%27s_Encrypt, which was helpful in making me realize I need a new conf file. A new file was required because /bin/generate_apacheconf (https://wiki.eprints.org/w/API:bin/generate_apacheconf) overwrites any of the conf files that were already being included, and I was trying to avoid modifying this script.

4. Modify the default port 80 response in the apache config to redirect all port 80 (HTTP) requests to port 443 (HTTPS), using the same redirect suggested by John. I ended up doing this in one of the conf files that is generated by /bin/generate_apacheconf, which means that I will have to re-apply this redirect if/when I need to re-run this script. This is not ideal, but it was the simplest solution I could find, given the structure of the files generated by /generate_apacheconf. I think that this script (generate_apacheconf) should have some new flags, something like “--sslonly” and “--hsts”, which would generate the correct apache config files for a repository that follows the Google best practice of HTTPS-only with HSTS.

To summarize how HSTS works: if a browser (Chrome, Firefox, IE) sees the HSTS header in the response, and there are no certificate errors or mixed content warnings or anything (if it is green), then the next time a user of that browser requests the HTTP page of that site, the browser will modify the request to an HTTPS request and will not issue the HTTP request. The browser will remember that setting for as long as you specify “max-age” to be. This means that even with HSTS, it is still possible to request and receive content over HTTP. To close that down, a server redirect is necessary, so those browsers that haven’t seen the HSTS header in the past that happen to try to go to HTTP will get that initial redirect to HTTPS.

Let me know if you have any thoughts or ideas to share about any of that; I hope this information ends up being helpful for others.

Tomasz
________________________________________________
Tomasz Neugebauer
Tel. / Tél. 514-848-2424 ext. / poste 7738
Mailing address / adresse postale: 1455 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8
http://library.concordia.ca

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of John Salter

Hi Tomasz,

In the non-secure virtual host, the following line will redirect all traffic. This will redirect clients that don't honour the HSTS headers, as well as pointing clients in the right direction in the first place. Whilst testing, you might want to leave out the 'permanent' part.

    <VirtualHost *:80>
    ...
    Redirect permanent / https://your.repo/
    </VirtualHost>

Matthew, I'm guessing you have something similar somewhere in your :80 vhost? If not, and the HSTS headers are only sent for the :443 vhost, how does the initial redirect work?

Cheers,
John

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Matthew Kerwin

# ...etc...
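The thread above ends up with two server-side pieces: the Strict-Transport-Security header sent by the :443 vhost, and the permanent redirect sent by the :80 vhost for clients that have not yet seen (or do not honour) HSTS. The following is an added example, not code from the thread or from the EPrints project, that checks both pieces against HTTP responses. It parses the HSTS header with the RFC 6797 directive syntax and flags the two mistakes the thread warns about: a short max-age, and a redirect that is not permanent or does not land on HTTPS. The Response class, the host repo.example.org, the sample responses and the MIN_MAX_AGE threshold (the 15780000 seconds used in the thread) are assumptions made for the example.

```python
"""Added example: audit the HSTS header and the HTTP-to-HTTPS redirect of an
HTTPS-only site. Not part of the EPrints thread or project; the Response
class and all sample responses below are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# max-age used in the thread (about six months); anything shorter is flagged.
MIN_MAX_AGE = 15780000


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, not a real client)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # Header names are case-insensitive in HTTP.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value: str) -> Optional[Dict[str, object]]:
    """Parse a Strict-Transport-Security value into its directives.

    Returns None when max-age is missing or not a non-negative integer;
    browsers treat such a header as invalid and ignore it entirely.
    """
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def check_https_vhost(resp: Response) -> List[str]:
    """Findings for the :443 response: HSTS must be present, valid and long enough."""
    raw = resp.header("Strict-Transport-Security")
    if raw is None:
        return ["no Strict-Transport-Security header on HTTPS response"]
    parsed = parse_hsts(raw)
    if parsed is None:
        return [f"malformed HSTS header: {raw!r}"]
    if parsed["max_age"] < MIN_MAX_AGE:
        return [f"HSTS max-age {parsed['max_age']} is below {MIN_MAX_AGE}"]
    return []


def check_http_vhost(resp: Response, host: str) -> List[str]:
    """Findings for the :80 response: a permanent redirect to HTTPS on the
    same host, so first-time visitors are moved over before HSTS applies."""
    findings: List[str] = []
    if resp.status not in (301, 308):
        findings.append(f"HTTP vhost answered {resp.status}, expected a permanent redirect")
    location = resp.header("Location")
    if location is None:
        findings.append("redirect has no Location header")
        return findings
    target = urlsplit(location)
    if target.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if target.hostname != host:
        findings.append(f"redirect leaves the host: {location}")
    return findings


def audit(host: str, http_resp: Response, https_resp: Response) -> List[str]:
    """Run both checks; an empty list means the setup matches the thread's target."""
    return check_http_vhost(http_resp, host) + check_https_vhost(https_resp)


# Constructed sample responses for a hypothetical host.
GOOD_HTTP = Response(301, {"Location": "https://repo.example.org/"})
GOOD_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=15780000"})
# Two common leftovers from testing: a 302 from a Redirect line without
# 'permanent' (still pointing at http), and a short max-age.
WEAK_HTTP = Response(302, {"Location": "http://repo.example.org/"})
WEAK_HTTPS = Response(200, {"strict-transport-security": "max-age=300; includeSubDomains"})

if __name__ == "__main__":
    for label, http_resp, https_resp in (("good", GOOD_HTTP, GOOD_HTTPS),
                                         ("weak", WEAK_HTTP, WEAK_HTTPS)):
        print(label, audit("repo.example.org", http_resp, https_resp) or "OK")
```

To use it against a live repository, replace the constructed Response objects with the status and headers returned by your HTTP client for http://host/ (without following redirects) and for https://host/; the checks themselves do not need to change.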
- References:
- [EP-tech] SSL (HTTPS) only for an EPrints repository
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- From: Matthew Kerwin <matthew@kerwin.net.au>
- Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- From: Matthew Kerwin <matthew@kerwin.net.au>
- Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- From: John Salter <J.Salter@leeds.ac.uk>
- Re: [EP-tech] SSL (HTTPS) only for an EPrints repository
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- [EP-tech] SSL (HTTPS) only for an EPrints repository