Difference between revisions of "HTTPS-only and HSTS"

From EPrints Documentation

Latest revision as of 11:06, 21 May 2021


HTTPS with EPrints

See the pages in Category Authentication for how to set up HTTPS on EPrints.

The following is a description of how to configure EPrints so that all content, not just login pages, is served over HTTPS.

Google Best Practices for HTTPS

The following are the best practices specified by Google:

  • HSTS Headers on HTTPS
  • No “Mixed Content” warnings/errors
  • Links point to HTTPS locations
  • 301 Redirects from HTTP to HTTPS

HSTS

To summarize how HSTS works: if a browser (Chrome, Firefox, IE) sees the HSTS header in an HTTPS response that was delivered without certificate errors or mixed content warnings (i.e. the padlock is green), then the next time a user of that browser requests the HTTP page of that site, the browser will rewrite the request from HTTP to HTTPS before sending it. The browser will remember that setting for as long as you specify max-age to be. This means that even with HSTS, a browser that has not yet seen the header can still request and receive content over HTTP. To close that down, a server redirect is necessary, so that browsers that haven't seen the HSTS header in the past and happen to go to HTTP get that initial redirect to HTTPS.

Implementing HTTPS-only with HSTS on an EPrints repository

Changes to archive's cfg.d/10_core.pl

Initialize the following variables to be the https URL (i.e., https://YOUR-REPOSITORY-DOMAIN)

 # Hostname and base URLs of the repository; all use https so that every
 # link EPrints generates points at the secure port rather than port 80
 $c->{host} = "YOUR-REPOSITORY-DOMAIN";
 $c->{http_url} = 'https://YOUR-REPOSITORY-DOMAIN';
 $c->{http_cgiurl} = 'https://YOUR-REPOSITORY-DOMAIN/cgi';
 $c->{base_url} = "https://$c->{host}";

Changes to archive's cfg/lang/LANGID/templates/default.xml, and /cfg/lang/LANGID/static/*.XPAGE files

  • Remove any hard coded links to HTTP
  • If you have Google Search included as an XPAGE file, call on the Google API (and any other APIs) using HTTPS.

Changes to Apache config files

Add the HSTS header

Edit EPRINTS_PATH/archives/REPOID/ssl/securevhost.conf and add the following HSTS header after the ServerName line. The max-age value is a time in seconds for how long the HSTS settings should be remembered by the browser. 15780000 is six months, which is a long time; you may want to set it to a shorter time while testing. The Header directive is provided by Apache's mod_headers module, which must be enabled for the line to take effect.

 Header set Strict-Transport-Security "max-age=15780000"

Include this file from the core Apache config file for the secure port (443) under /etc/.

Add 301 redirects to secure port from HTTP (port 80)

By making the above changes to the archive's cfg.d/10_core.pl, if you use this patch or are running the latest revision of EPrints on GitHub, /bin/generate_apacheconf will generate a /cfg/apache/REPOID.conf which automatically redirects HTTP to HTTPS. Otherwise, this can be achieved by modifying /cfg/apache/REPOID.conf to the following, substituting your domain as appropriate:

<VirtualHost *:80>
    RedirectPermanent / https://YOUR-REPOSITORY-DOMAIN/
</VirtualHost>
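To make the HSTS behaviour described in the HSTS section concrete, and to show why the 301 redirect above is still needed alongside the header, here is an added Python model of a browser's HSTS cache run against a stand-in for the two Apache vhosts configured on this page. It is example code written for this page, not EPrints code: the Browser and Repository classes, the host name repo.example.org and every response are constructed for the illustration. The header parsing follows RFC 6797 (max-age is mandatory, no directive may repeat, unknown directives are ignored, and the header is only honoured on an HTTPS response).

```python
"""Added example: how a browser applies HSTS (RFC 6797) to a repository set up
as on this page.  Repository is a constructed stand-in for the Apache vhosts,
not EPrints code; repo.example.org is a made-up host."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None for an invalid header: max-age is mandatory and no directive may
    repeat; unknown directives such as preload are ignored."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


@dataclass
class Browser:
    """User agent with an HSTS cache mapping host -> time the policy expires."""
    hsts: dict = field(default_factory=dict)

    def observe(self, host, scheme, headers, now):
        """Learn a policy from a response.  The header only counts on an HTTPS
        response (a real browser also requires a clean certificate chain)."""
        if scheme != "https":
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        parsed = parse_hsts(value) if value is not None else None
        if parsed is None:
            return
        max_age, _ = parsed
        if max_age == 0:
            self.hsts.pop(host, None)   # max-age=0 tells the browser to forget the host
        else:
            self.hsts[host] = now + max_age

    def rewrite(self, url, now):
        """Upgrade http:// to https:// for a host with an unexpired policy,
        before any request leaves the browser."""
        parts = urlsplit(url)
        expiry = self.hsts.get(parts.hostname)
        if parts.scheme == "http" and expiry is not None and now < expiry:
            return parts._replace(scheme="https").geturl()
        return url


@dataclass
class Repository:
    """Stand-in for the two Apache vhosts: port 443 always sends the HSTS
    header; port 80 either sends the RedirectPermanent or serves the page in clear."""
    host: str
    hsts_max_age: int = 15780000
    redirect_http: bool = True

    def respond(self, url):
        """Return (status, headers) for a request to this repository."""
        parts = urlsplit(url)
        if parts.scheme == "http":
            if self.redirect_http:
                return 301, {"Location": f"https://{self.host}{parts.path or '/'}"}
            return 200, {}                      # content served in plaintext
        return 200, {"Strict-Transport-Security": f"max-age={self.hsts_max_age}"}


def visit(browser, repo, url, now, max_hops=5):
    """Fetch url the way a browser would: apply HSTS, follow 301s, learn policy.
    Returns the list of schemes over which requests were actually sent."""
    schemes = []
    for _ in range(max_hops):
        url = browser.rewrite(url, now)
        scheme = urlsplit(url).scheme
        schemes.append(scheme)
        status, headers = repo.respond(url)
        browser.observe(urlsplit(url).hostname, scheme, headers, now)
        if status != 301:
            return schemes
        url = headers["Location"]
    raise RuntimeError("redirect loop")


def scenario(redirect_http, urls, times, max_age=15780000):
    """Run a sequence of (url, time) visits by one browser against one repository."""
    repo = Repository("repo.example.org", max_age, redirect_http)
    browser = Browser()
    return [visit(browser, repo, u, t) for u, t in zip(urls, times)]


if __name__ == "__main__":
    http = "http://repo.example.org/"
    print("with 301:   ", scenario(True, [http, http], [0, 60]))   # [['http', 'https'], ['https']]
    print("header only:", scenario(False, [http, http], [0, 60]))  # [['http'], ['http']]
```

The two printed scenarios are the point of the page: with the port-80 redirect in place, a user who types http:// is bounced once to HTTPS, learns the policy there, and from then on never sends a plaintext request until max-age runs out. With only the header and no redirect, that same user is served over HTTP on every visit and never sees the header at all, because the header is only honoured on an HTTPS response.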