From EPrints Documentation

Add HTTPS Settings

For each ARCHIVEID.xml file, fill in the securehost and securepath entries.


<archive id="demo">

The securehost is vhosted on the same server as your EPrints archive(s).

Secure requests will be of the form https://securehost/securepath.

securepath therefore differentiates requests from individual archives.

Generate Secure Config

$ bin/generate_apacheconf

As well as the usual apache configuration files, and depending on the version of EPrints, this will generate:

  • an auto-secure.conf file in each archive's cfg directory (2.3.13)
  • an file (for each secure host) in the main cfg directory (2.3.11)

Set up Secure Host

Under Fedora Core 4, run:

$ yum install mod_ssl

This sets up a test SSL server.


For a production system, you would need to provide the relevant certificates and tweak the mod_ssl config accordingly - see:

Create a server.key on the EPrints server (remembering the passphrase you enter):

$ openssl genrsa -des3 -out server.key 2048

Create a certificate request:

$ openssl req -new -key server.key -out server.csr

The important thing when answering the questions is the CommonName: if ultimately the secure web address of your EPrints server is, then the CommonName value to enter is exactly

Send the server.csr file to your Certificate Authority administrator, who should send you back a .cer file.

Copy server.key and the .cer file to the following locations:


Modify /etc/httpd/conf.d/ssl.conf accordingly:

SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Include EPrints SSL config

Include each auto-secure.conf file generated by EPrints inside the VirtualHost directive.

On FC4, edit /etc/httpd/conf.d/ssl.conf:

<VirtualHost _default_:443>
   # 2.3.13
   Include /opt/eprints2/archives/ARCHIVEID/cfg/auto-secure.conf
   # 2.3.11
   Include /opt/eprints2/cfg/
   # 3.0.0
   Include /opt/eprints3/archives/soton/var/auto-secure.conf
</VirtualHost>

If you have set up SSL certificates, you will be asked to enter your passphrase when you restart Apache. To override this, see "How can I get rid of the pass-phrase dialog at Apache startup time?".

Create Template for Secure Pages

Make a copy of the default template in archives/ARCHIVEID/cfg/lang/en/templates/:

$ cp default.xml secure.xml

In a multi-language archive, you would need to do this for each language-specific template (en = English).

It's a good idea to have a visual differentiation between secure and non-secure pages, e.g. edit secure.xml and add "(SECURE)" to the title of the page.

Some browsers will complain if images, CSS, etc. embedded in a secure page are served by the non-secure host. To solve this, modify the secure_urlpath and secure_url entries in archives/ARCHIVEID/cfg/cfg.d/

$c->{secure_urlpath} = "";
$c->{secure_url} = "https://".$c->{securehost}.$c->{securepath};

In the secure.xml template replace image/CSS base_urls with secure_url.

BUG FIX: In bin/generate_static replace import url($base_url$1); with import url($1);.

At the top of the page, replace the reference to /javascript/auto.js with /javascript/secure_auto.js.

At the top of auto.js, there are the following 3 lines:

var eprints_http_root = "http:\/\/";
var eprints_http_cgiroot = "http:\/\/\/cgi";
var eprints_oai_archive_id = "";

In secure_auto.js, the two URL values must start with 'https' rather than just 'http'.
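
A check for the mixed-content problem described above, as an added example that is not part of the EPrints documentation or code base: it scans a template and a secure_auto.js for sub-resources still loaded over http://, including the escaped `http:\/\/` form used in auto.js. The function name, the sample markup and the example.org hostnames are assumptions constructed for illustration.

```python
import re

# Places where a page loads a sub-resource. <a href> links and xmlns
# declarations also contain http:// but load nothing, so they are not matched.
RESOURCE_PATTERNS = [
    ("src attribute", re.compile(r'\bsrc\s*=\s*["\'](http://[^"\']*)', re.I)),
    ("link href", re.compile(r'<link\b[^>]*\bhref\s*=\s*["\'](http://[^"\']*)', re.I)),
    ("CSS url()", re.compile(r'url\(\s*["\']?(http://[^)"\']*)', re.I)),
    # auto.js stores its roots with escaped slashes: "http:\/\/host"
    ("JS root variable", re.compile(r'\bvar\s+\w+\s*=\s*"(http:(?:\\/|/){2}[^"]*)"')),
]

def find_insecure_refs(text):
    """Return sorted (line, kind, url) tuples for http:// sub-resources."""
    hits = []
    for kind, pattern in RESOURCE_PATTERNS:
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start(1)) + 1
            hits.append((line, kind, m.group(1)))
    return sorted(hits)

# Constructed sample input (assumption): hostnames and markup are illustrative.
SAMPLE_TEMPLATE = """<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>Demo Archive (SECURE)</title>
  <link rel="stylesheet" href="http://repository.example.org/style/auto.css" />
  <style type="text/css">@import url(http://repository.example.org/style/print.css);</style>
  <script src="/javascript/secure_auto.js"></script>
</head>
<body>
  <img src="https://secure.example.org/demo/images/logo.gif" />
  <a href="http://repository.example.org/">Home</a>
</body>
</html>"""

SAMPLE_AUTO_JS = r"""var eprints_http_root = "http:\/\/repository.example.org";
var eprints_http_cgiroot = "https:\/\/secure.example.org\/demo\/cgi";
var eprints_oai_archive_id = "demo";"""

if __name__ == "__main__":
    samples = (("secure.xml", SAMPLE_TEMPLATE), ("secure_auto.js", SAMPLE_AUTO_JS))
    for name, text in samples:
        for line, kind, url in find_insecure_refs(text):
            print(f"{name}:{line}: {kind} loads {url}")
```

The xmlns declaration and the plain `<a href>` link in the sample are left unflagged on purpose, since neither causes the browser to fetch anything into the secure page.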