Difference between revisions of "How to use EPrints with HTTPS"
(Updated instructions added advice for RHEL and Ubuntu)
Line 15: | Line 15: | ||
$c->{port} = 80; | $c->{port} = 80; | ||
$c->{aliases} = []; | $c->{aliases} = []; | ||
− | $c->{securehost} = | + | $c->{securehost} = ''; |
$c->{secureport} = 443; | $c->{secureport} = 443; | ||
$c->{http_root} = undef; | $c->{http_root} = undef; | ||
Line 24: | Line 24: | ||
$c->{port} = 80; | $c->{port} = 80; | ||
$c->{aliases} = []; | $c->{aliases} = []; | ||
− | $c->{securehost} = | + | $c->{securehost} = $c->{host}; |
$c->{secureport} = 443; | $c->{secureport} = 443; | ||
$c->{http_root} = undef; | $c->{http_root} = undef; | ||
Line 33: | Line 33: | ||
ServerName your.dnshostname.org:443 | ServerName your.dnshostname.org:443 | ||
− | |||
− | |||
ErrorLog logs/ssl_error_log | ErrorLog logs/ssl_error_log | ||
Line 44: | Line 42: | ||
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW | SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW | ||
− | SSLCertificateFile cert.pem | + | SSLCertificateFile /opt/eprints3/archives/[repoid]/ssl/cert.pem |
− | SSLCertificateKeyFile privkey.pem | + | SSLCertificateKeyFile /opt/eprints3/archives/[repoid]/privkey.pem |
− | SSLCertificateChainFile chain.pem | + | SSLCertificateChainFile /opt/eprints3/archives/[repoid]/chain.pem |
SetEnvIf User-Agent ".*MSIE.*" \ | SetEnvIf User-Agent ".*MSIE.*" \ | ||
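Review bot: the three certificate paths added on the + side are inconsistent: SSLCertificateFile is placed under archives/[repoid]/ssl/, but SSLCertificateKeyFile and SSLCertificateChainFile are placed directly under archives/[repoid]/, while the surrounding text tells the reader to create the ssl/ directory for these files. Put all three under the ssl/ directory, e.g. `SSLCertificateKeyFile /opt/eprints3/archives/[repoid]/ssl/privkey.pem` and `SSLCertificateChainFile /opt/eprints3/archives/[repoid]/ssl/chain.pem`. The unchanged SSLCipherSuite context line in this hunk still offers RC4, MEDIUM and LOW ciphers; since the TLS lines are being touched anyway, this is the place to drop them.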
Line 62: | Line 60: | ||
== Generate the Apache Configuration File for HTTPS == | == Generate the Apache Configuration File for HTTPS == | ||
− | Run <tt>bin/generate_apacheconf</tt> to generate the secure Apache configuration files and depending upon the version of EPrints you are using, it may copy the default template <tt>archives/[repoid]/cfg/lang/en/templates/default.xml</tt> to the template used for HTTPS <tt>archives/[repoid]/cfg/lang/en/templates/secure.xml</tt>. This will also setup the repository configuration file located in the <tt>/opt/eprints3/cfg/apache_ssl/</tt> directory named [repoid].conf. | + | Run <tt>bin/generate_apacheconf</tt> to generate the secure Apache configuration files and depending upon the version of EPrints you are using, it may copy the default template <tt>archives/[repoid]/cfg/lang/en/templates/default.xml</tt> to the template used for HTTPS <tt>archives/[repoid]/cfg/lang/en/templates/secure.xml</tt>. This will also setup the repository configuration file located in the <tt>/opt/eprints3/cfg/apache_ssl/</tt> directory named [repoid].conf. (N.B. EPrints 3.3 and later now uses default.xml template for both HTTP and HTTPS). |
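Review bot: the added N.B. contradicts the first half of the same sentence, which still says generate_apacheconf "may copy" default.xml to secure.xml. State the version split once, in the sentence itself (which versions create secure.xml and that 3.3 and later use default.xml for both HTTP and HTTPS), rather than appending a parenthetical that partially retracts it.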
Line 75: | Line 73: | ||
=== For Red Hat/Fedora/CentOS Linux === | === For Red Hat/Fedora/CentOS Linux === | ||
+ | Add then add the appropriate Include line above, to the end of '''/etc/httpd/conf.d/ssl.conf''' | ||
=== For Debian/Ubuntu Linux === | === For Debian/Ubuntu Linux === | ||
+ | Make sure the SSL Apache module is enabled, by running the following (as root): | ||
+ | a2enmod ssl | ||
+ | Add then add the appropriate Include line above, just before the </IfModule> line: | ||
== Restart Apache to pick up the changes to the Apache configuration == | == Restart Apache to pick up the changes to the Apache configuration == | ||
Consult your operating system documentation on how to restart service processes but in general you need to run one of the following commands either as <tt>root</tt> or using <tt>sudo</tt>: | Consult your operating system documentation on how to restart service processes but in general you need to run one of the following commands either as <tt>root</tt> or using <tt>sudo</tt>: | ||
− | |||
− | + | === For Red Hat/Fedora/CentOS Linux === | |
+ | /sbin/service httpd restart | ||
+ | |||
+ | === For Debian/Ubuntu Linux === | ||
+ | /etc/init.d/apache2 restart | ||
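Review bot: the Debian/Ubuntu step names no file and anchors the Include "just before the </IfModule> line"; if that </IfModule> is the one wrapping the whole SSL <VirtualHost> block, the Include lands after </VirtualHost>, contradicting the earlier instruction that it must sit inside the <VirtualHost> directive. Name the file being edited and anchor on the closing </VirtualHost> instead. Minor: "Add then add" appears twice (should read "Then add"), and the restart commands are SysV-init style; on systemd-based releases the equivalents are `systemctl restart httpd` and `systemctl restart apache2`.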
Revision as of 14:28, 17 November 2017
This guide is intended for EPrints 3.2 or later.
N.B. Setting up your Apache Web server is beyond the scope of this document. Please see your operating system documentation and the Apache documentation for assistance in setting up Apache in your environment.
Configuration
To set up an existing archive to work under HTTPS, first edit archives/[repoid]/cfg/cfg.d/10_core.pl. Initially it will probably look something like the following, which is the basic 10_core.pl written by bin/epadmin create when the archive was set up. Alternatively, run bin/epadmin config_core [repoid], which prompts you for the same information. Either way, make a backup of 10_core.pl before proceeding.
$c->{host} = 'your.dnshostname.org';
$c->{port} = 80;
$c->{aliases} = [];
$c->{securehost} = '';
$c->{secureport} = 443;
$c->{http_root} = undef;
Update the file to define the secure host, and adjust the ports if needed: if your Apache web server does not use the standard ports (80 and 443), change the 'port' and 'secureport' values accordingly.
$c->{host} = 'your.dnshostname.org';
$c->{port} = 80;
$c->{aliases} = [];
$c->{securehost} = $c->{host};
$c->{secureport} = 443;
$c->{http_root} = undef;
Now, you need to create the directory archives/[repoid]/ssl/ and then edit the file archives/[repoid]/ssl/securevhost.conf. This file should look something like:
<VirtualHost *:443>
ServerName your.dnshostname.org:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /opt/eprints3/archives/[repoid]/ssl/cert.pem
SSLCertificateKeyFile /opt/eprints3/archives/[repoid]/ssl/privkey.pem
SSLCertificateChainFile /opt/eprints3/archives/[repoid]/ssl/chain.pem
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Include /opt/eprints3/cfg/apache_ssl/[repoid].conf
PerlTransHandler +EPrints::Apache::Rewrite
</VirtualHost>
All three PEM files (certificate, private key and chain) live in the archives/[repoid]/ssl/ directory you just created. Keep privkey.pem readable by root only (mode 0600): Apache reads it at startup while still running as root, and nothing else needs it. The SSLProtocol and SSLCipherSuite lines above are the mod_ssl defaults of the period: they still permit SSLv3, TLS 1.0 and TLS 1.1, and advertise RC4, MEDIUM and LOW strength ciphers. On a current Apache/OpenSSL you should disable those protocol versions and restrict the cipher list to modern AEAD (AES-GCM/ChaCha20) suites. The SetEnvIf lines are a workaround for old versions of Internet Explorer and can be omitted. The Include line pulls in the repository-specific configuration that bin/generate_apacheconf writes in the next step.
Generate the Apache Configuration File for HTTPS
Run bin/generate_apacheconf to generate the secure Apache configuration files. Depending on the version of EPrints you are running, this may also copy the default template archives/[repoid]/cfg/lang/en/templates/default.xml to the template used for HTTPS, archives/[repoid]/cfg/lang/en/templates/secure.xml (EPrints 3.3 and later use default.xml for both HTTP and HTTPS). It also writes the repository configuration file /opt/eprints3/cfg/apache_ssl/[repoid].conf, which the securevhost.conf above includes.
Add the Main Apache Config File to SSL Config
Depending on the version of EPrints you are running, a couple of different files may be involved. It is recommended to run bin/generate_apacheconf --man, or to read the source of bin/generate_apacheconf, to see which file(s) it writes. In general you will need to place a line like one of the following inside your Apache SSL virtual host declaration (most likely found in /etc/httpd/conf.d/mod_ssl.conf or /etc/httpd/conf.d/ssl.conf). Make sure the Include line is placed inside the <VirtualHost> block, not after its closing </VirtualHost>.
Include /opt/eprints3/archives/[repoid]/var/auto-secure.conf
Or
Include /opt/eprints3/cfg/apache_ssl.conf
For Red Hat/Fedora/CentOS Linux
Then add the appropriate Include line from above to /etc/httpd/conf.d/ssl.conf, at the end of its SSL <VirtualHost> block (before the closing </VirtualHost>).
For Debian/Ubuntu Linux
Make sure the SSL Apache module is enabled, by running the following (as root):
a2enmod ssl
Then add the appropriate Include line from above to the SSL virtual host definition, at the end of its <VirtualHost> block (before the closing </VirtualHost>, which precedes the </IfModule> line).
Restart Apache to pick up the changes to the Apache configuration
Consult your operating system documentation on how to restart services, but in general you need to run one of the following commands, either as root or using sudo. Check the configuration first with apachectl configtest (apache2ctl configtest on Debian/Ubuntu) so that a typo in securevhost.conf does not take the whole site down; on systemd-based releases the equivalents of the commands below are systemctl restart httpd and systemctl restart apache2.
For Red Hat/Fedora/CentOS Linux
/sbin/service httpd restart
For Debian/Ubuntu Linux
/etc/init.d/apache2 restart
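Before restarting, it is worth checking the vhost written in the Configuration step. The script below is an added example for this page, not part of EPrints: it parses a securevhost.conf, flags the legacy TLS settings in the guide's sample (SSLv3, TLS 1.0 and 1.1 still enabled; RC4, MEDIUM and LOW ciphers offered), checks that the three PEM files all sit in the archives/[repoid]/ssl/ directory and that the cfg/apache_ssl/[repoid].conf Include is inside <VirtualHost>, and shows a hardened vhost beside the guide's one. Both configs are constructed for the demo; 'myrepo', the host name and the /opt/eprints3 prefix are placeholders, and the HSTS header in the hardened version assumes mod_headers is loaded.

```python
"""Audit an EPrints securevhost.conf for the HTTPS mistakes this guide invites.
Added example for this page, not EPrints code; 'myrepo' stands in for [repoid]."""
import re

SSL_DIR = "/opt/eprints3/archives/myrepo/ssl"   # the directory the guide says to create

# Constructed, abbreviated copy of the guide's vhost: legacy TLS settings, and only
# cert.pem actually sits in the ssl/ directory.
PAGE_VHOST = """\
<VirtualHost *:443>
ServerName your.dnshostname.org:443
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /opt/eprints3/archives/myrepo/ssl/cert.pem
SSLCertificateKeyFile /opt/eprints3/archives/myrepo/privkey.pem
SSLCertificateChainFile /opt/eprints3/archives/myrepo/chain.pem
Include /opt/eprints3/cfg/apache_ssl/myrepo.conf
PerlTransHandler +EPrints::Apache::Rewrite
</VirtualHost>
"""

# Constructed hardened equivalent: TLS 1.2+ only, AEAD suites only, all three PEM
# files under ssl/, and an HSTS header (assumes mod_headers is loaded).
HARDENED_VHOST = """\
<VirtualHost *:443>
ServerName your.dnshostname.org:443
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256
SSLCertificateFile /opt/eprints3/archives/myrepo/ssl/cert.pem
SSLCertificateKeyFile /opt/eprints3/archives/myrepo/ssl/privkey.pem
SSLCertificateChainFile /opt/eprints3/archives/myrepo/ssl/chain.pem
Header always set Strict-Transport-Security "max-age=31536000"
Include /opt/eprints3/cfg/apache_ssl/myrepo.conf
PerlTransHandler +EPrints::Apache::Rewrite
</VirtualHost>
"""

WEAK_CIPHER_WORDS = {"rc4", "low", "medium", "export", "anull", "enull", "md5", "des", "3des"}


def parse_directives(text):
    """Return [(name, args)] for an Apache config fragment: backslash-continued lines
    are joined, comments dropped, and section tags ('<VirtualHost', '</VirtualHost>')
    are returned as pseudo-directives so callers can see what sits inside the vhost."""
    joined = re.sub(r"\\\n\s*", " ", text)
    out = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def audit_secure_vhost(text, ssl_dir):
    """Return a list of findings for the vhost text (an empty list means clean)."""
    findings = []
    directives = parse_directives(text)
    by_name = {}                                  # directive names are case-insensitive
    for name, args in directives:
        by_name.setdefault(name.lower(), []).append(args)

    def first(key):
        return by_name.get(key, [""])[0]

    if first("sslengine").lower() != "on":
        findings.append("SSLEngine is not 'on'")
    # 'all' keeps SSLv3/TLS1.0/TLS1.1 enabled unless each is subtracted explicitly.
    protos = [p.lower() for p in first("sslprotocol").split()]
    if "all" in protos or "+all" in protos:
        for legacy in ("SSLv3", "TLSv1", "TLSv1.1"):
            if "-" + legacy.lower() not in protos:
                findings.append(f"SSLProtocol still allows {legacy}")
    # Any cipher-string element not prefixed with '!' (kill) still offers its suites.
    ciphers = first("sslciphersuite")
    if not ciphers:
        findings.append("SSLCipherSuite is not set")
    for elem in ciphers.split(":"):
        if elem.startswith("!"):
            continue
        words = {w.lower() for w in elem.lstrip("+-").split("+")}
        if words & WEAK_CIPHER_WORDS:
            findings.append(f"SSLCipherSuite offers weak ciphers via '{elem}'")
    # All three PEM files belong in the ssl/ directory the guide tells you to create.
    # (SSLCertificateChainFile is obsolete since httpd 2.4.8; the chain may go in cert.pem.)
    prefix = ssl_dir.rstrip("/") + "/"
    for d in ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile"):
        path = first(d.lower())
        if not path:
            findings.append(f"{d} is missing")
        elif not path.startswith(prefix):
            findings.append(f"{d} is outside {ssl_dir}: {path}")
    # The generated cfg/apache_ssl/[repoid].conf must be included inside <VirtualHost>.
    inside = include_ok = False
    for name, args in directives:
        low = name.lower()
        if low == "<virtualhost":
            inside = True
        elif low == "</virtualhost>":
            inside = False
        elif low == "include" and inside and "/cfg/apache_ssl/" in args:
            include_ok = True
    if not include_ok:
        findings.append("Include of cfg/apache_ssl/[repoid].conf missing or outside <VirtualHost>")
    if "perltranshandler" not in by_name:
        findings.append("PerlTransHandler +EPrints::Apache::Rewrite is missing")
    if not any("strict-transport-security" in h.lower() for h in by_name.get("header", [])):
        findings.append("no Strict-Transport-Security (HSTS) header is set")
    return findings


if __name__ == "__main__":
    for label, cfg in (("guide vhost", PAGE_VHOST), ("hardened vhost", HARDENED_VHOST)):
        found = audit_secure_vhost(cfg, SSL_DIR)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against the guide's sample and it reports nine findings (three protocol versions, three cipher elements, two misplaced PEM files, no HSTS); the hardened vhost reports none. Point audit_secure_vhost at the text of your own archives/[repoid]/ssl/securevhost.conf with the real ssl/ path to check a live deployment. The HSTS finding is advisory: the guide treats HTTPS-only and HSTS as an optional later step.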
Confirmation
Open your web browser and access your repository via its plain HTTP URL. When you click Login you should be redirected to an HTTPS connection. In general, tasks that require you to log in are redirected to HTTPS; everything else is still served over HTTP.
It is also possible to configure EPrints so that it uses HTTPS-only and HSTS.
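The browser check above can be scripted. The following is an added example for this page, not EPrints code: it fetches the login page over plain HTTP without following redirects, verifies that the response is a redirect to the repository's own HTTPS host and port, and reports whether the HTTPS side sends a Strict-Transport-Security header (only relevant once HTTPS-only and HSTS have been configured). The login path /cgi/users/login and the host name are assumptions; the decision logic is separated from the network fetch so it can be exercised on constructed responses.

```python
"""Confirm that EPrints login is bounced from HTTP to HTTPS and whether HSTS is sent.
Added example for this page, not EPrints code. Only check_live() touches the network."""
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/cgi/users/login"      # assumed EPrints login URL


def evaluate_login_response(status, headers, expected_host, expected_port=443):
    """Decide whether the plain-HTTP response for the login page is a redirect to the
    repository's own HTTPS host. Returns (ok, reason)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 302, 303, 307, 308):
        return False, f"login served directly over HTTP (status {status})"
    location = hdrs.get("location", "")
    loc = urllib.parse.urlsplit(location)
    if loc.scheme != "https":
        return False, f"redirect target is not https: {location!r}"
    if loc.hostname != expected_host:
        return False, f"redirect leaves the repository host: {loc.hostname}"
    try:
        port = loc.port or 443
    except ValueError:
        return False, f"redirect target has a malformed port: {location!r}"
    if port != expected_port:
        return False, f"redirect uses port {port}, expected {expected_port}"
    return True, f"redirected to {location}"


def hsts_max_age(headers):
    """Return max-age from a Strict-Transport-Security header, or None if absent."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    value = hdrs.get("strict-transport-security")
    if value is None:
        return None
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the 3xx itself can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _fetch(url):
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:          # 3xx/4xx/5xx arrive here
        return err.code, dict(err.headers.items())


def check_live(host, port=80, secure_port=443):
    """Network check (not exercised by the tests): HTTP login must redirect to HTTPS;
    the HTTPS login page carries HSTS only if HTTPS-only has been configured."""
    status, headers = _fetch(f"http://{host}:{port}{LOGIN_PATH}")
    ok, reason = evaluate_login_response(status, headers, host, secure_port)
    secure_status, secure_headers = _fetch(f"https://{host}:{secure_port}{LOGIN_PATH}")
    return {"redirect_ok": ok, "reason": reason, "https_status": secure_status,
            "hsts_max_age": hsts_max_age(secure_headers)}


if __name__ == "__main__":
    import sys
    print(check_live(sys.argv[1] if len(sys.argv) > 1 else "your.dnshostname.org"))
```

Run it as `python3 check_https.py your.dnshostname.org` after the restart. A redirect to an http:// URL, to a different host, or to a port other than secureport is reported as a failure rather than silently followed, because those are exactly the cases a browser would follow without complaint.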