Difference between revisions of "How to use EPrints with HTTPS"

From EPrints Documentation
Jump to: navigation, search
(Create Template for Secure Pages)
Line 1: Line 1:
 
{{development}}
 
{{development}}
 +
{{ep2}}
 
{{manual}}
 
{{manual}}
 
==Add HTTPS Settings==
 
==Add HTTPS Settings==

Revision as of 16:52, 7 June 2007

Warning This page is under development as part of the EPrints 3.0 manual. It may still contain content specific to earlier versions. Manuals for previous versions of EPrints are also available.

Please note! This page was written for EPrints version 2 and may not apply to version 3.


Manual Sections

Add HTTPS Settings

For each ARCHIVEID.xml file, fill in the securehost and securepath entries.

Example:

<archive id="demo">
   ....
   <securehost>secure.mydomain.com</securehost>
   <securepath>/demo</securepath>
   ....
</archive>

The securehost is vhosted on the same server as your EPrints archive(s).

Secure requests will be of the form https://securehost/securepath.

securepath therefore differentiates requests from individual archives.

Generate Secure Config

$ bin/generate_apacheconf

As well as the usual apache configuration files, and depending on the version of EPrints, this will generate:

  • an auto-secure.conf file in each archive's cfg directory (2.3.13)
  • an auto-your.secure.host.conf file (for each secure host) in the main cfg directory (2.3.11)

Set up Secure Host

Under Fedora Core 4, run:

$ yum install mod_ssl

This sets up a test SSL server.

Certificates

For a production system, you would need to provide the relevant certificates and tweak the mod_ssl config accordingly - see:

Create a server.key on the EPrints server (remembering the passphrase you enter):

$ openssl genrsa -des3 -out server.key 1024

Create a certificate request:

$ openssl req -new -key server.key -out server.csr

The important thing when answering the questions is the CommonName: if ultimately the secure web address of your EPrints server is https://www.myeprints.com, then the CommonName value to enter is exactly www.myeprints.com.

Send the server.csr file to your Certificate Authority administrator, who should send you back a .cer file.

Copy server.key and the .cer file to the following locations:

/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.crt/eprints.cer

Modify /etc/httpd/conf.d/ssl.conf accordingly:

SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Include EPrints SSL config

Include each auto-secure.conf file generated by EPrints inside the Virtualhost directive.

On FC4, edit /etc/httpd/conf.d/ssl.conf:

<VirtualHost _default_:443>
   ....
   Include /opt/eprints2/archives/ARCHIVEID/cfg/auto-secure.conf # 2.3.13
   Include /opt/eprints2/cfg/auto-your.secure.host.conf # 2.3.11
   Include /opt/eprints3/archives/soton/var/auto-secure.conf # 3.0.0
</VirtualHost>

If you have set up SSL certificates, you will be asked to enter your passphrase when you restart apache. To override this, see How can I get rid of the pass-phrase dialog at Apache startup time?.

Create Template for Secure Pages

Make a copy of the default template in archives/ARCHIVEID/cfg/lang/en/templates/:

$ cp default.xml secure.xml

In a multi-language archive, you would need to do this for each language-specific template (en = ENglish).

It's a good idea to have a visual differentiation between secure and non-secure pages, e.g. edit secure.xml and add "(SECURE)" to the title of the page.

Some browsers will complain if images/CSS etc. embedded in a secure page are served by the non-secure host. To solve this modify the secure_urlpath and secure_url entries in archives/ARCHIVEID/cfg/cfg.d/20_baseurls.pl:

$c->{secure_urlpath} = "";
$c->{secure_url} = "https://".$c->{securehost}.$c->{securepath};

In the secure.xml template replace image/CSS base_urls with secure_url.

BUG FIX: In bin/generate_static replace import url($base_url$1); with import url($1);.