How to use EPrints with HTTPS

From EPrints Documentation
Revision as of 16:53, 27 June 2006 by (talk) (Include EPrints SSL config)
Jump to: navigation, search

Add HTTPS Settings

For each ARCHIVEID.xml file, fill in the securehost and securepath entries.


<archive id="demo">

The securehost is vhosted on the same server as your EPrints archive(s).

Secure requests will be of the form https://securehost/securepath.

securepath therefore differentiates requests from individual archives.

Generate Secure Config

$ bin/generate_apacheconf

As well as the usual apache configuration files, and depending on the version of EPrints, this will generate:

  • an auto-secure.conf file in each archive's cfg directory (2.3.13)
  • an file (for each secure host) in the main cfg directory (2.3.11)

Set up Secure Host

Under Fedora Core 4, run:

$ yum install mod_ssl

This sets up a test SSL server.


For a production system, you would need to provide the relevant certificates and tweak the mod_ssl config accordingly - see:

Create a server.key on the EPrints server (remembering the passphrase you enter):

$ openssl genrsa -des3 -out server.key 1024

Create a certificate request:

$ openssl req -new -key server.key -out server.csr

The important thing when answering the questions is the CommonName: if ultimately the secure web address of your EPrints server is, then the CommonName value to enter is exactly

Send the server.csr file to your Certificate Authority administrator, who should send you back a .cer file.

Copy server.key and the .cer file to the following locations:


Modify /etc/httpd/conf.d/ssl.conf accordingly:

SSLCertificateFile /etc/httpd/conf/ssl.crt/eprints.cer
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

Include EPrints SSL config

Include each auto-secure.conf file generated by EPrints inside the Virtualhost directive.

On FC4, edit /etc/httpd/conf.d/ssl.conf:

<VirtualHost _default_:443>
   Include /opt/eprints2/archives/ARCHIVEID/cfg/auto-secure.conf # 2.3.13
   Include /opt/eprints2/cfg/ # 2.3.11

If you have set up SSL certificates, you will be asked to enter your passphrase when you restart apache. To override this, see How can I get rid of the pass-phrase dialog at Apache startup time?.

Create Template for Secure Pages

Make a copy of template-en.xml:

$ cp template-en.xml template-secure-en.xml

In a multi-language archive, you would need to do this for each language-specific template.

It's a good idea to have a visual differentiation between secure and non-secure pages, e.g. edit template-secure-en.xml and add "(SECURE)" to the title of the page.

Some browsers will complain if images/CSS etc. embedded in a secure page are served by the non-secure host. To solve this, add a new entity to get_entities:

$entities{https_base_url} = "https://" . $archive->get_conf("securehost") . $archive->get_conf("securepath");

Now replace image/CSS base_urls with https_base_url.