HTTPS2
Add HTTPS Settings
For each ARCHIVEID.xml file, fill in the securehost and securepath entries.
Example:
<archive id="demo">
  ....
  <securehost>secure.mydomain.com</securehost>
  <securepath>/demo</securepath>
  ....
</archive>
The securehost is virtual-hosted on the same server as your EPrints archive(s).
Secure requests will be of the form https://securehost/securepath.
securepath therefore distinguishes the individual archives that share one secure host.
Generate Secure Config
$ bin/generate_apacheconf
As well as the usual Apache configuration files, and depending on the version of EPrints, this will generate:
- an auto-secure.conf file in each archive's cfg directory (2.3.13)
- an auto-your.secure.host.conf file (for each secure host) in the main cfg directory (2.3.11)
Set up Secure Host
Under Fedora Core 4, run:
$ yum install mod_ssl
This sets up a test SSL server.
Certificates
For a production system, you would need to provide the relevant certificates and tweak the mod_ssl config accordingly, as follows:
Create a server.key on the EPrints server (remembering the passphrase you enter):
$ openssl genrsa -des3 -out server.key 1024
Create a certificate request:
$ openssl req -new -key server.key -out server.csr
The important thing when answering the questions is the CommonName: if ultimately the secure web address of your EPrints server is https://www.myeprints.com, then the CommonName value to enter is exactly www.myeprints.com.
Send the server.csr file to your Certificate Authority administrator, who should send you back a .cer file.
Copy server.key and the .cer file to the following locations:
/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.crt/eprints.cer
Modify /etc/httpd/conf.d/ssl.conf accordingly:
SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
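As an added example (not part of the EPrints wiki page), the shell script below wraps the key and CSR steps above and checks the two points that most often go wrong: that the CommonName in the CSR and in the returned certificate is exactly the secure host, and that the certificate the CA sent back was issued for the private key on this server. The host name secure.mydomain.com, the file names and the use of an unencrypted 2048-bit key are assumptions made here (the page's -des3 key works the same way but prompts for its passphrase on every openssl call and at Apache start); the parsing helpers take the one-line output of openssl req/x509 -noout -subject and -modulus.

```shell
#!/bin/sh
# Added example (not from the EPrints wiki): generate and verify the key, CSR
# and certificate files used in the steps above. Host and paths are assumptions.
set -u

SECURE_HOST="${SECURE_HOST:-secure.mydomain.com}"   # must equal <securehost>
KEY_FILE="${KEY_FILE:-server.key}"
CSR_FILE="${CSR_FILE:-server.csr}"
CERT_FILE="${CERT_FILE:-eprints.cer}"

# Pull the CommonName out of an "openssl req -noout -subject" (or x509) line.
# Both the old "subject=/C=GB/CN=host" and the newer "subject=C = GB, CN = host"
# layouts are handled; the result carries no surrounding whitespace.
subject_cn() {
    printf '%s\n' "$1" \
        | sed -n 's/.*[/,= ]CN *= *\([^,/]*\).*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Succeed only if the CommonName in $2 is exactly the expected host $1.
# The comparison is deliberately literal: a certificate for www.mydomain.com
# does not satisfy a browser visiting secure.mydomain.com.
cn_matches() {
    [ "$(subject_cn "$2")" = "$1" ]
}

# Succeed if two "Modulus=..." lines (from rsa/x509 -modulus) name the same key.
same_modulus() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Create the private key and a CSR whose CN is taken from $SECURE_HOST via
# -subj rather than typed at the interactive prompt, so it cannot be mistyped.
make_csr() {
    openssl genrsa -out "$KEY_FILE" 2048 &&
    openssl req -new -key "$KEY_FILE" -out "$CSR_FILE" -subj "/CN=$SECURE_HOST"
}

# Verify the files on disk: CN of the CSR, CN of the returned certificate,
# and that the certificate belongs to this key (identical RSA modulus).
verify_files() {
    cn_matches "$SECURE_HOST" "$(openssl req -noout -subject -in "$CSR_FILE")" \
        || { echo "CSR CommonName is not $SECURE_HOST" >&2; return 1; }
    cn_matches "$SECURE_HOST" "$(openssl x509 -noout -subject -in "$CERT_FILE")" \
        || { echo "certificate CommonName is not $SECURE_HOST" >&2; return 1; }
    same_modulus "$(openssl rsa -noout -modulus -in "$KEY_FILE")" \
                 "$(openssl x509 -noout -modulus -in "$CERT_FILE")" \
        || { echo "certificate was not issued for $KEY_FILE" >&2; return 1; }
    echo "ok: $CERT_FILE matches $KEY_FILE and names $SECURE_HOST"
}

# Run the on-disk checks only when asked to, so the helpers can be sourced.
case "${1:-}" in
    csr)    make_csr ;;
    verify) verify_files ;;
esac
```

Run "sh check_cert.sh csr" to produce server.key and server.csr, and "sh check_cert.sh verify" once the .cer file is back from the CA and before copying the files into /etc/httpd/conf. A mismatch in either check is the usual cause of the browser name warning or of Apache refusing to start with the new certificate.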
Include EPrints SSL config
Include each auto-secure.conf file generated by EPrints inside the Virtualhost directive.
On FC4, edit /etc/httpd/conf.d/ssl.conf:
<VirtualHost _default_:443>
  ....
  Include /opt/eprints2/archives/ARCHIVEID/cfg/auto-secure.conf   # 2.3.13
  Include /opt/eprints2/cfg/auto-your.secure.host.conf            # 2.3.11
  Include /opt/eprints3/archives/soton/var/auto-secure.conf       # 3.0.0
  ....
</VirtualHost>
If you have set up SSL certificates, you will be asked to enter your passphrase when you restart Apache. To override this, see How can I get rid of the pass-phrase dialog at Apache startup time?.
Create Template for Secure Pages
Make a copy of the default template in archives/ARCHIVEID/cfg/lang/en/templates/:
$ cp default.xml secure.xml
In a multi-language archive, you would need to do this for each language-specific template (en = English).
It's a good idea to have a visual differentiation between secure and non-secure pages, e.g. edit secure.xml and add "(SECURE)" to the title of the page.
Some browsers will complain if images, CSS etc. embedded in a secure page are served by the non-secure host. To solve this, modify the secure_urlpath and secure_url entries in archives/ARCHIVEID/cfg/cfg.d/20_baseurls.pl:
$c->{secure_urlpath} = "";
$c->{secure_url} = "https://".$c->{securehost}.$c->{securepath};
In the secure.xml template replace image/CSS base_urls with secure_url.
BUG FIX: In bin/generate_static, replace import url($base_url$1); with import url($1); so that the @import lines in generated CSS are not prefixed with the non-secure base URL.
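As an added example (not from the EPrints wiki), the shell script below checks a secure.xml template for the mixed-content problem described above and rewrites the offending sub-resource URLs to the secure base built the way 20_baseurls.pl builds secure_url. The host names, paths and the sample template in the test are constructed for the example; the script only recognises plain http:// URLs in img/script/iframe/embed src, link href and CSS @import, and leaves ordinary navigation links alone, since those are not mixed content.

```shell
#!/bin/sh
# Added example (not from the EPrints wiki): find sub-resources in a secure
# page template that are still fetched over http://, and rewrite them to the
# secure base URL. Host names and paths are constructed for the example.
set -u

# Build secure_url the way 20_baseurls.pl does: "https://" . securehost . securepath
secure_url() {
    printf 'https://%s%s\n' "$1" "$2"
}

# Count lines in a template that load a sub-resource over plain http://.
# Only <img>/<script>/<iframe>/<embed> src, <link> href and CSS @import count;
# an <a href> link is a navigation target, not mixed content, and is ignored.
count_insecure_refs() {
    grep -i -c -E \
        '<(img|script|iframe|embed)[^>]*src="http://|<link[^>]*href="http://|@import[^;]*http://' \
        "$1" || true
}

# Rewrite sub-resource URLs under $2 (the non-secure base_url) to $3 (the
# secure_url) and print the result; navigation links are not touched.
secure_refs() {
    file=$1; old=$2; new=$3
    # escape regex metacharacters in the old base before using it in sed
    old_re=$(printf '%s' "$old" | sed 's/[][\.*^$]/\\&/g')
    sed -e "s|\(src=\"\)$old_re/|\1$new/|g" \
        -e "s|\(<link[^>]*href=\"\)$old_re/|\1$new/|g" \
        -e "s|\(url(['\"]*\)$old_re/|\1$new/|g" \
        "$file"
}

# Usage: sh check_secure_template.sh archives/ARCHIVEID/cfg/lang/en/templates/secure.xml
# Exits non-zero when the template still references http:// sub-resources.
if [ $# -ge 1 ]; then
    n=$(count_insecure_refs "$1")
    echo "$1: $n insecure sub-resource reference(s)"
    [ "$n" -eq 0 ]
fi
```

Run the check against each language's secure.xml after editing it and again after generate_static has produced the CSS, which is where the import url($base_url$1) bug above reintroduces non-secure references.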