<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>Hi Tomasz,</p>
<p><br>
</p>
<p>Mixed content warnings are something I have been trying to
improve in recent versions of EPrints, so new installs should not
suffer these problems. However, upgrades will still be
problematic. This is because old templates, citations, workflows
and even CSS and JavaScript files may have http URLs in them.
This means you really need to go through all these files and seek
out http URLs.</p>
<p><br>
</p>
<p>The main problem I have found is the use of http_url or http_cgiurl
in templates, citations and even workflows. These should ideally
use rel_path and rel_cgipath instead, but as this does not give
you the full URL it might be better to use base_url and perl_url
instead. However, to make sure that these are https not http, you
will need to make sure you have either no or an up to date version
of 20_baseurls.pl in your archive's cfg/cfg.d/ (assuming you are
running 3.4.1+, which it sounds like you are). This is because of
a change made for 3.4.1 to ensure that base_url and perl_url get
configured as https if $c->{securehost} is defined.<br>
</p>
<p><br>
</p>
<p>It is worth grepping across all of your archive's cfg directory
for the string "http:" to root out any hardcoded http URLs.</p>
<p><br>
</p>
<p>One of the things I did in recent versions of EPrints is provide
a way of reconfiguring 10_core.pl to better/more intuitively enable
HTTPS everywhere [1]. This ensures all http URL requests are
redirected to https without needing to have picked up the HSTS
header, which requires visiting an https URL at least once (and
therefore does not work for stateless bots). If you deploy HTTPS
everywhere, as well as running generate_apacheconf and reloading
the webserver, you will need to make sure all browse views and
abstract pages are regenerated. <br>
</p>
<p><br>
</p>
<p>As you comment in your email below, you are worried about
unsetting $c->{host} as it may break things. I am aware of one
issue with this in 3.4.3 core code [2]. However, this is a fairly
straightforward fix and is only a problem if you have multiple
languages enabled for your repository. If you use the Repository
Links Bazaar plugin [3], that will also require a similar fix. I
think there may be one or two other Bazaar plugins that use
$c->{host} but I cannot remember what they are off the top of
my head.<br>
</p>
<p><br>
If you look at perl_lib/EPrints/URL.pm line 129 [4] you should see
the line:</p>
<p><br>
</p>
<p>if ( EPrints::Utils::is_set( $session->config( "securehost" )
) && ( $opts{scheme} eq "https" ||
!EPrints::Utils::is_set( $session->config( "host" ) ) <br>
</p>
<p><br>
</p>
<p>If you have HTTPS everywhere configuration enabled this should
ensure HTTPS URLs are always used for things like the thumbnail
URLs you describe having a problem with. However, if you are not
using HTTPS everywhere configuration you will still get http URLs
for thumbnails and similar. I would therefore recommend
enabling this and I will see if I can track down the Bazaar
plugins that may be affected by $c->{host} being undefined.</p>
<p><br>
</p>
<p>The problem with EPrints is it has gone through various
iterations of HTTP/HTTPS use:</p>
<p><br>
</p>
<p>1. No HTTPS <br>
</p>
<p>2. HTTP for public pages and HTTPS for back-end admin pages.</p>
<p>3. HTTPS for all pages</p>
<p><br>
</p>
<p>This means as the code has evolved over time how to configure the
appropriate URLs in various situations has got progressively more
complicated, as ways of supporting these different approaches for
HTTPS have been incorporated into EPrints over the years. I go
into a bit of detail about this in the EPrints 3.4.3 release page
[5]. I still don't think this is perfect, as there are
potential requirements in Bazaar plugins or bespoke archive
code/configuration that require $c->{host} to be defined.
However, after a lot of consideration, the changes I made for
3.4.3 tried to make the best compromise between fixing the mixed
content warnings, simplifying URL config variables and their use
and not seriously breaking existing repositories when they are
upgraded.<br>
</p>
<p><br>
</p>
<p>Regards</p>
<p><br>
</p>
<p>David Newman<br>
</p>
<p><br>
</p>
<p>[1] <a class="moz-txt-link-freetext" href="https://wiki.eprints.org/w/Simplified_HTTPS_Configuration">https://wiki.eprints.org/w/Simplified_HTTPS_Configuration</a></p>
<p>[2] <a class="moz-txt-link-freetext" href="https://github.com/eprints/eprints3.4/issues/118">https://github.com/eprints/eprints3.4/issues/118</a></p>
<p>[3] <a class="moz-txt-link-freetext" href="http://bazaar.eprints.org/379/">http://bazaar.eprints.org/379/</a></p>
<p>[4] <a class="moz-txt-link-freetext" href="https://github.com/eprints/eprints3.4/blob/master/perl_lib/EPrints/URL.pm#L129">https://github.com/eprints/eprints3.4/blob/master/perl_lib/EPrints/URL.pm#L129</a></p>
<p>[5] <a class="moz-txt-link-freetext" href="https://wiki.eprints.org/w/EPrints_3.4.3#Configuration_URLs_and_Paths">https://wiki.eprints.org/w/EPrints_3.4.3#Configuration_URLs_and_Paths</a></p>
<p><br>
</p>
<div class="moz-cite-prefix">On 23/12/2021 23:12, Tomasz Neugebauer
via Eprints-tech wrote:<br>
</div>
<blockquote type="cite" cite="mid:EMEW3|e8c7f182be79eb6eaf16511d82fa3dffxBMNGY14eprints-tech-bounces|ecs.soton.ac.uk|YQXPR01MB240705B87C95CC480A31C7838B7E9@YQXPR01MB2407.CANPRD01.PROD.OUTLOOK.COM">
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
I thought that I resolved all of the "mixed content" warnings
on our repository a while back, but after a recent upgrade
from 3.3.12 to 3.4.3, I noticed that I have some mixed content
warnings again, specifically on the thumbnails on the abstract
pages. I might have missed some of these warnings before,
though, so this might not be a new issue after the upgrade. </div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Because I have HSTS headers, the browser redirects those
requests to HTTPS, but I would like to fix it. Both the SRC
and the HREF of the thumbnails for PDFs are referenced as HTTP
instead of HTTPS. The only thing that fixed it during my
testing was if I was to remove (comment out) the
$c->{host} line/variable
in 10_core.pl</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
That resolves the issue, but I'm worried to apply this change
because I don't know if something else might rely on that
variable.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
I spent a good part of a day trying to follow the code, and I
know that the {scheme} variable in URL.pm doesn't get properly
set to https in the case of the thumbnails, but the code is so
confusing when it comes to the thumbnail URLs that I can't
figure out why. I do have a suspicion that there is a bug in
the core code somewhere, but perhaps it is something in our
own configuration. </div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
I know this issue is not new to this list, in fact, I wrote
the first drafts of the HSTS page on the Wiki (<a href="https://wiki.eprints.org/w/HTTPS-only_and_HSTS">https://wiki.eprints.org/w/HTTPS-only_and_HSTS</a>),
but looking through the updated page there and any recent
exchanges that relate to this didn't help me figure it out. </div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Let me know if you have any ideas?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Best wishes,
<div>Tomasz</div>
</div>
</div>
</blockquote>
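<p>Added example (not part of the original email and not EPrints project code): one way to run the cfg audit described in the reply above, reporting both hardcoded http:// URLs and uses of http_url / http_cgiurl while skipping XML namespace URIs, which a plain grep for "http:" would flag on almost every template. The sample files, the hostname repo.example.org and the config key example_link are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: audit an EPrints archive cfg directory for mixed-content sources.

# Report "file:line:KIND: text" for every suspicious line under directory $1.
#   HARDCODED_HTTP  literal http:// URL (XML namespace URIs are ignored)
#   HTTP_CONFIG     use of the http_url / http_cgiurl config variables
scan_cfg() (
    cd "$1" || exit 1
    find . -type f \( -name '*.xml' -o -name '*.xpage' -o -name '*.pl' \
        -o -name '*.css' -o -name '*.js' \) |
    LC_ALL=C sort |
    while IFS= read -r f; do
        awk -v file="$f" '
        function report(kind) { printf "%s:%d:%s: %s\n", file, NR, kind, $0 }
        {
            line = $0
            # xmlns="http://..." is an identifier, never fetched by the browser.
            gsub(/xmlns(:[A-Za-z0-9_]+)?="http:[^"]*"/, "", line)
            if (line ~ /http:\/\//)      report("HARDCODED_HTTP")
            if (line ~ /http_(cgi)?url/) report("HTTP_CONFIG")
        }' "$f"
    done
)

# Constructed sample archive (not taken from a real repository).
make_sample_cfg() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/templates" "$d/cfg.d"
    cat > "$d/templates/default.xml" <<'EOF'
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:epc="http://eprints.org/ep3/control">
<script src="{$config{rel_path}}/javascript/auto.js"></script>
<img src="http://repo.example.org/images/logo.png"/>
<a href="{$config{http_url}}/view/">Browse</a>
</html>
EOF
    cat > "$d/cfg.d/zz_local.pl" <<'EOF'
$c->{example_link} = $c->{http_cgiurl} . "/users/home";
EOF
    echo "$d"
}

# Demo run on the constructed sample; point scan_cfg at a real cfg directory instead.
sample=$(make_sample_cfg)
scan_cfg "$sample"
rm -rf "$sample"
```

<p>Each HTTP_CONFIG hit is a candidate for rel_path / rel_cgipath or base_url / perl_url as the reply suggests; HARDCODED_HTTP hits need a manual decision per URL.</p>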
</body>
</html>