Difference between revisions of "How to use EPrints with HTTPS"
Revision as of 12:55, 24 May 2006
Add HTTPS Settings
For each ARCHIVEID.xml file, fill in the securehost and securepath entries.
Example:
<archive id="demo">
  ....
  <securehost>secure.mydomain.com</securehost>
  <securepath>/demo</securepath>
  ....
</archive>
The securehost is vhosted on the same server as your EPrints archive(s).
Secure requests will be of the form https://securehost/securepath.
securepath therefore differentiates requests from individual archives.
Generate Secure Config
$ bin/generate_apacheconf
As well as the usual apache configuration files, this will generate an auto-secure.conf file in each archive's cfg directory.
Set up Secure Host
Under Fedora Core 4, run:
$ yum install mod_ssl
This sets up a test SSL server.
Certificates
For a production system, you would need to provide the relevant certificates and tweak the mod_ssl config accordingly; see:
* Apache Module mod_ssl: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
* mod_ssl FAQ: http://www.modssl.org/docs/2.8/ssl_faq.html
Create a server.key on the EPrints server (remembering the passphrase you enter):
$ openssl genrsa -des3 -out server.key 1024
Create a certificate request:
$ openssl req -new -key server.key -out server.csr
The important thing when answering the questions is the CommonName: if ultimately the secure web address of your EPrints server is https://www.myeprints.com, then the CommonName value to enter is exactly www.myeprints.com.
Send the server.csr file to your Certificate Authority administrator, who should send you back a .cer file.
Copy server.key and the .cer file to the following locations:
/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.crt/eprints.cer
Modify /etc/httpd/conf.d/ssl.conf accordingly:
SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
Include EPrints SSL config
Include each auto-secure.conf file generated by EPrints inside the VirtualHost directive.
On FC4, edit /etc/httpd/conf.d/ssl.conf:
<VirtualHost _default_:443>
    ....
    Include /opt/eprints2/archives/ARCHIVEID/cfg/auto-secure.conf
</VirtualHost>
If you have set up SSL certificates, you will be asked to enter your passphrase when you restart Apache. To override this, see "How can I get rid of the pass-phrase dialog at Apache startup time?" in the mod_ssl FAQ: http://www.modssl.org/docs/2.8/ssl_faq.html#remove-passphrase
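The two steps above (certificate directives in ssl.conf, and one Include per archive placed inside the 443 VirtualHost) are easy to get half right, and Apache will start anyway. The following checker is an added example, not part of EPrints or mod_ssl; it assumes the FC4 layout this page describes (a single <VirtualHost _default_:443> block in /etc/httpd/conf.d/ssl.conf and archives under /opt/eprints2) and only understands directives, comments and VirtualHost containers. The two config texts in it are constructed samples.

```python
"""Sanity-check /etc/httpd/conf.d/ssl.conf for the EPrints secure host.

Added example, not part of EPrints or mod_ssl. Assumes the FC4 layout from
this page: one <VirtualHost _default_:443> block that must carry
SSLCertificateFile and SSLCertificateKeyFile, and one
  Include /opt/eprints2/archives/ARCHIVEID/cfg/auto-secure.conf
line per archive *inside* that block. The parser is deliberately minimal.
"""
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>\s*$", re.IGNORECASE)
DIRECTIVE = re.compile(r"^\s*(\S+)\s+(.*?)\s*$")


def parse_ssl_conf(text):
    """Split the config into directives outside any VirtualHost (top_level)
    and a dict mapping each VirtualHost address to its own directive list."""
    top_level, vhosts, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = m.group(1).strip()
            vhosts.setdefault(current, [])
            continue
        if VHOST_CLOSE.match(line):
            current = None
            continue
        m = DIRECTIVE.match(line)
        if m:
            (top_level if current is None else vhosts[current]).append(
                (m.group(1), m.group(2)))
    return top_level, vhosts


def check_eprints_ssl(text, archive_ids, eprints_root="/opt/eprints2"):
    """Return a list of problems; an empty list means the config matches
    what this page asks for."""
    top_level, vhosts = parse_ssl_conf(text)
    vhost = vhosts.get("_default_:443")
    if vhost is None:
        return ["no <VirtualHost _default_:443> block found"]
    problems = []
    directives = {name for name, _ in vhost}
    for needed in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if needed not in directives:
            problems.append(f"{needed} is not set in <VirtualHost _default_:443>")
    inside = {value for name, value in vhost if name.lower() == "include"}
    outside = {value for name, value in top_level if name.lower() == "include"}
    for archive_id in archive_ids:
        path = f"{eprints_root}/archives/{archive_id}/cfg/auto-secure.conf"
        if path in inside:
            continue
        if path in outside:
            problems.append(f"{path} is Included outside the <VirtualHost> block")
        else:
            problems.append(f"{path} is not Included at all")
    return problems


# Constructed sample: the key file directive is missing and one archive's
# Include landed at top level instead of inside the VirtualHost.
BROKEN_SSL_CONF = """\
# constructed sample of /etc/httpd/conf.d/ssl.conf, not a real file
Listen 443
Include /opt/eprints2/archives/demo/cfg/auto-secure.conf
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
    Include /opt/eprints2/archives/other/cfg/auto-secure.conf
</VirtualHost>
"""

# Constructed sample laid out the way the page describes.
FIXED_SSL_CONF = """\
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    Include /opt/eprints2/archives/demo/cfg/auto-secure.conf
    Include /opt/eprints2/archives/other/cfg/auto-secure.conf
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_SSL_CONF), ("fixed", FIXED_SSL_CONF)):
        print(label, check_eprints_ssl(conf, ["demo", "other"]) or "OK")
```

Run it against the real file with `check_eprints_ssl(open("/etc/httpd/conf.d/ssl.conf").read(), [archive ids])` before restarting Apache; an Include that ended up outside the VirtualHost is reported separately from one that is missing, since the two need different fixes.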
Create Template for Secure Pages
Make a copy of template-en.xml:
$ cp template-en.xml template-secure-en.xml
In a multi-language archive, you would need to do this for each language-specific template.
It's a good idea to have a visual differentiation between secure and non-secure pages, e.g. edit template-secure-en.xml and add "(SECURE)" to the title of the page.
Some browsers will complain if images/CSS etc. embedded in a secure page are served by the non-secure host. To solve this, add a new entity to ArchiveConfig.pm/sub get_entities:
$entities{https_base_url} = "https://" . $archive->get_conf("securehost") . $archive->get_conf("securepath");
Now replace image/CSS base_urls with https_base_url.
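The securehost/securepath settings at the top of this page and the https_base_url entity just described are two halves of one job: build the secure base URL, then make sure every embedded resource in the secure template uses it. The example below is added here and is not EPrints code; it assumes the template refers to the archive's base URL through an XML entity written as &base_url; and that the new entity is &https_base_url; (both names inferred from the wording of this page), and the ARCHIVEID.xml and template texts in it are constructed samples. It goes slightly beyond the page by validating securehost and securepath before building the URL, and by touching only img, link and script tags, which are what browsers flag as mixed content, while leaving ordinary links to the non-secure host alone.

```python
"""Build the secure base URL from ARCHIVEID.xml and find mixed content
in a secure page template.

Added example, not part of EPrints. The entity names &base_url; and
&https_base_url; are assumptions taken from the wording of the page.
"""
import re
import xml.etree.ElementTree as ET

# Tags whose targets a browser fetches as part of rendering the page.
RESOURCE_TAG = re.compile(r"<(?:img|link|script)\b[^>]*>", re.IGNORECASE)


def https_base_url(archive_xml):
    """Python equivalent of the Perl get_entities line on this page,
    with the two values checked first."""
    root = ET.fromstring(archive_xml)
    host = (root.findtext("securehost") or "").strip()
    path = (root.findtext("securepath") or "").strip()
    if not host or "/" in host:
        raise ValueError("securehost must be a bare hostname such as secure.mydomain.com")
    if not path.startswith("/"):
        raise ValueError("securepath must start with '/' (it is appended to the host)")
    return "https://" + host + path


def find_mixed_content(template):
    """Return each img/link/script tag that still points at &base_url;."""
    return [m.group(0) for m in RESOURCE_TAG.finditer(template)
            if "&base_url;" in m.group(0)]


def secure_template(template):
    """Rewrite &base_url; to &https_base_url; inside resource tags only.
    Returns (new_template, number_of_tags_changed)."""
    changed = 0

    def fix(m):
        nonlocal changed
        tag = m.group(0)
        if "&base_url;" in tag:
            changed += 1
            return tag.replace("&base_url;", "&https_base_url;")
        return tag

    return RESOURCE_TAG.sub(fix, template), changed


# Constructed sample using the values shown on this page.
SAMPLE_ARCHIVE_XML = """\
<archive id="demo">
  <securehost>secure.mydomain.com</securehost>
  <securepath>/demo</securepath>
</archive>
"""

# Constructed template fragment: a stylesheet and an image would be mixed
# content on the secure host; the navigation link is fine as it is.
SAMPLE_TEMPLATE = """\
<html><head><title>&title; (SECURE)</title>
<link rel="stylesheet" href="&base_url;/eprints.css" type="text/css" />
</head><body>
<img src="&base_url;/images/logo.gif" alt="logo" />
<a href="&base_url;/">Home</a>
&page;
</body></html>
"""

if __name__ == "__main__":
    print("https_base_url =", https_base_url(SAMPLE_ARCHIVE_XML))
    for tag in find_mixed_content(SAMPLE_TEMPLATE):
        print("mixed content:", tag)
    fixed, count = secure_template(SAMPLE_TEMPLATE)
    print(f"rewrote {count} tag(s)")
    print(fixed)
```

Running find_mixed_content over template-secure-en.xml after the edit is a quick way to confirm nothing was missed; an empty list means every embedded resource now resolves through the secure host.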