EPrints Technical Mailing List Archive

Message: #09446



RE: [EP-tech] Mixed Content


CAUTION: This e-mail originated outside the University of Southampton.

Internal

 

Forgot to mention that I did a generate_static and then webrestart but still the secure_auto.js is showing http instead of https

 

From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> On Behalf Of Maher Abdellatif Ahmad Qahwash
Sent: Monday, October 2, 2023 8:58 PM
To: eprints-tech@ecs.soton.ac.uk; Agung Prasetyo W. <prazetyo@gmail.com>
Subject: RE: [EP-tech] Mixed Content

 


Warning: This email has been sent from outside KFUPM. Do not open links or attachments unless you are sure they are safe.


Hi David

 

Checking the source gives this:

 

var eprints_http_root = "http://eprints.kfupm.edu.sa";

var eprints_http_cgiroot = "http://eprints.kfupm.edu.sa/cgi";

var eprints_oai_archive_id = "eprints.kfupm.edu.sa";

 

So it is showing http instead of https and the eprints_oai_archive_id value is wrong.  It seems these settings are coming from the secure_auto.js file as they are in that file.

 

secure_auto.js settings which are wrong are:

var eprints_http_root = "http://eprints.kfupm.edu.sa";

var eprints_http_cgiroot = "http://eprints.kfupm.edu.sa/cgi";

var eprints_oai_archive_id = "eprints.kfupm.edu.sa";

 

auto.js settings which are correct are:

 

var eprints_http_root = "https://eprints.kfupm.edu.sa";

var eprints_http_cgiroot = "https://eprints.kfupm.edu.sa/cgi";

var eprints_oai_archive_id = "eprintstest2";

 

We have the following correct settings in the 10_core.pl file:

$c->{http_url} = 'https://eprints.kfupm.edu.sa';

$c->{http_cgiurl} = 'https://eprints.kfupm.edu.sa/cgi';

 

Even if I manually modify the secure_auto.js file with the correct https links and correct archive_id and then restart the webserver still the source is showing http and the wrong archive id.

 

Where are the secure_auto.js settings coming from? I thought it is from the 10_core file?

 

Thanks

Maher

 

 

From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> On Behalf Of David R Newman
Sent: Monday, October 2, 2023 7:45 PM
To: eprints-tech@ecs.soton.ac.uk; Agung Prasetyo W. <prazetyo@gmail.com>
Subject: Re: [EP-tech] Mixed Content

 

Hi Maher,

The issue may be that the JavaScript variables eprints_http_root and eprints_http_cgiroot have not updated.  You can check these by viewing the source of:

https://eprints.kfupm.edu.sa/cgi/users/home?screen=EPrint::Edit&eprintid=142529&stage=files#t

Near the top of the page there should be a script block which contains a load of JS variables.  You should find these look something like:

var eprints_http_root = "https://eprints.kfupm.edu.sa";
var eprints_http_cgiroot = "https://eprints.kfupm.edu.sa/cgi";

If they are still HTTP, then you could try running generate_static and reloading your webserver again and see if this fixes it.  The issue may be that the cached versions of your auto.js and secure_auto.js cannot be deleted.  So before running generate_static it is worth deleting the cached version in your archive at:

ARCHIVE_PATH/html/en/javascript/auto.js

ARCHIVE_PATH/html/en/javascript/secure_auto.js

If the JavaScript variables are already HTTPS then there is another issue.  I have tried switching to the same version of EPrints that you have installed and I have not been able to reproduce this issue as yet.

Regards

David Newman

On 02/10/2023 15:27, Agung Prasetyo W. wrote:

Hi,

 

Maybe you can try to remove crsf.pl from your cfg.d directory, and then run epadmin reload.

 

Thank you

 

Regards,

Agung PW

 

On Mon, Oct 2, 2023, 15:44 Maher Abdellatif Ahmad Qahwash <qahwash@kfupm.edu.sa> wrote:


Hi David

 

We went ahead and added the  ($c->{http_url} = "$uri"; and $c->{http_cgiurl} = "$uri/cgi";) settings in the 20_baseurls.pl file but are still receiving the error when clicking on “choose file” to upload a file.

 

Mixed Content: The page at 'https://eprints.kfupm.edu.sa/cgi/users/home?screen=EPrint::Edit&eprintid=142529&stage=files#t' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://eprints.kfupm.edu.sa/cgi/users/home?csrf_token=1696235789%3A7760c7306de2042b1ca48603739ac69f&screen=EPrint%3A%3AEdit&eprintid=142529&stage=files&c2_Screen%3A%3AEPrint%3A%3AUploadMethod%3A%3AURL_url=&component=c3&c3_export=119120'. This request has been blocked; the content must be served over HTTPS.

 

Please note that the issue is with redirecting from https “https://eprints.kfupm.edu.sa/cgi/users/home?screen=EPrint::Edit ...” to “http://eprints.kfupm.edu.sa/cgi/users/home?csrf_token= ...”

Which file does this redirection? Maybe we can check the file for any http settings and modify to https.

 

Thanks,

Maher

 

 

 

 

From: eprints-tech-request@ecs.soton.ac.uk <eprints-tech-request@ecs.soton.ac.uk> On Behalf Of Maher Abdellatif Ahmad Qahwash
Sent: Monday, October 2, 2023 8:51 AM
To: David R Newman <drn@ecs.soton.ac.uk>; eprints-tech@ecs.soton.ac.uk
Subject: RE: [EP-tech] Mixed Content

 


Hi David

 

Thank you for your continuous support.

 

The below settings are already set in the 20_baseurls.pl,

my $uri = URI->new( "http://" );
if( EPrints::Utils::is_set( $c->{securehost} ) )
{
        $uri->scheme( "https" );
        $uri->host( $c->{securehost} );
        $uri->port( $c->{secureport} );
        $uri = $uri->canonical;
        $uri->path( $c->{https_root} );
}
else
{
        $uri->scheme( "http" );
        $uri->host( $c->{host} );
        $uri->port( $c->{port} );
        $uri = $uri->canonical;
        $uri->path( $c->{http_root} );
}

As for the ($c->{http_url} = "$uri"; and $c->{http_cgiurl} = "$uri/cgi";) settings,  we already have them set in the 10_core.pl file as follows:

$c->{http_url} = 'https://eprints.kfupm.edu.sa';

$c->{http_cgiroot} = 'https://eprints.kfupm.edu.sa/cgi';

$c->{http_cgiurl} = 'https://eprints.kfupm.edu.sa/cgi';

$c->{base_url} = "https://$c->{host}";

 

Do we still need to add the ($c->{http_url} = "$uri"; and $c->{http_cgiurl} = "$uri/cgi";) in the 20_baseurls.pl file?

If not, then are there any other files we need to change to resolve the error we are facing when uploading a file?

 

Thanks

Maher

 

 

 

 

From: David R Newman <drn@ecs.soton.ac.uk>
Sent: Sunday, October 1, 2023 10:43 PM
To: eprints-tech@ecs.soton.ac.uk; Maher Abdellatif Ahmad Qahwash <qahwash@kfupm.edu.sa>
Subject: Re: [EP-tech] Mixed Content

 


Hi Maher,

What you want to do (as you are running pre 3.4.1)  you will need to change the default scheme and then manually set the HTTP URLs settings in lib/cfg.d/20_baseurls.pl.   So first make sure the block of code that sets the default scheme looks like this (and defaults to HTTPS):

        my $uri = URI->new( "http://" );
        if( EPrints::Utils::is_set( $c->{securehost} ) )
        {
                $uri->scheme( "https" );
                $uri->host( $c->{securehost} );
                $uri->port( $c->{secureport} );
                $uri = $uri->canonical;
                $uri->path( $c->{https_root} );
        }
        else
        {
                $uri->scheme( "http" );
                $uri->host( $c->{host} );
                $uri->port( $c->{port} );
                $uri = $uri->canonical;
                $uri->path( $c->{http_root} );
        }

Then below this and after the settings for base_url and perl_url add:

$c->{http_url} = "$uri";
$c->{http_cgiurl} = "$uri/cgi";

Once you are done run "epadmin test".  Then reload the webserver.  Also to make sure caches are clear be sure to run "epadmin refresh_views", "epadmin refresh_abstracts" and "generate_static" before testing pages to make sure mixed content warnings have been fixed.  EPrints 3.4.1 (official release) has fixed many of the mixed content warnings if you had the correct config.  However, it was not until later versions where some outstanding issues were fixed and the need to manually set http_url and http_cgiurl was no longer needed.

Regards

David Newman

On 01/10/2023 2:37 pm, Maher Abdellatif Ahmad Qahwash wrote:


Hi

 

We are running eprints 3.4.1 rc2, only recently for some reason users are facing issues when uploading a file.  The following error is generated:

 

/cgi/users/home?screen=EPrint::Edit&eprintid=142511&stage=files#t:1 Mixed Content: The page at 'https://eprints.kfupm.edu.sa/cgi/users/home?screen=EPrint::Edit&eprintid=142511&stage=files#t' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://eprints.kfupm.edu.sa/cgi/users/home?csrf_token=1696158508%3A255c5c0055815c8209be816b4315cacf&screen=EPrint%3A%3AEdit&eprintid=142511&stage=files&c2_Screen%3A%3AEPrint%3A%3AUploadMethod%3A%3AURL_url=&component=c3&c3_export=119081'. This request has been blocked; the content must be served over HTTPS.

 

Could you please mention which file we should check.

 

Thanks,

Maher

 

This message is marked for Internal university use only. Not to be circulated outside KFUPM.

 

*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/
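
The source check described in this thread (looking at eprints_http_root and eprints_http_cgiroot in the page source or in auto.js / secure_auto.js) can be scripted. The following is an added example, not part of the thread or of EPrints; the function names are hypothetical and the sample strings are constructed from the values quoted in the messages above.

```javascript
// Added example, not EPrints code. Samples are constructed from values quoted in the thread.
const SECURE_AUTO_JS = `
var eprints_http_root = "http://eprints.kfupm.edu.sa";
var eprints_http_cgiroot = "http://eprints.kfupm.edu.sa/cgi";
var eprints_oai_archive_id = "eprints.kfupm.edu.sa";
`;
const AUTO_JS = `
var eprints_http_root = "https://eprints.kfupm.edu.sa";
var eprints_http_cgiroot = "https://eprints.kfupm.edu.sa/cgi";
var eprints_oai_archive_id = "eprintstest2";
`;

// Collect every `var eprints_* = "...";` assignment from JS or HTML source.
function parseEprintsVars(source) {
  const vars = {};
  const re = /var\s+(eprints_\w+)\s*=\s*"([^"]*)"\s*;/g;
  for (const m of source.matchAll(re)) vars[m[1]] = m[2];
  return vars;
}

// Names of variables holding an http:// URL, which a browser blocks as
// mixed content when the page itself (pageUrl) was loaded over HTTPS.
function insecureVars(pageUrl, source) {
  if (new URL(pageUrl).protocol !== "https:") return [];
  const hits = [];
  for (const [name, value] of Object.entries(parseEprintsVars(source))) {
    let target;
    try { target = new URL(value); } catch { continue; } // not a URL, e.g. the archive id
    if (target.protocol === "http:") hits.push(name);
  }
  return hits;
}

// Names whose values differ between two generated files. Assumption: a
// difference is treated here only as a hint that one file may be stale.
function differingVars(a, b) {
  const va = parseEprintsVars(a), vb = parseEprintsVars(b);
  const names = new Set([...Object.keys(va), ...Object.keys(vb)]);
  return [...names].filter((n) => va[n] !== vb[n]).sort();
}

const PAGE = "https://eprints.kfupm.edu.sa/cgi/users/home?screen=EPrint::Edit";
console.log("insecure in secure_auto.js:", insecureVars(PAGE, SECURE_AUTO_JS));
console.log("insecure in auto.js:", insecureVars(PAGE, AUTO_JS));
console.log("differ between files:", differingVars(AUTO_JS, SECURE_AUTO_JS));
```

Running the same functions over the saved page source after generate_static and a webserver reload shows whether the regenerated values actually reached the browser.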
 

 

 
