|
|
Line 1: |
Line 1: |
− | ==Add HTTPS Settings==
| + | #REDIRECT [[How to use EPrints with HTTPS]] |
− | | |
− | For each <tt>ARCHIVEID.xml</tt> file, fill in the <tt>securehost</tt> and <tt>securepath</tt> entries.
| |
− | | |
− | Example:
| |
− | | |
− | <archive id="demo">
| |
− | ....
| |
− | <securehost>secure.mydomain.com</securehost>
| |
− | <securepath>/demo</securepath>
| |
− | ....
| |
− | </archive>
| |
− | | |
− | The <tt>securehost</tt> is vhosted on the same server as your EPrints archive(s).
| |
− | | |
− | Secure requests will be of the form <tt>https://securehost/securepath</tt>.
| |
− | | |
− | <tt>securepath</tt> therefore differentiates requests from individual archives.
| |
− | | |
− | ==Generate Secure Config==
| |
− | | |
− | $ bin/generate_apacheconf
| |
− | | |
− | As well as the usual apache configuration files, this will generate an <tt>auto-secure.conf</tt> file in each archive's <tt>cfg</tt> directory.
| |
− | | |
− | ==Set up Secure Host==
| |
− | | |
− | Under Fedora Core 4, run:
| |
− | | |
− | $ yum install mod_ssl
| |
− | | |
− | This sets up a test SSL server.
| |
− | | |
− | ===Certificates===
| |
− | | |
− | For a production system, you would need to provide the relevant certificates and tweak the mod_ssl config accordingly - see:
| |
− | | |
− | * [http://httpd.apache.org/docs/2.2/mod/mod_ssl.html Apache Module mod_ssl]
| |
− | * [http://www.modssl.org/docs/2.8/ssl_faq.html mod_ssl FAQ]
| |
− | | |
− | Create a <tt>server.key</tt> on the EPrints server (remembering the passphrase you enter):
| |
− | | |
− | $ openssl genrsa -des3 -out server.key 1024
| |
− | | |
− | Create a certificate request:
| |
− | | |
− | $ openssl req -new -key server.key -out server.csr
| |
− | | |
− | The important thing when answering the questions is the CommonName: if ultimately the secure web address of your EPrints server is <tt>https://www.myeprints.com</tt>, then the CommonName value to enter is exactly <tt>www.myeprints.com</tt>.
| |
− | | |
− | Send the <tt>server.csr</tt> file to your Certificate Authority administrator, who should send you back a <tt>.cer</tt> file.
| |
− | | |
− | Copy <tt>server.key</tt> and the <tt>.cer</tt> file to the following locations:
| |
− | | |
− | /etc/httpd/conf/ssl.key/server.key
| |
− | /etc/httpd/conf/ssl.crt/eprints.cer
| |
− | | |
− | Modify <tt>/etc/httpd/conf.d/ssl.conf</tt> accordingly:
| |
− | | |
− | SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
| |
− | SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
| |
− | | |
− | ===Include EPrints SSL config===
| |
− | | |
− | Include each <tt>auto-secure.conf</tt> file generated by EPrints inside the <tt>Virtualhost</tt> directive.
| |
− | | |
− | On FC4, edit <tt>/etc/httpd/conf.d/ssl.conf</tt>:
| |
− | | |
− | <VirtualHost _default_:443>
| |
− | ....
| |
− | Include /opt/eprints2/archives/ARCHIVEID/cfg/auto-secure.conf
| |
− | </VirtualHost>
| |
− | | |
− | If you have set up SSL certificates, you will be asked to enter your passphrase when you restart apache. To override this, see [http://www.modssl.org/docs/2.8/ssl_faq.html#remove-passphrase How can I get rid of the pass-phrase dialog at Apache startup time?].
| |
− | | |
− | ==Create Template for Secure Pages==
| |
− | | |
− | Make a copy of <tt>template-en.xml</tt>:
| |
− | | |
− | $ cp template-en.xml template-secure-en.xml
| |
− | | |
− | In a multi-language archive, you would need to do this for each language-specific template.
| |
− | | |
− | It's a good idea to have a visual differentiation between secure and non-secure pages, e.g. edit <tt>template-secure-en.xml</tt> and add "(SECURE)" to the title of the page.
| |
− | | |
− | Some browsers will complain if images/CSS etc. embedded in a secure page are served by the non-secure host. To solve this, add a new entity to <tt>ArchiveConfig.pm/sub get_entities</tt>:
| |
− | | |
− | $entities{https_base_url} = "https://" . $archive->get_conf("securehost") . $archive->get_conf("securepath");
| |
− | | |
− | Now replace image/CSS <tt>base_url</tt>s with <tt>https_base_url</tt>.
| |