Difference between revisions of "How to use EPrints with HTTPS"
(Added better info about HSTS and whether you need site wide HTTPS) |
m (linking/formatting improved) |
||
(13 intermediate revisions by one other user not shown) | |||
Line 3: | Line 3: | ||
[[Category:Authentication]] | [[Category:Authentication]] | ||
− | '''This guide is intended for EPrints 3. | + | '''This guide is intended for EPrints 3.3 or later,<br/> but the [[Simplified_HTTPS_Configuration | Update]] may be more appropriate for the current version!''' |
'''N.B.''' Setting up your Apache Web server is beyond the scope of this document. Please see your operating system documentation and the Apache documentation for assistance in setting up Apache in your environment.''' | '''N.B.''' Setting up your Apache Web server is beyond the scope of this document. Please see your operating system documentation and the Apache documentation for assistance in setting up Apache in your environment.''' | ||
− | |||
== Configuration == | == Configuration == | ||
− | + | Below is a list of variable names described in these instructions and example values of what they might be in a real-world configuration. | |
+ | {| border="1" cellpadding="10" cellspacing="0" | ||
+ | !Variable | ||
+ | !Example | ||
+ | |- | ||
+ | |EPRINTS_PATH | ||
+ | |/opt/eprints3 | ||
+ | |- | ||
+ | |YOUR-REPOSITORY-DOMAIN | ||
+ | |example.eprints.org | ||
+ | |- | ||
+ | |REPOID | ||
+ | |example | ||
+ | |- | ||
+ | |} | ||
− | To start setting up your existing archive to work under HTTPS, you must first edit < | + | To start setting up your existing archive to work under HTTPS, you must first edit <code>EPRINTS_PATH/archives/REPOID/cfg/cfg.d/10_core.pl</code>. Initially it will probably look something like the configuration directly below, which is the basic <code>10_core.pl</code> configuration file after you have run <code>EPRINTS_PATH/bin/epadmin create</code> to set up your archive. Alternatively you could run <code>/opt/eprints3/bin/epadmin config_core REPOID</code> that will prompt you for the following information. It is suggested that you make a backup of the <code>10_core.pl</code> file regardless before proceeding. |
− | $c->{host} = ' | + | $c->{host} = 'YOUR-REPOSITORY-DOMAIN'; |
$c->{port} = 80; | $c->{port} = 80; | ||
$c->{aliases} = []; | $c->{aliases} = []; | ||
Line 20: | Line 33: | ||
$c->{http_root} = undef; | $c->{http_root} = undef; | ||
− | Update the file to define the secure host and modify ports as needed. If your Apache web server is not using the standard ports (80,443) you can adjust the | + | Update the file to define the secure host and modify ports as needed. If your Apache web server is not using the standard ports (80,443) you can adjust the <code>port</code> and <code>secureport</code> parameters in the config file accordingly. |
− | $c->{host} = ' | + | $c->{host} = 'YOUR-REPOSITORY-DOMAIN'; |
$c->{port} = 80; | $c->{port} = 80; | ||
$c->{aliases} = []; | $c->{aliases} = []; | ||
Line 29: | Line 42: | ||
$c->{http_root} = undef; | $c->{http_root} = undef; | ||
− | Now, you need to create the directory < | + | Now, you need to create the directory <code>EPRINTS_PATH/archives/REPOID/ssl/</code> and then edit the file <code>REPOID/ssl/securevhost.conf</code>. This file should look something like below. If you are installing EPrints on Debian/Ubuntu based systems you will need to create a symlink <code>logs</code> in <code>/etc/apache2/</code> to point at <code>/var/log/apache2/</code>. |
+ | {{Securevhost.conf}} | ||
− | + | It is advised that you keep the SSL key, certificate and chain files in the same directory as <code>securevhost.conf</code>, as this will make it easy if you need to migrate you EPrints repository to a new server in the future. | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
== Generate the Apache Configuration File for HTTPS == | == Generate the Apache Configuration File for HTTPS == | ||
− | Run < | + | Run <code>EPRINTS_PATH/bin/generate_apacheconf --system --replace</code> to generate the secure Apache configuration files. This will set up the repository configuration file located in the <code>EPRINTS_PATH/cfg/apache_ssl/</code> directory named <code>REPOID.conf</code>. |
== Add the Main Apache Config File to SSL Config == | == Add the Main Apache Config File to SSL Config == | ||
− | Depending upon the version of EPrints you are running there are a couple files that may be involved. It is recommended to run < | + | Depending upon the version of EPrints you are running there are a couple files that may be involved. It is recommended to run <code>EPRINTS_PATH/bin/generate_apacheconf --man</code> or view the source of <code>EPRINTS_PATH/bin/generate_apacheconf</code> file to understand what file(s) need to be set up. Apache will not yet have been set up to include <code>EPRINTS_PATH/archives/REPOID/ssl/securevhost.conf</code>. |
− | + | To include this, you will need to find the file that already includes <code>cfg/apache.conf</code>. (For Red Hat/Fedora/CentOS Linux you will need to look in <code>/etc/httpd/</code>. For Debian/Ubuntu Linux you will need to look in <code>/etc/apache2/</code>). Then add the following line afterwards | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
+ | Include EPRINTS_PATH/archives/*/ssl/securevhost.conf | ||
== Restart Apache to pick up the changes to the Apache configuration == | == Restart Apache to pick up the changes to the Apache configuration == | ||
− | Consult your operating system documentation on how to restart service processes but in general you need to run one of the following commands either as < | + | Consult your operating system documentation on how to restart service processes but in general you need to run one of the following commands either as <code>root</code> or using <code>sudo</code>: |
=== For Red Hat/Fedora/CentOS Linux === | === For Red Hat/Fedora/CentOS Linux === | ||
Line 89: | Line 65: | ||
=== For Debian/Ubuntu Linux === | === For Debian/Ubuntu Linux === | ||
+ | Before restarting Apache make sure <code>mod_ssl</code> is enabled: | ||
+ | a2enmod ssl | ||
+ | Then restart Apache: | ||
/etc/init.d/apache2 restart | /etc/init.d/apache2 restart | ||
== Confirmation == | == Confirmation == | ||
− | Open your web browser and access your repository via its URL, this should be done over HTTP. When you click to login you should notice that you will be redirected to an HTTPS connection. | + | Open your web browser and access your repository via its URL, this should be done over HTTP. When you click to login you should notice that you will be redirected to an HTTPS connection.<br/>N.B. Any task that require you to be logged in will be redirected to an HTTPS connection otherwise an HTTP request will be used by default. |
+ | |||
+ | == HTTPS Only == | ||
+ | EPrints default HTTPS configuration is usually sufficient for most institutions needs, as there is no absolute need to encrypt the requesting and sending of Open Access research. However, if you wish to only ever use HTTPS, then follow the instructions for [[HTTPS-only and HSTS]]. HSTS (HTTP Strict Transport Security) ensures that even if the link you click on is for HTTP, your web browser will convert this to HTTPS before making the request. Meaning you will never send any un-encrypted traffic to EPrints. It also helps reduce the load on your repository's server, as it save it having to do the HTTP to HTTPS redirection. | ||
+ | |||
+ | It is generally a good idea to enable HSTS even on repositories with default HTTPS configuration, in case there are any errant bespoke links that could send private information using HTTP. This can be done by adding the following line to <code>EPRINTS_PATH/archives/REPOID/ssl/securevhost.conf</code> after the <code>ServerName</code> line and then restarting Apache again: | ||
− | + | Header set Strict-Transport-Security "max-age=15780000" |
Latest revision as of 13:31, 6 August 2019
Manual Sections | ||
|
This guide is intended for EPrints 3.3 or later,
but the Update may be more appropriate for the current version!
N.B. Setting up your Apache Web server is beyond the scope of this document. Please see your operating system documentation and the Apache documentation for assistance in setting up Apache in your environment.
Contents
Configuration
Below is a list of variable names described in these instructions and example values of what they might be in a real-world configuration.
Variable | Example |
---|---|
EPRINTS_PATH | /opt/eprints3 |
YOUR-REPOSITORY-DOMAIN | example.eprints.org |
REPOID | example |
To start setting up your existing archive to work under HTTPS, you must first edit EPRINTS_PATH/archives/REPOID/cfg/cfg.d/10_core.pl
. Initially it will probably look something like the configuration directly below, which is the basic 10_core.pl
configuration file after you have run EPRINTS_PATH/bin/epadmin create
to set up your archive. Alternatively you could run /opt/eprints3/bin/epadmin config_core REPOID
that will prompt you for the following information. It is suggested that you make a backup of the 10_core.pl
file regardless before proceeding.
$c->{host} = 'YOUR-REPOSITORY-DOMAIN'; $c->{port} = 80; $c->{aliases} = []; $c->{securehost} = ''; $c->{secureport} = 443; $c->{http_root} = undef;
Update the file to define the secure host and modify ports as needed. If your Apache web server is not using the standard ports (80,443) you can adjust the port
and secureport
parameters in the config file accordingly.
$c->{host} = 'YOUR-REPOSITORY-DOMAIN'; $c->{port} = 80; $c->{aliases} = []; $c->{securehost} = $c->{host}; $c->{secureport} = 443; $c->{http_root} = undef;
Now, you need to create the directory EPRINTS_PATH/archives/REPOID/ssl/
and then edit the file REPOID/ssl/securevhost.conf
. This file should look something like below. If you are installing EPrints on Debian/Ubuntu based systems you will need to create a symlink logs
in /etc/apache2/
to point at /var/log/apache2/
.
<VirtualHost *:443> ServerName YOUR-REPOSITORY-DOMAIN:443 ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder on SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLCertificateFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.crt SSLCertificateKeyFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.key SSLCertificateChainFile EPRINTS_PATH/archives/REPOID/ssl/YOUR-REPOSITORY-DOMAIN.ca-bundle SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" Include EPRINTS_PATH/cfg/apache_ssl/REPOID.conf PerlTransHandler +EPrints::Apache::Rewrite </VirtualHost>
It is advised that you keep the SSL key, certificate and chain files in the same directory as securevhost.conf
, as this will make it easy if you need to migrate you EPrints repository to a new server in the future.
Generate the Apache Configuration File for HTTPS
Run EPRINTS_PATH/bin/generate_apacheconf --system --replace
to generate the secure Apache configuration files. This will set up the repository configuration file located in the EPRINTS_PATH/cfg/apache_ssl/
directory named REPOID.conf
.
Add the Main Apache Config File to SSL Config
Depending upon the version of EPrints you are running there are a couple files that may be involved. It is recommended to run EPRINTS_PATH/bin/generate_apacheconf --man
or view the source of EPRINTS_PATH/bin/generate_apacheconf
file to understand what file(s) need to be set up. Apache will not yet have been set up to include EPRINTS_PATH/archives/REPOID/ssl/securevhost.conf
.
To include this, you will need to find the file that already includes cfg/apache.conf
. (For Red Hat/Fedora/CentOS Linux you will need to look in /etc/httpd/
. For Debian/Ubuntu Linux you will need to look in /etc/apache2/
). Then add the following line afterwards
Include EPRINTS_PATH/archives/*/ssl/securevhost.conf
Restart Apache to pick up the changes to the Apache configuration
Consult your operating system documentation on how to restart service processes but in general you need to run one of the following commands either as root
or using sudo
:
For Red Hat/Fedora/CentOS Linux
/sbin/service httpd restart
For Debian/Ubuntu Linux
Before restarting Apache make sure mod_ssl
is enabled:
a2enmod ssl
Then restart Apache:
/etc/init.d/apache2 restart
Confirmation
Open your web browser and access your repository via its URL, this should be done over HTTP. When you click to login you should notice that you will be redirected to an HTTPS connection.
N.B. Any task that require you to be logged in will be redirected to an HTTPS connection otherwise an HTTP request will be used by default.
HTTPS Only
EPrints default HTTPS configuration is usually sufficient for most institutions needs, as there is no absolute need to encrypt the requesting and sending of Open Access research. However, if you wish to only ever use HTTPS, then follow the instructions for HTTPS-only and HSTS. HSTS (HTTP Strict Transport Security) ensures that even if the link you click on is for HTTP, your web browser will convert this to HTTPS before making the request. Meaning you will never send any un-encrypted traffic to EPrints. It also helps reduce the load on your repository's server, as it save it having to do the HTTP to HTTPS redirection.
It is generally a good idea to enable HSTS even on repositories with default HTTPS configuration, in case there are any errant bespoke links that could send private information using HTTP. This can be done by adding the following line to EPRINTS_PATH/archives/REPOID/ssl/securevhost.conf
after the ServerName
line and then restarting Apache again:
Header set Strict-Transport-Security "max-age=15780000"