Difference between revisions of "How to use EPrints with HTTPS"

From EPrints Documentation
 
Line 1: Line 1:
* '''Contributor:''' [[http://www.eprints.org/services/ Tim Miles-Board]]
+
==Add HTTPS Settings==
* '''Eprints version:''' 2.3
+
* '''Purpose:''' Secure EPrints with HTTPS
+
* '''License:''' GNU General Public License
+
  
!!! Add HTTPS Settings
+
For each <tt>ARCHIVEID.xml</tt> file, fill in the <tt>securehost</tt> and <tt>securepath</tt> entries.
 
+
For each @@ARCHIVEID.xml@@ file, fill in the @@securehost@@ and @@securepath@@ entries.
+
  
 
Example:
 
Example:
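Review bot: The header block removed at the top of this hunk takes the "Eprints version: 2.3" line with it, and nothing in the new revision says which EPrints release the steps were written for. Suggest keeping a one-line version note under the new "Add HTTPS Settings" heading, since later steps use release-specific locations such as /opt/eprints2. The License line is dropped the same way and could be kept alongside it.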
Line 17: Line 12:
 
  </archive>
 
  </archive>
  
The @@securehost@@ is vhosted on the same server as your EPrints archive(s).
+
The <tt>securehost</tt> is vhosted on the same server as your EPrints archive(s).
  
Secure requests will be of the form https://securehost/securepath.
+
Secure requests will be of the form <tt>https://securehost/securepath</tt>.
  
@@securepath@@ therefore differentiates requests from individual archives.
+
<tt>securepath</tt> therefore differentiates requests from individual archives.
  
!!! Generate Secure Config
+
==Generate Secure Config==
  
 
  $ bin/generate_apacheconf
 
  $ bin/generate_apacheconf
  
As well as the usual apache configuration files, this will generate an @@auto-secure.conf@@ file in each archive's @@cfg@@ directory.
+
As well as the usual apache configuration files, this will generate an <tt>auto-secure.conf</tt> file in each archive's <tt>cfg</tt> directory.
  
!!! Set up Secure Host
+
==Set up Secure Host==
  
Under Fedora Core 4, I ran:
+
Under Fedora Core 4, run:
  
 
  $ yum install mod_ssl
 
  $ yum install mod_ssl
Line 37: Line 32:
 
This sets up a test SSL server.
 
This sets up a test SSL server.
  
For a production system, you would need to provide the relevant certificates and tweak the mod_ssl config accordingly.
+
===Certificates===
  
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
+
For a production system, you would need to provide the relevant certificates and tweak the mod_ssl config accordingly - see:
  
Include each @@auto-secure.conf@@ file generated by EPrints inside the @@Virtualhost@@ directive.
+
* [http://httpd.apache.org/docs/2.2/mod/mod_ssl.html Apache Module mod_ssl]
 +
* [http://www.modssl.org/docs/2.8/ssl_faq.html mod_ssl FAQ]
  
For me, this meant editing @@/etc/httpd/conf.d/ssl.conf@@:
+
Create a <tt>server.key</tt> on the EPrints server (remembering the passphrase you enter):
 +
 
 +
$ openssl genrsa -des3 -out server.key 1024
 +
 
 +
Create a certificate request:
 +
 
 +
$ openssl req -new -key server.key -out server.csr
 +
 
 +
The important thing when answering the questions is the CommonName: if ultimately the secure web address of your EPrints server is <tt>https://www.myeprints.com</tt>, then the CommonName value to enter is exactly <tt>www.myeprints.com</tt>.
 +
 
 +
Send the <tt>server.csr</tt> file to your Certificate Authority administrator, who should send you back a <tt>.cer</tt> file.
 +
 
 +
Copy <tt>server.key</tt> and the <tt>.cer</tt> file to the following locations:
 +
 
 +
/etc/httpd/conf/ssl.key/server.key
 +
/etc/httpd/conf/ssl.crt/eprints.cer
 +
 
 +
Modify <tt>/etc/httpd/conf.d/ssl.conf</tt> accordingly:
 +
 
 +
SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
 +
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
 +
 
 +
===Include EPrints SSL config===
 +
 
 +
Include each <tt>auto-secure.conf</tt> file generated by EPrints inside the <tt>Virtualhost</tt> directive.
 +
 
 +
On FC4, edit <tt>/etc/httpd/conf.d/ssl.conf</tt>:
  
 
  <VirtualHost _default_:443>
 
  <VirtualHost _default_:443>
 
     ....
 
     ....
     Include /opt/eprints2/archives/demo/cfg/auto-secure.conf
+
     Include /opt/eprints2/archives/ARCHIVEID/cfg/auto-secure.conf
 
+
 
  </VirtualHost>
 
  </VirtualHost>
  
!!! Create Template for Secure Pages
+
If you have set up SSL certificates, you will be asked to enter your passphrase when you restart apache. To override this, see [http://www.modssl.org/docs/2.8/ssl_faq.html#remove-passphrase How can I get rid of the pass-phrase dialog at Apache startup time?].
 +
 
 +
==Create Template for Secure Pages==
  
I made a copy of @@template-en.xml@@:
+
Make a copy of <tt>template-en.xml</tt>:
  
 
  $ cp template-en.xml template-secure-en.xml
 
  $ cp template-en.xml template-secure-en.xml
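Review bot: In the added Certificates section, "openssl genrsa -des3 -out server.key 1024" produces a 1024-bit RSA key, which is too short for a certificate issued today; suggest 2048 or larger. The "Copy server.key" step also gives no owner or mode for /etc/httpd/conf/ssl.key/server.key. That matters more once the reader follows the linked FAQ entry and removes the passphrase, because file permissions are then the only protection for the key, so the step should say the file must be readable by root only (for example mode 0400).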
Line 59: Line 82:
 
In a multi-language archive, you would need to do this for each language-specific template.
 
In a multi-language archive, you would need to do this for each language-specific template.
  
It's a good idea to have a visual differentiation between secure and non-secure pages: e.g. I edited @@template-secure-en.xml@@ and added "(SECURE)" to the title of the page.
+
It's a good idea to have a visual differentiation between secure and non-secure pages, e.g. edit <tt>template-secure-en.xml</tt> and add "(SECURE)" to the title of the page.
  
Some browsers will complain if images/CSS etc. embedded in a secure page are served by the non-secure host. To solve this, I added a new entity to @@ArchiveConfig.pm/sub get_entities@@:
+
Some browsers will complain if images/CSS etc. embedded in a secure page are served by the non-secure host. To solve this, add a new entity to <tt>ArchiveConfig.pm/sub get_entities</tt>:
  
  $entities{ssl_base_url} = "https://" . $archive->get_conf("securehost") . $archive->get_conf("securepath");
+
  $entities{https_base_url} = "https://" . $archive->get_conf("securehost") . $archive->get_conf("securepath");
  
I then replaced image/CSS @@base_url@@s with @@ssl_base_url@@.
+
Now replace image/CSS <tt>base_url</tt>s with <tt>https_base_url</tt>.
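Review bot: The rename from ssl_base_url to https_base_url in the get_entities line is silent, so a reader who followed the earlier revision has ssl_base_url in ArchiveConfig.pm and in their templates, and mixing the two revisions leaves templates pointing at an undefined entity; suggest one sentence noting the rename. The last added line should also say that the replacement is made in template-secure-en.xml only, otherwise the non-secure template ends up loading its images/CSS from the secure host.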

Revision as of 12:55, 24 May 2006

Add HTTPS Settings

For each ARCHIVEID.xml file, fill in the securehost and securepath entries.

Example:

<archive id="demo">
   ....
   <securehost>secure.mydomain.com</securehost>
   <securepath>/demo</securepath>
   ....
</archive>

The securehost is vhosted on the same server as your EPrints archive(s).

Secure requests will be of the form https://securehost/securepath.

securepath therefore differentiates requests from individual archives.
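
A check for the settings above, added here as an example and not part of EPrints: it reads several ARCHIVEID.xml documents and reports an empty securehost, a securepath without a leading "/", and two archives that would answer on the same https://securehost/securepath. The archive ids "theses" and "maps" and the assumption that securehost and securepath are direct children of the archive element are constructed from the example shown above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed configs modelled on the <archive> example above (elided parts left out).
SAMPLE_CONFIGS = {
    "demo.xml": '<archive id="demo"><securehost>secure.mydomain.com</securehost>'
                '<securepath>/demo</securepath></archive>',
    "theses.xml": '<archive id="theses"><securehost>secure.mydomain.com</securehost>'
                  '<securepath>/demo</securepath></archive>',
    "maps.xml": '<archive id="maps"><securehost>secure.mydomain.com</securehost>'
                '<securepath>maps</securepath></archive>',
}

def check_secure_settings(configs):
    """Return problems found across ARCHIVEID.xml documents given as {filename: xml_text}."""
    problems = []
    claimed = defaultdict(list)  # (securehost, securepath) -> archive ids using it
    for name, xml_text in configs.items():
        root = ET.fromstring(xml_text)
        archive_id = root.get("id", name)
        host = (root.findtext("securehost") or "").strip()
        path = (root.findtext("securepath") or "").strip()
        if not host:
            problems.append(f"{archive_id}: securehost is empty")
        if not path.startswith("/"):
            # The URL is built as "https://" + securehost + securepath, with no separator added.
            problems.append(f"{archive_id}: securepath {path!r} must start with '/'")
        elif host:
            claimed[(host.lower(), path.rstrip("/"))].append(archive_id)
    for (host, path), ids in sorted(claimed.items()):
        if len(ids) > 1:
            problems.append(f"https://{host}{path} is shared by {', '.join(sorted(ids))}")
    return problems
```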

Generate Secure Config

$ bin/generate_apacheconf

As well as the usual Apache configuration files, this will generate an auto-secure.conf file in each archive's cfg directory.

Set up Secure Host

Under Fedora Core 4, run:

$ yum install mod_ssl

This sets up a test SSL server.

Certificates

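For a production system, you would need to provide the relevant certificates and tweak the mod_ssl config accordingly - see:

* Apache Module mod_ssl: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
* mod_ssl FAQ: http://www.modssl.org/docs/2.8/ssl_faq.html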

Create a server.key on the EPrints server (remembering the passphrase you enter):

$ openssl genrsa -des3 -out server.key 1024

Create a certificate request:

$ openssl req -new -key server.key -out server.csr

The important thing when answering the questions is the CommonName: if ultimately the secure web address of your EPrints server is https://www.myeprints.com, then the CommonName value to enter is exactly www.myeprints.com.

Send the server.csr file to your Certificate Authority administrator, who should send you back a .cer file.

Copy server.key and the .cer file to the following locations:

/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.crt/eprints.cer

Modify /etc/httpd/conf.d/ssl.conf accordingly:

SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Include EPrints SSL config

Include each auto-secure.conf file generated by EPrints inside the VirtualHost directive.

On FC4, edit /etc/httpd/conf.d/ssl.conf:

<VirtualHost _default_:443>
   ....
   Include /opt/eprints2/archives/ARCHIVEID/cfg/auto-secure.conf
</VirtualHost>

If you have set up SSL certificates, you will be asked to enter your passphrase when you restart Apache. To override this, see "How can I get rid of the pass-phrase dialog at Apache startup time?" in the mod_ssl FAQ: http://www.modssl.org/docs/2.8/ssl_faq.html#remove-passphrase
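
A check for the certificate and Include steps above, added here as an example and not part of EPrints or mod_ssl: it reads ssl.conf text, confirms that each auto-secure.conf Include sits inside a VirtualHost block, and reports a key file that is accessible beyond its owner or stored without a passphrase. SAMPLE_CONF and the fs_root parameter are constructed for the example.

```python
import os
import stat

# Constructed ssl.conf fragment using the paths from the steps above.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
   SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
   SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
   Include /opt/eprints2/archives/demo/cfg/auto-secure.conf
</VirtualHost>
"""

def audit_key(shown, path):
    """Findings for one key file; 'shown' is the path as written in ssl.conf."""
    if not os.path.isfile(path):
        return [f"{shown}: key file not found"]
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"{shown}: mode {mode:04o} grants access beyond the owner")
    with open(path, encoding="ascii", errors="replace") as fh:
        pem = fh.read()
    # Passphrase-protected keys carry one of these markers (traditional PEM or PKCS#8).
    if "Proc-Type: 4,ENCRYPTED" not in pem and "BEGIN ENCRYPTED PRIVATE KEY" not in pem:
        findings.append(f"{shown}: no passphrase, file mode is the only protection")
    return findings

def audit_ssl_conf(conf_text, fs_root=""):
    """Check key files and auto-secure.conf placement; fs_root is a hypothetical path prefix."""
    findings, in_vhost, includes = [], False, 0
    for raw in conf_text.splitlines():
        parts = raw.split(None, 1)
        if not parts:
            continue
        name = parts[0].lower()
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if name.startswith("<virtualhost"):
            in_vhost = True
        elif name.startswith("</virtualhost"):
            in_vhost = False
        elif name == "include" and arg.endswith("/auto-secure.conf"):
            includes += 1
            if not in_vhost:
                findings.append(f"{arg}: included outside <VirtualHost>")
        elif name == "sslcertificatekeyfile":
            findings += audit_key(arg, fs_root + arg)
    if includes == 0:
        findings.append("no auto-secure.conf Include found")
    return findings
```

Run it as root against the live file with an empty fs_root, or against a staged copy of /etc by passing the staging directory.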

Create Template for Secure Pages

Make a copy of template-en.xml:

$ cp template-en.xml template-secure-en.xml

In a multi-language archive, you would need to do this for each language-specific template.

It's a good idea to have a visual differentiation between secure and non-secure pages, e.g. edit template-secure-en.xml and add "(SECURE)" to the title of the page.

Some browsers will complain if images, CSS etc. embedded in a secure page are served by the non-secure host. To solve this, add a new entity in the get_entities sub of ArchiveConfig.pm:

$entities{https_base_url} = "https://" . $archive->get_conf("securehost") . $archive->get_conf("securepath");

Now replace the base_url entity in image/CSS references with https_base_url.
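
The replacement step above as a script, added here as an example and not part of EPrints: it lists embedded resources in a secure template that would still load from the non-secure host, and rewrites base_url to https_base_url in those tags only, leaving ordinary links alone. The template fragment, the www.mydomain.com address and the assumption that templates reference entities as &name; are constructed for the example.

```python
import re

# Constructed fragment of template-secure-en.xml; the &name; entity syntax is assumed.
SAMPLE_TEMPLATE = '''<html><head>
<title>Demo Archive (SECURE)</title>
<link rel="stylesheet" href="&base_url;/eprints.css" />
</head><body>
<img src="&https_base_url;/images/logo.gif" />
<img src="http://www.mydomain.com/images/banner.gif" />
<a href="&base_url;/view/">Browse</a>
</body></html>'''

# Tags whose src/href is fetched as part of the page (plain <a> links are not).
EMBED = re.compile(
    r"""<(img|script|link|iframe|embed)\b[^>]*?\b(?:src|href)\s*=\s*(["'])(.*?)\2""",
    re.I | re.S)

def insecure_embeds(template_text, plain="base_url"):
    """Return (line, tag, url) for embedded resources served by the non-secure host."""
    hits = []
    for m in EMBED.finditer(template_text):
        url = m.group(3)
        if url.startswith(f"&{plain};") or url.lower().startswith("http://"):
            line_no = template_text.count("\n", 0, m.start()) + 1
            hits.append((line_no, m.group(1).lower(), url))
    return hits

def rewrite_embeds(template_text, plain="base_url", secure="https_base_url"):
    """Swap the plain entity for the secure one inside embedded-resource tags only."""
    def fix(m):
        return m.group(0).replace(f"&{plain};", f"&{secure};")
    return EMBED.sub(fix, template_text)

if __name__ == "__main__":
    fixed = rewrite_embeds(SAMPLE_TEMPLATE)
    # Anything still listed is a hard-coded http:// URL that needs a manual fix.
    for line_no, tag, url in insecure_embeds(fixed):
        print(f"line {line_no}: <{tag}> still loads {url}")
```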