HTTPS2

From EPrints Documentation

Latest revision as of 19:34, 20 October 2011

Add HTTPS Settings

For each ARCHIVEID.xml file, fill in the securehost and securepath entries.

Example:

<archive id="demo">
   ....
   <securehost>secure.mydomain.com</securehost>
   <securepath>/demo</securepath>
   ....
</archive>

The securehost is a virtual host on the same server as your EPrints archive(s); its name must be the one your SSL certificate is issued for (see Certificates below).

Secure requests are of the form https://securehost/securepath.

Several archives can share one securehost, so securepath is what distinguishes requests for the individual archives.

Generate Secure Config

$ bin/generate_apacheconf

As well as the usual apache configuration files, and depending on the version of EPrints, this will generate:

  • an auto-secure.conf file in each archive's cfg directory (2.3.13)
  • an auto-your.secure.host.conf file (for each secure host) in the main cfg directory (2.3.11)

Set up Secure Host

Under Fedora Core 4, run:

$ yum install mod_ssl

This installs mod_ssl with a self-signed certificate and a default SSL virtual host on port 443, which is enough for a test server. Browsers will warn about the self-signed certificate, so it is not suitable for production.

Certificates

For a production system you need to obtain your own certificate and adjust the mod_ssl configuration accordingly.

Create a server.key on the EPrints server (remembering the passphrase you enter). Use at least a 2048-bit key: 1024-bit RSA keys are no longer accepted by public Certificate Authorities or by browsers.

$ openssl genrsa -des3 -out server.key 2048

Create a certificate request:

$ openssl req -new -key server.key -out server.csr

The important thing when answering the questions is the CommonName: if ultimately the secure web address of your EPrints server is https://www.myeprints.com, then the CommonName value to enter is exactly www.myeprints.com. Modern browsers ignore the CommonName and match the host name against the certificate's subjectAltName extension, so make sure that the CSR, or the certificate your Certificate Authority issues, also lists www.myeprints.com as a DNS subjectAltName.

Send the server.csr file to your Certificate Authority administrator, who should send you back a .cer file.

Copy server.key and the .cer file to the following locations. server.key must be readable only by root (mode 0600): anyone who can read it can impersonate the site.

/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.crt/eprints.cer

Modify /etc/httpd/conf.d/ssl.conf accordingly:

SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Include EPrints SSL config

Include each auto-secure.conf file generated by EPrints inside the SSL VirtualHost directive.

On FC4, edit /etc/httpd/conf.d/ssl.conf. Use only the Include line that matches your EPrints version; the version is given as a comment on its own line because Apache does not allow a comment after a directive on the same line:

<VirtualHost _default_:443>
   ....
   # EPrints 2.3.13
   Include /opt/eprints2/archives/ARCHIVEID/cfg/auto-secure.conf
   # EPrints 2.3.11
   Include /opt/eprints2/cfg/auto-your.secure.host.conf
   # EPrints 3.0.0
   Include /opt/eprints3/archives/soton/var/auto-secure.conf
</VirtualHost>

If your server.key is protected by a passphrase, Apache asks for it every time it is restarted. The Apache mod_ssl FAQ entry "How can I get rid of the pass-phrase dialog at Apache startup time?" describes the alternatives; the usual one is to store the key unencrypted, which makes the file permissions on server.key the only thing protecting the private key.

Create Template for Secure Pages

Make a copy of the default template in archives/ARCHIVEID/cfg/lang/en/templates/:

$ cp default.xml secure.xml

In a multi-language archive, you would need to do this for each language-specific template (en = ENglish).

It's a good idea to have a visual differentiation between secure and non-secure pages, e.g. edit secure.xml and add "(SECURE)" to the title of the page.

Browsers warn about, or block, mixed content: images, CSS and scripts loaded over plain http into a page served over https. If the secure pages still reference these resources on the non-secure host, fix it by setting the secure_urlpath and secure_url entries in archives/ARCHIVEID/cfg/cfg.d/20_baseurls.pl:

$c->{secure_urlpath} = "";
$c->{secure_url} = "https://".$c->{securehost}.$c->{securepath};

In the secure.xml template replace the base_url used for image and CSS references with secure_url.

BUG FIX: In bin/generate_static the generated CSS @import uses the non-secure base_url; replace import url($base_url$1); with import url($1); so that the import is a relative URL and resolves against whichever host served the page.

At the top of the secure.xml template, replace the reference to /javascript/auto.js with /javascript/secure_auto.js.

At the top of auto.js, there are the following 3 lines:

var eprints_http_root = "http:\/\/myrepository.ac.uk";
var eprints_http_cgiroot = "http:\/\/myrepository.ac.uk\/cgi";
var eprints_oai_archive_id = "myrepository.ac.uk";

In secure_auto.js the two URL values must start with 'https' rather than just 'http' (and, if securehost or securepath differ from the main host, must point at https://securehost/securepath, otherwise scripts on the secure pages call back to the non-secure host). eprints_oai_archive_id is an identifier, not a URL, and stays as it is. secure_auto.js is a manually maintained copy, so update it whenever auto.js changes.
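The following is an added example (Python, not EPrints code) that ties the settings above together: it reads securehost and securepath from an ARCHIVEID.xml fragment and builds secure_url the way 20_baseurls.pl does, rewrites the auto.js root lines into their secure_auto.js form, and checks a secure.xml template for subresources still loaded over plain http, rewriting those under base_url to the secure URL. The archive fragment, the auto.js lines, the template and the BASE_URL value are constructed sample data. It goes one step beyond the page in that the secure roots are pointed at the secure host rather than only having their scheme changed.

```python
"""Added example, not part of EPrints: derive the archive's secure URL,
turn auto.js into secure_auto.js, and find/rewrite mixed-content
references in a secure page template.  All sample data is constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed <archive> fragment in the shape of ARCHIVEID.xml (only the
# two entries this example reads are included).
ARCHIVE_XML = """<archive id="demo">
   <securehost>secure.mydomain.com</securehost>
   <securepath>/demo</securepath>
</archive>"""

# Constructed copy of the three lines at the top of auto.js.
AUTO_JS = r'''var eprints_http_root = "http:\/\/myrepository.ac.uk";
var eprints_http_cgiroot = "http:\/\/myrepository.ac.uk\/cgi";
var eprints_oai_archive_id = "myrepository.ac.uk";
'''

# Constructed fragment of a secure.xml template that still carries
# references to the non-secure host.
SECURE_TEMPLATE = """<html><head><title>Demo Repository (SECURE)</title>
<link rel="stylesheet" href="https://secure.mydomain.com/demo/style/screen.css" />
<style>@import url(http://myrepository.ac.uk/style/auto.css);</style>
<script src="http://myrepository.ac.uk/javascript/auto.js"></script>
</head><body>
<img src="http://myrepository.ac.uk/images/logo.png" />
<a href="http://myrepository.ac.uk/about.html">About</a>
</body></html>"""

BASE_URL = "http://myrepository.ac.uk"  # assumed non-secure base_url


def secure_url(archive_xml):
    """Build "https://" + securehost + securepath, as 20_baseurls.pl does."""
    root = ET.fromstring(archive_xml)
    host = root.findtext("securehost")
    if not host:
        raise ValueError("securehost is not set for this archive")
    return "https://" + host + (root.findtext("securepath") or "")


def make_secure_auto_js(auto_js, secure_root):
    """Point eprints_http_root / eprints_http_cgiroot at the secure URL.

    Changing only the scheme is enough when securehost equals the normal
    host; when it differs, the root must name the secure host or scripts on
    secure pages call back to the plain-http site.  The escaped-slash style
    of the original is preserved, and eprints_oai_archive_id is an
    identifier rather than a URL, so it is left untouched."""
    esc = secure_root.replace("/", r"\/")
    values = {"eprints_http_root": esc, "eprints_http_cgiroot": esc + r"\/cgi"}
    pattern = re.compile(r'(var (eprints_http_root|eprints_http_cgiroot) = ")[^"]*(")')
    return pattern.sub(lambda m: m.group(1) + values[m.group(2)] + m.group(3), auto_js)


# Elements that load a subresource; a plain <a href> is navigation, not mixed content.
SUBRESOURCE = re.compile(
    r'<(?:script|img|link|iframe|embed|object|source)\b[^>]*?'
    r'\b(?:src|href)\s*=\s*"(http://[^"]*)"',
    re.IGNORECASE,
)
# CSS url(...) references, e.g. the @import that generate_static writes.
CSS_URL = re.compile(r'url\(\s*["\']?(http://[^)"\']*)', re.IGNORECASE)


def find_mixed_content(html):
    """Return plain-http subresource URLs in a page meant to be served over https."""
    return SUBRESOURCE.findall(html) + CSS_URL.findall(html)


def rewrite_subresources(html, base_url, secure):
    """Replace base_url with the secure URL in subresource references only;
    navigation links and references to other hosts are left for review."""
    def repl(m):
        url = m.group(1)
        if not url.startswith(base_url):
            return m.group(0)
        return m.group(0).replace(url, secure + url[len(base_url):], 1)
    return CSS_URL.sub(repl, SUBRESOURCE.sub(repl, html))


if __name__ == "__main__":
    sec = secure_url(ARCHIVE_XML)
    print(make_secure_auto_js(AUTO_JS, sec))
    for url in find_mixed_content(SECURE_TEMPLATE):
        print("mixed content:", url)
    fixed = rewrite_subresources(SECURE_TEMPLATE, BASE_URL, sec)
    print("remaining after rewrite:", find_mixed_content(fixed))
```

Run it against a real secure.xml (and the other language templates) after the edits above; anything it still reports is a resource a browser will refuse to load, or warn about, on the secure pages. The `<a href>` to the http site is deliberately left alone, since a navigation link is not mixed content.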