EPrints Technical Mailing List Archive
Message: #08818
< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First
Re: [EP-tech] mixed-content warnings
- To: David R Newman <drn@ecs.soton.ac.uk>, "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>
- Subject: Re: [EP-tech] mixed-content warnings
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Date: Thu, 6 Jan 2022 22:49:14 +0000
CAUTION: This e-mail originated outside the University of Southampton.
I did some grep on our configuration files, and found the following instances:
$c->{datacitedoi}{repoid} = $c->{host};
DataCite DOI minting, from the Bazaar, but in configuration file, so simply overwrote with "$c->{securehost}" in our local cfg/cfg.d/z_datacitedoi.pl
$c->{cookie_domain}
= $c->{host};
Not sure what to do with
this one? Should I change that or do something about it, given that {host} is now undefined?
Processor Referrer
$self->{host} = $self->{session}->config( "host" );
Not sure if this would no longer work now that "host" is undef?
Also, not an issue on our repo, but config file on irstats2 has this (optional code, commented out by default and on our repo):
my
$hostname = $session->config( 'host' ) or return 0;
Tomasz
________________________________________________
Tomasz Neugebauer
Tel. / Tél. 514-848-2424 ext. / poste 7738
Mailing address / adresse postale: 1455 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8 library.concordia.ca From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
Sent: Thursday, January 6, 2022 3:34 PM To: David R Newman <drn@ecs.soton.ac.uk>; eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk> Subject: Re: [EP-tech] mixed-content warnings
Hi David,
Thank you for the detailed explanation and all of your work on this.
I did not know if unsetting {host} variable is the recommended way going forward, hence I hesitated, but given that our repository is HTTPS-only with HSTS , running
on 3.4.3, unsetting the {host} to undefined seems like the best way forward. I will do that that. As I wrote, I did notice that this solves the issue on the testing server, it's just that I didn't know if that is a setting that is "supported". These wiki
help pages have the {host} set in the examples:
and I was also unaware of this page:
Let's add a link to the "Simplified HTTPS Configuration" page from some of these others?
I did track down the same line that you referenced (perl_lib/EPrints/URL.pm) while troubleshooting, so it is reassuring that I was on the right track:
if ( EPrints::Utils::is_set( $session->config( "securehost" ) ) && ( $opts{scheme} eq "https" || !EPrints::Utils::is_set( $session->config( "host" ) )"
I will search through our configuration files to make sure that "host" variable isn't used for something without a fallback, but I think that I will not find that. I was more worried about breaking
something in the core by unsetting that {host} variable, so your message was very helpful.
Best wishes,
Tomasz
________________________________________________
Tomasz Neugebauer
Tel. / Tél. 514-848-2424 ext. / poste 7738
Mailing address / adresse postale: 1455 De Maisonneuve Blvd. W., LB-540-03, Montreal, Quebec H3G 1M8 library.concordia.ca From: David R Newman <drn@ecs.soton.ac.uk>
Sent: Thursday, December 23, 2021 8:00 PM To: eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>; Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca> Subject: Re: [EP-tech] mixed-content warnings Attention This email originates from outside the concordia.ca domain. // Ce courriel provient de l'exterieur du domaine de concordia.ca
Hi Tomasz,
Mixed content warnings is something, I have been trying to improve in recent version of EPrints, so new installs should not suffer these problems. However, upgrades will still be problematic. This is because old templates, citations, workflows and even CSS and _javascript_ files may have http URLs in them. This means you really need to go through all these files and seek out http URLs.
The main problem I have found is the use http_url or http_cgiurl in templates citations and even workflows. These should ideally use rel_path and rel_cgipath instead but as this does not give your the full URL it
might be better to use base_url and perl_url instead. However, to make sure that these are https not http, you will need to make sure you have either no or an up to date version of 20_baseurls.pl in your archive's cfg/cfg.d/ (assuming you are running 3.4.1+,
which it sounds like you are). This is because of a change made for 3.4.1 to ensure that base_url and perl_url get configured as https if $c->{securehost} is defined.
It is worth grepping across all of your archive's cfg directory for the string "http:" to route out any hardcoded http URLs.
One of the things I did in recent versions of EPrints is provide a way of reconfiguring 10_core.pl to better/more intuitive enable HTTPS everywhere [1]. This ensures all http URL requests are redirected to https
without needing to have picked up the HSTS header, which require visiting an https URL at least once (and therefore does not work for stateless bots). If you deploy HTTPS everywhere, as well as running generate_apacheconf and reloading the webserver, you
will need to make sure all browse views and abstract pages are regenerated.
As you comment in your email below, you are worried about unsetting $c->{host} as it may break things. I am aware of one issue with this in 3.4.3 core code [2]. However, this is a fairly straightforward fix and
is only a problem if your have multiple languages enabled for your repository. If you use the Repository Links Bazaar plugin [3], that will also require a similar fix. I think there may be one or two other Bazaar plugins that use $c->{host} but I cannot
remember what they are off the top of my head.
if ( EPrints::Utils::is_set( $session->config( "securehost" ) ) && ( $opts{scheme} eq "https" || !EPrints::Utils::is_set( $session->config( "host" ) )
If you have HTTPS everywhere configuration enabled this should ensure HTTPS URLs are always used for things like the thumbnail URLs you describe having a problem with. However, if you are not using HTTPS everywhere configuration you will still get http URLs for thumbnails and similar. I would therefore recommending enabling this and I will see if I can track down the Bazaar plugins that may be affected by $c->{host} being undefined.
The problem with EPrints is it has gone through various iterations of HTTP/HTTPS use:
1. No HTTPS 2. HTTP for public pages and HTTPS for back-end admin pages. 3. HTTPS for all pages
This means as the code has evolved over time how to configure the appropriate URLs in various situation has got progressively more complicated, as way of supporting these different approaches for HTTPS have been
incorporated into ePrints over the year. I go in to a bit of detail about this in the EPrints 3.4.3 release page [5]. I still don't think this is perfect, as there is the potential requirements in Bazaar plugins or bespoke archive code/configuration that
require $c->{host} to be defined. However, after a lot of consideration, the changes I made for 3.4.3 tried to make the best compromise between fixing the mixed content warnings, simplifying URLs config variables and their use and not seriously breaking existing
repositories when they are upgraded.
Regards
David Newman
[1] https://wiki.eprints.org/w/Simplified_HTTPS_Configuration [2] https://github.com/eprints/eprints3.4/issues/118 [3]
http://bazaar.eprints.org/379/ [4] https://github.com/eprints/eprints3.4/blob/master/perl_lib/EPrints/URL.pm#L129 [5] https://wiki.eprints.org/w/EPrints_3.4.3#Configuration_URLs_and_Paths
On 23/12/2021 23:12, Tomasz Neugebauer via Eprints-tech wrote:
|
- Follow-Ups:
- Re: [EP-tech] mixed-content warnings
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Re: [EP-tech] mixed-content warnings
- References:
- [EP-tech] mixed-content warnings
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Re: [EP-tech] mixed-content warnings
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Re: [EP-tech] mixed-content warnings
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- [EP-tech] mixed-content warnings
- Prev by Date: Re: [EP-tech] mixed-content warnings
- Next by Date: Re: [EP-tech] mixed-content warnings
- Previous by thread: [EP-tech] Sort view with creators_name and corp_creators
- Index(es):