Difference between revisions of "Https3"
Line 1: | Line 1: | ||
− | == Introduction == | + | == Introduction == |
Setting up EPrints3 to work with https is a little tricky. There seems to be a few bugs to be worked round. This How To considers the following scenario: | Setting up EPrints3 to work with https is a little tricky. There seems to be a few bugs to be worked round. This How To considers the following scenario: | ||
Line 5: | Line 5: | ||
Two repositories, repos1 and repos2, being served by virtual hosts repos1.FQDN:80 and repos2.FQDN:80 | Two repositories, repos1 and repos2, being served by virtual hosts repos1.FQDN:80 and repos2.FQDN:80 | ||
− | A single https domain, at eprints.FQDN:443 (so that only one certificate is needed). | + | A single https domain, at eprints.FQDN:443 (so that only one certificate is needed). Secure pages for repos1 and repos2 will be accessed at eprints.FQDN:443/repos1 and eprints.FQDN:443/repos2 respectively. |
− | This How To should work with EPrints 3.0 or 3.0.1. | + | This How To should work with EPrints 3.0 or 3.0.1. It was developed on Ubuntu Server 6.06, but should work on other systems without significant changes. The instructions can be adapted for an arbitrary number of repositories. |
+ | |||
+ | It is assumed that EPrints is installed in /opt/eprints3/. | ||
+ | |||
+ | == Getting started == | ||
+ | |||
+ | Install EPrints 3.x following the appropriate instructions. | ||
+ | |||
+ | Run bin/epadmin create twice to create repos1 and repos2. | ||
+ | |||
+ | Edit /opt/eprints3/archives/repos1/cfg/cfg.d/10_core.pl to read: | ||
+ | |||
+ | $c->{host} = 'repos1.FQDN'; | ||
+ | $c->{port} = 80; | ||
+ | $c->{aliases} = []; | ||
+ | $c->{securehost} = 'eprints.FQDN'; | ||
+ | $c->{securepath} = '/repos1'; | ||
+ | |||
+ | Make secure versions of the templates: | ||
+ | |||
+ | cp /opt/eprints3/archives/repos1/cfg/lang/en/templates/default.xml /opt/eprints3/archives/repos1/cfg/lang/en/templates/secure.xml | ||
+ | |||
+ | Repeat these steps for repos2. | ||
+ | |||
+ | Generate the Apache configuration: | ||
+ | |||
+ | /opt/eprints3/bin/generate_apacheconf | ||
+ | |||
+ | Add 'Include /opt/eprints3/cfg/apache.conf' to the Apache configuration (for Ubuntu / Debian, can replace everything in /etc/apache/sites-avaliable/default with 'Include /opt/eprints3/cfg/apache.conf'). Apache should now be correctly configured to serve the non-secure pages. | ||
+ | |||
+ | == Secure Apache Configuration == | ||
+ | |||
+ | Next, we want to configure Apache to serve the secure pages. However, generate_apacheconf hasn't created a secure.conf file in /opt/eprints3/cfg/ so this needs to be done manually. Some configuration has been generated for us in /opt/eprints3/archives/repos1/var/auto-secure.conf and /opt/eprints3/archives/repos2/var/auto-secure.conf, but there are some problems with this: | ||
+ | |||
+ | Some sections of the configuration overlap; | ||
+ | The EPrints_ArchiveID and PerlSetVar EPrints_Secure variables have not been set. We'll therefore create our own configuration. Create a new file called cfg/secure.conf: | ||
+ | |||
+ | #cfg/secure.conf: | ||
+ | NameVirtualHost *:443 | ||
+ | <VirtualHost *:443> | ||
+ | ServerAdmin itsupport@FQDN | ||
+ | ServerName eprints.FQDN | ||
+ | |||
+ | SSLEngine On | ||
+ | SSLCertificateFile /etc/apache2/ssl/apache.pem | ||
+ | |||
+ | ErrorLog /var/log/apache2/error.log | ||
+ | |||
+ | # Possible values include: debug, info, notice, warn, error, crit, | ||
+ | # alert, emerg. | ||
+ | LogLevel warn | ||
+ | |||
+ | CustomLog /var/log/apache2/access.log combined | ||
+ | ServerSignature On | ||
+ | |||
+ | DocumentRoot "/var/www/eprints" | ||
+ | |||
+ | <Directory "/opt/eprints3/cgi/users"> | ||
+ | AuthName "User Area" | ||
+ | AuthType "Basic" | ||
+ | PerlAuthenHandler EPrints::Apache::Auth::authen | ||
+ | PerlAuthzHandler EPrints::Apache::Auth::authz | ||
+ | require valid-user | ||
+ | |||
+ | SetHandler perl-script | ||
+ | PerlHandler ModPerl::Registry | ||
+ | PerlSendHeader Off | ||
+ | Options ExecCGI FollowSymLinks | ||
+ | </Directory> | ||
+ | <Directory "/opt/eprints3/cgi/users/awstats"> | ||
+ | PerlSendHeader On | ||
+ | </Directory> | ||
+ | |||
+ | <Directory "/opt/eprints3/cgi"> | ||
+ | SetHandler perl-script | ||
+ | PerlHandler ModPerl::Registry | ||
+ | PerlSendHeader Off | ||
+ | Options ExecCGI FollowSymLinks | ||
+ | </Directory> | ||
+ | |||
+ | PerlTransHandler EPrints::Apache::Rewrite | ||
+ | |||
+ | Include /opt/eprints3/archives/repos1/var/manual-secure.conf | ||
+ | Include /opt/eprints3/archives/repos2/var/manual-secure.conf | ||
+ | </VirtualHost> | ||
+ | |||
+ | Not the line 'DocumentRoot "/var/www/eprints"'. Create an index.html file in /var/www/eprints/ with a welcome message and links to the home pages of the repositories. Also note that we need to create a manual-secure.conf file for each repository. The contents of this file are as follows: | ||
+ | |||
+ | #/opt/eprints3/archives/repos1s/var/manual-secure.conf | ||
+ | |||
+ | <Location "/repos1"> | ||
+ | PerlSetVar EPrints_ArchiveID repos1 | ||
+ | PerlSetVar EPrints_Secure yes | ||
+ | PerlLogHandler EPrints::Apache::LogHandler | ||
+ | </Location> | ||
+ | |||
+ | Alias /repos1/cgi/accounts/confirm /opt/eprints3/cgi/confirm | ||
+ | Alias /repos1/cgi/accounts/register /opt/eprints3/cgi/register | ||
+ | Alias /repos1/cgi/accounts/reset_password /opt/eprints3/cgi/reset_password | ||
+ | Alias /repos1/cgi/accounts/set_password /opt/eprints3/cgi/set_password | ||
+ | Alias /repos1/cgi/users/ /opt/eprints3/cgi/users/ | ||
+ | Alias /repos1/ /opt/eprints3/archives/publications/html/ | ||
+ | |||
+ | For completeness, we'll also want to add the welcome page to http: Add the following lines to /opt/eprints3/cfg/apache.conf | ||
+ | |||
+ | <VirtualHost *:80> | ||
+ | ServerName eprints.FQDN | ||
+ | ServerAdmin itsupport@FQDN | ||
+ | DocumentRoot "/var/www/eprints" | ||
+ | </VirtualHost> | ||
+ | |||
+ | Add 'Include /opt/eprints3/cfg/secure.conf' to the Apache configuration. | ||
+ | |||
+ | === Debian / Ubuntu specific instructions === | ||
+ | |||
+ | , create a file called ssl in /etc/apache2/sites-available/ssl and add the line 'Include /opt/eprints3/cfg/secure.conf'. Remember to enable it with the command a2ensite ssl |
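Review bot: the last Alias line of the manual-secure.conf block maps /repos1/ to /opt/eprints3/archives/publications/html/, but the scenario only defines repos1 and repos2 under /opt/eprints3/archives/, so as written the secure pages would be served from an archive this How To never creates. Suggest pointing it at the repos1 tree and correcting the file-name comment above the block, which reads 'repos1s'. Smaller points in the same revision: 'Not the line' should read 'Note the line', and the Debian / Ubuntu paragraph starts mid-sentence with ', create a file'. Since the users area is set to AuthType "Basic" and ServerSignature is On, a sentence saying that these Directory blocks are meant to be reached through the *:443 virtual host, and why the signature is left enabled, would help readers who copy the file.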
Revision as of 13:20, 15 June 2007
Introduction
Setting up EPrints3 to work with https is a little tricky. There seem to be a few bugs to work around. This How To considers the following scenario:
Two repositories, repos1 and repos2, being served by virtual hosts repos1.FQDN:80 and repos2.FQDN:80
A single https domain, at eprints.FQDN:443 (so that only one certificate is needed). Secure pages for repos1 and repos2 will be accessed at eprints.FQDN:443/repos1 and eprints.FQDN:443/repos2 respectively.
This How To should work with EPrints 3.0 or 3.0.1. It was developed on Ubuntu Server 6.06, but should work on other systems without significant changes. The instructions can be adapted for an arbitrary number of repositories.
It is assumed that EPrints is installed in /opt/eprints3/.
Getting started
Install EPrints 3.x following the appropriate instructions.
Run bin/epadmin create twice to create repos1 and repos2.
Edit /opt/eprints3/archives/repos1/cfg/cfg.d/10_core.pl to read:
$c->{host} = 'repos1.FQDN';
$c->{port} = 80;
$c->{aliases} = [];
$c->{securehost} = 'eprints.FQDN';
$c->{securepath} = '/repos1';
Make secure versions of the templates:
cp /opt/eprints3/archives/repos1/cfg/lang/en/templates/default.xml /opt/eprints3/archives/repos1/cfg/lang/en/templates/secure.xml
Repeat these steps for repos2.
Generate the Apache configuration:
/opt/eprints3/bin/generate_apacheconf
Add 'Include /opt/eprints3/cfg/apache.conf' to the Apache configuration (on Ubuntu / Debian, you can replace everything in /etc/apache/sites-available/default with 'Include /opt/eprints3/cfg/apache.conf'). Apache should now be correctly configured to serve the non-secure pages.
Secure Apache Configuration
Next, we want to configure Apache to serve the secure pages. However, generate_apacheconf hasn't created a secure.conf file in /opt/eprints3/cfg/ so this needs to be done manually. Some configuration has been generated for us in /opt/eprints3/archives/repos1/var/auto-secure.conf and /opt/eprints3/archives/repos2/var/auto-secure.conf, but there are some problems with this:
Some sections of the configuration overlap;
The EPrints_ArchiveID and EPrints_Secure variables (set with PerlSetVar) have not been set.
We'll therefore create our own configuration. Create a new file called cfg/secure.conf:
# cfg/secure.conf:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin itsupport@FQDN
    ServerName eprints.FQDN

    SSLEngine On
    # No SSLCertificateKeyFile is given, so apache.pem must hold the private key as well as the certificate.
    SSLCertificateFile /etc/apache2/ssl/apache.pem

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined
    # On appends the server version and host name to server-generated pages.
    ServerSignature On

    DocumentRoot "/var/www/eprints"

    # Basic authentication sends the credentials with every request; SSL is what protects them here.
    <Directory "/opt/eprints3/cgi/users">
        AuthName "User Area"
        AuthType "Basic"
        PerlAuthenHandler EPrints::Apache::Auth::authen
        PerlAuthzHandler EPrints::Apache::Auth::authz
        require valid-user

        SetHandler perl-script
        PerlHandler ModPerl::Registry
        PerlSendHeader Off
        Options ExecCGI FollowSymLinks
    </Directory>
    <Directory "/opt/eprints3/cgi/users/awstats">
        PerlSendHeader On
    </Directory>

    <Directory "/opt/eprints3/cgi">
        SetHandler perl-script
        PerlHandler ModPerl::Registry
        PerlSendHeader Off
        Options ExecCGI FollowSymLinks
    </Directory>

    PerlTransHandler EPrints::Apache::Rewrite

    Include /opt/eprints3/archives/repos1/var/manual-secure.conf
    Include /opt/eprints3/archives/repos2/var/manual-secure.conf
</VirtualHost>
Note the line 'DocumentRoot "/var/www/eprints"'. Create an index.html file in /var/www/eprints/ with a welcome message and links to the home pages of the repositories. Also note that we need to create a manual-secure.conf file for each repository. The contents of this file are as follows (shown for repos1):
# /opt/eprints3/archives/repos1/var/manual-secure.conf

<Location "/repos1">
    PerlSetVar EPrints_ArchiveID repos1
    PerlSetVar EPrints_Secure yes
    PerlLogHandler EPrints::Apache::LogHandler
</Location>

Alias /repos1/cgi/accounts/confirm /opt/eprints3/cgi/confirm
Alias /repos1/cgi/accounts/register /opt/eprints3/cgi/register
Alias /repos1/cgi/accounts/reset_password /opt/eprints3/cgi/reset_password
Alias /repos1/cgi/accounts/set_password /opt/eprints3/cgi/set_password
Alias /repos1/cgi/users/ /opt/eprints3/cgi/users/
Alias /repos1/ /opt/eprints3/archives/repos1/html/
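The instructions are meant to be adapted to any number of repositories. As an added example (not part of the original How To or of EPrints), this shell sketch renders the manual-secure.conf shown above for a given repository ID and rejects IDs that are unsafe to splice into Apache directives and paths. EPRINTS_ROOT, the function names and the archives/<id>/html/ target of the last Alias are assumptions.

```shell
#!/bin/sh
# Added example: render archives/<id>/var/manual-secure.conf for one repository.
# EPRINTS_ROOT and the function names are assumptions of this sketch.
EPRINTS_ROOT="${EPRINTS_ROOT:-/opt/eprints3}"

# Accept only IDs made of letters, digits and underscores, so that an ID
# cannot inject extra directives or walk out of the archives directory.
valid_repo_id() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the per-repository secure configuration on stdout.
render_manual_secure() {
    id="$1"
    valid_repo_id "$id" || { echo "invalid repository id: $id" >&2; return 1; }
    cat <<EOF
# $EPRINTS_ROOT/archives/$id/var/manual-secure.conf

<Location "/$id">
    PerlSetVar EPrints_ArchiveID $id
    PerlSetVar EPrints_Secure yes
    PerlLogHandler EPrints::Apache::LogHandler
</Location>

EOF
    for script in confirm register reset_password set_password; do
        echo "Alias /$id/cgi/accounts/$script $EPRINTS_ROOT/cgi/$script"
    done
    echo "Alias /$id/cgi/users/ $EPRINTS_ROOT/cgi/users/"
    # Assumption: each repository's static pages live in archives/<id>/html/.
    echo "Alias /$id/ $EPRINTS_ROOT/archives/$id/html/"
}

# Print the Include lines that belong inside the *:443 VirtualHost.
render_includes() {
    for id in "$@"; do
        valid_repo_id "$id" || return 1
        echo "    Include $EPRINTS_ROOT/archives/$id/var/manual-secure.conf"
    done
}

# When run with repository IDs as arguments, print each file's contents.
for arg in "$@"; do render_manual_secure "$arg"; done
```

Redirect the output of render_manual_secure into the repository's var/ directory, then run apache2ctl configtest before reloading Apache.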
For completeness, we'll also want to add the welcome page to http. Add the following lines to /opt/eprints3/cfg/apache.conf:
<VirtualHost *:80>
    ServerName eprints.FQDN
    ServerAdmin itsupport@FQDN
    DocumentRoot "/var/www/eprints"
</VirtualHost>
Add 'Include /opt/eprints3/cfg/secure.conf' to the Apache configuration.
Debian / Ubuntu specific instructions
Create a file called ssl at /etc/apache2/sites-available/ssl and add the line 'Include /opt/eprints3/cfg/secure.conf'. Remember to enable it with the command a2ensite ssl.