Difference between revisions of "HTTPS-only and HSTS"
Revision as of 12:54, 26 October 2017
HTTPS with EPrints
See the pages in Category Authentication for how to set up HTTPS on EPrints, for example:
- How to use EPrints with HTTPS
- Setting up HTTPS using Let's Encrypt
The following is a description of how to configure EPrints so that all content, not just login pages, is served over HTTPS.
Google Best Practices for HTTPS
The following are the best practices specified by Google for serving a site over HTTPS:
- HSTS Headers on HTTPS
- No “Mixed Content” warnings/errors
- Links point to HTTPS locations
- 301 Redirects from HTTP to HTTPS
HSTS
To summarize how HSTS works: if a browser (Chrome, Firefox, IE) sees the Strict-Transport-Security header in an HTTPS response, and that response arrived with no certificate errors or mixed-content warnings (the padlock is green), then from that point on any request the browser would have made to the HTTP version of that site is rewritten to HTTPS before it leaves the machine. The browser remembers the policy for as long as max-age (in seconds) says; the header is ignored if it arrives over plain HTTP. This means that even with HSTS, it is still possible to request and receive content over HTTP: on the very first visit, after the policy has expired, or from a browser that has never seen the header. To close that down, a server-side redirect is also necessary, so that browsers that have not yet seen the HSTS header and try HTTP get the initial 301 to HTTPS, and with it the header.
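The following is an added example, not code from this wiki page or from EPrints. It simulates the browser side of the mechanism described above (an HSTS store keyed by host, as RFC 6797 describes it) against a constructed stand-in for the repository's two Apache virtual hosts: port 80 answers only with a 301, port 443 serves the page with the header. Running it shows why both pieces are needed: the first visit still goes out over HTTP and relies on the redirect, later visits are upgraded locally without touching port 80, a header received over HTTP is ignored, and once max-age has elapsed the browser is back to depending on the redirect. The host name and the responses are made up for the example.

```python
"""Simulated HSTS store and HTTP->HTTPS repository (added example, not EPrints code)."""
import time
from urllib.parse import urlsplit, urlunsplit

HSTS_MAX_AGE = 15780000  # six months, the value used in the Apache snippet on this page


class HstsStore:
    """Per-host HSTS policy: host -> (expiry timestamp, includeSubDomains flag)."""

    def __init__(self, clock=time.time):
        self.entries = {}
        self.clock = clock  # injectable so expiry can be tested without waiting

    def note_response(self, url, headers):
        """Record an HSTS header. Returns True if a policy was stored or cleared."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False  # RFC 6797: the header is ignored over plain HTTP
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        directives = {}
        for item in value.split(";"):
            name, _, val = item.strip().partition("=")
            if name:
                directives[name.strip().lower()] = val.strip().strip('"')
        max_age = directives.get("max-age", "")
        if not max_age.isdigit():
            return False  # malformed or missing max-age: browsers discard the header
        host = parts.hostname
        if int(max_age) == 0:
            self.entries.pop(host, None)  # max-age=0 is how a site withdraws the policy
            return True
        self.entries[host] = (self.clock() + int(max_age), "includesubdomains" in directives)
        return True

    def is_known(self, host):
        """True if a live policy covers host; expired entries are dropped on the way."""
        now = self.clock()
        for known, (expiry, subdomains) in list(self.entries.items()):
            if expiry <= now:
                del self.entries[known]
            elif host == known or (subdomains and host.endswith("." + known)):
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when a policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def repository(url):
    """Constructed stand-in for the two Apache vhosts: 80 redirects, 443 serves with HSTS."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        target = urlunsplit(("https", parts.netloc, parts.path, parts.query, ""))
        return 301, {"Location": target}, b""
    return 200, {"Strict-Transport-Security": f"max-age={HSTS_MAX_AGE}"}, b"<html>repository</html>"


def fetch(store, url, max_hops=3):
    """Browser fetch: apply HSTS upgrade, follow redirects, record any HSTS header.

    Returns the list of URLs actually requested, so the trail shows whether
    port 80 was ever contacted.
    """
    trail = []
    for _ in range(max_hops):
        url = store.upgrade(url)
        trail.append(url)
        status, headers, _body = repository(url)
        store.note_response(url, headers)
        if status in (301, 302, 307, 308):
            url = headers["Location"]
            continue
        return trail
    raise RuntimeError("redirect loop")


if __name__ == "__main__":
    store = HstsStore()
    print("first visit :", fetch(store, "http://repo.example.org/id/eprint/1"))  # http then https
    print("second visit:", fetch(store, "http://repo.example.org/"))             # https only
```

The trail of the first visit contains both URLs, which is the window the server-side redirect covers; the second contains only the HTTPS URL, which is HSTS doing its job. Reducing `HSTS_MAX_AGE` or advancing the injected clock past it puts the browser back in the first-visit state.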
Implementing HTTPS-only with HSTS on an EPrints repository
Changes to /cfg.d/10_core.pl
Set the following variables to the https URL (i.e., https://YOUR-REPOSITORY-DOMAIN), so that every absolute URL EPrints generates is an HTTPS one:
$c->{host} = "YOUR-REPOSITORY-DOMAIN";
$c->{http_url} = 'https://YOUR-REPOSITORY-DOMAIN';
$c->{http_cgiurl} = 'https://YOUR-REPOSITORY-DOMAIN/cgi';
$c->{base_url} = "https://$c->{host}";
Changes to /cfg/lang/LANGID/templates/default.xml, and /cfg/lang/LANGID/static/*.XPAGE files
Remove any hard-coded links to HTTP. If you have Google Search included as an XPAGE file, call the Google API (and any other APIs) over HTTPS: a script, stylesheet or iframe loaded over http:// into a page served over https:// is active mixed content, which browsers block rather than merely warn about, and which also stops the browser from honouring the HSTS header for that page.
Changes to apache conf files
Add the HSTS header
Add a new Apache include file for the SSL virtual host to the folder /REPOID/cfg/ that sets the HSTS header. max-age is the time in seconds for which the browser should remember the policy. 15780000 seconds is about six months, which is a long time to be committed to HTTPS if anything on the site is still broken, so use a short value (a few minutes) while testing and raise it once every page loads cleanly over HTTPS. Note that a plain Header set only applies to successful (2xx) responses; use Header always set if the header should also accompany redirects and error pages. The header must only be sent from the HTTPS virtual host, since browsers ignore it on plain HTTP.
Header set Strict-Transport-Security "max-age=15780000"
Include this file from the core Apache conf file for the secure port (443) under /etc/
A new file is required because generate_apacheconf overwrites any of the conf files that were already being included.
Add 301 redirects to secure port from HTTP (port 80)
Ideally generate_apacheconf would have new flags, something like --sslonly and --hsts, that generate the correct Apache config files for a repository following the Google best practice of HTTPS-only with HSTS, but it does not. One way to introduce the redirect is therefore to overwrite one of the files it generates, /cfg/apache/REPOID.conf. This means that you will have to re-apply the redirect (by overwriting the conf file again) whenever you re-run /bin/generate_apacheconf.
Modify the default port 80 response of Apache to redirect to the secure port, by modifying /cfg/apache/REPOID.conf to:
<VirtualHost *:80>
RedirectPermanent / https://YOUR-REPOSITORY-DOMAIN/
</VirtualHost>
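Putting the two pieces together, here is the pair of virtual hosts as an added example; it is not configuration shipped with EPrints or taken from this page, and the certificate paths and the EPrints include path are assumptions to be replaced with your own. It requires mod_headers and mod_alias to be enabled (on Debian/Ubuntu, `a2enmod headers`). Inline comments are kept on their own lines because Apache does not allow a comment after a directive.

```apache
# Port 80: answer nothing but a permanent redirect to HTTPS.
# This is what covers browsers that have not yet seen the HSTS header.
<VirtualHost *:80>
    ServerName YOUR-REPOSITORY-DOMAIN
    Redirect permanent / https://YOUR-REPOSITORY-DOMAIN/
</VirtualHost>

# Port 443: the repository itself, plus the HSTS header.
<VirtualHost *:443>
    ServerName YOUR-REPOSITORY-DOMAIN
    SSLEngine on
    # Assumed certificate locations; use the ones from your HTTPS setup.
    SSLCertificateFile    /etc/ssl/certs/YOUR-REPOSITORY-DOMAIN.pem
    SSLCertificateKeyFile /etc/ssl/private/YOUR-REPOSITORY-DOMAIN.key

    # Weak form while testing: short max-age, easy to back out of.
    # Header always set Strict-Transport-Security "max-age=300"
    # Production form: six months. "always" makes the header go out on
    # redirects and error pages too, which plain "Header set" skips.
    Header always set Strict-Transport-Security "max-age=15780000"

    # Assumed location of the SSL config that generate_apacheconf writes
    # for the repository; adjust to your EPrints installation.
    Include /opt/eprints3/cfg/apache_ssl/REPOID.conf
</VirtualHost>
```

After reloading Apache, check both halves from a shell: `curl -sI http://YOUR-REPOSITORY-DOMAIN/` should return a 301 with a Location header pointing at https://, and `curl -sI https://YOUR-REPOSITORY-DOMAIN/` should show the Strict-Transport-Security header; the HTTP response must not carry it. Keep the short max-age until every page is free of mixed content, because once browsers have cached six months of policy there is no quick way to undo it for users who already visited.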