EZproxy Changes


2014-08-11

EZproxy changes for version 5.7.42

Enhancements for EZproxy implementations:

  1. This version of EZproxy is built with OpenSSL v0.9.8.za.
  2. This version will report EZproxy 5.7.42 GA [SOURCE:5.7.41_SOURCE] when you use the -v flag to report the version.
  3. Resolved an issue with cookie expiration headers. Expirations for domain-level cookies are now honored.
  4. Resolved an issue where EZproxy 5.7.2 disabled TLS when Option DisableSSLv2 is present.
  5. Corrected an issue with Strict-Transport-Security headers. In previous versions, when a web server sent a Strict-Transport-Security header, the browser would use only https for any subsequent request to a web server with the same name as the one that sent the header. Under proxy by port, this header indicates that all communication with all ports must be https, which blocks all communication to ports that use only http. EZproxy now does not pass Strict-Transport-Security headers back to the browser.

IMPORTANT NOTE: the old license keys will work in all releases of EZproxy up to and including V5.7 and its maintenance releases. You will need new license keys, which are provided as part of the subscription service, for the next release of EZproxy.

2014-03-04

EZproxy changes for version 5.7.32

Enhancements for EZproxy implementations:

Bug fixes include the following:

  1. Use of the ProxyURLPassword caused EZproxy to exit abnormally. This command is primarily used for integration with the LibX browser toolbar. 
  2. In some rare cases, use of UserFile or login:user in user.txt resulted in EZproxy not correctly processing the statement or block containing these directives.
  3. Resolved an issue with the Option UTF16 option. This option was only working if it was listed after the last database stanza. This behavior has been corrected so that Option UTF16 and Option NoUTF16 work correctly in any location in config.txt.
  4. Resolved a problem in previous EZproxy V5.7 releases that caused DRA2 Web2 authentication to fail.
  5. Support for new license keys has been added to this release. Old keys previously issued continue to work.

IMPORTANT NOTE: the old license keys will work in all releases of EZproxy up to and including V5.7 and its maintenance releases. You will need new license keys, which are provided as part of the subscription service, for the next release of EZproxy.

2013-10-21

EZproxy changes for version 5.7.26

Enhancements for EZproxy implementations:

New feature:

  1. EZproxy now supports SHA-256 signing of SAML assertions. This change makes it easier to integrate with Active Directory Federation Services (ADFS) and provides support for some federations that require SHA-256 signing.

Bug fixes include the following:

  1. MimeFilter matching. Previously EZproxy matched the MimeFilter directive on "M", but this overlapped with the MetaFind statement. EZproxy now requires the string "MimeFilter" to match the MimeFilter directive. Note that the match is case insensitive.
  2. Resolved an issue with LDAP authentication that could result in crashes.
  3. Removed extraneous start-up messages. EZproxy no longer shows status at startup for the already removed directives that dictated maximums for the number of databases (MD) and excluded IP addresses (MI).
  4. Implemented a warning for the SSLCipherSuite directive stating that it must appear in config.txt before the LoginPortSSL directive in order to take effect.
  5. Resolved a problem where III authentication with a Password PIN using https would fail.
  6. Other general bug fixes were also addressed in this release.

2013-05-29

EZproxy changes for version 5.7

Enhancements for EZproxy implementations:

  1. A new config.txt option, MimeFilter, has been added to allow EZproxy to determine which object types should support URL rewriting. Usage:

    MimeFilter mime-type URI-pattern [-] action

    where

    mime-type: MIME type of the object to apply URL rewriting rules to.

    URI-pattern: URIs to apply URL rewriting to. This can be a PCRE regular expression.

    action: rewrite objects that match the above criteria that are embedded in JavaScript, PDF, text, or HTML. Values are javascript, none, pdf, text, or html. If action is preceded by a "-", then the default patterns for rewrite are removed and ONLY these patterns are considered for rewrite.

  2. In the admin server status screen, there is a new column, location, that shows the location of the user by mapping the IP address to the region. If the IP address cannot be mapped, the value will be blank.

  3. When using LDAP authentication, expressions are now accepted for the BindUser and BindPassword directives. For example, the following LDAP authentication example is now supported:

    ::LDAP
    BindUser -expr login:user . "@library.com"
    BindPassword -expr login:pass
    DisableReferralChasing
    URL ldaps://ldap.library.com/DC=library,DC=com?sAMAccountName?sub?(objectClass=person)
    IfUnauthenticated; Stop
    IfUser doe; Admin
    /LDAP

  4. EZproxy now supports the range of cipher options using the syntax and options supported in the Apache web server. See the Apache documentation for SSLCipherSuite (http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS). Use the configuration statement SSLCipherSuite to specify the cipher options. Example:

    SSLCipherSuite HIGH:MEDIUM:LOW:EXP:!ADH:!aNULL

    The previous cipher-related options can still be used.

  5. Many general bug fixes and additional security issues were also addressed in this release.

2012-11-27

EZproxy changes for version 5.6.3

Bug fixes for specific EZproxy implementations related to Linux and Windows machines running Shibboleth:

  1. Resolved incompatibility with recent 64-bit Linux kernels, which generated error messages in the messages.txt file similar to the ones below:

    2012-05-01 11:37:18 Unrecognized config.txt(31): OPTON ProxyByHoostname
    2012-05-01 11:37:18 Unrecognized config.txt(35): LOGINORRT 80
    2012-05-01 11:37:18 Unrecognized config.txt(43): OPTON AllowHTTPPLogin
    2012-05-01 11:37:18 Unrecognized config.txt(44): OPTON ForceHTTPPSLogin

  2. Resolved underlying problem on the Windows platform where EZproxy would crash and restart after receiving a Shibboleth assertion, without sending a message to describe why the crash was occurring.

2012-05-24

EZproxy Changes for v5.6

Enhancements for EZproxy implementations:

  1. Beta EZproxy implementations now simply "expire," without requiring a license agreement.
  2. Functionality and logic has been added to the ezproxy.ftl file to insert the actual machine instruction that causes an EZproxy crash.
  3. Option Cookie information is now displayed in the EZproxy Administration Extended Information view for each database.

General bug fixes:

  1. Removed extraneous repeating lines in messages.txt for Shibboleth and UUAcquireMutex/UUReleaseMutex.
  2. Raised timers for the Guardian process and for Athens sites, eliminating a potential restart.
  3. Removed requirement for the "FriendlyName" attribute for Shibboleth 2.X, preventing further crashes.
  4. Resolved a potential problem in the SSL certificate import process. In some cases, a failed SSL certificate import would leave an incomplete .cnf file.
  5. Resolved a problem where, in rare cases, EZproxy would have problems running from a symlinked directory.
  6. Resolved an issue with referring URL authentication where some users were being sent the suspend.htm file instead of being transparently authenticated.
  7. Removed case sensitivity in URL starting checks.
  8. Resolved the issue where in some cases, EZProxy would crash when querying a Shibboleth Identity Provider for attributes.
  9. EZproxy once again ignores SIGHUP signals, so the Guardian process will keep running.
  10. Resolved an invalid pointer in the UTF-16 parser, preventing unauthorized access to the Siku Quanshu content, one of the largest collections of books in Chinese history.
  11. A number of additional security issues were also addressed in this release.

2011-12-14

EZproxy Changes for V5.5

Enhancements for Shibboleth implementations:

  1. Shibboleth 2.3's default settings for IdPs are now compatible with EZproxy.
  2. The NameIdentifier (non-persistent ID) is now exposed through the expression variable auth:nameid.
  3. HTTP POST data can now exceed 64 KB for Shibboleth. Other HTTP POST data remains limited to 64 KB.
  4. Shibboleth 1.3 authentication no longer writes the "SAMLResponse no encrypted Assertion elements" message to the messages.txt file unnecessarily.
  5. Shibboleth authentication is now successful for institutions in the UK Access Federation, instead of logging the message "SAML received assertion without a status of success, denying access."
  6. When the XDebug directive or the -D command line argument is used and there is no "shibuser.txt" file, Shibboleth processing is no longer disabled.

General bug fixes:

  1. Removed extraneous messages in the messages.txt file about "License Validation."
  2. The string concatenation operator is interpreted as a character belonging to the neighboring textual constant rather than as a concatenation operator for the following namespaces.

    auth:, group:, http:, cookie:

    This longstanding behavior will be fixed in 5.5.x for only the following namespaces.

    login:, env:, ParseName:, session:, db:, re:

    If you see this problem, the workaround is to insert a space around the concatenation operator. For example, this syntax works:

    UserFile("groups/" . login:instNumber.".txt")

    while this syntax does not:

    UserFile("groups/".login:instNumber.".txt")

  3. Long lines greater than approximately 8192 characters written to messages.txt are now accepted.
  4. The EZproxy "stopall" command line argument will stop all processes named "ezproxy". It will then remove the ".ipc" and ".lck" files for the EZproxy directory from which the executable was run. The ".ipc" and ".lck" files for other execution directories are left unchanged. This may require that you manually remove them from those directories.
  5. A number of additional security issues were also addressed in this release.

2011-07-19

EZproxy Changes for V5.4.1

  1. The restart function now correctly restarts EZproxy on Windows platforms.
  2. The IPC file (named ezproxy.ipc) is now being created on Windows platforms. This resolves the possibility of multiple instances of EZproxy being started on a server out of the same directory.
  3. Shibboleth with groups is now completing authentication instead of being presented with logup.htm.
  4. The limit on the number of IncludeFile entries is now set at 4096 include files, allowed at a depth of up to 64 nested includes (include files that contain another include statement).
  5. If EZproxy is restarted and an IPC file exists, EZproxy will now issue a message suggesting you can delete this file if you know EZproxy isn't currently running.
  6. Workaround for known bug: the string concatenation operator is interpreted as a character belonging to the neighboring textual constant rather than as a concatenation operator. If you see this problem, the workaround is to insert a space around the operator. For example, this syntax:

    UserFile("groups/" . login:instNumber.".txt")

    works, while

    UserFile("groups/".login:instNumber.".txt")

    does not.

2011-05-26

EZproxy Changes for V5.4

  • Support for Windows 7
  • A user can now submit a username or password that is longer than 32 characters or contains a "|" when using SIP Authentication
  • Support signing cert 'rollover' by supporting multiple x.509 certificates in SAML metadata.
  • Made changes to prevent PDF files from being treated as HTML files and improperly returned to the user.
  • Numerous updates and bug fixes to further support Shibboleth implementations
  • Improved security measures now:
    • Prevent a potential denial of service vulnerability
    • Integrate with version 0.9.8q of OpenSSL
  • Enhanced debugging features, such as
    • Line numbers for the EZproxy Admin "test user.txt" page
    • Line numbers for the config.txt file.
    • Error messages are now written just below the line that caused them. The actual text of the file is written instead of the trimmed text. Enable this feature by adding XDEBUG 128 to your configuration file.

      Note: OCLC does not recommend running this feature in a live production environment due to the quantity of messages logged.

2010-10-14

EZproxy Changes for V5.3

  1. EZproxy now supports Shibboleth Version 2.1 Identity Providers (IdPs). IdPs from V1.3 to 2.1 are supported by EZproxy V5.3.
  2. When generating a configuration file (config.txt) via ezproxy -m, a commented-out SafariCookiePatch configuration line is now in the config.txt file.
  3. On the administration page which manages Books 24x7 tokens, a change has been made so that the tokens generated on this page properly consume the supplied username as part of the token generation process.
  4. The Option BlockCountryChange, when used with Shibboleth, no longer requires the workaround line Location 0.0.0.0-0.0.0.0 US in order to work.
  5. LOGFORMAT now returns the correct number of bytes transferred for https connections. In previous versions, 0 was returned.
  6. In previous versions, when complex nesting of conditional blocks exist in user.txt, sometimes unexpected results could occur. This issue is fixed in V5.3.
  7. For Navigator users, the administration button view user object now works correctly.
  8. A new function, Length, is available in V5.3. This function returns the number of characters in a string. Example usage:

    ::Common
    Set x1 = "1"
    Set x2 = "12"
    Set x5 = "12345"
    Set x10 = "1234567890"
    If Length(x1) == 1 && Length(x2) == 2 && Length(x5) == 5 && Length(x10) == 10 {
        Msg Length test passes
    } else {
        Msg Length test fails
    }
    /Common

  9. Implemented an improvement to the generation of tickets with Ticket authentication. This improvement provides a higher level of security to the ticket. It allows you to add a $e to the end of the packet value when creating the ticket. When the $e is present, it is an end-of-ticket marker. If the $e doesn’t appear in the ticket, a warning is placed in the messages.txt log file, and the ticket is accepted for backward compatibility. If the $e is present and some text follows it, the ticket is rejected. Users are encouraged to move to the practice of adding the $e to the end of the packet before constructing the ticket.
  10. A new option, Option CookiePassThrough, has been added. This option passes ALL cookies through EZproxy to the user’s browser. Some web sites require this feature.
  11. A security change has been made to the cgiuser functionality. There is minimal impact to running configurations with this change.
  12. For Gartner group, a false error message is returned in some cases regarding an encryption problem. This error was being issued when there wasn’t a problem and is now suppressed.

2009-08-31

EZproxy 5.2 contains the following changes:

  1. New directive for use in LDAP authentication, which allows the search filters that are used in login to also be used when reading attributes.
  2. EZproxy now allows vector notation in the user.txt file, because the Innovative Interfaces, Inc (III) system patron API has changed to support multiple uses of the same field. Previous versions of EZproxy would only retrieve the first value of the field; now each value can be addressed as an array element. For example, if the system has a field named "phone," the first instance might be home, the second might be work, and the third might be cell. EZproxy user.txt can now access each as auth:phone[0], auth:phone[1], auth:phone[2], which gives the system more flexibility with contact information.
  3. The sample config.txt (generated by the -m command) has been updated to include more stanzas for OCLC resources. These additional stanzas make it easier and faster to add a new database to your configuration file.
  4. The signing algorithm for certificates has been updated to SHA1, which is more secure than the previous MD5.
  5. DisableSSLv2 directive now works as expected.
  6. There were a number of additional minor fixes to improve the overall stability of EZproxy.

2009-01-19

EZproxy 5.1c contains the following changes:

  1. Disable "Option RedirectUnknown". Recommended replacement is the use of new RedirectSafe directive, although if the original functionality is required, the previous functionality can be restored using "Option UnsafeRedirectUnknown".
  2. Incorporate RedirectSafe to specify hosts and domains that may appear in starting point URLs where the users should simply be redirected instead of being proxied, creating a controlled replacement for "Option RedirectUnknown".

    When moving to this format, be sure to remove "Option RedirectUnknown" from config.txt to disable the original functionality.

    Sample use:

    RedirectSafe cnn.com
    RedirectSafe nytimes.com

    In this example, if the hostname of a URL is exactly cnn.com or nytimes.com, or if the hostname ends with .cnn.com or .nytimes.com, it is considered safe for redirection. If such a hostname appears in a starting point URL, and if EZproxy is not otherwise configured to proxy the URL, then a user accessing such a URL will be silently redirected to the specified URL instead of receiving a message about the hostname.

  3. Add expression function Coalesce that accepts one or more values, separated by commas. The first value that evaluates as non-NULL is returned.
  4. Add expression function Hash to compute MD5, SHA1, SHA256, or SHA512 hash and return it as a hexadecimal string. Sample usage:

    Set hashed = Hash("MD5", "Some text")

  5. Add expression function ParseName to parse names out into their individual components.
  6. Add expression function UserFile which takes a single parameter filename. The file is processed using the same rules as user.txt, allowing one authentication method to "call out" to another authentication method, typically to obtain extended information from an alternative authentication method.
  7. Allow the setting of expression variable login:user to override the normal user variable used for authentication processing. This is mainly useful when the login:loguser value provided in CGI authentication needs to be remapped to become the main user variable when combining CGI authentication with other authentication methods, such as to search an alternate authentication method for additional user information.
  8. Correct issue introduced in EZproxy 5.1a that prevented SPUEdit from working properly.
  9. Update Insignia authentication to handle revision in how Insignia presents patron information.
  10. Update TLC authentication to handle revision in how TLC presents patron information.
  11. Correct issue when using AutoLoginIP with groups, such as transparent OPAC proxying, when combined with a redirecting authentication method such as CAS.
  12. Increase an internal inactivity limit for SciFinder proxying from 1 minute to 15 minutes.
  13. HTTP status code 205 was being handled as bodyless, which was incorrect and led to problems proxying lexbase.fr.
  14. Allow SourceIP override if new authentication information is sent into EZproxy for someone who already has an existing session.
  15. Correct issue with long URLs and CGI authentication redirection on Solaris 10 x86.
  16. Correct order of operations for expression ternary (?:) operator to raise its precedence, allowing expressions like this to evaluate correctly:

    Set session:uid = auth:pg ne "" ? auth:pg : auth:pb

  17. Revise CAS server to obey the login gateway parameter behavior defined in http://www.ja-sig.org/products/cas/overview/protocol/index.html.
  18. When using the Shibboleth Discovery Service in previous versions of EZproxy, only Shibboleth 2.0 IdPs could be accessed. This release now supports both Shibboleth 1.3 and Shibboleth 2.0 IdPs.
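The RedirectSafe matching rule from item 2 above (exact hostname, or hostname ending in "." plus the entry), as an added example that is not part of the original release note and is not EZproxy's own code. The RedirectSafe and proxied host lists are constructed samples; the point it demonstrates is that the suffix test must include the leading dot and that the hostname has to come from a real URL parse, so that notcnn.com, cnn.com.evil.example and http://cnn.com@evil.example/ are not treated as safe.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (not from a real config.txt):
# RedirectSafe entries and hosts that EZproxy is configured to proxy.
REDIRECT_SAFE_HOSTS = ["cnn.com", "nytimes.com"]
PROXIED_HOSTS = ["somedb.com"]


def host_matches(hostname: str, entries) -> bool:
    """True when hostname equals an entry or ends with '.' + entry.

    This is the RedirectSafe rule from the release note: cnn.com and
    www.cnn.com match the entry cnn.com, but notcnn.com does not, because
    the suffix test includes the leading dot. Matching is case-insensitive
    and a trailing dot on the hostname is ignored.
    """
    host = hostname.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower().strip().rstrip(".")
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False


def classify_starting_point(url: str, redirect_safe=REDIRECT_SAFE_HOSTS,
                            proxied=PROXIED_HOSTS) -> str:
    """Decide how the destination of a starting point URL is handled.

    Returns 'proxy' when the host is one EZproxy proxies, 'redirect' when
    it is RedirectSafe and not proxied, and 'refuse' otherwise (the user
    would get the unknown-hostname message rather than a redirect).
    The hostname is taken from a real URL parse so that userinfo tricks
    such as http://cnn.com@evil.example/ are judged by evil.example.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return "refuse"
    if host_matches(parts.hostname, proxied):
        return "proxy"
    if host_matches(parts.hostname, redirect_safe):
        return "redirect"
    return "refuse"


def demo():
    """Run the classifier over constructed sample starting point URLs."""
    samples = [
        "http://www.cnn.com/2009/story.html",
        "https://NYTIMES.COM/",
        "http://notcnn.com/",
        "http://cnn.com.evil.example/",
        "http://cnn.com@evil.example/",
        "http://www.somedb.com/search",
        "javascript:void(0)",
    ]
    return {u: classify_starting_point(u) for u in samples}


if __name__ == "__main__":
    for url, decision in demo().items():
        print(f"{decision:8s} {url}")
```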

2008-09-22

EZproxy 5.1b contains the following changes:

  1. Correct an issue in EZproxy 5.1a that caused a fatal exception when using login banners (user.txt Banner directive), concurrent user limits (user.txt Limit directive), SciFinder Scholar client access feedback (config.txt SciFinder directive), and feedback when someone tries to access an https virtual server using http.
  2. Correct an issue with group mismatch when using CGI or Shibboleth authentication.
  3. Add options to view the EZproxy server Shibboleth metadata into Manage Shibboleth and Manage SSL (https) certificate.
  4. Allow "Option LoginReplaceGroups" to work with Shibboleth. To enable this, edit config.txt and add:

    Option LoginReplaceGroups

    and restart EZproxy. With this in place, if a user has already authenticated to EZproxy, but comes into EZproxy with a new Shibboleth assertion, the groups associated with the new assertion replace existing group membership instead of merging into existing group membership.

  5. Incorporate "Option BlockCountryChange" as an indicator that a session should not allow access if the country associated with the session changes. If this occurs, a BlockCountryChange audit event is also recorded.
  6. Change the Deny directive to also record a Login.Denied event which includes the name of the deny file in the Other column. Allow Deny -noaudit to suppress logging of the audit event. Allow Audit -expr to log an arbitrary audit event based on an expression's value.
  7. Add ActiveGroupMember, NoActiveGroups, and ActiveSession as expression functions.
  8. Allow access to environment variables in expressions through the env: namespace.
  9. Allow expressions to be evaluated for inclusion in log files using the syntax %{expression}e within a LogFormat or LogSPU directive.
  10. Correct an error in the version text displayed by the "ezproxy -v" command and in the Administration page.

2008-08-25

EZproxy 5.1a contains the following changes:

  1. The files ezproxy.cfg, ezproxy.msg, and ezproxy.usr have been renamed to config.txt, messages.txt, and user.txt. See New Filenames for important details on this change.
  2. Add support for Shibboleth 1.3/2.0.
  3. Add support for Expressions that can be used to make advanced authentication and authorization decisions, add conditional text to pages produced by EZproxy, and record additional variant text to EZproxy log files.
  4. Allow EZproxy to act as a CAS Server. (As of July 2010, OCLC will no longer support this functionality)
  5. Update Gartner authentication to a newer method that is simpler to configure.
  6. Add a "/time" URL to EZproxy to allow the viewing of the server time based on the server's timezone and on UTC, to simplify diagnosing problems that can be triggered by inaccurate time, including EZproxy/NetLibrary SSO integration, Gartner authentication, Shibboleth authentication, and ticket authentication.
  7. Correct two EZproxy/NetLibrary SSO issues: one that caused a problem when initial login is deferred using ExcludeIP and another that occurred if a user started access to EZproxy by AutoLoginIP and then later tried to access NetLibrary content.
  8. Correct an incompatibility using SIP authentication against a VTLS SIP server.
  9. In SSL Certificate Management, add options to import an existing certificate and to view the PEM version of certificates.
  10. Correct an issue that prevented the permission indicators from appearing when accessing MetaPress and SpringerLink journals.
  11. Correct an issue that prevented Siku Quanshu from being proxied correctly.
  12. Correct an issue when performing POP authentication against the SurgeMail POP server.

2008-04-10

EZproxy 5.0c contains corrections to errors that:

  1. Led to high processor utilization.
  2. Prevented SciFinder access from working properly.
  3. Caused EZproxy to report a critical error and restart when certain unusual URL formats were employed.

2008-04-02

EZproxy 5.0b contains a correction for an issue that resulted in high processor utilization.

2008-03-31

EZproxy 5.0a includes the ability to:

  1. View enhanced audit details that incorporate the location associated with the source IP address. See Location to enable location data and Audit for information on how to enable auditing.
  2. Search across audit data to identify suspicious activity, including options to search based on location. See Location to enable location data and Audit for information on how to enable auditing.
  3. Alter user access based on location, including the ability to block access or require additional information for access. See IfCity, IfCountry, and IfRegion in Common Conditions and Actions.
  4. View a summary of database conflicts to identify and correct configuration issues. Access this feature from the EZproxy Administration page.
  5. Develop advanced user authentication and authorization configurations using a new administration page. Access this feature from the EZproxy Administration page.
  6. Redirect users who are being denied access to pages on other web servers. See Deny -URL.
  7. Authenticate against Insignia, L4U, and TLC library systems.
  8. Manipulate incoming URLs to reformat them for use by EZproxy or to redirect users to edited URLs. See SPUEdit.
  9. Route users to databases using referring URL authentication instead of IP authentication. See Referer.
  10. Detect when remote web servers have become unavailable and minimize network attempts to such servers until they become available again.
  11. Allow sending the real username to OverDrive instead of a user token by adding -NoTokens to the OverDriveSite directive.
  12. Permit a user to be granted access just to the manage token page without having access to other administrative functions by assigning the user to the Admin.Token group.
  13. Support the use of tokens across high availability configurations.
  14. Correct an error introduced in EZproxy 4.0f when using NCIP authentication without specifying specific authentication input fields.
  15. Enable access to Gartner reports using Gartner's proprietary encryption method. See Gartner.
  16. Enable proxied access to SciFinder Scholar. See SciFinder.
  17. Apply variable find/replace rules to simplify automating access for select databases that use username/password authentication. See Find.

2007-07-11

EZproxy 4.0h contains the following changes:

  1. Introduce the ability to perform user authentication against a SirsiDynix Horizon Information Portal 3.x server. See Horizon Information Portal 3.x Authentication for details.
  2. Add support for NetLibrary URL API integration, allowing NetLibrary accounts to be replaced by single sign-on integration with EZproxy accounts. Please note that this functionality is not currently compatible with high-availability configurations. Contact OCLC support for configuration assistance with this new option.
  3. Correct an error that intermittently prevented IntruderIPAttempts data from being preserved across EZproxy restarts.
  4. Correct issue that prevented LDAP TestWithUser and Test -Wild from working correctly.
  5. Correct issue that prevented username from being reflected correctly when a user first accessed by AutoLoginIP and later authenticated through Shibboleth.
  6. Correct issue that prevented proper operation with a mixture of CAS authentication, high availability, and ExcludeIP.
  7. Correct a problem when intermixing groups, AutoLoginIP directives, and Shibboleth authentication.
  8. Incorporate a slight change for Follett authentication.
  9. In ezproxy.usr, added new IfQueryStringPass to test if the password was provided in the query string, making it possible to block when someone decides to submit their password in this manner instead of through the login form POST method. Sample use:

    ::Common
    IfQueryStringPass; Deny loginbu.htm
    /Common

    This logic should appear as the first part of ezproxy.usr. As shown above, EZproxy will immediately send loginbu.htm, which is the normal behavior if a username/password is provided incorrectly. If you prefer, you can use a different file for Deny to provide the user with feedback indicating that this is not permitted.

2007-03-12

EZproxy 4.0g contains the following changes:

  1. Slight change to correct a problem encountered by some sites when proxying InfoTrac products. A sample problem included long hit lists being truncated.
  2. Add ezproxy.cfg "Option DisableSSL40bit" to direct EZproxy not to negotiate https connections with 40-bit keys.
  3. Change behavior when handling Location redirects with relative URLs that begin with a ? to enable select Newsbank links to work correctly, particularly extended links from Serials Solutions.
  4. Correct an issue that prevented group memberships for groups containing spaces from being restored correctly during a restart.
  5. Add a new Timeout directive for LDAP authentication to specify the maximum amount of time in seconds that EZproxy should wait for an LDAP server to respond before giving up. Sample use:

    ::LDAP
    BindUser CN=ezproxy,CN=users,DC=yourlib,DC=org
    BindPassword verysecret
    Timeout 10
    URL ldap://ldapserv.yourlib.org/CN=users,DC=yourlib,DC=org?sAMAccountName?sub?(objectClass=person)
    IfUnauthenticated; Stop
    /LDAP

    Timeout may appear anywhere after ::LDAP but before URL.

  6. Add new ezproxy.cfg "Option ForceHttpsAdmin" which forces all access to EZproxy administration pages to occur through an https connection.
  7. Add a new -ActiveIP qualifier for the AnonymousURL directive that specifies that the user may access a URL matching the AnonymousURL directive only if that user is also currently accessing from an IP address associated with an authenticated user. Sample use:

    AnonymousURL -ActiveIP +http://www.somedb.com/*

    Such access may fail if a user is accessing through a network that uses multiple proxy servers such as AOL.

  8. Destination URLs in starting point URLs that are authorized through an AnonymousURL directive now provide immediate access. In previous versions of EZproxy, such URLs had to appear in rewritten form to work. For example:

    AnonymousURL -RE +http://www.somedb.com/[^?]+\.rss
    Title Some Database
    URL http://www.somedb.com/
    Domain somedb.com

    would only have allowed a rewritten URL such as http://www.somedb.com.ezproxy.yourlib.org/feed.rss to be used by an RSS aggregator whereas this new version would also allow access if requested by http://ezproxy.yourlib.org/login?url=http://www.somedb.com/feed.rss

  9. Adds Follett library system authentication. A sample entry for ezproxy.usr is:

    ::Follett
    URL http://fsc.yourlib.org
    /Follett
  10. Adds Sagebrush InfoCentre library system authentication. A sample entry for ezproxy.usr is:

    ::Sagebrush
    URL http://sagebrush.yourlib.org
    /Sagebrush

2006-12-10

EZproxy 4.0f contains the following changes:

  1. Correct an issue in EZproxy 3.6i through 4.0e that can cause EZproxy to restart if it receives a particular URL from an IP address within an ExcludeIP address range. Sites running one of these versions of EZproxy that do not use the "/limited" directory can add:

    IncludeIP 0.0.0.0-255.255.255.255

    as the last line of ezproxy.cfg to avoid this possibility. Sites using EZproxy 3.6i through 4.0e that use the "/limited" directory are encouraged to update to EZproxy 4.0f.

  2. Correct an issue that could cause the Solaris versions of EZproxy to restart under heavy load.
  3. Add the ability to generate SHA512 hashes of passwords for use in ezproxy.usr. Sample use from a command prompt or shell to generate a SHA512 hash:

    ezproxy SHA512 testing
    $021NGKBG$FTRoPxyZ1S2O2bJ5qRtlXcI/tKPXZRoaQojBFZKWOif0g5Fionk07Bo13fN2+a/kmL8w80VumtcA2m1ENEiT2A

    Sample use in ezproxy.usr for this password:

    someuser::SHA512=$021NGKBG$FTRoPxyZ1S2O2bJ5qRtlXcI/tKPXZRoaQojBFZKWOif0g5Fionk07Bo13fN2+a/kmL8w80VumtcA2m1ENEiT2A

  4. The Shibboleth metadata used by ShibbolethSites may now be in either Shibboleth 1.2 or 1.3 format.
  5. NCIP authentication now allows the specification of which values should be sent to the NCIP server. Sample use:
    ::NCIP
    AuthenticationInput user Barcode Id
    AuthenticationInput pass PIN
    Server ncip.yourlib.org
    /NCIP

    You can specify any number of AuthenticationInput directives. The first argument can be user, pass, or pin and specifies that the login form field user, pass, or pin should be used. The balance of the directive is the NCIP authentication input field and will most commonly be one of Barcode Id, PIN, Password, or User Id. In the absence of any AuthenticationInput directives, the user field is sent as Barcode Id and the pass field is sent as PIN.

  6. The Cookie directive for pre-loading cookie values into a session is now affected by Group directives, allowing different values to be pre-loaded based on group membership. Sample use:

    Group Legal
    Cookie somecookie=legal; domain=.somedb.com
    Group Medical
    Cookie somecookie=medical; domain=.somedb.com

    Group Legal+Medical
    Title Some Database
    URL http://www.somedb.com
    Domain somedb.com

    In this example, if a user is a member of the Legal group, the cookie somecookie is pre-loaded with the value of legal, whereas if the user is a member of the Medical group, the cookie somecookie is pre-loaded with the value of medical. If the user is a member of both groups, the first Cookie directive that matches takes precedence, so the cookie somecookie would have the value legal in this scenario.

2006-10-27

EZproxy 4.0e contains the following changes:

  1. The Athens-enabled versions of EZproxy have been released.
  2. Added Solaris 10 (x86) as an officially supported platform. At this time, Athens does not support this platform, so there is no Athens-enabled version of EZproxy for this platform.
  3. Allow a certificate to be associated with database definitions to allow client authentication to remote databases. SSLCert with a certificate number should appear before the Title line of the first database definition that should be affected, and SSLCert without a certificate number should appear before the Title line of the first database definition where the certificate should no longer be sent. The certificate number can be found on the SSL administration page. Sample use:

    SSLCert 5
    Title Some Database that will receive the certificate
    URL http://www.somedb.com
    Domain somedb.com

    SSLCert
    Title Other Database that will not receive certificate
    URL http://www.otherdb.com/
    Domain otherdb.com

    See Importing a PEM-formatted Certificate into EZproxy for information on how to import a certificate into EZproxy.

  4. Extend IntruderIPAttempts to allow different limits based on source IP address. Sample use:

    IntruderIPAttempts -IP=10.0.0.0-10.255.255.255 -Interval=5 -Expires=1 50
    IntruderIPAttempts -Interval=5 -Expires=15 20

    In this example, users accessing from a 10.* address will be given 50 attempts in a 5-minute window and will be allowed to try again after 1 minute of being locked out, whereas all other IP addresses are given 20 tries within a 5-minute window and are then locked out for 15 minutes.
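A model of the lockout rules just described, added here as an illustration and not EZproxy's own code: the first matching IntruderIPAttempts directive decides the limit, failures inside the interval are counted, and a locked address is released after -Expires minutes. Time is passed in as a minute counter, the defaults for omitted options are assumptions, and the two directive lines are constructed from the example above.

```python
import ipaddress
from collections import defaultdict, deque


def _parse_range(spec):
    """'10.0.0.0-10.255.255.255' -> (low, high) as integers; a bare address is a one-address range."""
    low, _, high = spec.partition("-")
    return int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high or low))


class IntruderRule:
    """One 'IntruderIPAttempts [-IP=range] [-Interval=min] [-Expires=min] attempts' line."""

    def __init__(self, line):
        parts = line.split()
        if parts[0] != "IntruderIPAttempts":
            raise ValueError("not an IntruderIPAttempts line: %r" % line)
        self.ip_range = None      # None: the rule applies to every source address
        self.interval = 5         # assumed defaults for this model, in minutes
        self.expires = 15
        for opt in parts[1:-1]:
            key, _, val = opt.partition("=")
            key = key.lower()
            if key == "-ip":
                self.ip_range = _parse_range(val)
            elif key == "-interval":
                self.interval = int(val)
            elif key == "-expires":
                self.expires = int(val)
        self.attempts = int(parts[-1])

    def matches(self, ip):
        if self.ip_range is None:
            return True
        low, high = self.ip_range
        return low <= int(ipaddress.ip_address(ip)) <= high


class IntruderTracker:
    """Tracks failed logins per source IP and applies the first matching rule."""

    def __init__(self, cfg_lines):
        self.rules = [IntruderRule(l) for l in cfg_lines
                      if l.strip().startswith("IntruderIPAttempts")]
        self.failures = defaultdict(deque)   # ip -> minute stamps of recent failures
        self.locked_until = {}               # ip -> minute at which the lockout ends

    def rule_for(self, ip):
        # Directive order decides: list the specific 10.* rule before the catch-all
        for rule in self.rules:
            if rule.matches(ip):
                return rule
        return None

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lockout expired: the address may try again
            del self.locked_until[ip]
            self.failures[ip].clear()
            return False
        return True

    def record_failure(self, ip, now):
        """Record a failed login at minute `now`; return True if ip is locked out afterwards."""
        rule = self.rule_for(ip)
        if rule is None:
            return False
        if self.is_locked(ip, now):
            return True
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] >= rule.interval:   # drop failures outside the window
            window.popleft()
        if len(window) >= rule.attempts:
            self.locked_until[ip] = now + rule.expires
            return True
        return False


# Constructed from the two directives quoted above
SAMPLE_CFG = [
    "IntruderIPAttempts -IP=10.0.0.0-10.255.255.255 -Interval=5 -Expires=1 50",
    "IntruderIPAttempts -Interval=5 -Expires=15 20",
]
```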

  5. Extend RADIUS authentication to allow the NAS port type and NAS port to be specified. To add the NAS port type, include a semi-colon (;) after the RADIUS server name (and UDP port) and then either the keyword virtual to specify the virtual port type or a numeric code for the port type as defined in the RADIUS RFC. To add the NAS port, include a semi-colon (;) after the NAS port type and include the port number. If you want to specify only a NAS port but not a port type, use two semi-colons (;) after the RADIUS server.

    Sample use:

    # Virtual port type, no NAS port specified
    ::RADIUS=radserv.yourlib.org;virtual,Secret=shhhh
    # Virtual port type, NAS port 1
    ::RADIUS=radserv.yourlib.org:1645;virtual;1,Secret=shhhh
    # No port type specified, NAS port 1
    ::RADIUS=radserv.yourlib.org:1812;;1,Secret=shhhh

    Note that the :1645 and :1812 in these examples demonstrate including the UDP port for communication with the RADIUS server, which is completely different from the NAS port.

  6. By default, ExcludeIPBanner only causes the banner to be sent once during a browser session. This behavior can now be modified to direct EZproxy to send the banner every time an exclude URL is accessed by adding the -Always option. Sample use:

    ExcludeIPBanner -Always policy.html
  7. Corrects an issue when "URL -RewriteHost" and AutoLoginIP are combined.
  8. Corrects an issue that prevented EZproxy 4.0 for Linux from authenticating with ldaps.

2006-09-12

EZproxy 4.0d contains the following change:

  1. Correct an issue introduced in EZproxy 4.0c that prevented ::External from working unless a Valid=value was included.

2006-09-10

EZproxy 4.0c contains the following changes:

  1. Corrects an error that prevented large POST requests over https connections from forwarding all data correctly.
  2. By default, when EZproxy performs external authentication, it looks for the "valid" string in both the header and body of the response from the remote web server. Starting with this release, the valid string can be prefixed with header: or body: to specify that EZproxy should only look in the header or the body. Sample use:

    ::External=http://www.yourlib.org/ezproxy.cgi,Post=user=^u&pass=^p,Valid=body:OK
  3. Contains a security update for a small number of institutions. The affected institutions have been contacted directly.

2006-08-18

EZproxy 4.0b contains the following changes:

  1. Correct an issue introduced in EZproxy 3.8a that affects the ability to download binary content including the ebrary reader plug-in, Word documents, and RTF documents.
  2. Correct an issue with passwords generated by "ezproxy obscure" and used by "BindPassword -obscure". Passwords generated in EZproxy 3.8a through EZproxy 4.0a will have to be regenerated.
  3. Add support for EZproxy to transfer user authentication information to other systems for single sign-on. Sample ezproxy.cfg entry:

    SSO -Secret=abcdefghijklmnopqrstuvw -URL=http://www.yourlib.org/sso.php abc

    Example PHP scripts are available at phpsso.tar and example Perl scripts are available at perlsso.tar.

  4. Correct an issue when using MetaFind in a high availability configuration with Factiva.
  5. Add new PDFRefreshPre and PDFRefreshPost directives to alter the text that appears before and after the link that is generated when a starting point URL refers to a PDF document. Sample use with the default values is:

    PDFRefreshPre To access this document, wait a moment or click <a href="
    PDFRefreshPost ">here to continue

    To make the link appear only in browsers that have JavaScript disabled, use:

    PDFRefreshPre <noscript>To access this document, wait a moment or click <a href="
    PDFRefreshPost ">here</a> to continue</noscript>
  6. Correct a flaw that caused inaccurate warnings to be logged to ezproxy.msg for DRAWeb2's System and Type conditions, III's PartialNameMatch action and Test condition, and Ticket's MD5 and SHA1 actions.
  7. Add new common condition "IfPassword wildpass" to test the value of the supplied password. Can be used as "IfPassword;" to test to see if the user did not provide any password.

2006-08-02

EZproxy 4.0a contains the following changes:

  1. Unify and extend the common conditions and actions used by Athens, CAS, DRAWeb2, III, LDAP, NCIP, ODBC, Shibboleth, SIP, and Ticket. This requires slight changes to existing ezproxy.usr for DRAWeb2, III, LDAP, and Ticket configurations.
  2. A version of EZproxy that is Athens-enabled is available for beta testing. For more information, send an email message to ezproxy@oclc.org.
  3. Add AutoLoginIPBanner and ExcludeIPBanner to augment the ezproxy.usr directive ::Banner and the common action Banner.
  4. Add support for EZproxy to perform user authentication by testing a username and password against a URL that is protected by "HTTP basic" authentication. Sample use is:

    ::HTTPBasic=http://www.yourlib.org/secure/index.html

    In this example, http://www.yourlib.org/secure/index.html should be a URL that normally sends a "401 authentication required" response, triggering a user's browser to display a username/password dialog box. If you provide a URL that does not require authentication, EZproxy will allow the use of any username and password, so this should be used with great care.
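The check a practitioner wants before pointing ::HTTPBasic at a URL, added here as an example and not part of EZproxy: confirm that an anonymous request really receives a 401 with a Basic challenge, since a URL that answers 200 would make EZproxy accept any username and password. The local server used to exercise the check is constructed for this demonstration; the real EZproxy server would be given your own protected URL.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def httpbasic_url_is_protected(url, timeout=5):
    """True only if an unauthenticated GET is refused with 401 and a Basic challenge."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout):
            return False          # answered without credentials: any login would succeed
    except urllib.error.HTTPError as err:
        challenge = err.headers.get("WWW-Authenticate", "")
        return err.code == 401 and challenge.lower().startswith("basic")


class _Handler(BaseHTTPRequestHandler):
    """Constructed test server: /secure/ challenges for credentials, /open/ does not."""

    def do_GET(self):
        if self.path.startswith("/secure/"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="library"')
            self.end_headers()
        else:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"public page\n")

    def log_message(self, *args):   # keep the demonstration quiet
        pass


def start_test_server():
    """Start the constructed server on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    server, base = start_test_server()
    try:
        print("secure:", httpbasic_url_is_protected(base + "/secure/index.html"))  # True
        print("open:  ", httpbasic_url_is_protected(base + "/open/index.html"))    # False
    finally:
        server.shutdown()
```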

  5. The "URL -form=(get|post) name url" form of database definition has been extended.

    1. The same name can now appear multiple times in ezproxy.cfg with different groups used to protect different versions. This allows the use of different destination URLs and different FormVariables based on user group membership. In this configuration, EZproxy will always use the first database definition in ezproxy.cfg that matches the remote user's group membership.
    2. In FormVariable, you can include ^0 through ^9 in the values to direct EZproxy to substitute values from "UsrVar" variables that are set during user authorization. You can also use ^I to include the remote user's source IP address.
    3. In FormVariable, if you specify a variable name but do not include an equal sign, this directs EZproxy to allow the user to specify a value in the URL that should be included when accessing the remote site. For instance:

      Title Some Database
      URL -form=get somedb http://www.somedb.com/search.cgi
      FormVariable index=author
      FormVariable term

      allows the use of an EZproxy URL such as:

      http://ezproxy.yourlib.org/login/somedb?term=Twain

      to specify that EZproxy should take the value Twain and pass it on as the value of the term variable, resulting in a destination URL of:

      http://www.somedb.com/search.cgi?index=author&term=Twain
    4. "Option GroupInReferer" directs EZproxy to include the group that authorized access to a database definition in the referring URL. This option should appear before the Title line of the database and may be later reversed with "Option NoGroupInReferer". For example, if a user in group Default accessed:

      Option GroupInReferer

      Title Some Database
      URL -form=get somedb http://www.somedb.com/

      the referring URL would be similar to:

      http://ezproxy.yourlib.org/login/2/Default/somedb
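A model of the "URL -form" resolution described in points 2 and 3 above, added as an illustration and not EZproxy's own code: fixed FormVariable values have ^0-^9 and ^I expanded, while only variables declared without an equal sign may be filled from the starting point URL's query string. The stanza is the one quoted above; treating undeclared query parameters as ignored is an assumption of this model.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


def parse_form_database(cfg_text):
    """Read a 'Title / URL -form=... / FormVariable' stanza into a dict."""
    db = {"title": None, "method": None, "name": None, "url": None,
          "fixed": [], "user": []}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, rest = line.partition(" ")
        if directive == "Title":
            db["title"] = rest
        elif directive == "URL":
            form, name, url = rest.split(None, 2)      # "-form=get somedb http://..."
            db["method"] = form.split("=", 1)[1].lower()
            db["name"], db["url"] = name, url
        elif directive == "FormVariable":
            name, eq, value = rest.partition("=")
            if eq:
                db["fixed"].append((name, value))    # value fixed by the administrator
            else:
                db["user"].append(name)              # value may be supplied in the login URL
    return db


def expand(value, usrvars, source_ip):
    """Replace ^0..^9 with UsrVar values and ^I with the user's source IP address."""
    out, i = [], 0
    while i < len(value):
        nxt = value[i + 1] if value[i] == "^" and i + 1 < len(value) else None
        if nxt is not None and nxt.isdigit():
            out.append(usrvars.get(int(nxt), ""))
            i += 2
        elif nxt == "I":
            out.append(source_ip)
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def destination(db, login_url, usrvars=None, source_ip="0.0.0.0"):
    """Return (url, post_body) for a starting point URL such as /login/somedb?term=Twain."""
    usrvars = usrvars or {}
    parts = urlsplit(login_url)
    if parts.path.rstrip("/").rsplit("/", 1)[-1] != db["name"]:
        raise ValueError("starting point URL is not for database %r" % db["name"])
    supplied = parse_qs(parts.query)
    params = [(n, expand(v, usrvars, source_ip)) for n, v in db["fixed"]]
    # Only variables declared without '=' can be set from the query string; anything
    # else the user appends (e.g. a second 'index=') is ignored (model assumption).
    for name in db["user"]:
        if name in supplied:
            params.append((name, supplied[name][0]))
    body = urlencode(params)
    if db["method"] == "get":
        return db["url"] + "?" + body, None
    return db["url"], body        # for -form=post the variables travel in the request body


# Constructed from the stanza quoted above
SOMEDB_CFG = """
Title Some Database
URL -form=get somedb http://www.somedb.com/search.cgi
FormVariable index=author
FormVariable term
"""
```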
  6. Removed requirement that an SSL certificate be active before EZproxy can connect to SSL-based authentication servers to verify usernames and passwords. For example, in previous versions of EZproxy, you could not use external authentication to an https URL unless EZproxy had been configured with an SSL certificate. However, as before, all SSL functions are disabled if no EZproxy license is installed, and if you want to proxy access to https web sites, you will still need to configure SSL.
  7. Add "Option RecordPeaks" to direct EZproxy to record the peak values reached for active sessions, concurrent transfers, and virtual hosts to ezproxy.msg. EZproxy records values for active sessions and virtual hosts at startup, then records additional entries as new peaks are reached. Peak values are checked once a minute to determine if new values should be recorded.
  8. Add ezproxy.usr IfAfter and IfBefore to test if the current date is after and/or before a date specified in YYYY-MM-DD format. The date may be followed by a semi-colon and the name of a file to send to the user if access is attempted outside the specified date. Sample use:
    # user1 may access starting January 1st, 2006 or later
    user1:pass1:IfAfter=2006-01-01
    # user2 may access up to July 1, 2007, but not on or after
    user2:pass2:IfBefore=2007-07-01
    # user3 may access starting January 1st, 2006 and up to
    # but not including August 1, 2006
    user3:pass3:IfAfter=2006-07-01,IfBefore=2006-08-01
  9. Allow authentication based on a username provided in a request header, such as would occur when using SiteMinder in front of EZproxy. Sample use in ezproxy.usr is:

    ::HeaderUser=SM-User
  10. Change that may affect the network connectivity test when used with certain firewalls.
  11. Add support for Siku Quanshu. The Siku Quanshu database should be defined like this:

    Option UTF16
    Title Siku Quanshu
    URL http://skqs.yourlib.org
    DJ skqs.yourlib.org
    Option NoUTF16

    replacing skqs.yourlib.org with the name of your Siku Quanshu server.

  12. Enhanced the AnonymousURL directive to support regular expressions.

2006-07-07

EZproxy 3.8a contains the following changes:

  1. Add support required for the EZproxy/Blackboard Building Block to work with Blackboard 7.1.
  2. You can specify the source IP address to use when connecting to remote web servers on a user-by-user basis through ezproxy.usr. Sample usage:

    ::SourceIP=24.249.162.194
    jdoe:secret
    ::File=users194.txt
    ::SourceIP=24.249.162.195
    ::File=users195.txt

    In the above example, user jdoe and all the users in users194.txt would use 24.249.162.194 as the source IP for requests, but users from users195.txt would use 24.249.162.195.

    The Interface directive can be used to assign specific source IP addresses for databases. An explicit Interface assignment in ezproxy.cfg takes priority over ::SourceIP. If you need to use Interface to modify LoginPort directives, you can use "Interface Any" before the first Title directive to insure that SourceIP will still function.

  3. Allow the "/form" URL to accept auth=, such as (one or more line breaks were added in this example for display purposes; an example without added line breaks is available):
    http://ezproxy.yourlib.org:2048/form?auth=opac&qurl=
    http%3a%2f%2fscholar.google.com%2fscholar
    See also Creating Public Forms to Proxied Resources.
  4. Correct issue that prevented EZproxy from being able to untangle starting point URLs written in the form:
    http://ezproxy.yourlib.org/login?url=http://www.somedb.com.ezproxy.yourlib.org
  5. Add IfURL condition to ezproxy.usr, allowing constructions such as:
    ::IfURL=http://www.yourlib.org/*,DocsCustom=yourlib
    to allow custom pages to be triggered based on the destination of a starting point URL. IfURL is a general condition that can be combined with other ezproxy.usr directives.
  6. Add an ezproxy.usr option to associate a directory to users to allow custom versions of the files in the docs directory to be sent to remote users. For example, you can use the Auth test to associate incoming users to different files during login, such as:

    ::Auth=branch1,DocsCustom=dir1
    ::Auth=branch1,File=branch1.usr
    ::Auth=branch2,DocsCustom=dir2
    ::Auth=branch2,File=branch2.usr

    to indicate that if EZproxy sees Auth=branch1 in an incoming login URL, it should look for files such as login.htm in the docs/custom/dir1 directory first, and if it does not find a copy of the file, then it should look in docs. If the user logs in successfully, the DocsCustom is transferred to the user session, allowing EZproxy to continue to look for custom versions of files such as menu.htm and error messages.

  7. Add ezproxy.usr condition IfLanguage to allow variant behavior based on the Accept-Language header from the remote user's browser.
  8. The obscure feature has a flaw that prevents it from working consistently. This is corrected in EZproxy 4.0b. Using this feature in versions prior to 4.0b is not recommended.

    Add the ability to obscure the password used for BindPassword. To create the obscured version of a password, invoke EZproxy with obscure and the password, such as:

    ezproxy obscure somepassword

    In ezproxy.usr, insert the obscured value into the LDAP configuration like this:

    BindPassword -Obscure MVpJRjDh6AhGYy72LMGYKnoAL06r

    Obscured passwords are case-sensitive, so copy the value exactly as it appears from the ezproxy obscure command.

  9. Change the administrative Decrypt Tokens option to Manage Tokens, including the ability to translate EZproxy usernames into their corresponding token values instead of only being able to decrypt token values back to EZproxy usernames.
  10. Correct an issue with IntruderIPAttempts -Reject

2006-06-18

EZproxy 3.6i contains the following changes:

  1. In prior versions of EZproxy, if a user entered EZproxy through a ticket URL, the user would be proxied even if the user's source IP address was within an ExcludeIP range. Starting with 3.6i, such a user is redirected to the real URL, giving priority to the ExcludeIP behavior. If the previous behavior is required, add the following line anywhere in ezproxy.cfg:
    Option TicketIgnoreExcludeIP
  2. Add support for the HTTP SOAPAction header.
  3. Add "IP" as a condition that can be tested in CAS, NCIP, ODBC, and Shibboleth (in ezproxy.usr for the first three and shib.usr for the last). IP accepts one or more ranges and tests true if the remote user is accessing from one of the addresses. Sample use:

    IP 192.168.0.0-192.168.1.255:192.168.5.0-192.168.5.255; Group +Medical

    In this example, if the user is accessing from an address that starts 192.168.0, 192.168.1, or 192.168.5, the user is also added into the Medical group.

    You can place "Not " in front of IP to check that the user is not accessing from one of the addresses, such as:

    Not IP 192.168.0.0-192.168.1.255; Group +Remote
  4. In some instances where a starting point URL pointed to a PDF document, the browser back button was disabled. This version contains an alternate approach to handling these links to help avoid this issue.
  5. Add ezproxy.cfg "Option DisableSSLv2" to direct EZproxy to disable any SSLv2 support. This option must appear before any LoginPortSSL directives.
  6. Add support for OverDrive external authentication.
  7. Correct issue that prevented unrecognized destination URLs from reporting status code 599 and %{ezproxy-spuaccess}i unknown when submitted under certain scenarios.
  8. Contains a change to support Factiva Search 2.0.
  9. Add application/rdf+xml and application/rss+xml as MIME types that EZproxy should rewrite.

2006-04-28

EZproxy 3.6h contains the following changes:

  1. Slight change in domain-based cookie handling that affected InfoTrac and NetLibrary in some instances.
  2. Correct cookie/daylight savings issue that was preventing public-record.com from working properly.
  3. Correct issue that prevents enforcement of group restrictions for special database configuration such as "URL -append", "URL -form" and "URL -redirect".
  4. Add ezproxy.cfg directive "SendBufferSize" to specify the maximum send buffer size to use when communicating with other systems. This directive is rarely required and should only be applied when recommended by OCLC.
  5. Add ezproxy.cfg directive "ReceiveBufferSize" to specify the maximum receive buffer size to use when communicating with other systems. This directive is rarely required and should only be applied when recommended by OCLC.
  6. Correct issue that caused the logging username to be corrupted in certain unusual circumstances.

2006-04-06

EZproxy 3.6g contains the following change:

  1. Corrects an error with auditing that can cause the Solaris version of EZproxy to restart and records "(null)" in the other field on Linux and Windows.

2006-04-02

EZproxy 3.6f contains the following changes:

  1. Withdrew Audit events Login.Success.Password and Login.Failure.Password due to potential conflicts they might pose to some sites during security reviews.
  2. Correct issue that prevented audit event Login.Success.Groups from working properly.
  3. Correct issue with URL -append -encoded.
  4. Allow a specific username other than auto to be associated with AutoLoginIP lines. Sample usage:
    AutoLoginIP -user=main 68.14.0.0-68.14.1.255
    AutoLoginIP -user=science 68.14.2.0-68.14.2.255
  5. When viewing audit events, add the option to have the audit page automatically refresh when viewing the current day's events.
  6. Corrects an issue that prevents the EZproxy login cookie from being set when using high availability configurations (HAName and HAPeer).
  7. Corrects cookie handling issue that prevented Lexis-Nexis HK from working correctly. Also introduces new "Option NoHttpsHyphens" and "Option HttpsHyphens" directives which can appear before and after a database definition to tell EZproxy not to change periods to hyphens for specific databases when using a wildcard certificate. Sample usage:

    Option NoHttpsHyphens
    Title LexisNexis Hong Kong
    URL http://www.lexisnexis.com/hk
    DJ lexis-nexis.com
    DJ lexisnexis.com
    DJ lexis.com
    DJ cispubs.com
    HJ web.lexis-nexis.com
    HJ web.lexisnexis.com
    HJ www.lexis-nexis.com
    HJ www.lexisnexis.com
    DJ lexisnexis.com.au
    DJ lexisnexis.com.hk
    Find GetCookie("LNAUTH")
    Replace "LNAUTH-IP"
    Find NAME="_PRIORREFERER" VALUE="http://
    Replace NAME="_PRIORREFERER" VALUE="http://^A
    Option HttpsHyphens
    # Databases from here on will have the normal change of
    # periods to hyphens in https hostnames
  8. Add "IgnorePassword" directive to LDAP. This option is appropriate when you have authenticated the user through another system and want to access LDAP solely to make authorization decisions, such as might occur when using Blackboard or CAS authentication. This option must appear before the URL line and should be used with great care. This sample demonstrates a configuration where you are using the EZproxy Blackboard Building Block for full integration of login, where you allow alumni to use Blackboard (so they are able to authenticate) but need to filter out alumni from accessing EZproxy; LDAP knows about the alumni status, but nothing is testable in Blackboard.

    *** ezproxy.usr ***

    ::Ticket,File=filter.usr
    SHA1 sharedsecret
    /Ticket

    *** filter.usr ***

    ::LDAP
    IgnorePassword
    URL ldap://ldapserv.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person)
    Test eduPersonAffiliation alum; Deny alum.html
    /LDAP

2006-03-20

EZproxy 3.6e contains the following changes:

  1. Correct issue that prevented unauthenticated users who tried to access the /admin EZproxy Administration page from an ExcludeIP (on-site) address from getting the chance to log in. The same issue also prevented the loggedin directory from requiring local users to log in under some circumstances.
  2. Correct issue that prevented Audit from recording usernames in some instances.

2006-03-17

EZproxy 3.6d contains the following changes:

  1. When using the Audit directive to record only specific events, additional unrequested events were also being audited.
  2. The CookieName directive did not work properly in EZproxy 3.6c.
  3. An error introduced in EZproxy 3.6c could prevent CAS and Shibboleth from working correctly.
  4. SIP was enhanced to allow access to additional patron information for making user authorization decisions.

2006-03-10

EZproxy 3.6c contains the following changes:

  1. Support for EBSCO's Visual Search.
  2. Added new auditing facility, enabled with ezproxy.cfg directive Audit such as:

    Audit Most

    to have most events audited. See Audit for detailed information on this directive.

  3. Correct issue with enforced UsageLimits where a remote user did not appear on the UsageLimit administration page as being locked out, and yet the user remained locked out until EZproxy was restarted.
  4. LoginPort and LoginPortSSL now accept a -Virtual qualifier to direct EZproxy to act as though it uses one set of ports when it is actually using another, simplifying the placement of EZproxy behind proxy servers and some network address translation servers. Sample usage:

    LoginPort -Virtual 80
    LoginPort 8080
    LoginPortSSL -Virtual 443
    LoginPortSSL 8443

    In this configuration, EZproxy will act as though it is using port 80 for http and port 443 for https, but will only listen for such requests on ports 8080 and 8443.

  5. Scripts that are called through the ::External method can now respond with:

    ezproxy_deny= somefile.htm
    This directs EZproxy to deny the user access and to look in the docs subdirectory for a file named somefile.htm which is sent to the remote user to specify why access is being denied.
  6. Added ability to specify different session lifetimes through ezproxy.usr, particularly to allow a shorter session lifetime for temporary sessions created by metasearch products. Sample use:
    ::Lifetime=5
    metauser:metapass
    ::Lifetime=0
    # The rest of ezproxy.usr ...
    In this example, any session created for "metauser" expires after 5 minutes, instead of the normal expiration which defaults to 120 minutes. The ::Lifetime=0 tells EZproxy to apply the system default to anyone who logs in with information that appears further on in ezproxy.usr.
  7. Resolved issue that prevented Factiva and ProQuest CINAHL from working with III MetaFind.
  8. Change ::CGI redirect to allow use of ^R to include a URL-safe reference to the destination URL, which can simplify the preservation of the destination URL as it is passed through a remote CGI script.
    cgiuser:cgipass:CGI=http://www.yourlib.org/ezproxy.cgi?url=^R
  9. Add ::Comment to ezproxy.usr to allow inclusion of arbitrary comments into Login.Success audit records. For example:
    ::Comment=Student FTP
    ::FTP=student.yourlib.org
    ::Comment=Employee FTP
    ::FTP=employee.yourlib.org
  10. Correct error in processing group restrictions to databases.
  11. Correct error in cookie handling that affected NetLibrary and could affect other databases as well.
  12. Correct error in Shibboleth that caused domain scoping of attributes to fail to be recognized correctly if Domain does not have a regexp attribute. Also extend the shib.usr MapUser directive to add the -AppendScope option, which directs EZproxy to append @ and the scope value to the end of the specified attribute when using it as the EZproxy username.
  13. Revision to Option SafariCookiePatch to avoid warning when using proxy by hostname and SSL without a wildcard certificate.
  14. Add new option to allow the username to be included with the htm files served from the docs subdirectory. To enable this, add:
    Option Username^N

    to ezproxy.cfg and restart. After that, you can insert ^N in the various .htm files to have EZproxy include the username of the logged in user when it sends the file. Given the privacy implications, this option should be used with care.

  15. Add AddUserHeader directive to have EZproxy include a header containing the current user's username when proxying to a database. Format:
    AddUserHeader -base64 headername
    The -base64 is an optional qualifier to indicate that the username should be encoded in base64.
    This directive is position-dependent, allowing its use to vary by database. For example:
    AddUserHeader X-User
    Title Some Database
    URL http://www.somedb.com
    Domain somedb.com
    AddUserHeader X-Username
    Title Other Database
    URL http://www.otherdb.com
    Domain otherdb.com

    Title Another Database
    URL http://www.anotherdb.com
    Domain anotherdb.com
    AddUserHeader
    Title Yet Another Database
    URL http://yanotherdb.com
    Domain yanotherdb.com
    In this example, Some Database receives the X-User header, Other Database and Another Database receive the X-Username header, and Yet Another Database does not receive any header at all.
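A model of position-dependent directives, added as an illustration and not EZproxy's own code, serving both the AddUserHeader example above and the SSLCert example in the 4.0e notes: a directive applies to every Title that follows it until it is changed or cleared by a bare occurrence. The stanza parsing and the user_header helper are assumptions of this model; the two configuration fragments are copied from the examples on this page.

```python
import base64


def parse_position_dependent(cfg_text):
    """Return one dict per Title stanza carrying the AddUserHeader/SSLCert state in force."""
    state = {"user_header": None, "base64": False, "sslcert": None}
    databases = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, rest = line.partition(" ")
        args = rest.split()
        if directive == "AddUserHeader":
            # A bare AddUserHeader clears the header for the databases that follow
            flags = [a for a in args if a.startswith("-")]
            names = [a for a in args if not a.startswith("-")]
            state["base64"] = any(f.lower() == "-base64" for f in flags)
            state["user_header"] = names[0] if names else None
        elif directive == "SSLCert":
            # A bare SSLCert stops sending the client certificate from here on
            state["sslcert"] = int(args[0]) if args else None
        elif directive == "Title":
            databases.append({"title": rest, "url": None, **state})
        elif directive == "URL" and databases:
            databases[-1]["url"] = rest
    return databases


def user_header(db, username):
    """(name, value) of the header this database would receive, or None if it gets none."""
    name = db["user_header"]
    if name is None:
        return None
    value = username
    if db["base64"]:
        value = base64.b64encode(username.encode("utf-8")).decode("ascii")
    return name, value


# Constructed from the AddUserHeader example above
ADDUSERHEADER_CFG = """
AddUserHeader X-User
Title Some Database
URL http://www.somedb.com
Domain somedb.com
AddUserHeader X-Username
Title Other Database
URL http://www.otherdb.com
Domain otherdb.com

Title Another Database
URL http://www.anotherdb.com
Domain anotherdb.com
AddUserHeader
Title Yet Another Database
URL http://yanotherdb.com
Domain yanotherdb.com
"""

# Constructed from the SSLCert example in the 4.0e notes
SSLCERT_CFG = """
SSLCert 5
Title Some Database that will receive the certificate
URL http://www.somedb.com
Domain somedb.com

SSLCert
Title Other Database that will not receive certificate
URL http://www.otherdb.com/
Domain otherdb.com
"""
```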
  16. Change Linux/Solaris -si to include a symbolic link in the rc2.d directory to insure automatic startup for Debian.
  17. Slight adjustments to the method in which StartMuseCookie and StartMuseRefer are processed for MetaFind.
  18. Bug corrected that prevented www.sourceoecd.org from being proxied correctly.
  19. Several of the system administration pages now include options to sort their contents by column headings.
  20. Change SIP support to add the option NoPatronPassword. This option can be used when no patron password is to be used as part of testing, and when included must appear before the SIP line. When this option is enabled, EZproxy cannot distinguish valid users from invalid users without an additional test. The recommended test to combine with this option is "Test 0 Y; Unknown" which checks SIP status position 0, the charging privilege denied field, for a value of Y, in which case the user is considered to be unknown.

    Sample usage:

    ::SIP
    Host sip.yourlib.org:1234
    NoPatronPassword
    SIP
    Test 0 Y; Unknown
    /SIP
  21. Corrected incompatibility with Jane's Sentinel Security Assessments.
  22. Alter Ticket authentication to allow users to be designated as EZproxy administrators by specifying the new Admin directive. Sample usage:
    ::Ticket
    MD5 verysecret
    User someuser; Admin
    /Ticket

    In this example, if the username provided is someuser, then EZproxy will grant the user administrative access.
  23. Corrected issue when more than one ShibbolethSites statement appears in ezproxy.cfg.
  24. Extends ODBC support to allow the use of Debug to have more diagnostic information included and allows the use of additional SQL commands to set connection state. For example:
    ::ODBC
    Debug
    DSN SomeSystemDSN
    DBUser SomeUser
    DBPassword SomePassword
    SQL USE SomeDatabase
    Parameter User
    Parameter Password
    SQL \
    SELECT 'Allow' \
    FROM auth \
    WHERE \
    user = ? AND \
    pass = ?
    /ODBC
  25. Adds new ezproxy.cfg option to instruct EZproxy to use a different method to set its cookie when users access using Apple's Safari 2.0 browser. This option is only needed for EZproxy servers whose names end in a two-letter domain and whose names contain only two periods (e.g., ezproxy.yourlib.ca would need this, but ezproxy.library.yourlib.ca and ezproxy.yourlib.org would not). To enable this, add:
    Option SafariCookiePatch

    to ezproxy.cfg and restart.
  26. Extends Central Authentication Service (CAS) to allow varied behavior based on attributes provided during service validation. This form uses a new syntax to invoke CAS authentication. The minimal entry in this new form is:
    ::CAS
    LoginURL http://www.yourlib.org/cas/login
    ServiceValidateURL http://www.yourlib.org/cas/serviceValidate
    /CAS
    This form also supports the general directives Admin, Allow, Authenticated, Banner, Debug, Deny, Group, Invalid, NoGroups, Refused, Stop, Unknown, User, and UsrVar, plus a specialized version of Test to check tag values using an XPath to specify the tag to check. For example:
    ::CAS
    Debug
    LoginURL http://www.yourlib.org/cas/login
    ServiceValidateURL http://www.yourlib.org/cas/serviceValidate
    Group NULL
    Test -RE cas:group (Undergrad|Grad); Group +Student
    Test //*/cas:group Employees; Group +Employee
    Test /cas:authenticationSuccess/cas:groups/cas:group Staff; Group +Staff
    NoGroups; Deny unaffiliated.html
    /CAS
    For this example to work, ezproxy.cfg would need to default the Student, Employee, and Staff groups as well.
    When EZproxy redirects through CAS encoding, the destination database URL is now encoded in a different manner, a side-effect of which is that you can no longer readily view the URL that arrives at the CAS server and determine where the user was originally headed.
    The Debug directive tells EZproxy to record additional diagnostic messages to ezproxy.msg. This includes recording the entire XML response from the Service Validation URL, which can help in sorting out which attributes are available to use for making authorization decisions.
    In all three tests, the tag cas:group is being tested. The first and second tests use an identical search to locate tags, as EZproxy assumes a search from the root across all nodes if no path information is included. The third test uses an absolute path to the tag.
  27. Corrects an issue with Solaris that prevented EZproxy from detecting an attempt to start a second copy running from the same directory.
  28. Extend AnonymousURL to allow access to additional groups beyond just the Default group.
  29. The public, limited, and loggedin directories now allow the use of subdirectories if:
    Option AllowWebSubdirectories
    is added to ezproxy.cfg.
    The behavior for loggedin is slightly different, as the first directory level is matched up with EZproxy groups, such that a URL like:
    http://ezproxy.yourlib.org:2048/loggedin/somegroup/somedir/somefile.html
    can only be retrieved by someone who is a member of the EZproxy group "somegroup".
  30. When users access EZproxy using AutoLoginIP or referring URL authentication, EZproxy now appends a hyphen and the user's source IP address to the username used for limit tracking. For example, auto- followed by the address instead of just auto. This makes it possible to enforce limits at the workstation level for automatic login and at the user level for all other access.
    In addition, Usage limits have new -IgnoreAutoLoginIP, -IgnoreRefererLogin, and -IgnoreNormalLogin options to exclude certain types of logins from participating in those limits. For example:
    UsageLimit -enforce -interval=60 -expires=360 -MB=100 -IgnoreAutoLoginIP Global
    enforces a limit of 100 MB transferred within a 60 minute window, with automatic expiration after 360 minutes, but ignores any access that occurs as a result of AutoLoginIP.
  31. An issue that caused login banners to be presented to the wrong users has been corrected.
  32. SIP authentication contains a correction for an issue that may have caused the use of excessive CPU time.
  33. ::Ticket,Debug in ezproxy.usr now causes additional diagnostic information to be recorded in ezproxy.msg.
  34. When performing LDAP group membership tests, if the distinguished name contains spaces before and/or after commas, EZproxy performs two compare operations: one with the dn as returned, and another using a copy of the dn with the spaces around the commas removed.
  35. EZproxy now records a message in ezproxy.msg when a usage limit suspension is cleared.
  36. On Linux and Solaris, when a group is specified using RunAs, EZproxy now clears access to all other supplemental groups.
  37. Updated CAS support for backward compatibility to CAS 1.0.
  38. Corrected issue that could prevent Find/Replace statements from being processed.
  39. The "URL -form=" format for enabling access to remote services that require referring URL and/or username/passwords has been updated to ensure that the remote web server will receive the referring URL matching the URL specified, whereas previous versions could send the login page as their referring URL.
  40. The MaxLifetime directive defines how long an EZproxy session can be idle before it is terminated. It is now also possible to specify an absolute amount of time after which the user is required to login again to continue using his/her current session. The amount of time is specified in minutes by adding one or more lines like this to ezproxy.usr:
    jdoe:secret
    ::ReLogin=30
    rsmith:shhhh
    ::ReLogin=60
    ::FTP=ftpserv.yourlib.org
    ::ReLogin=0
    pwilliams:hush
    In this example, jdoe and pwilliams are never required to reauthenticate, rsmith is required to reauthenticate every 30 minutes, and users authenticated by the FTP server are required to reauthenticate every hour.
  41. LDAP extended to allow the detection of eDirectory accounts that have passed their account expiration date using the Disabled directive. This example demonstrates how to intermix this with testing the loginGraceRemaining attribute to configure EZproxy to provide feedback while grace logins are diminishing, then provide expiration information when they are almost exhausted. The amount of debugging information recorded when using ::LDAP,Debug has also been enhanced.
    ::LDAP
    URL ldaps://ldapserv.yourlib.org/OU=users,O=yourlib?cn?sub?(objectClass=person)
    Disabled; Deny disabled.html
    Expired; Test -wild loginGraceRemaining 0; Deny expired.html
    Expired; Test loginGraceRemaining 1; Deny expired.html
    Expired; Test loginGraceRemaining 2; Deny expired.html
    Expired; Banner grace.html; Ignore
    /LDAP
    In this example, the file grace.html is located in the docs subdirectory and should contain information to the user to indicate that they only have a few logins left. The file must also contain a link like this:
    <a href="/login?url=^V">continue to resource</a>
    If you do not want to provide feedback, you can omit the Banner portion but must include Ignore or else EZproxy will not allow the user to log in.
  42. Change to avoid "page expired" errors in PubMed when using the back button to return to a hit list of articles.
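
    The CAS tests in item 26 above, evaluated against a serviceValidate response, as an added example (not EZproxy code): the response XML is constructed, the cas namespace URI is the one CAS 2.0 responses carry, and treating -RE as a whole-value regular-expression match is an assumption. The three Test lines and the NoGroups; Deny unaffiliated.html line are the ones from the item.

```python
"""Evaluate CAS attribute tests of the form shown in item 26 against a
serviceValidate response.  Added example, not EZproxy code: the XML response is
constructed, the cas namespace URI is the one CAS 2.0 responses use, and treating
-RE as a whole-value regular-expression match is an assumption."""
import re
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed response of the kind Debug would record in ezproxy.msg.
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:groups>
      <cas:group>Grad</cas:group>
      <cas:group>Employees</cas:group>
    </cas:groups>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# (xpath, value, is_regex, group) mirroring the three Test lines on the page.
TESTS = [
    ("cas:group", r"(Undergrad|Grad)", True, "Student"),
    ("//*/cas:group", "Employees", False, "Employee"),
    ("/cas:authenticationSuccess/cas:groups/cas:group", "Staff", False, "Staff"),
]


def tag_values(root, path):
    """Text of every tag selected by path.  A bare tag name or //*/tag searches
    from the root across all nodes; a leading / is an absolute path below the
    document element (cas:serviceResponse)."""
    if path.startswith("//*/"):
        query = ".//" + path[len("//*/"):]
    elif path.startswith("/"):
        query = "./" + path.lstrip("/")
    else:
        query = ".//" + path
    return [(el.text or "").strip() for el in root.findall(query, CAS_NS)]


def evaluate_tests(xml_text, tests):
    """Return the set of groups whose Test matched: Group NULL to start,
    then each matching Test contributes its Group +X."""
    root = ET.fromstring(xml_text)
    granted = set()
    for path, value, is_regex, group in tests:
        values = tag_values(root, path)
        if is_regex:
            matched = any(re.fullmatch(value, v) for v in values)
        else:
            matched = value in values
        if matched:
            granted.add(group)
    return granted


def authorize(xml_text, tests=TESTS, deny_file="unaffiliated.html"):
    """NoGroups; Deny unaffiliated.html: no granted group means a denial."""
    granted = evaluate_tests(xml_text, tests)
    if not granted:
        return ("deny", deny_file)
    return ("allow", sorted(granted))
```

    Because every Test runs and the groups accumulate, a user whose response carries both Grad and Employees ends up in Student and Employee at once; the deny file is only sent when none of the tests match, which is why a plain Group +X with no matching test leaves the user unaffiliated.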

2006-02-26

EZproxy 3.6b was released but withdrawn. Any site using this version should update to a newer release of EZproxy.

2006-02-20

EZproxy 3.6a was released but withdrawn. Any site using this version should update to a newer release of EZproxy.

2005-08-04

EZproxy 3.4c corrects an issue introduced in EZproxy 3.4a that prevented concurrent user login limits from working properly.

2005-08-03

This release was a flawed attempt to correct an issue in EZproxy 3.4a.

2005-08-02

EZproxy 3.4a contains the following changes:

  1. EZproxy can now be directed to monitor the volume of use by users and can be directed to suspend access if specific thresholds are exceeded. See UsageLimit for details.
  2. EZproxy now supports Shibboleth authentication.
  3. EZproxy now supports Central Authentication Server (CAS).
  4. Ticket authentication with time format specified using $c now accounts for daylight saving time correctly.
  5. When using external authentication, you can now add the debug keyword to indicate that extra details should be recorded to ezproxy.msg. Sample use:
    ::debug,external=http://www.yourlib.org/ezproxy.cgi,post=user=^u&pass=^p
  6. Within SIP authentication, introduces new Wait directive to allow a pause during process. Sample usage:
    ::SIP
    Host sip.yourlib.org:23
    Expect Choice
    Send SIP
    Wait 1
    SIP
    /SIP
  7. Allows database definitions that have only Title and Description lines. During menu presentation, when EZproxy encounters such a definition, it sends only the database description, ignoring all other directives between ^B and ^E, allowing arbitrary text to be included between database definitions. Sample usage:
    Title Text that appears in /status but not to remote user
    Description HTML Text sent to the remote user
    Description which may span multiple lines by repeating
    Description the Description directive
  8. Adds new HTTPMethod ezproxy.cfg directive to authorize EZproxy to proxy additional HTTP methods beyond GET, POST, and HEAD. Sample usage:
    HTTPMethod SEARCH
    HTTPMethod SUBSCRIBE
    HTTPMethod BMOVE
  9. This version introduces the ExtraLoginCookie directive for ezproxy.cfg. This directive allows you to tell EZproxy to send extra Set-Cookie headers during the login process. The most typical use is with load balancing applications. In most instances, the cookie used should be paired with a CookieFilter statement to tell EZproxy not to forward the cookie's value to remote databases. A sample use is:
    ExtraLoginCookie proxyid=1025; domain=.yourlib.org
    CookieFilter proxyid
  10. This version includes a patch to allow EZproxy to work with big5.lawyee.com. To access this database, use this version of EZproxy along with the following database definition:
    Option LawYeePatch
    Title LawYee
    URL http://big5.lawyee.com/
    DJ lawyee.com
  11. With LDAP, previous versions of EZproxy needlessly required read or compare access to the objectClass attribute to succeed. This requirement has been removed.
  12. The "ezproxy log" command now forces EZproxy to reopen the main log file along with any other log files established by LogSPU directives.
  13. III authentication can now match based on any part of the III patron name field matching any part of the EZproxy password field. For example, if pn is Smith-Jones Jr, Patricia "Pat" Robin Q, then any of the following would match:
    Pat Smith
    Smith Patricia
    Smith
    Jones
    Robin Jones
    Pattie Smith
    Note that Pattie Smith matches, even though Pattie is not present, since Smith is present and does match.

    When performing this test, Jr and Sr are ignored. Unless pn is made up of only single characters, single characters are also ignored. As a result, these by themselves would not match:
    Jr
    Q
    To use this form of name match, add the directive PartialNameMatch before your Host line, such as:
    ::III
    PartialNameMatch
    Host iii.yourlib.org
    /III
  14. LDAP now supports detecting expired accounts and expired passwords when authenticating against Microsoft Active Directory and Novell eDirectory.

    The following examples demonstrate the use of the Expired and PasswordForm directives with a Microsoft Active Directory server. For Novell eDirectory, add the Expired and PasswordForm directives in a similar manner within your existing LDAP configuration, with Expired appearing after the URL line and PasswordForm appearing before the URL line. If you are using eDirectory and anonymous searching is permitted, you can omit the BindUser and BindPassword in both examples.

    To provide user feedback if a user's account or password is expired, use:

    ::LDAP
    BindUser CN=ezproxy,CN=users,DC=yourlib,DC=org
    BindPassword verysecret
    URL ldap://ldapserv.yourlib.org/CN=users,DC=yourlib,DC=org?sAMAccountName?sub?(objectClass=person)
    Expired; Deny expired.htm
    /LDAP

    In this example, you need to create the file expired.htm in the docs directory. This file will provide the user with feedback as to why he/she was denied access.

    If you would like to allow the user to change an expired password, issue the command:

    ezproxy -ml
    to create the file ldappass.htm in the docs directory, then use an LDAP entry like this:
    ::LDAP
    PasswordForm ldappass.htm
    BindUser CN=ezproxy,CN=users,DC=yourlib,DC=org
    BindPassword verysecret
    URL ldaps://ldapserv.yourlib.org/CN=users,DC=yourlib,DC=org?sAMAccountName?sub?(objectClass=person)
    Expired; Deny expired.htm
    /LDAP

    Note the use of ldaps:// in this example. For password changing to work, you must use ldaps (LDAP over SSL). Both Active Directory and eDirectory require this. See Microsoft articles 247078 and 321051 for more information on configuring Active Directory to support ldaps.

    Note that the CN=ezproxy... account does not need to have any privileges for password changing to work. It is only used to locate the user's distinguished name in the directory.

    In this version, the user will be allowed to change his/her password as long as it is only the password that is expired. If the account has passed its expiration date, the expired.htm file is sent to let the user know that his/her account has expired and is now disabled.

  15. The "ezproxy -md" command now generates template files for DRA Classic using DRA macros, DRA classic using WEB2 macros, and Unicorn using WEB2 macros.
  16. In III authentication, Test can now accept one of the following operators:
    <s =s >s ~s !s <i =i >i !i <d =d >d !d
    These operators allow you to specify the exact form of test to perform. In these forms, s is for a string comparison, i is for an integer comparison, and d is for a decimal comparison. Sample usage is:
    Test p96 >d 20.00; Deny excessfines.htm
  17. When using ::cgi in ezproxy.usr, you can now omit the username and password fields, and you can also specify ^A, ^U, and ^V in the URL. This form makes it easier to redirect the user to CGI scripts without requiring the use of the original variables. ^A is substituted with the auth variable (if present), ^U is substituted with the destination URL in URL-encoded format, and ^V is substituted with the destination URL in its "verbatim" format.
  18. The LogFormat and LogSPU directives now accept %{ezproxy-url#}i where # can be any number to specify the inclusion of a specific portion of the URL. For example, in the URL http://www.somedb.com/abc/def, %{ezproxy-url1}i would return abc, %{ezproxy-url2}i returns def, and %{ezproxy-url3}i returns a blank string.
  19. LDAP authentication now allows testing against multiple servers with an ezproxy.usr configuration like this:
    ::LDAP
    URL ldap://ldapserv1.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person)
    Refused; URL ldap://ldapserv2.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person)
    Refused; URL ldap://ldapserv3.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person)
    /LDAP
    Other LDAP directives may appear before the closing /LDAP, and will apply based on whichever server was able to accept the request and process it.
  20. The ::external user authentication method now allows the inclusion of ^a to pass the auth variable from the login form to the external script.
  21. The LogFormat and LogSPU directives now accept %{ezproxy-groups}i to allow the inclusion of user group membership in the log file.
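
    The name-matching rule from item 13 above, written out as an added example (not EZproxy code): the tokenising on non-alphanumeric characters and the case-insensitive comparison are assumptions, as is the pn-driven single-character rule; the sample patron name and passwords are the ones from the item. Seen from the defender's side, the rule means a shared surname is enough to pass, so the effective secret is no stronger than the patron name.

```python
"""Illustration of the III PartialNameMatch rule described in item 13: any
token of the password field matching any token of the patron name field.
Added example, not EZproxy code; tokenising and case handling are assumptions."""
import re

IGNORED_SUFFIXES = {"jr", "sr"}


def split_words(field):
    """Split a patron-name or password field into lowercase word tokens,
    dropping Jr and Sr.  Splits on anything that is not a letter or digit so
    that 'Smith-Jones' yields both Smith and Jones (an assumption)."""
    words = [t.lower() for t in re.split(r"[^A-Za-z0-9]+", field) if t]
    return [w for w in words if w not in IGNORED_SUFFIXES]


def partial_name_match(patron_name, password):
    """True when any usable token of the password appears among the usable
    tokens of the patron name.  Single-character tokens are ignored on both
    sides unless the patron name consists only of single characters."""
    pn_words = split_words(patron_name)
    keep_single = bool(pn_words) and all(len(w) == 1 for w in pn_words)

    def usable(words):
        return {w for w in words if keep_single or len(w) > 1}

    pn_tokens = usable(pn_words)
    return any(w in pn_tokens for w in usable(split_words(password)))


# Constructed check against the page's own example.
SAMPLE_PN = 'Smith-Jones Jr, Patricia "Pat" Robin Q'
if __name__ == "__main__":
    for pw in ["Pat Smith", "Pattie Smith", "Jr", "Q"]:
        print(repr(pw), partial_name_match(SAMPLE_PN, pw))
```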

2005-04-03

EZproxy 3.2b contains the following changes:

  1. Corrects an issue which caused the login page to appear when using referring URL authentication without providing a specific destination URL.
  2. The installation copy of ezproxy.usr no longer contains any default username or password. If default accounts from older versions of EZproxy appear in ezproxy.usr, they are not allowed to log in and a warning is recorded to ezproxy.msg.
  3. Allows ::cgi to be specified without a username on the line when used just for rerouting, and also allows the use of ^U and ^V in the destination URL. Typical use for excluding the username occurs when combining ::cgi to reroute unauthenticated users with ticket authentication.

    The inclusion of ^L, ^S, ^U or ^V overrides the normal appending of the destination URL and instead provides the ability to explicitly pick where the destination URL should be inserted. When used, ^U is the URL-encoded version of the URL and ^V is the verbatim version of the URL with no encoding.

    ^L is true if the user is already logged in and tries to access a database outside current group membership (a "logup" condition) or false otherwise. If the user tries to access a database outside group membership and ^L isn't included in the redirect URL, then EZproxy will not redirect the user, but instead presents the logup.htm page. This requirement avoids the possibility of user login loops if the receiving CGI script is not designed to handle the logup scenario.

    ^S is the EZproxy session identifier if the user is already logged in.

    For the starting point URL:

    http://ezproxy.yourlib.org/login?url=http://www.somedb.com/

    if you use the ezproxy.usr entry:

    ::cgi=http://www.yourlib.org/ezpauth.cgi?dest=^U

    the user will be redirected to:

    http://www.yourlib.org/ezpauth.cgi?dest=http%3a%2f%2fwww.somedb.com%2f
    whereas if you use the ezproxy.usr entry:
    ::cgi=http://www.yourlib.org/ezpauth.cgi?dest=^V

    the user will be redirected to:

    http://www.yourlib.org/ezpauth.cgi?dest=http://www.somedb.com/
  4. Linux and Solaris versions now support command line option stopall for use when updating, such as:
    ./ezproxy stopall
  5. LDAP authentication now supports "Admin" as an option to declare that a user is an administrative user, such as:
    Test -user rdoe; Admin

2005-03-28

EZproxy 3.2a contains the following changes.

  1. Server status now contains new "Host Maintenance" options to prune away hosts and ports that are no longer being used.
  2. Administration interface contains new "Test network connectivity" option.
  3. "MetaFind MuseCookie" handling has been improved. There are also two new ezproxy.cfg directives, LoginSocketBacklog and HostSocketBacklog, to configure how many outstanding, unserviced requests can queue up to EZproxy. Sample usage:
    LoginSocketBacklog 50
    HostSocketBacklog 10

    In proxy by port, LoginSocketBacklog controls the number of unserviced login requests that can be pending, and HostSocketBacklog controls the number of unserviced requests to specific virtual web servers that can be pending. In proxy by hostname, only LoginSocketBacklog matters.

    In older versions of EZproxy, these defaulted to 5. The default for LoginSocketBacklog is now 20 and for HostSocketBacklog remains 5. Raising LoginSocketBacklog above 200 is not recommended, nor is raising HostSocketBacklog above 20.

  4. III Patron API authentication now allows a new option "PartialNameMatch" which directs EZproxy to match the user supplied password against the patron name, and if everything matches up to the point where the password ends, and if that point in the patron name is a non-space, the two are considered to match. This allows pn "Doe Robin" to match password "Doe". In instances where pn starts "Mac " or "Mc ", the space is removed, such that pn "Mac Donald" will match password "MacDonald" or "Mac Donald", but will not match just "Mac".
    ::III
    PartialNameMatch
    Host iii.yourlib.org
    /III
    PartialNameMatch must appear before Host.
  5. For instances where CGI authentication creates a new session for someone who is already logged in, the method of merging the attributes of the two sessions together has been improved.
  6. It is now possible to reject requests to EZproxy based on the presence of arbitrary HTTP request headers. The general form of the ezproxy.cfg directive is:
    DenyIfRequestHeader denyfile wildcardtest
    where denyfile is a file in the docs subdirectory to send if wildcardtest is present in a header. Sample usage is:
    DenyIfRequestHeader nowebzip.html User-Agent:*WebZip*
    The denyfile may also take the special value allow to indicate that requests carrying a matching header should be allowed, which permits a combination of positive and negative logic.
  7. Mini-DNS server debug logging enhanced.
  8. Corrects issue with LogFile directive and group memberships when many groups are specified in a single Group statement.
  9. Adds new ezproxy.cfg directive ClientTimeout that controls how long EZproxy will wait on the remote client (in seconds) before closing a connection. The default value is 60 seconds. This directive should be used with RemoteTimeout or else a long wait on the client could cause the connection to the remote server to timeout.

    Sample usage:

    ClientTimeout 120
    RemoteTimeout 120
  10. The docs directory contains a directory named loggedin. You can now create directories in loggedin that become EZproxy group names. Files placed within these directories are only accessible by users who are members of the group.
  11. Adds new ezproxy.cfg EBLSecret directive for configuring access to Ebook Library.
  12. The ezproxy.cfg LogFile directive now accepts a new -strftime qualifier, such as:
    LogFile -strftime ezproxy%Y%m%d.log
    When strftime is present, EZproxy will evaluate the filename using the strftime function. This allows the filename to be based on the current date and time, allowing new log files to be created automatically. In the above example, EZproxy will open a new log file every day, using names such as ezproxy20080325.log for each file. Another useful form is:
    LogFile -strftime ezproxy%Y%W.log
    which creates a new log file each week, such as ezproxy200812.log.
  13. Optimizes the way EZproxy retrieves system time.
  14. Adds ezproxy.cfg directive ProxyURLPassword to specify a password that activates EZproxy's new support for responding to XML requests sent to /proxy_url. This URL is used to support Ross Singer's "WAG the Dog Localizer".
  15. The LogFormat directive now supports %m to record the request method (e.g., GET, POST), %v to record the host requested, and %{ezproxy-protocol}i to retrieve whether http or https was used in the request. This can be used to construct a log entry that omits URL information, such as:
    LogFormat %h %l %u %t "%m %{ezproxy-protocol}i://%v HTTP/1.0" %s %b
    These options are also compatible with LogSPU.
  16. Adds new ezproxy.cfg directive RADIUSRetry that controls how frequently EZproxy will resend RADIUS requests if it does not receive any responses. The directive is followed by the number of seconds to wait before retrying, and defaults to 1 second.

    Sample usage:

    RADIUSRetry 3
  17. The IntruderAttempts directive has been expanded. You can now include multiple directives to provide varying behavior based on source IP address.

    Sample usage:

    IntruderTimeout 600
    IntruderAttempts 5
    IntruderTimeout 300
    IntruderAttempts -ip=68.14.229.0-68.14.229.255 10
    IntruderAttempts -ip=68.14.229.198 -x-forwarded-for 15

    IntruderAttempts statements should be listed from most general to most specific. The last IntruderAttempts line in ezproxy.cfg that matches a computer defines how intruder detection will be handled.

    In this example, the general behavior is to start evading users after they make 5 login failures from the same IP address. Once this occurs, the source IP remains locked out for 600 seconds (10 minutes).

    However, if someone is accessing from a source IP between 68.14.229.0 and 68.14.229.255, EZproxy will give them 10 tries and will reset after 300 seconds (5 minutes).

    But, even more specifically, if someone is accessing from 68.14.229.198, EZproxy should look for an "X-Forwarded-For" header, and if one is present, it should consider the source IP address of the request to include the source IP specified in this header, and in that case, allow up to 15 retries. The X-Forwarded-For header is an optional header that can be sent by proxy servers and some network address translation devices. Including this option enables EZproxy to use an extra piece of information to separate out users who are behind that proxy. This option should only be used if your institution controls the proxy server involved.

  18. There is a new form of database definition that can be used for databases that require the submission of variables by a form. With this configuration, EZproxy generates a temporary form used to give the user access to the remote system.

    An example of this configuration for Canadian Pharmacists Association is:

    Title Canadian Pharmacists Association
    URL -Form=post -RewriteHost ecps http://www.pharmacists.ca/function/subscriptions/ecps.cfm?extlink=ecps
    FormVariable loginname=someuser
    FormVariable loginpassword=somepass
    DJ pharmacists.ca

    Users gain access to this with a URL similar to:

    http://ezproxy.yourlib.org:2048/login/ecps
  19. IntruderAttempts handling has been enhanced.

  20. Adds special diagnostic feature to pinpoint the source of "400" errors.
  21. Corrects a problem that prevented references to the EZproxy /loggedin directory from working properly when invoked with an https URL.
  22. Enhances Domain authentication to handle an additional case of expired password changing.
  23. Introduces new intrusion control directives:

    IntruderLog 25
    IntruderReject 100

    IntruderLog controls the maximum number of times that EZproxy should log intrusion attempts to ezproxy.msg during a particular incident, with a default value of 25.

    IntruderReject controls the maximum number of login failures that should occur before the remote site moves from evasion to total rejection of login attempts, with a default value of 100.

  24. The maximum number of groups has been increased from 32 to 4096.

  25. The Validate directive may now include a path restriction to control which URLs receive a username and password.

    Sample usage:

    Title Journal of Transpersonal Psychology
    Validate path=/jtparchive/* someuser:somepass
    URL http://www.atpweb.org/jtparchive/
    Domain atpweb.org
  26. For the Windows platform, adds authentication against ODBC sources. A sample ezproxy.usr entry is:
    ::ODBC
    DSN SomeSystemDSN
    DBUser SomeUser
    DBPassword SomePassword
    Parameter User
    Parameter Password
    SQL \
    SELECT 'Allow' \
    FROM auth \
    WHERE \
    user = ? AND \
    pass = ?
    /ODBC

    DSN is the ODBC system DSN to use.

    DBUser and DBPassword are optional. If included, they provide the username and/or password to use to access the database.

    Parameter may be followed by User, Password, or IP and indicate values that should be supplied for each ? that appears in the SQL statement. The first Parameter value goes to the first ? in the SQL statement, the second Parameter to the second ?, and so forth.

    SQL is followed by an SQL statement. Since SQL statements may become quite long, you may continue SQL statements across multiple lines by ending each line with a \ character. The SQL statement should be constructed to return the literal Allow if the user is to be allowed access, or Deny if the user should be denied all access to EZproxy. If the first value returned is neither Allow nor Deny, EZproxy moves on to the next authentication check in ezproxy.usr.

    For Allow, the SQL statement may also return a second column that indicates one or more EZproxy groups to which the user should have access. To use the group feature, the query should return several rows with one group per row, such as:

    Allow Default
    Allow Medical
    Allow Legal

    For Deny, the SQL statement may also return a second column that indicates the name of the file from the docs directory that should be sent to the user who is being denied access. To use this feature, the query should return something like this:

    Deny alumni.html
  27. It is now possible to configure EZproxy to look for a meta directive that tells it to stop rewriting URLs within a web page.

    In ezproxy.cfg, you indicate to EZproxy which databases should use this directive like this:

    Option MetaEZproxyRewriting

    Title Some Database that can use this meta tag
    URL http://www.somedb.com/
    Domain somedb.com

    Option NoMetaEZproxyRewriting

    Title Other Database that will ignore the meta tag
    URL http://www.otherdb.com/
    Domain otherdb.com

    The default behavior is Option NoMetaEZproxyRewriting.

    If Option MetaEZproxyRewriting is set for a database, then web pages from that database may contain these special tags:

    <meta name="EZproxyRewriting" content="disable">
    <meta name="EZproxyRewriting" content="enable">

    which tell EZproxy at which points URL rewriting should be disabled or enabled as the web page is processed.

  28. Domain statements that match a broad range of hosts such as:

    Domain *
    Domain com
    Domain ac.uk

    are now disallowed by default as these are outside the scope of EZproxy's design to handle and they pose security risks when enabled.

    Sites that choose to ignore this risk do so without the support of OCLC. To enable such lines to be proxied, the very first line of ezproxy.cfg must be set to exactly:

    Option I choose to use Domain lines that threaten the security of my network
  29. Adds a "Disable Referral Chasing" option to LDAP authentication which should correct some issues when searching Windows Active Directory from the root.
  30. Corrects an issue in Shibboleth processing with NoGroups testing.
  31. Corrects error when using username::crypt= in ezproxy.usr
  32. Adds support for NCIP authentication. A sample ezproxy.usr entry is:
    ::NCIP
    Server ncip.yourlib.org:7777
    /NCIP
    With just a hostname and port, EZproxy uses the socket protocol to connect to NCIP. These may be replaced by a URL to use http or https POST protocol.
  33. Allows a specific rejection file to be associated with a group restriction. This is particularly useful for databases that are intended for inhouse usage only. Sample usage:
    Group InHouse Deny=inhouse.html
     
    Title Some Database for local use only
    URL http://www.somedb.com
    Domain somedb.com
     
    Group Default
     
    Title Other databases follow
    ...
    In this example, Some Database is placed in the InHouse group, and the custom error file inhouse.html is associated with it. As long as your users are never placed in the InHouse group, they will never have access to this database, and will receive the inhouse.html file. Users who access from an ExcludeIP address are redirected to the resource.
  34. Automatic login can be enabled based on the reverse DNS hostname associated with an IP address. This method of authentication is prone to spoofing. Recommended use includes limiting the source IP range as well.

    Sample usage:

    ::ip=68.14.0.0-68.14.255.255,hostname=*.something.somedomain.com
    ::hostname=*.otherdomain.com

    In the first example, the source IP address must be in the specified IP range before the hostname test is considered. In the second, the hostname is checked regardless of source IP address.

  35. Text file username and password checks now ignore ISO-8859-1 diacritics.
  36. You can now record starting point URLs into their own, separate file. Sample usage is:
    LogSPU spu.log %h %{ezproxy-spuaccess}i %u %t "%r" %s %b
    The %{ezproxy-spuaccess}i is a special variable that will record either proxy (user's access to remote URL will be proxied), local (user is within an ExcludeIP address and will be redirected to URL without being proxied), or unknown (URL was not recognized by EZproxy and Option RedirectUnknown appears in ezproxy.cfg).

    LogSPU must be followed by a filename, and can optionally be followed by a log format. LogSPU can appear more than once in ezproxy.cfg, with different formats possible for each file. As of this release, each LogSPU must reference a different file.

  37. With III authentication, you can now associate arbitrary text with users during login that can be recorded into EZproxy log files. Sample usage:
    ::iii
    Host iii.yourlib.org
    Type 1,2,3,4,5; UsrVar 1 Student
    Type 6,7,8; UsrVar 1 Faculty
    /iii
    The number after UsrVar can be any digit 0 to 9. All UsrVar values default to blank.

    To record this variable in ezproxy.log, use a LogFormat similar to:

    LogFormat %h %l %u %t "%r" %s %b %{ezproxy-usrvar1}i
  38. The default menu generated after login can now be limited to display just those databases to which the user's group memberships allow access. To enable this feature, add:
    Option MenuByGroups
    to ezproxy.cfg and restart EZproxy.
  39. Corrects issue that prevented "Test -wild dn somevalue" from working correctly.
  40. Extends LDAP interface to allow:
    test -user someuser
    test -wild -user somewildcarduser
    test -auth authvalue
    test -wild -auth somewildcardauthvalue
    as a way to test the values from the user and auth variables of the login form.
  41. It is now possible to control the HTTP "Server" header sent by EZproxy when it is sending its own web content (e.g., during login processing). The directive to control this is:
    ServerHeader server-identifier
    By default, EZproxy sends EZproxy as its server identifier. If you specify ServerHeader with no server-identifier, the header is omitted. Otherwise, EZproxy uses server-identifier in this header.
  42. ezproxy.cfg now accepts the directive:
    Option IgnoreWildcardCertificate
    When EZproxy is running in proxy by hostname with SSL enabled and with a certificate whose name starts with an asterisk (*), EZproxy normally adds "login." to the front of its hostname when it constructs URLs that point to itself. Adding this directive tells EZproxy not to apply this override.

    This directive is mainly useful in instances where an EZproxy server is named something similar to ezproxy.yourlib.org and you want to use a certificate named *.yourlib.org.

  43. Add a "-hide" qualifier to the Title directive to indicate that a database definition should not appear when automatically generating the menu. Sample use:

    Title -hide Some Database that will not appear in menu

2004-10-26

EZproxy 3.0f contains the following changes.

  1. Corrects an issue introduced in 3.0e that corrupted the content attribute of meta tags when http-equiv was not refresh.
  2. Extends LDAP interface to allow:
    Test -wild attribute wildcardvalue
    where wildcardvalue can use the * wildcard to match 0 or more characters.
  3. When Test is used without -wild, EZproxy only needs compare access to the directory. When -wild is present, EZproxy needs read access to the directory.

  4. Correct problem that prevented long cookie values from being preset.
  5. Adds an option to override SSL certificate checks.
  6. Shibboleth change to enhance IdP 1.1 interoperability.

2004-09-19

EZproxy 3.0e contains the following changes.

  1. Changes DNS handling to address ISI incompatibility.
  2. Correct issue when using entries such as:
    user1::deny=locked.htm
    from an included file.
  3. Correct flaw with LDAP processing when no filter included in the LDAP URL.
  4. Correct typographical errors in a few administration pages.
  5. Binary size increased noticeably due to inclusion of first beta release of Shibboleth Service Provider support.

2004-08-30

EZproxy 3.0d GA (2004-08-30) corrects a problem when using "ezproxy log" on Microsoft Windows Terminal Services, allows EZproxy to rewrite URLs that contain line breaks (HeinOnline), and corrects relative URLs that start with ../ in redirects.

2004-08-05

EZproxy 3.0c GA (2004-08-05) corrects an issue that caused the combination of auth and old-style LDAP authentication in the same line in ezproxy.usr to cause EZproxy to ignore other sections of ezproxy.usr.

2004-08-04

EZproxy 3.0b GA (2004-08-04) corrects an issue that prevented wildcards from working properly in Domain/DomainJavaScript statements.

This release corrects a similar issue for the new NeverProxy statement. In ezproxy.cfg, you can now add lines like this:

NeverProxy www.somedb.com
NeverProxy www.somedb.com:8080
NeverProxy *.somedb.com

The first line tells EZproxy never to rewrite the hostname www.somedb.com. The second tells EZproxy never to rewrite www.somedb.com:8080, but rewrite any other www.somedb.com references. The third line tells EZproxy never to rewrite any hostname that ends in .somedb.com.

2004-08-02

EZproxy 3.0a GA (2004-08-02) contains the following changes:

  1. LDAP support has been greatly enhanced. For configuration details, see LDAP Authentication
  2. EZproxy now supports intruder detection. See IntruderAttempts for information on how to configure this feature.
  3. EZproxy now supports a secure method to allow portals to generate links directly to EZproxy. See Ticket Authentication for details.
  4. The /admin page has been enhanced to provide more options for managing your EZproxy server.
  5. Introduces new high availability multi-server coordinated configuration including new HAName and HAPeer directives.
  6. If you receive a renewal SSL certificate, you can now bring up the original certificate and use the "copy" feature to create a copy of the certificate, then apply the renewal certificate to this copy.
  7. When a server fails to provide a content-type header, EZproxy examines the beginning of the document to check whether or not it is HTML. This check has been extended to support an unusual response from scitation.aip.org that includes a series of comments before the page is declared to be in HTML.
  8. When generating self-signed certificate, you can now choose for how many years the certificate should be valid.
  9. EZproxy can now send a Platform for Privacy Preferences (P3P) header when it sets its authentication cookie. This can be used to allow EZproxy authentication to occur within a framed window.

    Sample usage:

    P3P CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
  10. Corrects a problem with III Millenium pin validation.
  11. In DRAWeb2 authentication, the setup process provides files for use with class DRA_ macros as well as newer WEB2_ macros.

    Also, you can now specify the userid field that EZproxy should use when it verifies someone's access using the new userid directive.

    Sample usage (one or more line breaks were added in this example for display purposes; an example without added line breaks is available):

    ::draweb2
    userid alt_user_id
    url http://draweb2.yourlib.org/Web2/tramp2.exe/log_in?
    SETTING_KEY=guest&screen=ezp1.html
    /draweb2

    EZproxy previously imposed stringent checks on the user and password information used by Web2, which led to information that is valid for Unicorn systems being locked out. These restrictions have been changed to accommodate the broader range of options supported by Unicorn.

  12. The Campus Pipeline Integration Protocol (CPIP) URLs can now be accessed by the EZproxy session ID by specifying the sid as ezproxy: followed by the EZproxy session identifier.
  13. When making an outgoing SSL connection, previous versions of EZproxy would present their SSL certificate to the remote host. EZproxy no longer presents an SSL certificate on outgoing connections.

    This next section applies only to the traditional LDAP configuration in ezproxy.usr, not the new LDAP functionality triggered by just ::LDAP. If required, EZproxy can still present a certificate for outgoing LDAP connections. In ezproxy.usr, use an entry similar to this:

    ::ssl=2,ldap=pdc.yourlib.org,$U@yourlib.org
    where "2" is the number of the certificate for EZproxy to present in the outgoing request.
  14. By default, EZproxy allows a remote server to pause for a maximum of 60 seconds before it will timeout a connection. You can now change this value by adding a line to ezproxy.cfg like:
    RemoteTimeout 120
    In this example, the timeout is raised from 60 seconds to 120 seconds.
  15. The following deny option has flaws and is under review for possible changes. If you need this type of functionality, please contact OCLC support to discuss options. This option does not work correctly from an included file.
    When using deny in ezproxy.usr, you can now include a filename to present to the user, such as:
    user1::deny=expired.html
    In this example, the expired.html file would need to be placed in the docs subdirectory.
  16. Adds a variety of new options to the SIP interface.
  17. Includes changes to support having EZproxy include the login username in starting point URLs, either in plain-text or encrypted form.
    Title ebooks.com
    EncryptVar u astringyoupick
    URL http://www.curtin.eblib.com/EBLWeb/patron.html?userid=^u&usertype=student
    In addition, the EZproxy /admin menu displays a new "Decrypt User Variable" option whenever EncryptVar appears in ezproxy.cfg. This option allows the EZproxy administrator to enter an encrypted value and see what the original plain-text value was.
  18. Includes changes to make it possible to use ::external authentication against a Dynix RPA server.
  19. Adds new "AllowVars" database definition option along with "vars=" to ezproxy.usr to support MD Consult integrated authentication.
  20. Corrects an issue that prevented EZproxy from being controlled by an administrative account when EZproxy is running under a non-privileged account on Windows.

2004-05-12

EZproxy 2.4e GA (2004-05-12) contains the following changes:

  1. III Patron API updated to support changes in III Silver release. This update is compatible with both the original Patron API and the updated version.
  2. Problem corrected when switching log file in Windows when EZproxy runs from a non-privileged account.
  3. This version is required for temporary licenses that expired after June 23, 2004.

2004-04-09

EZproxy 2.4d GA (2004-04-09) contains the following changes:

  1. Corrects an issue that prevented EZproxy from running under a non-privileged account on Windows.
  2. Change use of 303 see other redirect code back to 302 moved temporarily during login processing to resolve some issues encountered by the CGI authentication method.

2004-03-21

EZproxy 2.4c GA (2004-03-21) contains the following changes:

  1. When a remote web server responds with a 1xx, 204, or 304 HTTP result code, EZproxy considers the request finished once the header is received from the remote web server, instead of waiting until the remote web server closes the connection. This change dramatically improves performance when accessing the Brookers database.
  2. EZproxy now supports SIP authentication. See 3M Standard Interchange Protocol (SIP) for configuration details.
  3. EZproxy no longer generates hostnames for proxy by hostname that start with digits. Where EZproxy did this previously such as 8080-www.somedb.com.ezproxy.yourlib.org, it now includes the letter p at the beginning, such as p8080-www.somedb.com.ezproxy.yourlib.org.
  4. APOP authentication can now be disabled. See POP Authentication for details.
  5. Older versions of EZproxy would strip angle brackets (<, >) from starting point URLs. In this release, the angle brackets are changed to their hex-encoded counter-parts.
  6. In ezproxy.cfg, you can add:
    Option RelaxedRADIUS
    This tells EZproxy not to verify the source IP address for RADIUS responses, but rather to just look at the received packet to check whether or not a valid response has been returned.
  7. The length limits for username and password have been raised from 32 to 64 characters.
  8. EZproxy can now proxy .wmv files correctly.
  9. Foot and Ankle International can be proxied when using this update along with this database definition (one or more line breaks were added in this example for display purposes; an example without added line breaks is available):
    Title Foot and Ankle International
    URL http://www.datatrace.com/e-chemtracts/emailurl.html?
    http://www.newslettersonline.com/user/user.fas/s=563/fp=20/tp=37?
    T=open_non_issue,5167,3&P=non_issue
    DJ datatrace.com
    DJ newslettersonline.com
    Find location.href="' + idOrUrl
    Replace location.href="^p^/login?url=' + idOrUrl
  10. One EZproxy server can now be configured to route starting point URLs of specified domains to a different server (can be EZproxy or something else). Sample usage is:
    RerouteTo http://otherezp.yourlib.org/login?url=
    RerouteHost www.somedb.com
    RerouteDomain otherdb.com

    The RerouteTo statement appears before any RerouteHost and RerouteDomain statements. The string specified in RerouteTo is placed in front of the URL that was specified in the starting point URL, then the user is redirected. RerouteTo can be omitted, in which case the other Reroute statements would effectively tell EZproxy to reroute starting point URLs of those domains to the regular URL.

    RerouteHost indicates that any host name that exactly matches the specified host name should be rerouted, whereas RerouteDomain indicates that any host name that exactly matches or ends with the specified domain should be rerouted.

    RerouteTo can also take the form:

    RerouteTo -quote http://www.yourlib.org/script.cgi?dest=
    With the -quote added, it tells EZproxy to apply URL encoding to the URL, making it suitable to be directly passed under normal CGI semantics (e.g., http://ezproxy becomes http%3a%2f%2fezproxy if -quote is present).
  11. The ::external user authentication method will now accept a response back of the form:
    ezproxy_menu= menufile.htm
    where menufile.htm specifies the menu that should be presented to the user after login.
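The rerouting rules in item 10 above, worked through in Python as an added illustration (not EZproxy's own code). It assumes the starting point URL is everything after `url=` in the /login query, that -quote encodes every character except letters, digits and "-._" with lowercase hex as in the page's http%3a%2f%2f example, and that RerouteDomain matches on a label boundary (otherdb.com matches db.otherdb.com but not notherdb.com).

```python
"""RerouteTo / RerouteHost / RerouteDomain handling for starting point URLs.

Added illustration, not EZproxy's own code; see the lead-in for assumptions.
"""
import re
from urllib.parse import urlsplit

_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._")
_URL_PARAM = re.compile(r"(?:^|&)url=(.*)", re.S)


def quote_lower(text):
    """Percent-encode with lowercase hex digits, matching the page's example."""
    return "".join(
        c if c in _SAFE else "".join("%%%02x" % b for b in c.encode("utf-8"))
        for c in text
    )


class RerouteConfig:
    """The Reroute* directives read from ezproxy.cfg-style text."""

    def __init__(self):
        self.reroute_to = ""      # empty when RerouteTo is omitted: redirect to the plain URL
        self.quote = False
        self.hosts = set()
        self.domains = set()

    @classmethod
    def parse(cls, cfg_text):
        cfg = cls()
        for raw in cfg_text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):   # comments live on their own lines
                continue
            directive, _, value = line.partition(" ")
            value = value.strip()
            if directive == "RerouteTo":
                if value.startswith("-quote"):
                    cfg.quote = True
                    value = value[len("-quote"):].strip()
                cfg.reroute_to = value
            elif directive == "RerouteHost":
                cfg.hosts.add(value.lower())
            elif directive == "RerouteDomain":
                cfg.domains.add(value.lower().lstrip("."))
        return cfg

    def should_reroute(self, hostname):
        """Exact host match, or exact/suffix match on a configured domain."""
        host = hostname.lower()
        if host in self.hosts:
            return True
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def redirect_for(self, login_url):
        """Redirect target for a /login request, or None when EZproxy proxies it itself."""
        _, _, query = login_url.partition("?")
        m = _URL_PARAM.search(query)
        if not m:
            return None
        target = m.group(1)
        host = urlsplit(target).hostname
        if not host or not self.should_reroute(host):
            return None
        return self.reroute_to + (quote_lower(target) if self.quote else target)
```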

2004-02-15

EZproxy 2.4b GA (2004-02-15) contains the following changes:

  1. Adding the line
    Option RequireAuthenticate
    to ezproxy.cfg allows you to configure individual machines to present the EZproxy login for starting point URLs, even if their IP addresses fall within AutoLoginIP or ExcludeIP address ranges.

    Once you have added the option line and restarted EZproxy, you can force the presentation of the login page using a URL similar to:

    http://ezproxy.yourlib.org:2048/auth
    This page allows you to enable or disable this behavior, either for the balance of your browser session (useful for quick testing or perhaps information literacy instruction sessions) or "permanently." Since this feature uses a cookie, it can be undone if the cookie is removed, so it is not something you can count on to work indefinitely, but it can be useful in situations where machines receive their addresses by DHCP and cannot be identified by specific, static IP addresses for this purpose.
  2. Corrects an issue with the mini-DNS server that prevented it from working reliably under Solaris.
  3. Corrects a problem that prevented browser request headers in LogFormat statements from being recorded properly.
  4. In III authentication, an error that caused "Password None" to accept any barcode as valid has been corrected.
  5. Proxy by hostname no longer prefixes hostnames with 80- and s443- when the remote hostname uses the standard web ports of 80 for http traffic and 443 for https traffic, although EZproxy recognizes this form to allow existing bookmarks to work properly.
  6. When an attempt is made to access EZproxy under a name it does not recognize, its normal behavior is to redirect the user to its proper name. Starting in 2.4, when this situation occurs, if the file badhost.htm exists in the docs subdirectory, EZproxy will send this file instead of performing the redirect.
  7. Added new "Option ProxyFTP" and "Option NoProxyFTP" to allow/disallow proxying of ftp:// URLs. Default is "Option NoProxyFTP". These options are position-dependent and affect database definitions that follow them and remain in effect unless changed by another appearance of one of these options.

    Sample usage:

    Option ProxyFTP
    Title Some database where FTP URLs will be proxied
    URL http://www.somedb.com
    Domain somedb.com
    Option NoProxyFTP
    Title Other database where FTP URLs will not be proxied
    URL http://www.otherdb.com/
    Domain otherdb.com
    Title Another database where FTP URLs will not be proxied
    URL http://www.anotherdb.com/
    Domain anotherdb.com
  8. EZproxy for Windows contains a correction for a problem that would cause the error "OpenFileMapping failed: 5 Access is denied" to occur if EZproxy was configured to run under a non-administrator account.
  9. EZproxy can now include the X-Forwarded-For header when it sends a request to a remote web server. This header includes the remote user's IP address. This feature is enabled in ezproxy.cfg with "Option X-Forwarded-For" and disabled by "Option NoX-Forwarded-For". Each of these options should appear just prior to a Title (T) line.

    Sample use:

    Option X-Forwarded-For
    Title Some Database
    URL http://www.somedb.com
    Domain somedb.com
    Option NoX-Forwarded-For
    # No databases after this point will send the X-Forwarded-For header
    Title Other Database
    URL http://www.otherdb.com
    Domain otherdb.com
  10. Extensions to the DRAWeb2 authentication options.
  11. The SkipPort directive for ezproxy.cfg. Sample usage is:
    SkipPort 3307
    The ezproxy.cfg file may contain any number of SkipPort lines.
  12. Cookies may be pre-loaded into new EZproxy sessions by specifying them in ezproxy.cfg. Sample usage is:
    Cookie Demo-OpenURL="http://sfx.exlibrisgroup.com:9003/yourlib"; domain=.doi.org
    The cookie must specify the domain of hosts to which it applies.
  13. The print option for CRC Handbook now works.
  14. Database definitions may now contain the line:
    MetaFind MuseCookie
    to activate special cookie handling needed by III's MetaFind product. This line must appear in each database that requires this special handling.
  15. This version corrects a problem that was causing EZproxy to truncate hidden fields whose values where more than 16K in length. This prevented http://www.infomedia.dk from working properly.

2003-09-09

EZproxy 2.2e GA (2003-09-09) contains a change that corrects a compatibility issue between EZproxy and SFX links to Web of Knowledge. It also contains changes to the mini-DNS server.

2003-09-01

EZproxy 2.2d GA (2003-09-01) contains two changes:

  1. All versions of EZproxy prior to this release rearranged the location of the Host and Referer headers of an HTTP request. This rearrangement of these headers was linked to a problem that caused some web page retrievals to come up blank. EZproxy 2.2d has been altered to keep these headers in their original locations while processing a request.
  2. EZproxy 2.2a introduced a change to avoid a SIGCHLD kernel warning under RedHat 9. However, this change negatively impacted at least one site running RedHat 6.0. The manner in which EZproxy handled this prior to the release of 2.2 can now be restored by adding:
    Option IgnoreSIGCHLD
    to ezproxy.cfg.
  3. Under "new style" DRA Web2 authentication, the pin may now contain either letters or digits, whereas older versions of EZproxy limited the pin to digits only.

2003-08-14

EZproxy 2.2c GA (2003-08-14) contains the following changes:

  1. When a user either tried to use the proxied form of an EZproxy URL (e.g., http://ezproxy.yourlib.org:2060 or http://80-www.somedb.ezproxy.yourlib.org) while not logged in, or tried to access a resource outside the user's groups, the user did not automatically proceed to the login page. This problem also affected sites that were using AutoLoginIP to access some resources (e.g., an automated catalog), but had other resources restricted by group.
  2. The method by which the "-si" option creates a startup script on Linux and Solaris has changed, although the actual script created is the same.
  3. Using the new administrative URL of the general form http://ezproxy.yourlib.org/admin when you have proxy by hostname enabled along with a wildcard SSL certificate now properly proceeds to the Administration page after login.
  4. The "ezproxy -c" connectivity test will now route its request through your outgoing proxy server if an outgoing proxy server has been specified in ezproxy.cfg.
  5. This version contains the new mini-DNS server for use with proxy by hostname, although this feature is still in initial testing. You must explicitly activate this feature, so it has no impact on existing sites that update to this version, but is available for those sites that want to perform testing of this feature.

2003-08-05

EZproxy 2.2b GA (2003-08-05) corrects a problem in 2.2a that had disabled the URLAppend (UA) command in ezproxy.cfg.

2003-08-02

EZproxy 2.2a GA (2003-08-02) contains the following changes:

  1. In ezproxy.cfg, comment lines are formed by placing a # at the beginning of a line.

    In some instances, people have placed comments on the end of lines that contain EZproxy directives, such as:

    IncludeIP 68.15.177.100 # Test machine
    The use of comments like this is not supported, and in EZproxy 2.2, it actually causes ExcludeIP and IncludeIP lines that contain such comments to fail.

    Please make certain to always place comments on their own lines, such as:

    # Test machine
    IncludeIP 68.15.177.101
  2. If you use https for login processing, EZproxy no longer defaults to forcing the main login page to upgrade from http to https. To restore the previous forced behavior, add:
    Option ForceHTTPSLogin
    to ezproxy.cfg.
  3. When generating a new certificate under proxy by hostname, you can now have the option to create a wildcard certificate. This tells EZproxy that it should add "login." to the front of its name when handling login requests and should generate its SSL certificate using the form "*.ezproxy.yourlib.org". It also changes periods to hyphens when generating the host name for sites using https. These changes should allow a single wildcard certificate to generate only one error if self-signed, and no errors if purchased from a certificate authority.
  4. New /admin page that coordinates access to various administrative functions within EZproxy.
  5. When SSL certificates are generated, they now receive distinct serial numbers to avoid generating conflicts for browsers that track certificates by issuer and serial number.
  6. Corrections to AutoLoginIP interaction with groups.
  7. New warning message when a server is configured for proxy by hostname but the wildcard DNS entry has not been registered.
  8. In some instances and network configurations, Find/Replace statements would not be processed. This likely led to some issues with Web of Science and Kluwer, along with other databases that require Find/Replace to operate.
  9. The /status screen has been enhanced. The new version:
    1. contains links from sessions that allow you to terminate sessions.
    2. defaults to displaying source IP addresses instead of host names to reduce the wait time for this page to display when a large number of people are logged in.
    3. rearranges the way databases are displayed, moving the domains column over to the left so it is not necessary to scroll right to see the domain information if there are any really long URLs.
    4. allows the display of Find/Replace commands in the database listing if you use the extended display option.
    5. enhances the host listing to ease diagnosis by indicating whether or not added JavaScript processing is enabled for the host, and also containing a link that allows you to see which database definition in ezproxy.cfg controls a given virtual host.
  10. The Proxy and ProxySSL statements are now position-dependent in ezproxy.cfg.

    Sites that use these statements should verify that they appear before your first Title (T) line, or else any databases that appear before them will not be directed through your outgoing proxy server.

    This change allows you to route proxy requests for different database vendors to different outgoing proxy servers, and to disable proxy server use for specific databases. This change was implemented in support of the LOCKSS project. Sample use in ezproxy.cfg is:

    Proxy proxy1.yourlib.org

    ProxySSL proxy1.yourlib.org

    Title Some database accessed through proxy1.yourlib.org
    URL http://www.somedb.com
    Domain somedb.com

    Proxy
    ProxySSL

    Title Other database that will not use a proxy server
    URL http://www.otherdb.com
    Domain otherdb.com

    Proxy proxy2.yourlib.org

    Title Another database that will use proxy2 for http, but will make https requests directly
    ...

    Proxy and ProxySSL statements affect all databases that follow them until another Proxy or ProxySSL statement appears.

    As before, the Proxy and ProxySSL statements may still contain a username:password at the end to allow EZproxy to send a username/password when making proxy requests.

  11. New support for Books24x7.com authentication, including revisions since the 2003-06-29 release for revised encryption. A sample entry is:
    Title Book24x7.com
    URL http://library.books24x7.com/library.asp?^B
    Books24x7Site ABC123
    TokenKey SomethingYouPickAndDontTellAnyone
    TokenSignatureKey YouGetThisFromBooks24x7
    DJ books24x7.com
    In this example, ABC123 is a site identifier issued to you by Books24x7.com. The TokenKey is a random string that you pick that is used to encrypt the username of the person accessing EZproxy before sending it to Books24x7.com. The TokenSignatureKey is used to encrypt a combination of the IP address making the request and the encrypted username formed with TokenKey, or just the IP address if someone is accessing from within an ExcludeIP range.

    This process does not disclose the identity of the EZproxy user to Books24x7.com. It sends an encrypted string that identifies each user uniquely. If necessary, Books24x7.com can provide your library with this encrypted string, then you can cross-reference it to the original user using the new:

    http://ezproxy.yourlib.org:2048/token
    page.
  12. When ::limit is used to impose a login limit, the error message that appears for those who exceed their limit may now be overridden by creating the file limit.htm in the docs subdirectory. Within that file, you may use ^0 (number zero) to represent the maximum number of logins allowed on the account, ^1 (number one) to include an s if the limit is not 1 but nothing if the limit is one, and ^2 (number two) for the word "is" if the limit is 1 or "are" if the limit is 2. The existing message can be created with this string:
    Your account is limited to ^0 session^1
  13. When a web server claims a page is text/plain, it was previously left untouched. EZproxy now examines the content of the page to determine if it is HTML, and if it is, it rewrites the page. This behavior makes EZproxy emulate IE's behavior and should correct a problem with one errant Web of Science page.
  14. In RedHat 9.0, a warning was being generated to /var/log/messages about SIGCHLD. This warning no longer appears.
  15. The III interface now supports a keyword Unknown which tells EZproxy to consider the user unknown and proceed to the next authentication method in ezproxy.cfg. This keyword mainly exists to allow III processing to be terminated if the III server is unavailable, particularly when you use Deny statements to block users.

    Here is a typical application:

    ::iii
    Host iii.yourlib.org
    Refused; Unknown
    ...more authentication statements...
    /iii
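The proxy-by-hostname naming rules scattered through this changelog (2.2a item 3 on wildcard certificates and the "login." prefix, 2.4b item 5 on dropping the 80-/s443- prefixes, 2.4c item 3 on the leading "p", and Option IgnoreWildcardCertificate in the 3.0g notes), collected into one Python illustration. This is added code, not EZproxy's own; the exact hyphenated form (www-somedb-com.ezproxy.yourlib.org) and an "s<port>-" prefix for https on a non-standard port are assumptions by analogy with the page's examples.

```python
"""Proxy-by-hostname names as this changelog describes them (added illustration).

Rules taken from the page:
  * a non-standard port becomes a prefix (8080-www.somedb.com.ezproxy.yourlib.org),
    and since 2.4c a leading "p" keeps that label from starting with a digit;
  * standard ports (80 for http, 443 for https) no longer get "80-"/"s443-"
    prefixes, but those older forms are still recognised for old bookmarks;
  * with a wildcard certificate, periods in the origin host become hyphens for
    https sites, and EZproxy's own login name gains a "login." prefix unless
    Option IgnoreWildcardCertificate is set.
Assumed here: the hyphenated form and the "s<port>-" prefix for https ports.
"""
from urllib.parse import urlsplit


def proxy_hostname(url, ezproxy_host, wildcard_cert=False):
    """Return the proxied hostname the browser is sent to for url."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port or (443 if scheme == "https" else 80)
    if scheme == "https":
        prefix = "" if port == 443 else "s%d-" % port
    else:
        prefix = "" if port == 80 else "p%d-" % port
    if wildcard_cert and scheme == "https":
        # A wildcard certificate matches a single DNS label only, so the origin's
        # periods must not add labels beneath *.ezproxy.yourlib.org.
        host = host.replace(".", "-")
    return "%s%s.%s" % (prefix, host, ezproxy_host.lower())


def login_hostname(ezproxy_host, wildcard_cert=False, ignore_wildcard=False):
    """Name EZproxy uses in URLs that point at itself (login processing)."""
    if wildcard_cert and not ignore_wildcard:
        return "login." + ezproxy_host
    return ezproxy_host


def matches_wildcard(name, pattern):
    """Single-label wildcard match, the way TLS clients treat *.example.org."""
    if not pattern.startswith("*."):
        return name.lower() == pattern.lower()
    label, _, rest = name.lower().partition(".")
    return bool(label) and rest == pattern[2:].lower()


class HostMap:
    """Maps the Host header EZproxy receives back to the origin server."""

    def __init__(self, ezproxy_host, wildcard_cert=False):
        self.ezproxy_host = ezproxy_host.lower()
        self.wildcard_cert = wildcard_cert
        self._origins = {}

    def register(self, url):
        """Record url's origin under its current name and its older aliases."""
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        port = parts.port or (443 if scheme == "https" else 80)
        origin = (scheme, parts.hostname.lower(), port)
        name = proxy_hostname(url, self.ezproxy_host, self.wildcard_cert)
        self._origins[name] = origin
        if scheme == "http" and port == 80:
            self._origins["80-" + name] = origin      # pre-2.4b explicit-port form
        elif scheme == "https" and port == 443:
            self._origins["s443-" + name] = origin    # pre-2.4b explicit-port form
        elif name.startswith("p"):
            self._origins[name[1:]] = origin          # pre-2.4c digit-first form
        return name

    def resolve(self, host_header):
        """(scheme, host, port) for a known name, else None (the badhost.htm case)."""
        return self._origins.get(host_header.lower().split(":")[0])
```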

2003-06-13

EZproxy 2.0k GA (2003-06-12) contains changes that:

  1. correct a problem introduced in 2.0j when connecting to EBSCO databases.
  2. suppress the "WARNING: address range applies to #### hosts" when AutoLogin, ExcludeIP, IncludeIP and RejectIP ranges refer to private IP address ranges (e.g., 10.0.0.0-10.255.255.255).
  3. log warning messages to ezproxy.msg when unrecognized lines appear in ezproxy.cfg. Please note that this release will report the directives CookieName and LogFile as unrecognized, even though they are correctly recognized and processed. This misreporting will be corrected in the next release of EZproxy.
  4. correct a problem that prevented CookieFilter from working under Solaris.

2003-06-05

EZproxy 2.0j GA (2003-06-02) contains corrections:

  1. that restore the EZproxy 1.x method of setting the EZproxy cookie, which prevents users from receiving the login screen multiple times.
  2. for proxying Lexis-Nexis (see LexisNexis for additional configuration requirements).
  3. when using the form POST method with some SSL sites including ScienceDirect.
  4. for a ScienceDirect problem that was only triggered for those sites that also have EZproxy configured to point to an outgoing proxy server.
  5. that improve EZproxy's method used for reconnection when remote server refuses or times out, particularly if remote server has multiple IP addresses.
  6. that provide a work-around for access to EBSCO EJS redirection problems with Internet Explorer. In addition to updating to EZproxy 2.0j, you must use a starting point URL similar to this to access EJS:
    http://ezproxy.yourlib.org:2048/login?refresh=local&url=http://ejournals.ebsco.com/Home
    to ensure that people clicking on this URL from your local machines are redirected correctly to EJS.
  7. allow you to specify what certificate should be provided to LDAP servers when making an SSL connection or allows you to suppress providing any certificate using entries in ezproxy.usr such as:
    ::ssl=5,ldap=ldaphost.yourlib.org,uid=$U,ou=student,o=yourlib,c=us
    ::ssl=0,ldap=ldaphost.yourlib.org,uid=$U,ou=student,o=yourlib,c=us
    where "ssl=5" specifies that certificate number 5 should be provided and "ssl=0" specifies that no certificate should be provided.
  8. allow you to specify a "banner file" that should be displayed to remote users after login but before they proceed on to the menu or their pre-specified web site. Sample use in ezproxy.usr is:
    ::banner=hello.html
    EZproxy will look for hello.html in the docs subdirectory.

    ezproxy.usr may contain multiple banner statements. The last such statement that appears before a user authenticates determines which web page will be used as the banner, such as:

    ::banner=robin.html
    robin:secret
    ::banner=pat.html
    pat:passcode
    ::banner=general.html
    ::ftp=ftp.yourlib.org
  9. eliminate slow EZproxy startup when ezproxy.log exceeds 2 gigabytes in size.
  10. support new authentication method where an outgoing proxy server can be tested with a username and password, and if the username and password are accepted, then EZproxy will continue to use that username and password for all outgoing proxy requests, allowing the outgoing proxy server to log all traffic. Sample entry in ezproxy.usr looks like this:
    ::proxy=mpa; http://some.valid.url/
    where http://some.valid.url/ is some URL that the proxy server will always be able to access.

    This option may only be used if ezproxy.cfg has an outgoing proxy server statement such as:

    Proxy outproxy.yourlib.org:3128 someuser:somepass
    EZproxy does not store the user's password in any files, so if EZproxy is restarted, it will use the "someuser:somepass" for outgoing requests for any existing users.

2001-11-30

Changes between EZproxy 1.4e and EZproxy 1.4d include corrections for:

  1. byte-streaming that caused some PDF files to appear as blank pages.
  2. proxying files from a web server running on the same server as EZproxy (e.g., for electronic reserves).
  3. the ezproxy.cfg option "runas" on Linux that prevented all the threads from running under the specified username.

2001-11-07

EZproxy version 1.4d corrected a problem that caused the Linux and Solaris versions to abort under certain conditions.

2001-10-29

Changes between EZproxy 1.4a and EZproxy 1.c include:

  1. an increase in timeout value while handling binary content such as PDF files, eliminating some Acrobat errors.
  2. a Solaris 8 version of EZproxy.
  3. support for Worldbook Online.
  4. new options during login processing to support virtual reference.
  5. extensions for external web page validation. Previously, an entry in ezproxy.usr like:
    ::external=http://auth.yourlib.org/cgi-bin/script?
    would result in EZproxy taking this URL then concatenating the literal "0=", the username from the login form, the literal "&2=", and the password from the login form. EZproxy would then access this URL and scan the results of the script for one of the strings "webchkpass" or "+VALID" (the latter in any form of capitalization), and if it found one of those strings, consider the login valid.

    This first form continues to work, but this has now been extended to allow the inclusion of the special strings "^u" and "^p" in the URL, along with allowing a new option "valid=" to specify what string is considered valid. For example, you might now use:

    ::external=http://auth.yourlib.org/ezpcheck.cfm?user=^u&pass=^p
    which would allow this hypothetical Cold Fusion script to check the variables url.user and url.pass to obtain the username and password that needs to be checked. As show above, the script would need to display +VALID to indicate the login was valid, although you can change this with something like:
    ::external=http://auth.yourlib.org/ezpcheck.cfm?user=^u&pass=^p,valid=known
    which would make EZproxy look for the string "known" instead of the default strings.

2001-08-06

Changes between EZproxy 1.2b2 and EZproxy 1.4a include:

  1. the ability to proxy by hostname (also known as "new strategy proxying").
  2. the ability to have EZproxy perform arbitrary text editing as may be required to address JavaScript compatibility.
  3. the ability to specify alternate menu files for different users. Alternate menus are selected by editing ezproxy.usr and adding lines like these:
    user1:pass1
    ::menu=alt.htm
    user2:pass2
    ::menu=ftp.htm
    ::ftp=ftpserv.yourlib.org
    Each ::menu= line applies to the entries that follow it, so in this example user1 would see the default menu.htm, user2 would see alt.htm, and anyone who authenticated from ftpserv.yourlib.org would see ftp.htm.

    EZproxy looks for all menu files in the docs subdirectory. The filenames may not start with a period and may only contain letters, digits and periods, so a menu name cannot reach outside that directory.

  4. contains corrections for built-in DRA Web2 authentication, including the ability to support barcodes with letters and the ability to limit access by system type using a configuration such as:
    ::draweb2
    url http://...your-real-url-here.../ezp1.html
    system 02,03,05,1*
    /draweb2
    This definition will only allow patrons with a library system code of 02, 03, 05 or any code that starts with a 1 to have access.
  5. corrects a problem when proxying some resources that require username/password authentication.
  6. corrects a problem with "::external" authentication.
  7. allows the acceptance of domain cookies, so that cookies which violate the RFC but are commonly accepted by browsers can be stored.
  8. adds a cookie suppression feature. In some instances, cookies set by other web servers at your site may be sent by the user's browser to EZproxy. EZproxy cannot distinguish these cookies from those set by database vendors, so it normally passes them through. This behavior confuses the IEEExplore login process. To prevent it, use this database definition:
    OPTION NOCOOKIE
    T IEEExplore
    U http://ieeexplore.ieee.org/lpdocs/epic03
    D ieee.org
    OPTION COOKIE
    The placement of OPTION COOKIE and OPTION NOCOOKIE is very important as both of these options take effect starting with the next database definition in the file.
  9. adds special redirection handling. Some web servers use a redirect to embed cookies into users' browsers. If such a redirection occurs at the end of a chain of other redirections (e.g., as occurs during the EZproxy login process), the browser may stop following redirections and leave the user just short of the desired page, often on a page with a link that can then take the user on to the proper page. This behavior has been seen with ABC CLIO EBooks.

    The following definition corrects the ABC CLIO problem. If your definition for this database is slightly different, simply ensure that OPTION REDIRECTPATCH appears before it and OPTION NOREDIRECTPATCH follows it.

    OPTION REDIRECTPATCH
    T ABC CLIO Ebooks
    U http://ebooks1.abc-clio.com/plibrary/read/read.asp?
    DJ abc-clio.com
    OPTION NOREDIRECTPATCH
  10. allows starting point URLs to take the form:
    http://ezproxy.yourlib.org:2048/login?qurl=http%3a%2f%2fwww.somedb.com
    Special characters that appear after qurl= must be "hex quoted" (percent-encoded), in particular & as %26, = as %3d and ? as %3f. As such, the URL:
    http://ezproxy.yourlib.org:2048/login?url=http://www.somedb.com/search?name=db&option=1
    would need to be changed to:
    http://ezproxy.yourlib.org:2048/login?qurl=http%3a%2f%2fwww.somedb.com%2fsearch%3fname%3ddb%26option%3d1

    This alternate form is not required, but is provided for instances where a character-encoded URL is useful, such as when the target URL contains its own query string.

  11. improves compatibility between IE 5.5 and EZproxy servers operating with numeric host names. It eliminates the cookie message that would appear previously, but may not work with all databases. Specifically, numeric host names probably do not allow the use of Dow Jones Interactive, although this has not been confirmed.
  12. adds the ability to specify the port number to be used for LDAP authentication. To specify the port number, include a colon after the host name, followed by the port number, such as:
    ::ldap=ldaphost.yourlib.org:10389,cn=^U,o=yourlib
  13. changes the way host name lookups are handled under Linux.
  14. allows EZproxy to recognize its own rewritten URLs as part of starting point URLs.
  15. adds support for byte range transfers for PDF documents.
  16. corrects a bug that misinterpreted certain valid FTP server responses as invalid.
  17. enhances logging support to record the number of bytes transferred and the actual HTTP status code (previously, the status code was always recorded as 200).
  18. includes a change to improve WebSPIRS compatibility.
  19. improves response time when searching large user authentication text files.
  20. corrects a problem with NT domain login validation that would allow any invalid username with any password to be considered valid if the Guest account was enabled on the machine running EZproxy.
  21. adds the new ezproxy.cfg option:
    COOKIENAME somecookie
    Normally, EZproxy names its own cookie "ezproxy" during authentication. With this option, you can tell EZproxy to use a different cookie name. The name is limited to 16 letters and digits.
  22. changes RADIUS authentication to include the NAS-IP-Address attribute as part of the authentication request and also adds an option to specify an authentication realm with an entry in ezproxy.usr like:
    ::radius=radserv.yourlib.org,secret=linkup,realm=yourlib.org
    When realm= is specified, an @ sign followed by the realm text is automatically appended to the username in the RADIUS request.
  23. adds the new keyword RUNAS to ezproxy.cfg for the Linux and Solaris versions. This keyword specifies the user and group that EZproxy should run as. Sample usage is:
    RUNAS username
    RUNAS username:group
    Both username and group may be specified by text names or numeric values.

    This keyword is mainly useful to have EZproxy change from running as root to running as an unprivileged user after it has started listening on a privileged port such as the standard web server port 80. However, EZproxy does perform some file operations before making this switch, so this keyword should not be considered to mitigate all security issues, but rather to limit the potential security problems that could occur once EZproxy is running.
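Items 8, 9, 21 and 23 above introduce ezproxy.cfg directives whose meaning depends either on position (OPTION COOKIE/NOCOOKIE and OPTION REDIRECTPATCH/NOREDIRECTPATCH take effect from the next database definition onward) or on format (COOKIENAME is limited to 16 letters and digits; RUNAS takes user or user:group). The following Python parser is an added example, not EZproxy's own configuration parser: it models only the directives shown in these notes, and the SAMPLE configuration is constructed from the stanzas in items 8 and 9. Its point is the ordering rule: an OPTION line placed after a stanza's T line does not affect that stanza, only the ones that follow.

```python
"""Added example: a parser for the ezproxy.cfg directives introduced in this
release (not EZproxy's own parser). Only the directives shown in the notes
are modelled; anything else raises. The point is the ordering rule for
OPTION COOKIE/NOCOOKIE and OPTION REDIRECTPATCH/NOREDIRECTPATCH: each takes
effect from the next "T" (database definition) onward.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Database:
    title: str
    cookie: bool            # OPTION COOKIE/NOCOOKIE state when this "T" was read
    redirectpatch: bool     # OPTION REDIRECTPATCH/NOREDIRECTPATCH state likewise
    url: str = ""
    domains: List[str] = field(default_factory=list)   # D and DJ lines
    hosts: List[str] = field(default_factory=list)     # H and HJ lines
    js_rewrite: bool = False                            # set by DJ/HJ


@dataclass
class Config:
    cookiename: str = "ezproxy"            # default cookie name per the notes
    runas: Optional[Tuple[str, Optional[str]]] = None
    databases: List[Database] = field(default_factory=list)


# OPTION name -> (state flag it sets, value)
_OPTIONS = {
    "COOKIE": ("cookie", True), "NOCOOKIE": ("cookie", False),
    "REDIRECTPATCH": ("redirectpatch", True), "NOREDIRECTPATCH": ("redirectpatch", False),
}


def parse_config(text: str) -> Config:
    cfg = Config()
    state = {"cookie": True, "redirectpatch": False}   # assumed defaults
    current: Optional[Database] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.upper(), value.strip()
        if key == "OPTION":
            try:
                flag, on = _OPTIONS[value.upper()]
            except KeyError:
                raise ValueError(f"line {lineno}: unknown option {value!r}") from None
            state[flag] = on          # applies to the next T line, not the current stanza
        elif key == "COOKIENAME":
            if not re.fullmatch(r"[A-Za-z0-9]{1,16}", value):
                raise ValueError(f"line {lineno}: COOKIENAME must be 1-16 letters/digits")
            cfg.cookiename = value
        elif key == "RUNAS":
            user, _, group = value.partition(":")
            if not user:
                raise ValueError(f"line {lineno}: RUNAS needs a user")
            cfg.runas = (user, group or None)   # names or numeric ids, as the notes allow
        elif key == "T":
            current = Database(value, state["cookie"], state["redirectpatch"])
            cfg.databases.append(current)
        elif key in ("U", "D", "DJ", "H", "HJ"):
            if current is None:
                raise ValueError(f"line {lineno}: {key} before the first T line")
            if key == "U":
                current.url = value
            elif key in ("D", "DJ"):
                current.domains.append(value)
            else:
                current.hosts.append(value)
            current.js_rewrite = current.js_rewrite or key.endswith("J")
        else:
            raise ValueError(f"line {lineno}: unsupported directive {key!r}")
    return cfg


# Constructed sample built from the stanzas in items 8 and 9 plus a third
# database placed after the options were switched back.
SAMPLE = """\
COOKIENAME libproxy
RUNAS ezproxy:ezproxy
OPTION NOCOOKIE
T IEEExplore
U http://ieeexplore.ieee.org/lpdocs/epic03
D ieee.org
OPTION COOKIE
OPTION REDIRECTPATCH
T ABC CLIO Ebooks
U http://ebooks1.abc-clio.com/plibrary/read/read.asp?
DJ abc-clio.com
OPTION NOREDIRECTPATCH
T Some Other Database
U http://www.somedb.com/
D somedb.com
"""

if __name__ == "__main__":
    for db in parse_config(SAMPLE).databases:
        print(f"{db.title}: cookie={db.cookie} redirectpatch={db.redirectpatch}")
```

Feeding the parser a stanza in which OPTION NOCOOKIE appears after the T line shows the mistake the notes warn about: that database keeps cookies enabled and the suppression lands on the next one.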
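The qurl= starting-point form from item 10, as an added Python example (not EZproxy code): make_qurl() percent-encodes the target so that its own &, = and ? survive, and target_from_starting_point() shows what an ordinary query-string parser recovers from each form; with the url= form everything after the target's first & is lost. The host ezproxy.yourlib.org:2048 and the target URL are the ones used in the notes. Python's quote() emits upper-case hex (%3A) where the notes show lower case (%3a); both decode identically.

```python
"""Added example: qurl= starting-point URLs (not EZproxy code).

Shows why the notes require "hex quoting" after qurl=: with the plain url=
form, a target that carries its own query string is split by ordinary
query-string parsing and everything after its first & is lost.
"""
from urllib.parse import parse_qs, quote, urlsplit

LOGIN = "http://ezproxy.yourlib.org:2048/login"   # host used in the notes


def make_qurl(target: str) -> str:
    """Encoded form: safe="" turns & = ? / : into %xx so they survive parsing."""
    return f"{LOGIN}?qurl={quote(target, safe='')}"


def make_url(target: str) -> str:
    """Plain form from the notes, which breaks once the target has its own &."""
    return f"{LOGIN}?url={target}"


def target_from_starting_point(starting_point: str) -> str:
    """What a query-string parser recovers as the target (it percent-decodes once)."""
    params = parse_qs(urlsplit(starting_point).query, keep_blank_values=True)
    key = "qurl" if "qurl" in params else "url"
    return params[key][0]


TARGET = "http://www.somedb.com/search?name=db&option=1"   # target from the notes

if __name__ == "__main__":
    print(make_qurl(TARGET))
    print(target_from_starting_point(make_qurl(TARGET)))   # whole target
    print(target_from_starting_point(make_url(TARGET)))    # option=1 is gone
```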

2001-02-11

Differences between EZproxy 1.00e and EZproxy 1.2b include:

  1. changes required to support updated AP Photo Archive, AusStats, Dow Jones Interactive, EBSCO, FirstSearch, Grolier Encyclopedia and Worldbook Online.
  2. correction for LDAP authentication against Microsoft Active Directory.
  3. "prefix=" as an option for ezproxy.usr. This option can be used in conjunction with "O LOGUSER" in ezproxy.cfg to customize usernames logged to ezproxy.log.

    Sample use might be:

    ::domain=student,prefix=student\
    ::domain=employee,prefix=employee\
    These lines would prefix the username recorded in ezproxy.log with "student\" or "employee\".
  4. corrections for III authentication: blank expiration dates are now treated as unlimited, and a field's value is determined solely by the tag portion in brackets rather than by the entire field name.
  5. correction of a problem with the Linux and Solaris versions of EZproxy that caused the ezproxy.msg file to be overwritten.
  6. compensation for problems between webspirs4.informit.com.au:8590 and Solaris.
  7. changes to avoid user reauthentication in instances where the host name in a starting point URL did not match the host name of the EZproxy server. EZproxy now detects this and redirects such a request to its "real" name to avoid the need to reauthenticate the user.
  8. support for Windows NT domain users to change their initial passwords if they are expired. To activate this feature, after installing this version, you must also issue the command:
    ezproxy -mw
    to create the file wexpired.htm in your docs subdirectory. This new file is a customizable template for the pages displayed to the user during password change.
  9. new ezproxy.cfg option:
    OPTION REQUIREAUTHENTICATE
    After adding this line to ezproxy.cfg and restarting EZproxy, you can use these URLs:
    http://ezproxy.yourlib.org:2048/auth?1

    If you enter this URL on a computer that is normally excluded from proxying (and thereby normally not required to log in), EZproxy will set a permanent cookie on the computer indicating that users must log in before accessing databases.

    http://ezproxy.yourlib.org:2048/auth?0

    This URL cancels the requirement that a user must log in before accessing resources through EZproxy.

    http://ezproxy.yourlib.org:2048/auth

    This URL reports whether or not the user will be required to log in.

1999-10-05

EZproxy 1.00d contains the following changes:

  1. The ability to authenticate users against an existing FTP, IMAP or POP server is now built into EZproxy. See User Authentication for details.
  2. Internet Explorer 3.0 users could not complete authentication and instead received the "cookie" message. This is now corrected.
  3. The Linux version had problems accessing some databases using the POST form method. This is now corrected.

1999-08-19

EZproxy 1.00c corrects the following issues:

  1. Transfers of large binary files (especially PDF files) were being terminated prematurely.
  2. External authentication processing and ezproxy.cfg "E" (exclude from proxying) entries could previously conflict in such a manner that external users might not be proxied.
  3. If you use "ML" (maximum session life) or "E" (exclude from proxying) lines in the ezproxy.cfg file, in most instances you must now place them before the first "T" (title) line. These entries can, however, appear later in the file to require user authentication for certain databases regardless of on-site or off-site access, while other databases require authentication only for off-site access. This will be covered more fully in the upcoming documentation for the ezproxy.cfg file.

1999-08-15

EZproxy 1.00b corrects the following issues:

  1. DRA Web2 integration presented the cookie warning screen instead of the unregistered-version screen when used with an unregistered copy of EZproxy.
  2. An option is now available to allow user identifications to be recorded in the ezproxy.log file. This is enabled by adding:

         O LOGUSER

    to the ezproxy.cfg file. External authentication scripts can provide the username for logging by adding "loguser=(name)&" before the "url=" value. See the updated reference scripts under User Authentication for more details.

  3. EZproxy can now attempt to rewrite domain names within JavaScript code. This option may inappropriately rewrite certain web page information, so it should only be used if a web site does not currently work and if you see untranslated URLs within JavaScript code. To enable this option, edit ezproxy.cfg and change the "H" and "D" lines within the database description to "HJ" and "DJ". If you find this is required to make a particular database work, please also send a note to ezproxy@oclc.org.
  4. The "-m" and "-r" command line options caused EZproxy to crash if it was not possible to create files in the current directory.

GeoLite data

This product includes GeoLite data created by MaxMind, available from www.maxmind.com.