<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:SimSun;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"\@SimSun";
        panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-CA" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Thanks again, Matthew, for sharing your solution.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">It seems very straightforward; the only thing is that I will have to configure our Apache to understand the Header command first :)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Have a great weekend,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Tomasz<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif"> eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk]
<b>On Behalf Of </b>Matthew Kerwin<br>
<b>Sent:</b> August-24-17 7:59 PM<br>
<b>To:</b> eprints-tech@ecs.soton.ac.uk<br>
<b>Subject:</b> Re: [EP-tech] SSL (HTTPS) only for an EPrints repository<o:p></o:p></span></p>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class="MsoNormal"><br>
On 25 August 2017 at 06:30, Tomasz Neugebauer &lt;<a href="mailto:Tomasz.Neugebauer@concordia.ca">Tomasz.Neugebauer@concordia.ca</a>&gt; wrote:<br>
&gt; Thank you, Matthew!&nbsp; We have HTTPS working, with the apache config, but the<br>
&gt; repository allows users to access “browse/abstract” pages with HTTP as well.<br>
&gt; Since we have a search box in our header, Chrome will soon start warning<br>
&gt; that inputting any text on an HTTP connection is not secure.<br>
&gt;<br>
&gt;<br>
&gt; I was looking at this Google page which recommends HSTS as well:<br>
&gt; <a href="https://support.google.com/webmasters/answer/6073543?hl=en&amp;ref_topic=6001951">
https://support.google.com/webmasters/answer/6073543?hl=en&amp;ref_topic=6001951</a><br>
&gt;<br>
&gt; I think that is what we need to implement, I’m just not sure how to do that<br>
&gt; yet.<br>
&gt;<br>
&gt; I noticed that when I try to access a QUT ePrints page with HTTP, it<br>
&gt; switches over to HTTPS, for example, going here :<br>
&gt; <a href="http://eprints.qut.edu.au/view/thesis/phd/">http://eprints.qut.edu.au/view/thesis/phd/</a> , you end up<br>
&gt; <a href="https://eprints.qut.edu.au/view/thesis/phd/">https://eprints.qut.edu.au/view/thesis/phd/</a><br>
&gt;<br>
&gt; Does that mean that QUT ePrints is supporting HSTS?<br>
&gt;<br>
<br>
Yep, if you look at the response for a HTTPS request you'll see a header like:<br>
<br>
~~~<br>
Strict-Transport-Security: max-age=2419200<br>
~~~<br>
<br>
I'm not sure how other sites have their .confs organised, but we have in /etc/httpd/conf.d/ a core 'eprints.conf' which sets up the modperl environment (PerlModule,PerlSwitches,etc.), and then repo-specific configs which we keep in version control.<br>
<br>
The one for QUT ePrints looks like this:<br>
<br>
~~~<br>
<span style="font-family:&quot;Courier New&quot;"># &lt;VirtualHost :80/&gt; is generated by bin/generate_apacheconf<br>
Include /opt/eprints3/cfg/apache/quteprints.conf<br>
<br>
&lt;VirtualHost 131.181.186.218:443&gt;<br>
&nbsp; ServerName ...<br>
&nbsp; # ...etc...<br>
<br>
&nbsp; SSLCertificateFile ...</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-family:&quot;Courier New&quot;">&nbsp; # ...etc...<br>
<br>
&nbsp; # EPrints configuration created by bin/generate_apacheconf<br>
&nbsp; PerlTransHandler &#43;EPrints::Apache::Rewrite<br>
&nbsp; Include /opt/eprints3/cfg/apache_ssl/quteprints.conf<br>
<br>
&nbsp; # Include additional archive-specific configuration<br>
&nbsp; Include /opt/eprints3/archives/quteprints/cfg/apachevhost_ssl.conf<br>
<br>
&nbsp; # All future navigation to the site should be to https://<br>
&nbsp; # Times: 31536000 = 365 days<br>
&nbsp; # &nbsp; &nbsp; &nbsp; &nbsp; 2419200 = 28 days<br>
&nbsp; Header set Strict-Transport-Security &quot;max-age=2419200&quot;<br>
&lt;/VirtualHost&gt;</span><br>
~~~<br>
<br>
It's a pretty broad stroke, but it gets it done.<br>
<br>
HTH<br>
-- <br>
&nbsp; Matthew Kerwin<br>
&nbsp; <a href="http://matthew.kerwin.net.au/">http://matthew.kerwin.net.au/</a><o:p></o:p></p>
</div>
</div>
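<p class="MsoNormal">The header check described in the message above, generalised into a small Python audit. This is an added example, not code from the thread or from EPrints: it parses Strict-Transport-Security values under the RFC 6797 rules and classifies each response. The sample responses, MIN_MAX_AGE and the function names are constructed for illustration.</p>

```python
# Added example (not from the thread): audit HSTS headers per RFC 6797.
MIN_MAX_AGE = 2419200  # 28 days, the value used in the thread's config


def parse_hsts(value):
    """Return the directives as a dict, or None if the header is malformed."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue  # empty directives (e.g. a trailing ';') are allowed
        if name in directives:
            return None  # a repeated directive invalidates the whole header
        directives[name] = arg.strip().strip('"')  # value may be quoted
    raw = directives.get("max-age", "")
    if not (raw.isascii() and raw.isdigit()):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(raw)
    return directives


def audit(scheme, headers):
    """Classify one response: 'ok', or a short reason the policy is not set."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if scheme != "https":
        # Browsers ignore HSTS received over plain HTTP; only a redirect helps.
        return "ignored-over-http" if values else "no-policy-over-http"
    if not values:
        return "missing"
    policy = parse_hsts(values[0])  # browsers process only the first header
    if policy is None:
        return "malformed"
    if policy["max-age"] == 0:
        return "policy-removed"  # max-age=0 makes the browser forget the host
    return "ok" if policy["max-age"] >= MIN_MAX_AGE else "short-max-age"


# Constructed sample responses: (scheme, header list).
SAMPLES = [
    ("https", [("Strict-Transport-Security", "max-age=2419200")]),
    ("https", [("strict-transport-security", 'MAX-AGE="31536000"; includeSubDomains')]),
    ("https", [("Content-Type", "text/html")]),
    ("https", [("Strict-Transport-Security", "max-age=60; max-age=2419200")]),
    ("http", [("Strict-Transport-Security", "max-age=2419200")]),
]

if __name__ == "__main__":
    print([audit(s, h) for s, h in SAMPLES])
```

<p class="MsoNormal">Error responses are worth including in the sample set: mod_headers' default onsuccess condition does not add the header to them, while "Header always set" does.</p>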
</div>
</body>
</html>