EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #07146



Re: [EP-tech] HTTPS multiple archives


Hi Jimmy,
I think you need two VHost definitions.
Both will link to the same certificate etc., but the ArchiveID will be different.

<VirtualHost *:443>
ServerName aaa.domain.com
### some other options
SSLEngine on
SSLCertificateFile /path/to/wildcard.domain.com.crt
SSLCertificateKeyFile /path/to/wildcard.domain.com.key
SSLCertificateChainFile /path/to/wildcard.domain.com-chain.crt
SSLProtocol All -SSLv2 -SSLv3
<Location "">
PerlSetVar EPrints_ArchiveID ARCHIVEID_AAA
PerlSetVar EPrints_Secure yes
Options +ExecCGI
# more options
</Location>
PerlTransHandler +EPrints::Apache::Rewrite
</VirtualHost>

<VirtualHost *:443>
ServerName bbb.domain.com
### some other options
SSLEngine on
SSLCertificateFile /path/to/wildcard.domain.com.crt
SSLCertificateKeyFile /path/to/wildcard.domain.com.key
SSLCertificateChainFile /path/to/wildcard.domain.com-chain.crt
SSLProtocol All -SSLv2 -SSLv3
<Location "">
PerlSetVar EPrints_ArchiveID ARCHIVEID_BBB
PerlSetVar EPrints_Secure yes
Options +ExecCGI
# more options
</Location>
PerlTransHandler +EPrints::Apache::Rewrite
</VirtualHost>

Cheers,
John
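
The scoping point in this reply can be checked mechanically. The following is an added example, not part of the original thread or of EPrints: it scans merged Apache config text and reports where `EPrints_ArchiveID` is set outside any `<VirtualHost>`, set more than once inside one, or shared by several server names. The `audit` function and the sample config are constructed for illustration and reuse the placeholder names from the messages.

```python
import re
from collections import defaultdict

# Constructed sample: a bare <Location> as in the per-archive include file,
# a vhost that picked up two archive IDs, and one correctly scoped vhost.
SAMPLE = """
<Location "">
  PerlSetVar EPrints_ArchiveID repoid
</Location>
<VirtualHost *:443>
  ServerName aaa.domain.com
  <Location "">
    PerlSetVar EPrints_ArchiveID ARCHIVEID_AAA
  </Location>
  <Location "">
    PerlSetVar EPrints_ArchiveID ARCHIVEID_BBB
  </Location>
</VirtualHost>
<VirtualHost *:443>
  ServerName bbb.domain.com
  <Location "">
    PerlSetVar EPrints_ArchiveID ARCHIVEID_BBB
  </Location>
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
ARCHIVE = re.compile(r"^\s*PerlSetVar\s+EPrints_ArchiveID\s+(\S+)", re.M | re.I)

def audit(conf):
    """Return a list of scoping problems found in merged Apache config text."""
    conf = re.sub(r"^\s*#.*$", "", conf, flags=re.M)      # ignore comment lines
    problems, hosts_by_id = [], defaultdict(set)
    for archive in ARCHIVE.findall(VHOST.sub("", conf)):   # text outside any vhost
        problems.append(f"global scope sets EPrints_ArchiveID {archive}")
    for _addr, body in VHOST.findall(conf):
        name = (NAME.findall(body) or ["(no ServerName)"])[0]
        ids = sorted(set(ARCHIVE.findall(body)))
        if len(ids) > 1:
            problems.append(f"{name} sets several archive IDs: {', '.join(ids)}")
        for archive in ids:
            hosts_by_id[archive].add(name)
    for archive, names in sorted(hosts_by_id.items()):
        if len(names) > 1:
            problems.append(f"{archive} is served by {', '.join(sorted(names))}")
    return problems

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means every archive ID is set exactly once, inside the vhost of a single server name, which is the layout shown above.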

-----Original Message-----
From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Jimmy Girard-Nault
Sent: 09 February 2018 13:39
To: eprints-tech@ecs.soton.ac.uk
Subject: Re: [EP-tech] HTTPS multiple archives

Hi and thanks for your reply.

I've got the option b) Two sub-domains... I have the file apache_ssl.conf which contains one line:  Include /eprints3/cfg/apache_ssl/*.conf.
Then in  /eprints3/cfg/apache_ssl/ I have a config file for the two sub-domains which looks like: 

<Location "">
    PerlSetVar EPrints_ArchiveID repoid
    PerlSetVar EPrints_Secure yes

    Options +ExecCGI
    <IfModule mod_authz_core.c>
       Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
       Order allow,deny
       Allow from all
    </IfModule>
  </Location>

I think this is where the issue comes from, as the two archives load both files and set the same PerlSetVar EPrints_ArchiveID repoid?

Thanks.

Jimmy Girard-Nault, M. Sc.
IT and technology project lead
Information Technology Services
Room P2-8190
Université du Québec à Chicoutimi
555, boul. de l'Université
Chicoutimi (Québec) G7H 2B1

418 545-5011, ext. 2217
jimmy_girard-nault@uqac.ca

-----Original Message-----
From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of John Salter
Sent: 9 February 2018 04:59
To: eprints-tech@ecs.soton.ac.uk
Subject: Re: [EP-tech] HTTPS multiple archives

Hi Jimmy,

I think you need one of the following:
a) Two IP addresses - one for each site - signed with 'traditional' certificates
b) Two sub-domains e.g. aaa.domain.com and bbb.domain.com - signed with a wildcard certificate for *.domain.com
c) A certificate that uses SNI (Server Name Indication), which lists each of the domains used.

We use option c, and have config as below - which references a certificate that has both domains as Subject Alternate Names.
The Let's Encrypt service is useful here - especially on dev/staging machines. See: https://wiki.eprints.org/w/Setting_up_HTTPS_using_Let%27s_Encrypt

Let me know how you get on!
Cheers,
John

<VirtualHost *:443>
  ServerName aaa.domain.com
  ServerAdmin J.Salter@leeds.ac.uk
... 

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/path/to/certificate.cert"
  SSLCertificateKeyFile   "/path/to/key.key"
  SSLCertificateChainFile "/path/to/chain.crt"
  SSLCACertificatePath    "/path/to/cert"
  SSLProtocol             #options as required

<Location "">
  PerlSetVar EPrints_ArchiveID ARCHIVEID_AAA
  PerlSetVar EPrints_Secure yes
  Options +ExecCGI
  Order allow,deny
  Allow from all
</Location>
PerlTransHandler +EPrints::Apache::Rewrite
</VirtualHost>

For the second domain

<VirtualHost *:443>
  ServerName bbb.domain.com

### all the same stuff as above - SSL directives etc.

<Location "">
  PerlSetVar EPrints_ArchiveID ARCHIVEID_BBB
  PerlSetVar EPrints_Secure yes
  Options +ExecCGI
  Order allow,deny
  Allow from all
</Location>
PerlTransHandler +EPrints::Apache::Rewrite
</VirtualHost>


-----Original Message-----
From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Yuri
Sent: 09 February 2018 07:09
To: eprints-tech@ecs.soton.ac.uk
Subject: Re: [EP-tech] HTTPS multiple archives

Can you post your config? Anyway, multiple https on the same apache means you've to use different ip because of the certificate.

On 08/02/2018 17:49, Jimmy Girard-Nault wrote:
>
> Hi all,
>
> I'm facing an issue when I try to configure HTTPS (I've been following 
> this tuto : https://wiki.eprints.org/w/How_to_use_EPrints_with_HTTPS).
>
> First of all, when I had only one archive, everything was working fine.
>
> The issue came when I added another archive : when I try to reach the 
> first one with its URL, it shows up the other recently added archive.
> So now both https urls show up the same archive.
>
> Has anyone already experienced this? Do you need more details 
> from my config? I'm using EPrints 3.3.15
>
> Thanks in advance,
>
> Regards
>
> **
>
> *Jimmy*
>
>
>
> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> *** Archive: http://www.eprints.org/tech.php/
> *** EPrints community wiki: http://wiki.eprints.org/
> *** EPrints developers Forum: http://forum.eprints.org/


*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/
*** EPrints developers Forum: http://forum.eprints.org/