EZproxy Changes
2008-04-10
EZproxy 5.0c contains corrections to errors that:
- Led to high processor utilization.
- Prevented SciFinder access from working properly.
- Caused EZproxy to report a critical error and restart when certain unusual URL formats were employed.
2008-04-02
EZproxy 5.0b contains a correction for an issue that resulted in high processor utilization.
2008-03-31
EZproxy 5.0a includes the ability to:
-
View enhanced audit details that incorporate the location associated with the source IP address. See Location to
enable location data and Audit for information on how to enable auditing.
-
Search across audit data to identify suspicious activity, including options to search based on location.
See Location to enable location data and Audit for information on how to enable auditing.
-
Alter user access based on location, including the ability to block access or require additional information for access. See IfCity, IfCountry, and IfRegion
in Common Conditions and Actions.
-
View a summary of database conflicts to identify and correct configuration issues. Access this feature from the EZproxy
Administration page.
-
Develop advanced user authentication and authorization configurations using a new administration page. Access this feature from the
EZproxy Administration page.
-
Redirect users who are being denied access to pages on other web servers.
See Deny -URL.
-
Authenticate against Insignia,
L4U, and
TLC library systems.
-
Manipulate incoming URLs to reformat them for use by EZproxy or to redirect users to edited URLs. See SPUEdit.
-
Route users to databases using referring URL authentication instead of IP authentication. See Referer.
-
Detect when remote web servers have become unavailable and minimize network attempts to such servers until they become available again.
-
Allow sending the real username to OverDrive instead of a user token by adding
-NoTokens to the OverDriveSite directive.
-
Permit a user to be granted access just to the manage token page without having access to other administrative functions by assigning the user to the
Admin.Token group.
-
Support the use of tokens across high availability configurations.
-
Correct an error introduced in EZproxy 4.0f when using NCIP authentication without specifying specific authentication input fields.
-
Enable access to Gartner reports using Gartner's proprietary encryption method.
See Gartner.
-
Enable proxied access to SciFinder Scholar. See
SciFinder.
-
Apply variable find/replace rules to simplify automating access for select databases that use username/password authentication. See Find.
2007-07-11
EZproxy 4.0h contains the following changes:
-
Introduce the ability to perform user authentication against
a SirsiDynix Horizon Information Portal 3.x server. See Horizon Information Portal 3.x Authentication for details.
-
Add support for NetLibrary URL API integration, allowing NetLibrary accounts to be
replaced by single sign-on integration with EZproxy accounts.
Please note that this functionality is not currently compatible with high-availability configurations.
Contact support@oclc.org for configuration assistance with this new option.
-
Correct an error that intermittently prevented IntruderIPAttempts data from
being preserved
across EZproxy restarts.
-
Correct issue that prevented LDAP TestWithUser and Test -Wild from working correctly.
-
Correct issue that prevented the username from being reflected correctly
when a user first accessed by AutoLoginIP and later authenticated
through Shibboleth.
-
Correct issue that prevented proper operation with a mixture of
CAS authentication, high availability, and ExcludeIP.
-
Correct a problem when intermixing groups, AutoLoginIP directives, and
Shibboleth authentication.
-
Incorporates a slight change for Follett authentication.
-
In ezproxy.usr, added new IfQueryStringPass to test whether the password
was provided in the query string, making it possible to block logins
when someone submits their password in this manner instead of through
the login form POST method. A password sent in a query string is recorded
in web server logs, browser history and Referer headers, which is why
blocking it is worthwhile. Sample use:
::Common
IfQueryStringPass; Deny loginbu.htm
/Common
This logic should appear as the first part of ezproxy.usr. As shown above,
EZproxy will immediately send loginbu.htm, which is the normal behavior
if a username/password is provided incorrectly. If you prefer, you
can use a different file for Deny to provide the user with feedback
indicating that this is not permitted.
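The IfQueryStringPass condition blocks the request at login time; the same pattern can also be hunted for after the fact, because a password submitted in a query string is written to the access log. The following Python is an added example, not EZproxy code: it scans constructed Apache-style log lines (the default EZproxy LogFormat of `%h %l %u %t "%r" %s %b` is assumed; adjust the regex if yours differs) for GET requests to /login whose query string carries a credential parameter, and reports only the parameter names, never the values, so the report does not itself leak the password.

```python
"""Flag EZproxy login requests that carried credentials in the query string.

Added example, not EZproxy code. The log format below is assumed to be the
common log format; the sample lines are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jul/2007:10:01:02 -0500] "POST /login HTTP/1.1" 302 0
192.0.2.11 - - [11/Jul/2007:10:01:09 -0500] "GET /login?user=jdoe&pass=secret123&url=http://www.somedb.com/ HTTP/1.1" 302 0
192.0.2.12 - - [11/Jul/2007:10:02:30 -0500] "GET /login?url=http://www.somedb.com/ HTTP/1.1" 200 1874
192.0.2.13 - - [11/Jul/2007:10:03:44 -0500] "GET /login?auth=opac&pass=hunter2 HTTP/1.1" 302 0
"""

# %h %l %u %t "%r" %s ... : host, ident, user, [timestamp], "METHOD target proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Form field names that carry a secret and must only ever travel in a POST body.
CREDENTIAL_PARAMS = {"pass", "password", "pin"}


def find_querystring_credentials(log_text):
    """Return [(ip, timestamp, [offending param names])] for GET /login requests
    whose query string contains a credential parameter.

    Only parameter names are reported; values are deliberately never extracted.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/login":
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(CREDENTIAL_PARAMS & set(params))
        if leaked:
            hits.append((m["ip"], m["ts"], leaked))
    return hits


if __name__ == "__main__":
    for ip, ts, names in find_querystring_credentials(SAMPLE_LOG):
        print(f"{ts} {ip} sent {', '.join(names)} in the query string")
```

Run against the real ezproxy.log (or its rotated copies) to find clients and bookmarklets that hard-code credentials into login URLs before turning on the Deny.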
2007-03-12
EZproxy 4.0g contains the following changes:
-
Slight change to correct a problem encountered by some sites
when proxying InfoTrac products. A sample problem included
long hit lists being truncated.
-
Add ezproxy.cfg "Option DisableSSL40bit" to direct EZproxy not to
negotiate https connections with 40-bit keys.
-
Change behavior when handling Location redirects with relative URLs that
begin with a ? to enable select Newsbank links to work correctly,
particularly extended links from Serials Solutions.
-
Correct an issue that prevented group memberships for groups containing
spaces from being restored correctly during a restart.
-
Add new Timeout directive for LDAP authentication to specify the
maximum amount of time in seconds that EZproxy should wait for
an LDAP server to respond before giving up. Sample use:
::LDAP
BindUser CN=ezproxy,CN=users,DC=yourlib,DC=org
BindPassword verysecret
Timeout 10
URL ldap://ldapserv.yourlib.org/CN=users,DC=yourlib,DC=org?sAMAccountName?sub?(objectClass=person)
Unauthenticated; Stop
Timeout may appear anywhere after ::LDAP but before URL.
-
Add new ezproxy.cfg "Option ForceHttpsAdmin" which forces all access
to EZproxy administration pages to occur through an https connection.
-
Add a new -ActiveIP qualifier for the AnonymousURL directive that
specifies that the user may access a URL matching the AnonymousURL
directive only if that user is also currently accessing from an IP address
associated with an authenticated user. Sample use:
AnonymousURL -ActiveIP +http://www.somedb.com/*
Such access may fail if a user is accessing through a network that
uses multiple proxy servers such as AOL.
-
Destination URLs in starting point URLs that are authorized through
an AnonymousURL directive now provide immediate access. In previous
versions of EZproxy, such URLs had to appear in rewritten form to work.
For example:
AnonymousURL -RE +http://www.somedb.com/[^?]+\.rss
Title Some Database
URL http://www.somedb.com/
Domain somedb.com
would only have allowed a rewritten URL such as
http://www.somedb.com.ezproxy.yourlib.org/feed.rss to be used by
an RSS aggregator whereas this new version would also allow
access if requested by http://ezproxy.yourlib.org/login?url=http://www.somedb.com/feed.rss
-
Adds Follett library system authentication. A sample entry
for ezproxy.usr is:
::Follett
URL http://fsc.yourlib.org
/Follett
-
Adds Sagebrush InfoCentre library system authentication. A sample entry
for ezproxy.usr is:
::Sagebrush
URL http://sagebrush.yourlib.org
/Sagebrush
2006-12-10
EZproxy 4.0f contains the following changes:
-
Correct an issue in EZproxy 3.6i through 4.0e
that can cause EZproxy to restart
if it receives a particular URL from an IP address within an ExcludeIP
address range.
Sites running one of these versions of EZproxy that do not use the
"/limited" directory can add:
IncludeIP 0.0.0.0-255.255.255.255
as the last line of ezproxy.cfg to avoid this possibility. Sites using
EZproxy 3.6i through 4.0e that use the "/limited" directory are encouraged
to update to EZproxy 4.0f.
-
Correct an issue that could cause the Solaris versions of EZproxy to
restart under heavy load.
-
Add the ability to generate SHA512 hashes of passwords for use in
ezproxy.usr. Sample use from a command prompt or shell to generate a SHA512 hash:
ezproxy SHA512 testing
$021NGKBG$FTRoPxyZ1S2O2bJ5qRtlXcI/tKPXZRoaQojBFZKWOif0g5Fionk07Bo13fN2+a/kmL8w80VumtcA2m1ENEiT2A
Sample use in ezproxy.usr for this password:
someuser::SHA512=$021NGKBG$FTRoPxyZ1S2O2bJ5qRtlXcI/tKPXZRoaQojBFZKWOif0g5Fionk07Bo13fN2+a/kmL8w80VumtcA2m1ENEiT2A
-
The Shibboleth metadata used by ShibbolethSites may now be in
either Shibboleth 1.2 or 1.3 format.
-
NCIP authentication now allows the specification of which values should
be sent to the NCIP server. Sample use:
::NCIP
AuthenticationInput user Barcode Id
AuthenticationInput pass PIN
Server ncip.yourlib.org
/NCIP
You can specify any number of AuthenticationInput directives. The
first argument can be user, pass, or pin and specifies that the login
form field user, pass, or pin should be used. The balance of the
directive is the NCIP authentication input field and will most commonly
be one of Barcode Id, PIN, Password, or User Id. In the absence of
any AuthenticationInput directives, the user field is sent as Barcode Id
and the pass field is sent as PIN.
-
The Cookie directive for pre-loading cookie values into a session is
now affected by Group directives, allowing different values to be pre-loaded
based on group membership. Sample use:
Group Legal
Cookie somecookie=legal; domain=.somedb.com
Group Medical
Cookie somecookie=medical; domain=.somedb.com
Group Legal+Medical
Title Some Database
URL http://www.somedb.com
Domain somedb.com
In this example, if a user is a member of the Legal group, the cookie
somecookie is pre-loaded with the value of legal, whereas if the user is
a member of the Medical group, the cookie somecookie is pre-loaded with
the value of medical. If the user is a member of both groups, the first
Cookie directive that matches take precedence, so the cookie somecookie
would have the value legal in this scenario.
2006-10-27
EZproxy 4.0e contains the following changes:
- The Athens-enabled versions of EZproxy have been released.
- Added Solaris 10 (x86) as an officially supported platform. At this
time, Athens does not support this platform, so there is no Athens-enabled
version of EZproxy for this platform.
-
Allow a certificate to be associated with database definitions to allow
client authentication to remote databases.
SSLCert with a certificate number
should appear before the Title line of the first database
definition that should be affected, and SSLCert without a certificate
number should appear before the Title line of the first database definition
where the certificate should no longer be sent. The certificate
number can be found on the SSL administration page.
Sample use:
SSLCert 5
Title Some Database that will receive the certificate
URL http://www.somedb.com
Domain somedb.com
SSLCert
Title Other Database that will not receive certificate
URL http://www.otherdb.com/
Domain otherdb.com
See Importing a PEM-formatted Certificate into EZproxy for information on how
to import a certificate into EZproxy.
-
Extend IntruderIPAttempts to allow different limits based
on source IP address. Sample use:
IntruderIPAttempts -IP=10.0.0.0-10.255.255.255 -Interval=5 -Expires=1 50
IntruderIPAttempts -Interval=5 -Expires=15 20
In this example, users accessing from a 10.* address will be given 50
attempts in a 5-minute window and will be allowed to try again after
1 minute of being locked out, whereas all other IP addresses are given
20 tries within a 5-minute window and then locked out for 15 minutes.
-
Extend RADIUS authentication to allow the NAS port type and NAS
port to be specified. To add the NAS port type, include a semi-colon (;)
after the RADIUS server name (and UDP port) and
then either the keyword virtual
to specify the virtual port type or a numeric code for the port
type as defined in the RADIUS RFC. To add the NAS port, include
a semi-colon (;) after the NAS port type and include the port number.
If you want to specify only a NAS port but not a port type, use
two semi-colons (;) after the RADIUS server.
Sample use:
# Virtual port type, no NAS port specified
::RADIUS=radserv.yourlib.org;virtual,Secret=shhhh
# Virtual port type, NAS port 1
::RADIUS=radserv.yourlib.org:1645;virtual;1,Secret=shhhh
# No port type specified, NAS port 1
::RADIUS=radserv.yourlib.org:1812;;1,Secret=shhhh
Note that the :1645 and :1812 in these examples demonstrate including
the UDP port for communication with the RADIUS server, which is
completely different from the NAS port.
-
By default, ExcludeIPBanner only causes the banner to be sent once
during a browser session. This behavior can now be modified to direct
EZproxy to send the banner every time an exclude URL is accessed
by adding the -Always option. Sample use:
ExcludeIPBanner -Always policy.html
-
Corrects an issue when "URL -RewriteHost" and AutoLoginIP are combined.
-
Corrects an issue that prevented EZproxy 4.0 for Linux from
authenticating with ldaps.
2006-09-12
EZproxy 4.0d contains the following change:
-
Correct an issue introduced in EZproxy 4.0c that prevented ::External
from working unless a Valid=value was included.
2006-09-10
EZproxy 4.0c contains the following changes:
-
Corrects an error that prevented large POST requests over https connections
from forwarding all data correctly.
-
By default, when EZproxy performs external authentication, it looks for the
"valid" string in both the header and body of the response from the remote
web server. Starting with this release, the valid string can be prefixed
with header: or body: to specify that EZproxy should only look in the
header or the body. Sample use:
::External=http://www.yourlib.org/ezproxy.cgi,Post=user=^u&pass=^p,Valid=body:OK
-
Contains a security update for a small number of institutions. The
affected institutions have been contacted directly.
2006-08-18
EZproxy 4.0b contains the following changes:
-
Correct an issue introduced in EZproxy 3.8a that affects the ability
to download binary content including the ebrary reader plug-in,
Word documents, and RTF documents.
-
Correct an issue with passwords generated by "ezproxy obscure" and used
by "BindPassword -obscure". Passwords generated in EZproxy 3.8a through
EZproxy 4.0a will have to be regenerated.
-
Add support for EZproxy to transfer user authentication information
to other systems for single sign-on. Sample ezproxy.cfg entry:
SSO -Secret=abcdefghijklmnopqrstuvw -URL=http://www.yourlib.org/sso.php abc
Example PHP scripts are available at phpsso.tar and example
Perl scripts are available at perlsso.tar.
-
Correct an issue when using MetaFind in a high availability configuration
with Factiva.
-
Add new PDFRefreshPre and PDFRefreshPost directives to alter the
text that appears before and after the link that is generated when
a starting point URL refers to a PDF document. Sample use with the
default values is:
PDFRefreshPre To access this document, wait a moment or click <a href="
PDFRefreshPost ">here to continue
To make the link appear only in browsers that have JavaScript disabled, use:
PDFRefreshPre <noscript>To access this document, wait a moment or click <a href="
PDFRefreshPost ">here</a> to continue</noscript>
EZproxy will always insert the actual link between these two items, but
if you want to override the link, you can use <!-- at the end of
PDFRefreshPre and --> at the beginning of PDFRefreshPost to place the
link into an HTML comment.
-
Correct a flaw that caused inaccurate warnings to be logged to
ezproxy.msg for
DRAWeb2's System and Type conditions,
III's PartialNameMatch action and Test condition, and
Ticket's MD5 and SHA1 actions.
-
Add new common condition "IfPassword wildpass" to test the value of
the supplied password. Can be used as "IfPassword;" to test to see if the
user did not provide any password.
2006-08-02
EZproxy 4.0a contains the following changes:
-
Unify and extend common conditions and actions
used by Athens, CAS, DRAWeb2, III, LDAP,
NCIP, ODBC, Shibboleth, SIP, and Ticket. This requires slight
changes to existing ezproxy.usr
for DRAWeb2,
III,
LDAP, and
Ticket configurations.
-
A version of EZproxy that is Athens-enabled is available for beta testing.
For more information, send an email message to
ezproxy@oclc.org.
-
Add AutoLoginIPBanner and
ExcludeIPBanner
to augment the ezproxy.usr directive ::Banner and the
common action Banner.
-
Add support for EZproxy to perform user authentication by testing a username
and password against a URL that is protected by "HTTP basic" authentication.
Sample use is:
::HTTPBasic=http://www.yourlib.org/secure/index.html
In this example, http://www.yourlib.org/secure/index.html should be a URL
that normally sends a "401 authentication required" response, triggering
a user's browser to display a username/password dialog box. If you provide
a URL that does not require authentication, EZproxy will allow the use of
any username and password, so this should be used with great care.
-
The "URL -form=(get|post) name url" form of database definition has
been extended.
-
The same name can now appear multiple times in
ezproxy.cfg with different groups used to protect different versions.
This allows the use of different destination URLs and different
FormVariables based on user group membership. In this configuration,
EZproxy will always use the first database definition in ezproxy.cfg that
matches the remote user's group membership.
- In FormVariable, you can include ^0 through ^9 in the values to
direct EZproxy to substitute values from "UsrVar" variables that are set
during user authorization. You can also use ^I to include the
remote user's source IP address.
-
In FormVariable, if you specify a variable name but do not include an equal
sign, this directs EZproxy to allow the user to specify a value in the URL
that should be included when accessing the remote site. For instance:
Title Some Database
URL -form=get somedb http://www.somedb.com/search.cgi
FormVariable index=author
FormVariable term
allows the use of an EZproxy URL such as:
http://ezproxy.yourlib.org/login/somedb?term=Twain
to specify that EZproxy should take the value Twain and pass it on
as the value of the term variable, resulting in a destination URL of:
http://www.somedb.com/search.cgi?index=author&term=Twain
-
"Option GroupInReferer" directs EZproxy to include the group that authorized
access to a database definition in the referring URL.
This option should appear before the Title line of the database and may
be later reversed with "Option NoGroupInReferer". For example, if a user
in group Default accessed:
Option GroupInReferer
Title Some Database
URL -form=get somedb http://www.somedb.com/
the referring URL would be similar to:
http://ezproxy.yourlib.org/login/2/Default/somedb
-
Removed requirement that an SSL certificate be active before EZproxy
can connect to SSL-based authentication servers to verify
usernames and passwords. For example, in
previous versions of EZproxy, you could not use
external authentication to an https URL unless EZproxy had been configured
with an SSL certificate. However, as before, all SSL functions are disabled
if no EZproxy license is installed, and if you want to proxy access to https
web sites, you will still need to configure SSL.
-
Add "Option RecordPeaks" to direct EZproxy to record the peak values reached
for active sessions, concurrent transfers, and virtual hosts to ezproxy.msg. EZproxy
records values for active sessions and virtual hosts at startup, then
records additional entries as new peaks are reached.
Peak values are checked once a minute to determine if new values should
be recorded.
-
Add ezproxy.usr IfAfter and IfBefore to test if the current date is after and/or before
a date specified in YYYY-MM-DD format. The date may be followed by
a semi-colon and the name of a file to send to the user if access
is attempted outside the specified date. Sample use:
# user1 may access starting January 1st, 2006 or later
user1:pass1:IfAfter=2006-01-01
# user2 may access up to July 1, 2007, but not on or after
user2:pass2:IfBefore=2007-07-01
# user3 may access starting July 1st, 2006 and up to
# but not including August 1, 2006
user3:pass3:IfAfter=2006-07-01,IfBefore=2006-08-01
-
Allow authentication based on a username provided in a request header, such
as would occur when using SiteMinder in front of EZproxy. Sample use in ezproxy.usr is:
::HeaderUser=SM-User
-
Change that may affect the network connectivity test when used with
certain firewalls.
-
Add support for Siku Quanshu. The Siku Quanshu database should be defined
like this:
Option UTF16
Title Siku Quanshu
URL http://skqs.yourlib.org
DJ skqs.yourlib.org
Option NoUTF16
replacing skqs.yourlib.org with the name of your Siku Quanshu server.
-
Enhanced the AnonymousURL directive to support regular expressions.
2006-07-07
EZproxy 3.8a contains the following changes:
-
Add support required for the EZproxy/Blackboard Building Block
to work with Blackboard 7.1.
-
You can specify the source IP address to use when connecting to
remote web servers on a user-by-user basis through ezproxy.usr.
Sample usage:
::SourceIP=24.249.162.194
jdoe:secret
::File=users194.txt
::SourceIP=24.249.162.195
::File=users195.txt
In the above example, user jdoe and all the users in users194.txt would
use 24.249.162.194 as the source IP for requests, but users from
users195.txt would use 24.249.162.195.
The Interface directive can be used to assign specific source IP addresses
for databases. An explicit Interface assignment in ezproxy.cfg takes
priority over ::SourceIP. If you need to use Interface to modify
LoginPort directives, you can use "Interface Any" before the first
Title directive to ensure that SourceIP will still function.
-
Allow the "/form" URL to accept auth=, such as:
http://ezproxy.yourlib.org:2048/form?auth=opac&qurl=http%3a%2f%2fscholar.google.com%2fscholar
See also Creating Public Forms to Proxied Resources.
-
Correct issue that prevented EZproxy from being able to untangle
starting point URLs written in the form:
http://ezproxy.yourlib.org/login?url=http://www.somedb.com.ezproxy.yourlib.org
-
Add IfURL condition to ezproxy.usr, allowing constructions such as:
::IfURL=http://www.yourlib.org/*,DocsCustom=yourlib
to allow custom pages to be triggered based on the destination of
a starting point URL.
IfURL is a general condition that can be combined with other ezproxy.usr
directives.
-
Add an ezproxy.usr option to associate a directory to users to allow
custom versions of the files in the docs directory to be sent to remote
users. For example, you can use the Auth test to associate
incoming users to different files during login, such as:
::Auth=branch1,DocsCustom=dir1
::Auth=branch1,File=branch1.usr
::Auth=branch2,DocsCustom=dir2
::Auth=branch2,File=branch2.usr
to indicate that if EZproxy sees Auth=branch1 in an incoming login
URL, it should look for files such as login.htm in the docs/custom/dir1
directory first, and if it does not find a copy of the file, then it
should look in docs.
If the user logs in successfully, the DocsCustom
is transferred to the user session, allowing EZproxy to continue to
look for custom versions of files such as menu.htm and error messages.
-
Add ezproxy.usr condition IfLanguage to allow variant behavior based
on the Accept-Language header from the remote user's browser.
-
The obscure feature has a flaw that prevents it from working
consistently. This is corrected in EZproxy 4.0b. Using this feature
in versions prior to 4.0b is not recommended.
Add the ability to obscure the password used for BindPassword. To create
the obscured version of a password, invoke EZproxy with obscure and the
password, such as:
ezproxy obscure somepassword
In ezproxy.usr, insert the obscured value into the LDAP configuration
like this:
BindPassword -Obscure MVpJRjDh6AhGYy72LMGYKnoAL06r
Obscured passwords are case-sensitive, so copy the value exactly as it
appears from the ezproxy obscure command.
-
Change the administrative Decrypt Tokens option to Manage Tokens, including
the ability to translate EZproxy usernames into their corresponding
token values instead of only being able to decrypt token values back to
EZproxy usernames.
-
Correct an issue with IntruderIPAttempts -Reject.
2006-06-18
EZproxy 3.6i contains the following changes:
-
In prior versions of EZproxy, if a user entered EZproxy through a
ticket URL, the user would be proxied even if the user's source IP
address was within an ExcludeIP range. Starting with 3.6i, such a user is
redirected to the real URL, giving priority to the ExcludeIP behavior.
If the previous behavior is required, add the following line anywhere
in ezproxy.cfg:
Option TicketIgnoreExcludeIP
-
Add support for the HTTP SOAPAction header.
-
Add "IP" as a condition that can be tested in CAS, NCIP, ODBC, and
Shibboleth (in ezproxy.usr for the first three and shib.usr for the last).
IP accepts one or more ranges and tests true if the remote user is
accessing from one of the addresses. Sample use:
IP 192.168.0.0-192.168.1.255:192.168.5.0-192.168.5.255; Group +Medical
In this example, if the user is accessing from an address that starts
192.168.0, 192.168.1, or 192.168.5, the user is also added into the
Medical group.
You can place "Not " in front of IP to check that the user is not accessing
from one of the addresses, such as:
Not IP 192.168.0.0-192.168.1.255; Group +Remote
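The IP condition above and the per-range IntruderIPAttempts limits described under 4.0e (50 attempts in a 5-minute window with a 1-minute lockout for 10.* addresses; 20 attempts and a 15-minute lockout for everyone else) are easy to misjudge without running them. The Python below is an added example, not EZproxy code: it parses the colon-separated range syntax, answers the IP and Not IP tests, and models the lockout policy as a sliding window so the thresholds can be checked against simulated failures. How EZproxy itself counts attempts internally is not documented on this page, so the window semantics (lock on the Nth failure inside the interval, first matching rule wins) are an assumption of the model.

```python
"""Model of EZproxy IP range tests and per-range IntruderIPAttempts lockouts.

Added example, not EZproxy code. The sliding-window semantics are assumed;
EZproxy's internal counting may differ. Rules are evaluated in the order given,
mirroring the order of IntruderIPAttempts lines in ezproxy.cfg.
"""
from collections import deque
from ipaddress import IPv4Address


def parse_ranges(spec):
    """Parse 'a-b:c-d:e' into [(lo, hi), ...] as integers; a bare address is a range of one."""
    ranges = []
    for item in spec.split(":"):
        lo, _, hi = item.partition("-")
        lo_i = int(IPv4Address(lo.strip()))
        hi_i = int(IPv4Address(hi.strip())) if hi else lo_i
        if hi_i < lo_i:
            raise ValueError(f"range {item!r} is inverted")
        ranges.append((lo_i, hi_i))
    return ranges


def ip_in_ranges(ip, ranges):
    """The IP condition; 'Not IP' is simply the negation of this result."""
    n = int(IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


class Rule:
    """One IntruderIPAttempts line: [-IP=range] -Interval=min -Expires=min attempts."""

    def __init__(self, attempts, interval_min, expires_min, ip_spec=None):
        self.attempts = attempts
        self.interval = interval_min * 60      # seconds
        self.expires = expires_min * 60        # seconds
        self.ranges = parse_ranges(ip_spec) if ip_spec else None  # None = catch-all


class IntruderTracker:
    def __init__(self, rules):
        self.rules = rules
        self.failures = {}       # ip -> deque of failure timestamps (epoch seconds)
        self.locked_until = {}   # ip -> epoch seconds when the lockout ends

    def rule_for(self, ip):
        for rule in self.rules:
            if rule.ranges is None or ip_in_ranges(ip, rule.ranges):
                return rule
        return None

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register a failed login at `now`; return True if the address is locked out."""
        if self.is_locked(ip, now):
            return True
        rule = self.rule_for(ip)
        if rule is None:
            return False
        window = self.failures.setdefault(ip, deque())
        window.append(now)
        while window and window[0] <= now - rule.interval:   # expire old failures
            window.popleft()
        if len(window) >= rule.attempts:
            self.locked_until[ip] = now + rule.expires
            window.clear()
            return True
        return False


# The two lines from the 4.0e example, as rules.
EXAMPLE_RULES = [
    Rule(50, interval_min=5, expires_min=1, ip_spec="10.0.0.0-10.255.255.255"),
    Rule(20, interval_min=5, expires_min=15),
]

if __name__ == "__main__":
    tracker = IntruderTracker(EXAMPLE_RULES)
    for i in range(20):
        locked = tracker.record_failure("203.0.113.5", i)
    print("203.0.113.5 locked after 20 failures:", locked)
```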
-
In some instances where a starting point URL pointed to a PDF document,
the browser back button was disabled. This version contains an alternate
approach to handling these links to help avoid this issue.
-
Add ezproxy.cfg "Option DisableSSLv2" to direct EZproxy
to disable any SSLv2 support. This option must appear before any
LoginPortSSL directives.
-
Add support for OverDrive external authentication.
-
Correct issue that prevented unrecognized destination URLs from reporting
status code 599 and %{ezproxy-spuaccess}i unknown when submitted
under certain scenarios.
-
Contains a change to support Factiva Search 2.0.
-
Add application/rdf+xml and application/rss+xml as MIME types that EZproxy should rewrite.
2006-04-28
EZproxy 3.6h contains the following changes:
-
Slight change in domain-based cookie handling that affected InfoTrac
and NetLibrary in some instances.
-
Correct cookie/daylight savings issue that was preventing
public-record.com from working properly.
-
Correct issue that prevents enforcement of group restrictions for
special database configuration such as "URL -append", "URL -form" and
"URL -redirect".
-
Add ezproxy.cfg directive "SendBufferSize" to specify the maximum
send buffer size to use when communicating with other systems.
This directive is rarely required and should only be applied when
recommended by Useful Utilities.
-
Add ezproxy.cfg directive "ReceiveBufferSize" to specify the maximum
receive buffer size to use when communicating with other systems.
This directive is rarely required and should only be applied when
recommended by Useful Utilities.
-
Correct issue that caused the logging username to be corrupted in
certain unusual circumstances.
2006-04-06
EZproxy 3.6g contains the following change:
-
Corrects an error with auditing that can cause the Solaris version of
EZproxy to restart and records "(null)" in the other field on
Linux and Windows.
2006-04-02
EZproxy 3.6f contains the following changes:
-
Withdrew Audit events Login.Success.Password and Login.Failure.Password
due to potential conflicts they might pose to some sites during
security reviews.
-
Correct issue that prevented audit event Login.Success.Groups from working properly.
-
Correct issue with URL -append -encoded.
-
Allow a specific username other than auto to be associated with
AutoLoginIP lines. Sample usage:
AutoLoginIP -user=main 68.14.0.0-68.14.1.255
AutoLoginIP -user=science 68.14.2.0-68.14.2.255
-
When viewing audit events, add the option to have the audit page automatically
refresh when viewing the current day's events.
-
Corrects an issue that prevents the EZproxy login cookie
from being set when using high
availability configurations (HAName and HAPeer).
-
Corrects cookie handling issue that prevented Lexis-Nexis HK from
working correctly. Also introduces new "Option NoHttpsHyphens" and
"Option HttpsHyphens" directives which can appear before and after a database
definition to tell EZproxy not to change periods to hyphens for
specific databases when using a wildcard certificate. Sample usage:
Option NoHttpsHyphens
Title LexisNexis Hong Kong
URL http://www.lexisnexis.com/hk
DJ lexis-nexis.com
DJ lexisnexis.com
DJ lexis.com
DJ cispubs.com
HJ web.lexis-nexis.com
HJ web.lexisnexis.com
HJ www.lexis-nexis.com
HJ www.lexisnexis.com
DJ lexisnexis.com.au
DJ lexisnexis.com.hk
Find GetCookie("LNAUTH")
Replace "LNAUTH-IP"
Find NAME="_PRIORREFERER" VALUE="http://
Replace NAME="_PRIORREFERER" VALUE="http://^A
Option HttpsHyphens
# Databases from here on will have the normal change of
# periods to hyphens in https hostnames
-
Add "IgnorePassword" directive to LDAP. This option is appropriate when you
have authenticated the user through another system, and want to access
LDAP solely to make authorization decisions, such as might occur when using
Blackboard or CAS authentication. This option must appear before the
URL line and should be used with great care. This sample demonstrates
a configuration using the EZproxy Blackboard Building Block for full
integration of login, where alumni are allowed to use Blackboard and so
are able to authenticate, alumni must nevertheless be kept out of EZproxy,
LDAP knows about the alumni status, but nothing in Blackboard is testable.
*** ezproxy.usr ***
::Ticket,File=filter.usr
SHA1 sharedsecret
/Ticket
*** filter.usr ***
::LDAP
IgnorePassword
URL ldap://ldapserv.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person)
Test eduPersonAffiliation alum; Deny alum.html
/LDAP
2006-03-20
EZproxy 3.6e contains the following changes:
-
Correct issue that prevented unauthenticated users who tried to access the
/admin EZproxy Administration page
from an ExcludeIP (on-site) address from getting the chance to log in.
The same issue also prevented the loggedin directory from requiring
local users to log in under some circumstances.
-
Correct issue that prevented Audit from recording usernames in some
instances.
2006-03-17
EZproxy 3.6d contains the following changes:
-
When using the Audit directive to record only specific events,
additional unrequested events were also being audited.
-
The CookieName directive did not work properly in EZproxy 3.6c.
-
An error introduced in EZproxy 3.6c could prevent CAS and
Shibboleth for working correctly.
-
SIP was enhanced to allow access to additional
patron information for making user authorization decisions.
2006-03-10
EZproxy 3.6c contains the following changes:
-
Support for EBSCO's Visual Search.
-
Added new auditing facility, enabled with ezproxy.cfg directive
Audit such as:
Audit Most
to have most events audited. See Audit for detailed information on this directive.
-
Correct issue with enforced UsageLimits where a remote user did not appear
on the UsageLimit administration page as being locked out, and yet the
user remained locked out until EZproxy was restarted.
-
LoginPort and LoginPortSSL now accept a -Virtual qualifier to direct
EZproxy to act as though it uses one set of ports when it is actually
using another, simplifying the placement of EZproxy behind proxy
servers and some network address translation servers. Sample usage:
LoginPort -Virtual 80
LoginPort 8080
LoginPortSSL -Virtual 443
LoginPortSSL 8443
In this configuration, EZproxy will act as though it is using port 80 for
http and port 443 for https, but will only listen for such requests on ports
8080 and 8443.
-
Scripts that are called through the ::External method can now respond with:
ezproxy_deny=somefile.htm
This directs EZproxy to deny the user access and to look in the docs subdirectory for a file
named somefile.htm which is sent to the remote user to specify why access is being denied.
-
Added ability to specify different session lifetimes through ezproxy.usr, particularly to allow a shorter session lifetime for temporary sessions created by
metasearch products. Sample use:
::Lifetime=5
metauser:metapass
::Lifetime=0
# The rest of ezproxy.usr ...
In this example, any session created for "metauser" expires after 5
minutes, instead of the normal expiration which defaults to 120 minutes.
The ::Lifetime=0 tells EZproxy to apply the system default to anyone who logs
in with information that appears further on in ezproxy.usr.
-
Resolved issue that prevented Factiva and ProQuest CINAHL from
working with III MetaFind.
-
Change ::CGI redirect to allow use of ^R to include a URL-safe reference
to the destination URL, which can simplify the preservation of the
destination URL as it passes through a remote CGI script.
cgiuser:cgipass:CGI=http://www.yourlib.org/ezproxy.cgi?url=^R
-
Add ::Comment to ezproxy.usr to allow inclusion of arbitrary comments
into Login.Success audit records. For example:
::Comment=Student FTP
::FTP=student.yourlib.org
::Comment=Employee FTP
::FTP=employee.yourlib.org
-
Correct error in processing group restrictions to databases.
-
Correct error in cookie handling that affected NetLibrary and could
affect other databases as well.
-
Correct error in Shibboleth that caused domain scoping of attributes
to fail to be recognized correctly if Domain does not have a regexp attribute.
Also extend the shib.usr MapUser directive to add the -AppendScope directive
to direct EZproxy to append @ and the scope value to the end of the
specified attribute when using it as the EZproxy username.
-
Revision to Option SafariCookiePatch to avoid warning when using
proxy by hostname and SSL without a wildcard certificate.
-
Add new option to allow the username to be included with the htm files
served from the docs subdirectory. To enable this, add:
Option Username^N
to ezproxy.cfg and restart. After that, you can insert ^N in the various
.htm files to have EZproxy include the username of the logged in user when
it sends the file. Given the privacy implications, this option should be
used with care.
-
Add AddUserHeader directive to have EZproxy include a header containing the
current user's username when proxying to a database. Format:
AddUserHeader -base64 headername
The -base64 is an optional qualifier to indicate that the username
should be encoded in base64.
This directive is position-dependent, allowing its use to vary by
database. For example:
AddUserHeader X-User
Title Some Database
URL http://www.somedb.com
Domain somedb.com
AddUserHeader X-Username
Title Other Database
URL http://www.otherdb.com
Domain otherdb.com
Title Another Database
URL http://www.anotherdb.com
Domain anotherdb.com
AddUserHeader
Title Yet Another Database
URL http://yanotherdb.com
Domain yanotherdb.com
In this example, Some Database receives the X-User header, Other
Database and Another Database receive the X-Username header, and
Yet Another Database does not receive any header at all.
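The position-dependent rule above, worked through in an added Python example (not EZproxy's own code): it walks a cfg fragment, reports which header each database receives, and renders the header value, including the -base64 form. The cfg text is constructed for this example and adds a -base64 qualifier that the changelog's sample does not use.

```python
# Added example, not EZproxy code: resolve the AddUserHeader setting that
# applies to each database stanza and render the header for one request.
import base64

# Constructed ezproxy.cfg fragment (adds -base64 on one line to show it).
SAMPLE_CFG = """\
AddUserHeader X-User
Title Some Database
URL http://www.somedb.com
Domain somedb.com
AddUserHeader -base64 X-Username
Title Other Database
URL http://www.otherdb.com
Domain otherdb.com
Title Another Database
URL http://www.anotherdb.com
Domain anotherdb.com
AddUserHeader
Title Yet Another Database
URL http://yanotherdb.com
Domain yanotherdb.com
"""


def resolve_user_headers(cfg_text):
    """Return {title: (header_name, base64_flag)}.

    AddUserHeader is position-dependent: the most recent AddUserHeader line
    before a Title applies to that database, and a bare AddUserHeader turns
    the header off again for everything that follows.
    """
    current = (None, False)          # no header until one is configured
    result = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, rest = line.partition(" ")
        directive = directive.lower()
        if directive == "adduserheader":
            tokens = rest.split()
            use_b64 = bool(tokens) and tokens[0].lower() == "-base64"
            if use_b64:
                tokens = tokens[1:]
            current = (tokens[0], use_b64) if tokens else (None, False)
        elif directive == "title":
            result[rest.strip()] = current
    return result


def build_user_header(setting, username):
    """Render the header line for one proxied request, or None if the
    database gets no header. Base64 is only an encoding: the database
    operator still learns the username, which is the privacy trade-off
    to weigh before enabling the directive for a vendor."""
    name, use_b64 = setting
    if name is None:
        return None
    value = base64.b64encode(username.encode()).decode() if use_b64 else username
    return f"{name}: {value}"


if __name__ == "__main__":
    settings = resolve_user_headers(SAMPLE_CFG)
    for title, setting in settings.items():
        print(f"{title}: {build_user_header(setting, 'jdoe')}")
```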
-
Change Linux/Solaris -si to include a symbolic link in the rc2.d
directory to ensure automatic startup for Debian.
-
Slight adjustments to the method in which
StartMuseCookie and StartMuseRefer are processed for MetaFind.
-
Bug corrected that prevented www.sourceoecd.org from being proxied correctly.
-
Several of the system administration pages now include options to sort
their contents by column headings.
-
Change SIP support to add the option NoPatronPassword. This option can be
used when no patron password is to be used as part of testing, and when
included must appear before the SIP line. When this
option is enabled, EZproxy cannot distinguish valid users from invalid
users without an additional test. The recommended test to combine with this
option is "Test 0 Y; Unknown" which checks SIP status position 0, the
charging privilege denied field, for a value of Y, in which case the
user is considered to be unknown.
Sample usage:
::SIP
Host sip.yourlib.org:1234
NoPatronPassword
SIP
Test 0 Y; Unknown
/SIP
-
Corrected incompatibility with Jane's Sentinel Security Assessments.
-
Alter Ticket authentication to allow users to be designated as EZproxy
administrators by specifying the new Admin directive. Sample usage:
::Ticket
MD5 verysecret
User someuser; Admin
/Ticket
In this example, if the username provided is someuser, then EZproxy
will grant the user administrative access.
-
Corrected issue when more than one ShibbolethSites statement appears
in ezproxy.cfg.
-
Extends ODBC support to allow the use of Debug to have more diagnostic
information included and allows the use of additional SQL commands to set connection state. For example:
::ODBC
Debug
DSN SomeSystemDSN
DBUser SomeUser
DBPassword SomePassword
SQL USE SomeDatabase
Parameter User
Parameter Password
SQL \
SELECT 'Allow' \
FROM auth \
WHERE \
user = ? AND \
pass = ?
/ODBC
-
Adds new ezproxy.cfg option to instruct EZproxy to use a
different method to set its cookie when users access using Apple's
Safari 2.0 browser. This option is only needed for EZproxy servers
whose names end in a two-letter domain and whose names contain
only two periods (e.g., ezproxy.yourlib.ca would need this, but ezproxy.library.yourlib.ca and ezproxy.yourlib.org would not). To enable this, add:
Option SafariCookiePatch
to ezproxy.cfg and restart.
-
Extends Central Authentication Service (CAS) to allow
varied behavior based on attributes provided during service validation.
This form uses a new syntax to invoke CAS authentication. The minimal
entry in this new form is:
::CAS
LoginURL http://www.yourlib.org/cas/login
ServiceValidateURL http://www.yourlib.org/cas/serviceValidate
/CAS
This form also supports the general directives
Admin, Allow, Authenticated, Banner, Debug, Deny, Group, Invalid,
NoGroups, Refused, Stop, Unknown, User, and UsrVar, plus a specialized
version of Test to check tag values using an XPath to specify the tag to
check. For example:
::CAS
Debug
LoginURL http://www.yourlib.org/cas/login
ServiceValidateURL http://www.yourlib.org/cas/serviceValidate
Group NULL
Test -RE cas:group (Undergrad|Grad); Group +Student
Test //*/cas:group Employees; Group +Employee
Test /cas:authenticationSuccess/cas:groups/cas:group Staff; Group +Staff
NoGroups; Deny unaffiliated.html
/CAS
For this example
to work, ezproxy.cfg would need to default the Student, Employee, and Staff
groups as well.
When EZproxy redirects through CAS encoding, the destination database URL is
now encoded in a different manner, a side-effect of which is that you
can no longer readily view the URL that arrives at the CAS server and
determine where the user was originally headed.
The Debug directive tells EZproxy to record additional diagnostic messages
to ezproxy.msg. This includes recording the entire XML response from the
Service Validation URL, which can help in sorting out which attributes
are available to use for making authorization decisions.
In all three tests, the tag cas:group is being tested. The first and
second tests use an identical search to locate tags, as EZproxy assumes a search from the root
across all nodes if no path information is included.
The third test uses an absolute path to the tag.
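The three Test lines above, evaluated in an added Python example (not EZproxy's own code) against a constructed serviceValidate response, to show how the whole-tree search and the absolute path select the same cas:group tags and how the resulting group set feeds the NoGroups branch. Assumptions: cas:authenticationSuccess is treated as the document root so the absolute path in the example resolves, and -RE is taken as a full regular-expression match.

```python
# Added example, not EZproxy code: evaluate the three CAS Test lines above
# against a constructed serviceValidate response and derive the group set.
import re
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"

# Constructed response body. Assumption: EZproxy's absolute paths start at
# cas:authenticationSuccess, so that element is used as the document root.
SAMPLE_RESPONSE = """\
<cas:authenticationSuccess xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:user>jdoe</cas:user>
  <cas:groups>
    <cas:group>Grad</cas:group>
    <cas:group>Staff</cas:group>
  </cas:groups>
</cas:authenticationSuccess>
"""

NO_GROUPS_RESPONSE = """\
<cas:authenticationSuccess xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:user>visitor</cas:user>
</cas:authenticationSuccess>
"""


def _qname(tag):
    """cas:group -> {namespace}group so ElementTree can match it."""
    prefix, _, local = tag.partition(":")
    return f"{{{CAS_NS}}}{local}" if prefix == "cas" else tag


def select_values(root, path):
    """Text of every element the EZproxy-style path selects.

    A bare tag name or //*/tag searches the whole tree from the root;
    a path beginning with a single / is walked step by step from the root.
    """
    if path.startswith("//"):
        path = path.rsplit("/", 1)[-1]        # //*/cas:group -> cas:group
    if not path.startswith("/"):
        return [el.text or "" for el in root.iter(_qname(path))]
    steps = path.strip("/").split("/")
    if _qname(steps[0]) != root.tag:
        return []
    nodes = [root]
    for step in steps[1:]:
        nodes = [child for node in nodes for child in node.findall(_qname(step))]
    return [node.text or "" for node in nodes]


def select_from_text(xml_text, path):
    """Convenience wrapper: parse the response, then select by path."""
    return select_values(ET.fromstring(xml_text), path)


def cas_test(root, path, expected, regex=False):
    """One Test line: -RE compares with a regular expression (assumed to be a
    full match); otherwise the tag text must equal the expected value."""
    values = select_values(root, path)
    if regex:
        return any(re.fullmatch(expected, v.strip()) for v in values)
    return any(v.strip() == expected for v in values)


def evaluate_groups(xml_text):
    """Apply the changelog's three tests; an empty result is the case the
    'NoGroups; Deny unaffiliated.html' line handles."""
    root = ET.fromstring(xml_text)
    groups = set()
    if cas_test(root, "cas:group", "(Undergrad|Grad)", regex=True):
        groups.add("Student")
    if cas_test(root, "//*/cas:group", "Employees"):
        groups.add("Employee")
    if cas_test(root, "/cas:authenticationSuccess/cas:groups/cas:group", "Staff"):
        groups.add("Staff")
    return groups


if __name__ == "__main__":
    print(evaluate_groups(SAMPLE_RESPONSE))     # {'Student', 'Staff'}
    print(evaluate_groups(NO_GROUPS_RESPONSE))  # set(): would be denied
```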
-
Correct an issue with Solaris that prevented EZproxy from detecting an
attempt to start a second copy running from the same directory.
-
Extend AnonymousURL to allow access to additional groups beyond just
the Default group.
-
The public, limited, and loggedin directories now allow the use of
subdirectories if:
Option AllowWebSubdirectories
is added to ezproxy.cfg.
The behavior for loggedin is slightly different, as
the first directory level is matched up with EZproxy groups, such that a URL like:
http://ezproxy.yourlib.org:2048/loggedin/somegroup/somedir/somefile.html
can only be retrieved by someone who is a member of the EZproxy
group "somegroup".
-
When users access EZproxy using AutoLoginIP or referring URL authentication,
EZproxy now appends a hyphen and the user's source IP address to the
username used for limit tracking. For example,
auto- instead of just auto. This makes
it possible to enforce limits at the workstation level for automatic login
and the user level for all other access.
In addition,
Usage limits have new -IgnoreAutoLoginIP, -IgnoreRefererLogin, and
-IgnoreNormalLogin options to exclude certain types of logins from
participating in those limits. For example:
UsageLimit -enforce -interval=60 -expires=360 -MB=100 -IgnoreAutoLoginIP Global
enforces a limit of 100 MB transferred within a 60 minute window, with
automatic expiration after 360 minutes, but ignores any access that occurs
as a result of AutoLoginIP.
-
An issue that caused login banners to be presented to the wrong users has
been corrected.
-
SIP authentication contains a correction that may have caused the use of
excessive CPU time.
-
::Ticket,Debug in ezproxy.usr now causes additional
diagnostic information to be recorded in ezproxy.msg.
-
When performing LDAP group membership tests, if the distinguished name
contains spaces before and/or after commas, EZproxy performs two compare
operations: one with the dn as returned, and another using a copy of the
dn with the spaces around the commas removed.
-
EZproxy now records a message in ezproxy.msg when a usage limit suspension
is cleared.
-
On Linux and Solaris, when a group is specified using RunAs, EZproxy
now clears access to all other supplemental groups.
-
Updated CAS support for backward compatibility to CAS 1.0.
-
Corrected issue that could prevent Find/Replace statements from
being processed.
-
The "URL -form=" format for enabling access to remote services
that require referring URL and/or username/passwords has been updated
to ensure that the remote web server will receive the referring URL matching
the URL specified, whereas previous versions could send the login page as
their referring URL.
-
The MaxLifetime directive defines how long an EZproxy session can be idle before
it is terminated. It is now also possible to specify an absolute amount of
time after which the user is required to log in again to continue using his/her
current session. The amount of time is specified in minutes by adding
one or more lines like this to ezproxy.usr:
jdoe:secret
::ReLogin=30
rsmith:shhhh
::ReLogin=60
::FTP=ftpserv.yourlib.org
::ReLogin=0
pwilliams:hush
In this example, jdoe and pwilliams are never required to reauthenticate, rsmith is
required to reauthenticate every 30 minutes, and users authenticated by
the FTP server are required to reauthenticate every hour.
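The way ::Lifetime, ::ReLogin and ::Comment stay in effect for every authenticator that follows them, worked through in an added Python example (not EZproxy's own code) that combines this changelog's Lifetime, ReLogin and Comment samples into one constructed ezproxy.usr fragment. The 120-minute default is the MaxLifetime default named under the ::Lifetime entry above.

```python
# Added example, not EZproxy code: walk an ezproxy.usr fragment and report
# the ::Lifetime and ::ReLogin values that apply to each authenticator that
# follows them, since both settings stay in effect until reassigned.

# Constructed ezproxy.usr fragment combining the Lifetime, ReLogin and
# Comment examples from this changelog.
SAMPLE_USR = """\
::Comment=Metasearch account
::Lifetime=5
metauser:metapass
::Lifetime=0
::Comment=Local accounts
jdoe:secret
::ReLogin=30
rsmith:shhhh
::ReLogin=60
::Comment=Employee FTP
::FTP=ftpserv.yourlib.org
::ReLogin=0
pwilliams:hush
"""

DEFAULT_MAXLIFETIME = 120   # minutes; the MaxLifetime default cited above


def parse_usr_settings(usr_text):
    """Return [(entry, lifetime, relogin, comment)] in file order.

    entry is 'user:<name>' for a username:password line (the password is
    deliberately not copied out) or 'FTP=<host>' for an ::FTP line.
    lifetime and relogin are the raw values (0 = system default / never).
    """
    lifetime, relogin, comment = 0, 0, None
    entries = []
    for raw in usr_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("::"):
            key, _, value = line[2:].partition("=")
            key = key.lower()
            if key == "lifetime":
                lifetime = int(value)
            elif key == "relogin":
                relogin = int(value)
            elif key == "comment":
                comment = value
            elif key == "ftp":
                entries.append((f"FTP={value}", lifetime, relogin, comment))
            # other ::directives are outside the scope of this example
        else:
            username = line.split(":", 1)[0]
            entries.append((f"user:{username}", lifetime, relogin, comment))
    return entries


def effective_lifetime(lifetime, system_default=DEFAULT_MAXLIFETIME):
    """::Lifetime=0 means 'use the system default'."""
    return lifetime if lifetime > 0 else system_default


def relogin_policy(relogin):
    """::ReLogin=0 means the user is never forced to log in again."""
    return "never" if relogin == 0 else f"every {relogin} minutes"


if __name__ == "__main__":
    for entry, life, relog, note in parse_usr_settings(SAMPLE_USR):
        print(f"{entry:28} lifetime={effective_lifetime(life):3} min "
              f"relogin={relogin_policy(relog):18} comment={note}")
```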
-
LDAP extended to allow the detection of eDirectory accounts that have
passed their account expiration date using the Disabled directive.
This example demonstrates how to intermix this with testing the
loginGraceRemaining attribute to configure EZproxy to provide feedback
while grace logins are diminishing, then provide expiration information when
they are almost exhausted. The amount of debugging information recorded when
using ::LDAP,Debug has also been enhanced.
::LDAP
URL ldaps://ldapserv.yourlib.org/OU=users,O=yourlib?cn?sub?(objectClass=person)
Disabled; Deny disabled.html
Expired; Test -wild loginGraceRemaining 0; Deny expired.html
Expired; Test loginGraceRemaining 1; Deny expired.html
Expired; Test loginGraceRemaining 2; Deny expired.html
Expired; Banner grace.html; Ignore
/LDAP
In this example, the file grace.html is located in the docs subdirectory
and should contain information to the user to indicate that they only
have a few logins left. The file must also contain a link like this:
<a href="/login?url=^V">continue to resource</a>
If you do not want to provide feedback, you can omit the Banner portion but
must include Ignore or else EZproxy will not allow the user to log in.
-
Change to avoid "page expired" errors in PubMed when using the back
button to return to a hit list of articles.
2006-02-26
EZproxy 3.6b was released but withdrawn. Any site using this version should update to a newer release of EZproxy.
2006-02-20
EZproxy 3.6a was released but withdrawn. Any site using this version
should update to a newer release of EZproxy.
2005-08-04
EZproxy 3.4c corrects an issue
introduced in EZproxy 3.4a
that prevented concurrent user login limits from working properly.
2005-08-03
This release was a flawed attempt to correct an issue in EZproxy 3.4a.
2005-08-02
EZproxy 3.4a contains the following changes:
-
EZproxy can now be directed to monitor the volume of use by users and can be
directed to suspend access if specific thresholds are exceeded. See
UsageLimit for details.
-
EZproxy now supports Shibboleth authentication.
-
EZproxy now supports Central Authentication Server (CAS).
-
Ticket authentication with time format specified using $c now accounts
for daylight savings correctly.
-
When using external authentication, you can now add the debug keyword
to indicate that extra details should be recorded to ezproxy.msg. Sample
use:
::debug,external=http://www.yourlib.org/ezproxy.cgi,post=user=^u&pass=^p
-
Within SIP authentication, introduces new Wait directive to allow a pause
during process. Sample usage:
::SIP
Host sip.yourlib.org:23
Expect Choice
Send SIP\r
Wait 1
SIP
/SIP
-
Allow database definitions that have only Title and Description lines.
During menu presentation, when EZproxy encounters such a definition,
it sends only the database description, ignoring all other directives
between ^B and ^E, allowing arbitrary text to be included between database
definitions. Sample usage:
Title Text that appears in /status but not to remote user
Description HTML Text sent to the remote user
Description which may span multiple lines by repeating
Description the Description directive
-
Adds new HTTPMethod ezproxy.cfg directive to authorize EZproxy to
proxy additional HTTP methods beyond GET, POST, and HEAD. Sample usage:
HTTPMethod SEARCH
HTTPMethod SUBSCRIBE
HTTPMethod BMOVE
-
This version introduces the ExtraLoginCookie directive for ezproxy.cfg.
This directive allows you to tell EZproxy to send extra Set-Cookie headers
during the login process. The most typical use is with load balancing
applications. In most instances, the cookie used should be paired with a
CookieFilter statement to tell EZproxy not to forward the cookie's value to
remote databases. A sample use is:
ExtraLoginCookie proxyid=1025; domain=.yourlib.org
CookieFilter proxyid
-
This version includes a patch to allow EZproxy to work with big5.lawyee.com.
To access this database, use this version of EZproxy along with the following database definition:
Option LawYeePatch
Title LawYee
URL http://big5.lawyee.com/
DJ lawyee.com
-
With LDAP, previous versions of EZproxy needlessly required read or compare access to
the objectClass attribute to succeed. This requirement has been removed.
-
The "ezproxy log" command now forces EZproxy to reopen the main log file
along with any other log files established by LogSPU directives.
-
III authentication can now match based on any part of the III patron name
field matching any part of the EZproxy password field. For example, if pn
is Smith-Jones Jr, Patricia "Pat" Robin Q, then any of the following
would match:
Pat Smith
Smith Patricia
Smith
Jones
Robin Jones
Pattie Smith
Note that Pattie Smith matches, even though Pattie is not present, since
Smith is present and does match.
When performing this test, Jr and Sr are ignored. Unless
pn is made up of only single characters, single characters are also ignored. As
a result, these by themselves would not match:
Jr
Q
To use this form of name match, add the directive PartialNameMatch before
your Host line, such as:
::III
PartialNameMatch
Host iii.yourlib.org
/III
-
LDAP now supports detecting expired accounts and expired password
when authenticating against Microsoft Active Directory and Novell eDirectory.
The following examples demonstrate the use of the Expired and PasswordForm
directives with a Microsoft Active Directory server. For Novell eDirectory,
add the Expired and PasswordForm directives in a similar manner within your
existing LDAP configuration, with Expired appearing after the URL line and PasswordForm appearing before
the URL line. If you are using eDirectory and anonymous searching is
permitted, you can omit the BindUser and BindPassword in both examples.
To provide user
feedback if a user's account or password is expired, use (one or more line breaks were added in this example for display purposes; an example without added line breaks
is available):
::LDAP
BindUser CN=ezproxy,CN=users,DC=yourlib,DC=org
BindPassword verysecret
URL ldap://ldapserv.yourlib.org/CN=users,DC=yourlib,DC=org
?sAMAccountName?sub?(objectClass=person)
Expired; Deny expired.htm
/LDAP
In this example, you need to create the file expired.htm in the docs
directory. This file will provide the user with feedback as to why
he/she was denied access.
If you would like to allow the user to change an expired password, issue
the command:
ezproxy -ml
to create the file ldappass.htm in the docs directory, then use an LDAP
entry like this (one or more line breaks were added in this example for display purposes; an example without added line breaks
is available):
::LDAP
PasswordForm ldappass.htm
BindUser CN=ezproxy,CN=users,DC=yourlib,DC=org
BindPassword verysecret
URL ldaps://ldapserv.yourlib.org/CN=users,DC=yourlib,DC=org?sAMAccountName?sub?(objectClass=person)
Expired; Deny expired.htm
/LDAP
Note the use of ldaps:// in this example. For password changing to work,
you must use ldaps (LDAP over SSL). Both Active Directory and eDirectory
require this. See Microsoft articles
247078 and
321051 for more information on configuring Active Directory to support ldaps.
Note that the CN=ezproxy... account does not need to have any privileges
for password changing to work. It is only used to locate the user's
distinguished name in the directory.
In this version, the user will be allowed to change his/her password as long
as it is only the password that is expired. If the account has passed its
expiration date, the expired.htm file is sent to let the user know that his/her
account has expired and is now disabled.
-
The "ezproxy -md" command now generates template files for DRA Classic using
DRA macros, DRA classic using WEB2 macros, and Unicorn using
WEB2 macros.
-
In III authentication, Test can now accept one of the following operators:
<s =s >s ~s !s <i =i >i !i <d =d >d !d . These operations allow you to specify
the exact form of test to perform. In these forms, s is for a string
comparison, i is for an integer comparison, and d is for a decimal
comparison. Sample usage is:
Test p96 >d 20.00; Deny excessfines.htm
-
When using ::cgi in ezproxy.usr, you can now omit the username and password
fields, and you can also specify ^A, ^U, and ^V in the URL. This form
makes it easier to redirect the user to CGI scripts without requiring the use
of the original variables. ^A is substituted with the auth variable (if present), ^U is substituted with the destination URL in URL-encoded format,
and ^V is substituted with the destination URL in its "verbatim" format.
-
The LogFormat and LogSPU directives now accept %{ezproxy-url#}i where
# can be any number to specify the inclusion of a specific portion of the URL.
For example, in the URL http://www.somedb.com/abc/def, %{ezproxy-url1}i
returns abc, %{ezproxy-url2}i returns def, and %{ezproxy-url3}i returns a blank
string.
-
LDAP authentication now allows testing against multiple servers
with an ezproxy.usr configuration like this:
::LDAP
URL ldap://ldapserv1.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person)
Refused; URL ldap://ldapserv2.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person)
Refused; URL ldap://ldapserv3.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person)
/LDAP
Other LDAP directives may appear before the closing /LDAP, and will apply based on whichever server was able to accept the request and process it.
-
The ::external user authentication method now allows the inclusion of ^a
to pass the auth variable from the login form to the external script.
-
The LogFormat and LogSPU directives now accept %{ezproxy-groups}i to allow
the inclusion of user group membership in the log file.
2005-04-03
EZproxy 3.2b contains the following changes:
-
Corrects an issue which caused the login page to appear when using referring
URL authentication without providing a specific destination URL.
-
The installation copy of ezproxy.usr no longer contains any
default username or password. If default accounts from older versions
of EZproxy appear
in ezproxy.usr, they are not allowed for use to login and
a warning is recorded to ezproxy.msg.
-
Allows ::cgi to be specified without a username on the line when used
just for rerouting, and also allows the use of ^U and ^V in the
destination URL. Typical use for excluding the username occurs when
combining ::cgi to reroute unauthenticated user with
ticket authentication.
The inclusion of ^L, ^S, ^U or ^V overrides the normal
appending of the destination URL and instead provides the ability to
explicitly pick where the destination URL should be inserted. When
used, ^U is the URL-encoded version of the URL and ^V is the verbatim
version of the URL with no encoding.
^L is true if the user is already
logged in and tries to access a database outside current group membership
(a "logup" condition) or false otherwise. If the user tries to
access a database outside group membership and ^L isn't included
in the redirect URL, then EZproxy will not redirect the user, but
instead presents the logup.htm page. This requirement avoids the possibility
of user login loops if the receiving CGI script is not designed to handle
the logup scenario.
^S is the EZproxy session identifier if the user is already logged in.
For the starting point URL:
http://ezproxy.yourlib.org/login?url=http://www.somedb.com/
if you use the ezproxy.usr entry:
::cgi=http://www.yourlib.org/ezpauth.cgi?dest=^U
the user will be redirected to:
http://www.yourlib.org/ezpauth.cgi?dest=http%3a%2f%2fwww.somedb.com%2f
whereas if you use the ezproxy.usr entry:
::cgi=http://www.yourlib.org/ezpauth.cgi?dest=^V
the user will be redirected to:
http://www.yourlib.org/ezpauth.cgi?dest=http://www.somedb.com/
-
Linux and Solaris versions now support the command line option stopall
for use when updating, such as:
./ezproxy stopall
-
LDAP authentication now supports "Admin" as an option to declare that a
user is an administrative user, such as:
Test -user rdoe; Admin
2005-03-28
EZproxy 3.2a contains the following changes.
-
Server status now contains new "Host Maintenance" options to prune away
hosts and ports that are no longer being used.
-
Administration interface contains new "Test network connectivity" option.
-
"MetaFind MuseCookie" handling has been improved. There are also two new ezproxy.cfg directives, LoginSocketBacklog and HostSocketBacklog, to configure how many outstanding, unserviced
requests can queue up to EZproxy. Sample usage:
LoginSocketBacklog 50
HostSocketBacklog 10
In proxy by port, LoginSocketBacklog controls the number of unserviced login
requests that can be pending, and HostSocketBacklog controls the number
of unserviced requests to specific virtual web servers that can be pending. In
proxy by hostname, only LoginSocketBacklog matters.
In older versions of EZproxy, these defaulted to 5. The default for
LoginSocketBacklog is now 20 and for HostSocketBacklog remains 5.
Raising LoginSocketBacklog above 200 is not recommended, nor is raising
HostSocketBacklog above 20.
-
III Patron API authentication now allows a new option "PartialNameMatch" which
directs EZproxy to match the user supplied password against
the patron name, and if everything matches up to the point where the
password ends, and if that point in patron name is a non-space, the two
are considered to match. This allows pn "Doe Robin" to match
password "Doe". In instances where pn starts "Mac " or "Mc ", the space
is removed, such that pn "Mac Donald" will match password "MacDonald"
or "Mac Donald", but will not match just "Mac".
::III
PartialNameMatch
Host iii.yourlib.org
/III
PartialNameMatch must appear before Host.
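Both PartialNameMatch behaviours this changelog describes, as an added Python example (not EZproxy's own code): the 3.2a prefix rule from this entry and the 3.4a any-name-part rule from the EZproxy 3.4a entry above, checked against the examples each passage gives. Case-insensitive comparison is an assumption, and the 3.2a boundary check follows the passage's own examples: the password must end either at the end of the patron name or at a space.

```python
# Added example, not EZproxy code: the two PartialNameMatch behaviours this
# changelog describes, with the examples from the text as checks.
import re

JUNK_WORDS = {"jr", "sr"}   # suffixes ignored by the 3.4a rule


def _name_words(text):
    """Split a name field into words; punctuation and quotes are separators."""
    return [w for w in re.split(r"[^A-Za-z0-9]+", text) if w]


def partial_name_match_34a(pn, password):
    """EZproxy 3.4a rule: any word of the password matching any word of the
    patron name is enough. Jr/Sr are ignored; single-character words are
    ignored unless the patron name consists only of single characters."""
    pn_words = [w.lower() for w in _name_words(pn) if w.lower() not in JUNK_WORDS]
    pw_words = [w.lower() for w in _name_words(password) if w.lower() not in JUNK_WORDS]
    if not all(len(w) == 1 for w in pn_words):
        pn_words = [w for w in pn_words if len(w) > 1]
        pw_words = [w for w in pw_words if len(w) > 1]
    return any(w in pn_words for w in pw_words)


def _collapse_mac(name):
    """'Mac Donald' -> 'MacDonald', 'Mc Donald' -> 'McDonald' (3.2a rule)."""
    for prefix in ("Mac ", "Mc "):
        if name.startswith(prefix):
            return prefix.rstrip() + name[len(prefix):]
    return name


def partial_name_match_32a(pn, password):
    """EZproxy 3.2a rule: the password must match the patron name from the
    start, and the match must end at a word boundary (end of name or a
    space), so 'Doe' matches 'Doe Robin' but 'Mac' does not match
    'Mac Donald' once the Mac/Mc space has been collapsed."""
    pn_n = _collapse_mac(pn.strip()).lower()
    pw_n = _collapse_mac(password.strip()).lower()
    if not pw_n or not pn_n.startswith(pw_n):
        return False
    end = len(pw_n)
    return end == len(pn_n) or pn_n[end] == " "


if __name__ == "__main__":
    pn = 'Smith-Jones Jr, Patricia "Pat" Robin Q'
    for pw in ["Pat Smith", "Pattie Smith", "Jr", "Q"]:
        print(f"3.4a {pw!r:16} -> {partial_name_match_34a(pn, pw)}")
    for name, pw in [("Doe Robin", "Doe"), ("Mac Donald", "MacDonald"),
                     ("Mac Donald", "Mac Donald"), ("Mac Donald", "Mac")]:
        print(f"3.2a {name!r} vs {pw!r} -> {partial_name_match_32a(name, pw)}")
```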
-
For instances where CGI authentication creates a new session for someone who
is already logged in,
the method of merging the attributes of the two sessions
together has been improved.
-
It is now possible to reject requests to EZproxy based on the presence
of arbitrary HTTP request headers. The general form of the ezproxy.cfg
directive is:
DenyIfRequestHeader denyfile wildcardtest
where denyfile is a file in the docs subdirectory to send if
wildcardtest is present in a header. Sample usage is:
DenyIfRequestHeader nowebzip.html User-Agent:*WebZip*
The denyfile may also take the special value of allow
to indicate that a specific header should
combination of positive and negative logic.
-
Mini-DNS server debug logging enhanced.
-
Corrects issue with LogFile directive and group memberships when many groups
are specified in a single Group statement.
-
Adds new ezproxy.cfg directive ClientTimeout that controls how long
EZproxy will wait on the remote client (in seconds) before closing a connection.
The default value is 60 seconds. This directive
should be used with RemoteTimeout or else a long wait on the client could cause
the connection to the remote server to timeout.
Sample usage:
ClientTimeout 120
RemoteTimeout 120
-
The docs directory contains a directory named loggedin. You can now
create directories in loggedin that become EZproxy group names. Files
placed within these directories are only accessible by users who are
members of the group.
-
Adds new ezproxy.cfg EBLSecret directive for configuring access to Ebook Library.
-
The ezproxy.cfg LogFile directive now accepts a new -strftime qualifier, such as:
LogFile -strftime ezproxy%Y%m%d.log
When strftime is present, EZproxy will evaluate the filename using the
strftime function. This allows the filename to be based on the current
date and time, allowing new log files to be created automatically. In
the above example, EZproxy will open a new log file every day, using names
such as ezproxy20080325.log for each file. Another useful
form is:
LogFile -strftime ezproxy%Y%W.log
which creates a new log file each week, such as ezproxy200812.log.
-
Optimizes the way EZproxy retrieves system time.
-
Adds ezproxy.cfg directive ProxyURLPassword to specify a password
that activates EZproxy's new support for responding to XML requests sent to
/proxy_url. This URL is used to support Ross Singer's "WAG the Dog
Localizer".
-
The LogFormat directive now supports %m to record the request method
(e.g., GET, POST), %v to record the host requested, and
%{ezproxy-protocol}i to retrieve whether http or https was used in
the request. This can be used to construct a log entry that omits
URL information, such as:
LogFormat %h %l %u %t "%m %{ezproxy-protocol}i://%v HTTP/1.0" %s %b
These options are also compatible with LogSPU.
-
Add new ezproxy.cfg directive RADIUSRetry that controls how frequently
EZproxy will resend RADIUS requests if it does not receive any responses.
The directive is followed by the number of seconds to wait before retrying,
and defaults to 1 second.
Sample usage:
RADIUSRetry 3
-
The IntruderAttempts directive has been expanded. You can now include
multiple directives to provide varying behavior based on source IP address.
Sample usage:
IntruderTimeout 600
IntruderAttempts 5
IntruderTimeout 300
IntruderAttempts -ip=68.14.229.0-68.14.229.255 10
IntruderAttempts -ip=68.14.229.198 -x-forwarded-for 15
IntruderAttempts statements should be listed from most general to most
specific. The last IntruderAttempts line in ezproxy.cfg that matches a
computer defines how intruder detection will be handled.
In this example, the general behavior is to start evading users after they
make 5 login failures from the same IP address. Once this occurs, the source
IP remains locked out for 600 seconds (10 minutes).
However, if someone is accessing from a source IP between
68.14.229.0 and 68.14.229.255, EZproxy will give them 10 tries and will reset
after 300 seconds (5 minutes).
But, even more specifically, if someone is accessing from
68.14.229.198, EZproxy should look for an "X-Forwarded-For" header, and
if one is present, it should consider the source IP address of the request
to include the source IP specified in this header, and in that case, allow
up to 15 retries. The X-Forwarded-For header is an optional header that
can be sent by proxy servers and some network address translation devices.
Including this option enables EZproxy to use an extra piece of information
to separate out users who are behind that proxy. This option should only
be used if your institution controls the proxy server involved.
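The "last matching IntruderAttempts line wins" rule above, worked through in an added Python example (not EZproxy's own code) that parses the sample directives and resolves the attempts, timeout and tracking identity for a given source IP. Assumptions: each IntruderAttempts line captures the IntruderTimeout in effect at that point in the file, and a line carrying -x-forwarded-for only matches a request that actually carries an X-Forwarded-For header.

```python
# Added example, not EZproxy code: resolve which IntruderAttempts and
# IntruderTimeout pair applies to a login failure from a given address.
import ipaddress

# Constructed copy of the changelog's sample directives.
SAMPLE_CFG = """\
IntruderTimeout 600
IntruderAttempts 5
IntruderTimeout 300
IntruderAttempts -ip=68.14.229.0-68.14.229.255 10
IntruderAttempts -ip=68.14.229.198 -x-forwarded-for 15
"""


def _parse_ip_spec(spec):
    """'a.b.c.d' or 'a.b.c.d-w.x.y.z' -> (low, high) address pair."""
    low, _, high = spec.partition("-")
    return ipaddress.ip_address(low), ipaddress.ip_address(high or low)


def parse_intruder_rules(cfg_text):
    """Return rules in file order: (ip_range, needs_xff, attempts, timeout).

    Assumption: an IntruderAttempts line takes the IntruderTimeout that was
    most recently set above it, which is how the changelog's description
    pairs 5/600 and 10/300.
    """
    rules, timeout = [], 0
    for raw in cfg_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        directive = tokens[0].lower()
        if directive == "intrudertimeout":
            timeout = int(tokens[1])
        elif directive == "intruderattempts":
            ip_range, needs_xff = None, False
            for opt in tokens[1:-1]:
                if opt.lower().startswith("-ip="):
                    ip_range = _parse_ip_spec(opt[4:])
                elif opt.lower() == "-x-forwarded-for":
                    needs_xff = True
            rules.append((ip_range, needs_xff, int(tokens[-1]), timeout))
    return rules


def resolve_intruder_policy(rules, source_ip, xff=None):
    """Return (attempts, timeout, tracking_key) for one request, or None
    when no rule matches. Later matching lines override earlier ones, so
    the file should run from most general to most specific.

    The tracking key is what failures are counted against. With
    -x-forwarded-for it combines the proxy's address with the header value;
    as the changelog notes, that is only safe when the institution controls
    the proxy, because the header is otherwise set by the client."""
    addr = ipaddress.ip_address(source_ip)
    chosen = None
    for ip_range, needs_xff, attempts, timeout in rules:
        if ip_range is not None and not (ip_range[0] <= addr <= ip_range[1]):
            continue
        if needs_xff and not xff:
            continue
        key = f"{source_ip}/{xff.strip()}" if needs_xff else source_ip
        chosen = (attempts, timeout, key)
    return chosen


if __name__ == "__main__":
    rules = parse_intruder_rules(SAMPLE_CFG)
    for ip, xff in [("10.0.0.5", None), ("68.14.229.20", None),
                    ("68.14.229.198", None), ("68.14.229.198", "192.0.2.7")]:
        print(ip, xff, "->", resolve_intruder_policy(rules, ip, xff))
```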
-
There is a new form of database definition that can be used for databases
that require the submission of variables by a form. With this configuration,
EZproxy generates a temporary form used to give the user access to the remote
system.
An example of this configuration for Canadian Pharmacists Association is (one or more line breaks were added in this example for display purposes; an example without added line breaks
is available):
Title Canadian Pharmacists Association
URL -Form=post -RewriteHost ecps
http://www.pharmacists.ca/function/subscriptions/ecps.cfm?extlink=ecps
FormVariable loginname=someuser
FormVariable loginpassword=somepass
DJ pharmacists.ca
Users gain access to this with a URL similar to:
http://ezproxy.yourlib.org:2048/login/ecps
-
IntruderAttempts handling has been enhanced.
-
Adds special diagnostic feature to pinpoint the source of "400" errors.
-
Corrects a problem that prevented references to the EZproxy /loggedin directory
from working properly when invoked with an https URL.
-
Enhances Domain authentication to handle an additional case of expired
password changing.
-
Introduces new intrusion control directives:
IntruderLog 25
IntruderReject 100
IntruderLog controls the maximum number of times that EZproxy should log
intrusion attempts to ezproxy.msg during a particular incident, with
a default value of 25.
IntruderReject controls the maximum number of login failures that should
occur before the remote site moves from evasion to total rejection of
login attempts, with a default value of 100.
-
The maximum number of groups has been increased from 32 to 4096.
-
The Validate directive may now include a path restriction to control
which URLs receive a username and password.
Sample usage:
Title Journal of Transpersonal Psychology
Validate path=/jtparchive/* someuser:somepass
URL http://www.atpweb.org/jtparchive/
Domain atpweb.org
-
For the Windows platform, adds authentication against ODBC sources. A sample
ezproxy.usr entry is:
::ODBC
DSN SomeSystemDSN
DBUser SomeUser
DBPassword SomePassword
Parameter User
Parameter Password
SQL \
SELECT 'Allow' \
FROM auth \
WHERE \
user = ? AND \
pass = ?
/ODBC
DSN is the ODBC system DSN to use.
DBUser and DBPassword are optional. If included, they provide the username and/or password to use to access the
database.
Parameter may be followed by User, Password, or IP and indicate values that
should be supplied for each ? that appears in the SQL statement.
The first Parameter value goes to the first ? in the SQL statement, the
second Parameter to the second ?, and so forth.
SQL is followed by an SQL statement. Since SQL statements may become
quite long, you may continue SQL statements across multiple lines by ending
each line with a \ character. The SQL statement should be constructed
to return the literal Allow if the user is to be allowed access, or Deny if the
user should be denied all access to EZproxy. If the first value returned
is neither Allow nor Deny, EZproxy moves on to the next authentication
check in ezproxy.usr.
For Allow, the SQL statement may also return a second column
that indicates one or more EZproxy groups to which the user should have access. To
use the group feature, the query should return several rows with one group per
row, such as:
| Allow | Default |
| Allow | Medical |
| Allow | Legal   |
For Deny, the SQL statement may also return a second column
that indicates the name of the file from the docs directory
that should be sent to the user who is being denied access.
To use this feature, the query should return a Deny row whose second column holds that filename.
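The Allow/Deny contract above is easy to get wrong, so here is an added example (not EZproxy code and not from OCLC) that models it in Python against an in-memory sqlite3 table standing in for the ODBC system DSN. Only the two-parameter query is taken from the page; the table layout, the membership table, the richer GROUPS_SQL query, the locked.htm filename and the sample accounts are assumptions made for the demonstration. It shows the bound ? placeholders keeping a quote-laden username from altering the query, the multi-row Allow form yielding group names, a Deny row carrying a docs filename, and the fall-through case.

```python
import sqlite3

# The ::ODBC block from the page, with the SQL continuation lines (ending in \)
# already joined into one statement. Each "?" is bound, in order, to the
# login fields named by the Parameter lines.
PAGE_PARAMETERS = ["User", "Password"]
PAGE_SQL = "SELECT 'Allow' FROM auth WHERE user = ? AND pass = ?"

# Hypothetical richer query (not from the page) that exercises every part of
# the contract: one Deny row carrying a docs/ filename for locked accounts,
# otherwise one Allow row per group the user belongs to.
GROUPS_SQL = """
SELECT CASE WHEN a.locked = 1 THEN 'Deny' ELSE 'Allow' END,
       CASE WHEN a.locked = 1 THEN 'locked.htm' ELSE m.grp END
  FROM auth a LEFT JOIN membership m ON m.user = a.user
 WHERE a.user = ? AND a.pass = ?
"""


def build_demo_db():
    """Constructed in-memory stand-in for the ODBC DSN (sqlite3, not ODBC).
    Passwords are stored in clear text only because the page's sample query
    compares them literally; a real table would hold salted hashes instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth (user TEXT PRIMARY KEY, pass TEXT, locked INTEGER)")
    conn.executemany("INSERT INTO auth VALUES (?, ?, ?)",
                     [("alice", "s3cret", 0), ("bob", "hunter2", 1)])
    conn.execute("CREATE TABLE membership (user TEXT, grp TEXT)")
    conn.executemany("INSERT INTO membership VALUES (?, ?)",
                     [("alice", "Default"), ("alice", "Medical"), ("bob", "Default")])
    return conn


def evaluate(conn, sql, parameters, login):
    """Run the query with bound parameters and interpret the rows the way the
    text describes. Returns ("Allow", sorted group names), ("Deny", filename or
    None), or (None, None) meaning: fall through to the next ezproxy.usr check."""
    values = [login.get(name) for name in parameters]   # bound as data, never interpolated
    rows = conn.execute(sql, values).fetchall()
    if not rows:
        return (None, None)
    verdict = rows[0][0]
    if verdict == "Allow":
        groups = sorted({r[1] for r in rows if len(r) > 1 and r[1] is not None})
        return ("Allow", groups)
    if verdict == "Deny":
        return ("Deny", rows[0][1] if len(rows[0]) > 1 else None)
    return (None, None)


if __name__ == "__main__":
    conn = build_demo_db()
    print(evaluate(conn, PAGE_SQL, PAGE_PARAMETERS, {"User": "alice", "Password": "s3cret"}))
    print(evaluate(conn, GROUPS_SQL, PAGE_PARAMETERS, {"User": "alice", "Password": "s3cret"}))
    print(evaluate(conn, GROUPS_SQL, PAGE_PARAMETERS, {"User": "bob", "Password": "hunter2"}))
    # Injection attempt: the quote is bound as data, so no row matches and
    # EZproxy simply moves on to the next authentication method.
    print(evaluate(conn, GROUPS_SQL, PAGE_PARAMETERS, {"User": "alice' OR '1'='1", "Password": "x"}))
```

The point to carry over to a real deployment is that the credentials only ever travel through the ? placeholders; a query that concatenated the login fields into the SQL text would let the Password field rewrite the WHERE clause.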
-
It is now possible to configure EZproxy to look for a meta directive that
tells it to stop rewriting URLs within a web page.
In ezproxy.cfg, you indicate to EZproxy which databases should use this
directive like this:
Option MetaEZproxyRewriting
Title Some Database that can use this meta tag
URL http://www.somedb.com/
Domain somedb.com
Option NoMetaEZproxyRewriting
Title Other Database that will ignore the meta tag
URL http://www.otherdb.com/
Domain otherdb.com
The default behavior is Option NoMetaEZproxyRewriting.
If Option MetaEZproxyRewriting is set for a database, then
web pages from that database may contain these special tags:
<meta name="EZproxyRewriting" content="disable">
<meta name="EZproxyRewriting" content="enable">
which tell EZproxy at which points URL rewriting should be disabled or
enabled as the web page is processed.
-
Domain statements that match a broad range of hosts such as:
Domain *
Domain com
Domain ac.uk
are now disallowed by default. Such lines are outside the scope of EZproxy's
design, and enabling them lets any logged-in user route requests to arbitrary
hosts through the server, which poses security risks.
Sites that choose to ignore this risk do so without the support of Useful
Utilities. To enable such lines to be proxied, the very
first line of ezproxy.cfg must be set to exactly:
Option I choose to use Domain lines that threaten the security of my network
-
Adds a "Disable Referral Chasing" option to LDAP authentication which should
correct some issues when searching Windows Active Directory from the root.
-
Corrects an issue in Shibboleth processing with NoGroups testing.
-
Corrects error when using username::crypt= in ezproxy.usr
-
Adds support for NCIP authentication. A sample ezproxy.usr entry is:
::NCIP
Server ncip.yourlib.org:7777
/NCIP
With just a hostname and port, EZproxy uses the socket protocol to connect
to NCIP. These may be replaced by a URL to use http or https POST protocol.
-
Allows a specific rejection file to be associated with a group restriction.
This is particularly useful for databases that are intended for inhouse
usage only. Sample usage:
Group InHouse Deny=inhouse.html
Title Some Database for local use only
URL http://www.somedb.com
Domain somedb.com
Group Default
Title Other databases follow
...
In this example, Some Database is placed in the InHouse group, and the
custom error file inhouse.html is associated with it. As long as your
users are never placed in the InHouse group, they will never have access to
this database, and will receive the inhouse.html file. Users who access
from an ExcludeIP address are redirected to the resource.
-
Automatic login can be enabled based on the reverse DNS hostname
associated with an IP address. This method of authentication is prone to
spoofing: the reverse (PTR) record for an address is set by whoever controls
that address's reverse DNS zone, not by you. Recommended use includes limiting
the source IP range as well.
Sample usage:
::ip=68.14.0.0-68.14.255.255,hostname=*.something.somedomain.com
::hostname=*.otherdomain.com
In the first example, the source IP address must be in the specified IP
range before the hostname test is considered. In the second, the hostname
is checked regardless of source IP address.
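To show why the hostname test alone is weak and what the IP-range restriction buys, here is an added Python example (not part of EZproxy) that evaluates the two sample lines above against stub resolver data. The addresses and names are constructed, and the forward_confirm option, which requires the PTR name to resolve back to the source address, is a hardening step the page does not describe.

```python
import fnmatch
import ipaddress


def parse_rule(line):
    """Parse an ezproxy.usr line such as
    ::ip=68.14.0.0-68.14.255.255,hostname=*.something.somedomain.com
    into {"ip": "...", "hostname": "..."}."""
    rule = {}
    for part in line.strip()[2:].split(","):
        key, _, value = part.partition("=")
        rule[key.strip()] = value.strip()
    return rule


def ip_in_range(ip, spec):
    """spec is "first-last" (inclusive) or a single address."""
    first, _, last = spec.partition("-")
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last or first)


def autologin_allowed(ip, rules, ptr, forward, forward_confirm=False):
    """Return True if any rule grants automatic login to this source IP.
    ptr maps IP -> reverse-DNS name and forward maps name -> set of IPs; both
    are stand-ins for real resolver calls. forward_confirm adds a check the
    page does not mention: the PTR name must resolve back to the source IP."""
    for rule in rules:
        if "ip" in rule and not ip_in_range(ip, rule["ip"]):
            continue                      # IP range is tested before the hostname
        name = ptr.get(ip)
        if name is None:
            continue
        name = name.rstrip(".").lower()
        if not fnmatch.fnmatchcase(name, rule["hostname"].lower()):
            continue
        if forward_confirm and ip not in forward.get(name, set()):
            continue                      # PTR claims a name that does not point back
        return True
    return False


RULES = [
    parse_rule("::ip=68.14.0.0-68.14.255.255,hostname=*.something.somedomain.com"),
    parse_rule("::hostname=*.otherdomain.com"),
]

# Constructed resolver data. 203.0.113.5 is an outside address whose owner has
# published a PTR record claiming to be inside otherdomain.com.
PTR = {
    "68.14.3.9": "ws12.something.somedomain.com",
    "198.51.100.2": "vpn.otherdomain.com",
    "203.0.113.5": "proxy.otherdomain.com",
}
FORWARD = {
    "ws12.something.somedomain.com": {"68.14.3.9"},
    "vpn.otherdomain.com": {"198.51.100.2"},
    "proxy.otherdomain.com": {"192.0.2.77"},   # the genuine host lives elsewhere
}

if __name__ == "__main__":
    for ip in PTR:
        print(ip, autologin_allowed(ip, RULES, PTR, FORWARD),
              autologin_allowed(ip, RULES, PTR, FORWARD, forward_confirm=True))
```

With both rules loaded, the spoofed 203.0.113.5 is accepted by the hostname-only rule; restricting to the first rule (IP range plus hostname) or turning on forward confirmation rejects it.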
-
Text file username and password checks now ignore ISO-8859-1 diacritics.
-
You can now record starting point URLs into their own, separate file.
Sample usage is:
LogSPU spu.log %h %{ezproxy-spuaccess}i %u %t "%r" %s %b
%{ezproxy-spuaccess}i is a special variable that records one of proxy (the
user's access to the remote URL will be proxied), local (the user is within
an ExcludeIP address range and will be redirected to the URL without being
proxied), or unknown (the URL was not recognized by EZproxy and Option
RedirectUnknown appears in ezproxy.cfg).
LogSPU must be followed by a filename, and can optionally be followed by
a log format. LogSPU can appear more than once in ezproxy.cfg, with different
formats possible for each file. As of this release, each LogSPU must reference
a different file.
-
With III authentication, you can now associate arbitrary text with users
during login that can be recorded into EZproxy log files. Sample usage:
::iii
Host iii.yourlib.org
Type 1,2,3,4,5; UsrVar 1 Student
Type 6,7,8; UsrVar 1 Faculty
/iii
The number after UsrVar can be any digit 0 to 9. All UsrVar values
default to blank.
To record this variable in ezproxy.log, use a LogFormat similar to:
LogFormat %h %l %u %t "%r" %s %b %{ezproxy-usrvar1}i
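As an added example (not from the page and not EZproxy code), the following Python builds a parser from a LogFormat or LogSPU string so that the two formats above can be searched: it tallies the spuaccess values, lists the starting point URLs EZproxy did not recognize, and counts the UsrVar values. The sample log lines are constructed; the bracketed %t and whitespace-free %{...}i values are assumptions about the log layout.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Directive arguments from the page (the filename argument of LogSPU dropped).
LOGSPU_FORMAT = '%h %{ezproxy-spuaccess}i %u %t "%r" %s %b'
USRVAR_FORMAT = '%h %l %u %t "%r" %s %b %{ezproxy-usrvar1}i'

# Regex fragment per single-letter token. Assumed conventions: %t is written
# in brackets as in Apache logs; %{name}i values contain no whitespace.
TOKEN_PATTERNS = {
    "h": r"(?P<host>\S+)",
    "l": r"(?P<ident>\S+)",
    "u": r"(?P<user>\S+)",
    "t": r"\[(?P<time>[^\]]+)\]",
    "r": r'(?P<request>[^"]*)',
    "s": r"(?P<status>\d{3}|-)",
    "b": r"(?P<bytes>\d+|-)",
}
TOKEN_RE = re.compile(r"%\{([^}]+)\}i|%([a-z])")


def compile_logformat(fmt):
    """Turn a format string into an anchored regex with one named group per
    token; %{ezproxy-spuaccess}i becomes the group ezproxy_spuaccess."""
    parts, pos = [], 0
    for m in TOKEN_RE.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        if m.group(1):
            parts.append(r"(?P<%s>\S+)" % re.sub(r"[^A-Za-z0-9_]", "_", m.group(1)))
        elif m.group(2) in TOKEN_PATTERNS:
            parts.append(TOKEN_PATTERNS[m.group(2)])
        else:
            raise ValueError("unsupported token %%%s" % m.group(2))
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$")


def parse_log(text, fmt):
    """Yield one dict per line matching the format; malformed lines are skipped."""
    rx = compile_logformat(fmt)
    for line in text.splitlines():
        m = rx.match(line)
        if m:
            yield m.groupdict()


def count_by_field(text, fmt, field):
    counts = {}
    for rec in parse_log(text, fmt):
        counts[rec[field]] = counts.get(rec[field], 0) + 1
    return counts


def unknown_targets(text, fmt=LOGSPU_FORMAT):
    """(user, destination) pairs for starting point URLs EZproxy did not
    recognize, i.e. where Option RedirectUnknown sent the user off-proxy.
    Anyone can build a login?url= link to any destination, so these are the
    entries worth reviewing."""
    out = []
    for rec in parse_log(text, fmt):
        if rec.get("ezproxy_spuaccess") != "unknown":
            continue
        fields = rec["request"].split()
        path = fields[1] if len(fields) > 1 else ""
        out.append((rec["user"], parse_qs(urlsplit(path).query).get("url", [""])[0]))
    return out


# Constructed sample lines in the two formats above (not real log data).
SAMPLE_SPU_LOG = """\
198.51.100.7 proxy alice [10/Jan/2005:09:12:01 -0500] "GET /login?url=http://www.somedb.com/ HTTP/1.1" 302 0
198.51.100.7 unknown alice [10/Jan/2005:09:12:44 -0500] "GET /login?url=http://evil.example/ HTTP/1.1" 302 0
203.0.113.9 local - [10/Jan/2005:09:13:02 -0500] "GET /login?url=http://www.otherdb.com/ HTTP/1.1" 302 0
198.51.100.7 unknown alice [10/Jan/2005:09:14:10 -0500] "GET /login?url=http://evil.example/login HTTP/1.1" 302 0
this line is garbage and is skipped by the parser
"""
SAMPLE_USRVAR_LOG = """\
198.51.100.7 - alice [10/Jan/2005:09:12:01 -0500] "GET http://www.somedb.com/ HTTP/1.1" 200 5123 Student
198.51.100.8 - bob [10/Jan/2005:09:15:30 -0500] "GET http://www.otherdb.com/ HTTP/1.1" 200 812 Faculty
198.51.100.9 - carol [10/Jan/2005:09:16:00 -0500] "GET http://www.otherdb.com/x HTTP/1.1" 403 0 Student
"""

if __name__ == "__main__":
    print(count_by_field(SAMPLE_SPU_LOG, LOGSPU_FORMAT, "ezproxy_spuaccess"))
    print(unknown_targets(SAMPLE_SPU_LOG))
    print(count_by_field(SAMPLE_USRVAR_LOG, USRVAR_FORMAT, "ezproxy_usrvar1"))
```

Because the parser is generated from the directive text, the same code works for any LogSPU or LogFormat line you put in ezproxy.cfg as long as the tokens used are in TOKEN_PATTERNS.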
-
The default menu generated after login can now be limited to display
just those databases to which the user's group memberships allow access.
To enable this feature, add:
Option MenuByGroups
to ezproxy.cfg and restart EZproxy.
-
Corrects issue that prevented "Test -wild dn somevalue" from working correctly.
-
Extends LDAP interface to allow:
test -user someuser
test -wild -user somewildcarduser
test -auth authvalue
test -wild -auth somewildcardauthvalue
as a way to test the values from the user and auth variables of the
login form.
-
It is now possible to control the HTTP "Server" header sent by EZproxy when
it is sending its own web content (e.g., during login processing). The
directive to control this is:
ServerHeader server-identifier
By default, EZproxy sends EZproxy as its server identifier. If you
specify ServerHeader with no server-identifier, the header is omitted.
Otherwise, EZproxy uses server-identifier in this header.
-
ezproxy.cfg now accepts the directive:
Option IgnoreWildcardCertificate
When EZproxy is running in proxy by hostname with SSL enabled and with
a certificate whose name starts with an asterisk (*), EZproxy normally
adds "login." to the front of its hostname when it constructs URLs
that point to itself. Adding this directive tells EZproxy to ignore the
wildcard certificate and leave its hostname unchanged.
This directive is mainly useful in instances where an EZproxy server
is named something similar to ezproxy.yourlib.org and you want to use
a certificate named *.yourlib.org.
-
Add a "-hide" qualifier to the Title directive to indicate that a
database definition should not appear when automatically generating
the menu. Sample use:
Title -hide Some Database that will not appear in menu
2004-10-26
EZproxy 3.0f contains the following changes.
-
Corrects an issue introduced in 3.0e that corrupted the content attribute of
meta tags when http-equiv was not refresh.
-
Extends LDAP interface to allow:
Test -wild attribute wildcardvalue
where wildcardvalue can use the * wildcard to match 0 or more characters.
When Test is used without -wild, EZproxy needs only compare access to the
directory. When -wild is present, EZproxy needs read access to the
directory.
-
Corrects a problem that prevented long cookie values from being preset.
-
Adds an option to override SSL certificate checks.
-
Shibboleth change to enhance IdP 1.1 interoperability.
2004-09-19
EZproxy 3.0e contains the following changes.
-
Changes DNS handling to address ISI incompatibility.
-
Correct issue when using entries such as:
user1::deny=locked.htm
from an included file.
-
Correct flaw with LDAP processing when no filter
included in the LDAP URL.
-
Correct typographical errors in a few administration pages.
-
Binary size increased noticeably due to inclusion of first
beta release of Shibboleth Service Provider support.
2004-08-30
EZproxy 3.0d GA (2004-08-30) corrects a problem when using "ezproxy log"
on Microsoft Windows Terminal Services, allows EZproxy to rewrite
URLs that contain line breaks (HeinOnline), and corrects for relative
URLs that start ../ in redirects.
2004-08-05
EZproxy 3.0c GA (2004-08-05) corrects an issue that caused the combination of
auth and old-style LDAP authentication in the same line in ezproxy.usr to
cause EZproxy to ignore other sections of ezproxy.usr.
2004-08-04
EZproxy 3.0b GA (2004-08-04) corrects an issue that prevented wildcards from
working properly in Domain/DomainJavaScript statements.
This release corrects a similar issue for the new NeverProxy statement. In
ezproxy.cfg, you can now add lines like this:
NeverProxy www.somedb.com
NeverProxy www.somedb.com:8080
NeverProxy *.somedb.com
The first line tells EZproxy never to rewrite the hostname www.somedb.com.
The second tells EZproxy never to rewrite www.somedb.com:8080, but rewrite any other www.somedb.com references. The third line tells EZproxy never to
rewrite any hostname that ends in .somedb.com.
2004-08-02
EZproxy 3.0a GA (2004-08-02) contains the following changes:
-
LDAP support has been greatly enhanced. For configuration details,
see LDAP Authentication
-
EZproxy now supports intruder detection. See
IntruderAttempts for information on how to configure
this feature.
-
EZproxy now supports a secure method to allow portals to generate links directly
to EZproxy. See Ticket Authentication for details.
-
The /admin page has been enhanced to provide more options for managing your EZproxy server.
-
Introduces new high availability multi-server coordinated configuration
including new HAName and HAPeer directives.
-
If you receive a renewal SSL certificate, you can now bring up the original
certificate and use the "copy" feature to create a copy of the certificate,
then apply the renewal certificate to this copy.
-
When a server fails to provide a content-type header, EZproxy examines the
beginning of the document to check whether or not it is HTML. This check
has been extended to support an unusual response from scitation.aip.org
that includes a series of comments before the page is declared to be in HTML.
-
When generating self-signed certificate, you can now choose for how many
years the certificate should be valid.
-
EZproxy can now send a Platform for Privacy Preferences (P3P) header when
it sets its authentication cookie. This can be used to allow EZproxy
authentication to occur within a framed window.
Sample usage:
P3P CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
-
Corrects a problem with III Millennium pin validation.
-
In DRAWeb2 authentication, the setup process provides files for use
with the classic DRA_ macros as well as the newer WEB2_ macros.
Also, you can now specify the userid
field that EZproxy should use when it verifies someone's access using
the new userid directive.
Sample usage (one or more line breaks were added in this example for display purposes; an example without added line breaks
is available):
::draweb2
userid alt_user_id
url http://draweb2.yourlib.org/Web2/tramp2.exe/log_in?
SETTING_KEY=guest&screen=ezp1.html
/draweb2
EZproxy previously imposed stringent checks on the user and password
information used by Web2, which led to information that is valid for
Unicorn systems being locked out. These restrictions have been changed
to accommodate the broader range of options supported by Unicorn.
-
The Campus Pipeline Integration Protocol (CPIP) URLs can now be accessed
by the EZproxy session ID by specifying the sid as ezproxy: followed by
the EZproxy session identifier.
-
When making an outgoing SSL connection, previous versions of EZproxy
would present their SSL certificate to the remote host. EZproxy no longer
presents an SSL certificate on outgoing connections.
This next section applies only to the traditional LDAP configuration in ezproxy.usr, not the new LDAP functionality triggered by just ::LDAP.
If required, EZproxy can still present a certificate for outgoing LDAP
connections. In ezproxy.usr, use an entry similar to this:
::ssl=2,ldap=pdc.yourlib.org,$U@yourlib.org
where "2" is the number of the certificate for EZproxy to present in the
outgoing request.
-
By default, EZproxy allows a remote server to pause for a maximum of 60
seconds before it will timeout a connection. You can now change this
value by adding a line to ezproxy.cfg like:
RemoteTimeout 120
In this example, the timeout is raised from 60 seconds to 120 seconds.
-
The following deny option has flaws and is under review for possible changes.
If you need this type of functionality, please contact
support@oclc.org
to discuss options.
This option does not work correctly from an included file.
When using deny in ezproxy.usr, you can now include a filename to present
to the user, such as:
user1::deny=expired.html
In this example, the expired.html file would need to be placed in the
docs subdirectory.
-
Adds a variety of new options to the SIP interface.
-
Includes changes to support having EZproxy include the login username
in starting point URLs, either in plain-text or encrypted form.
Title ebooks.com
EncryptVar u astringyoupick
URL http://www.curtin.eblib.com/EBLWeb/patron.html?userid=^u&usertype=student
In addition, the EZproxy /admin menu displays a new "Decrypt User Variable"
option whenever EncryptVar appears in ezproxy.cfg. This option allows the
EZproxy administrator to enter an encrypted value and see what the original
plain-text value was.
-
Includes changes to make it possible to use ::external authentication
against a Dynix RPA server.
-
Adds new "AllowVars" database definition option along with "vars=" to ezproxy.usr
to support MD Consult integrated authentication.
-
Corrects an issue that prevented EZproxy from being controlled by an
administrative account when EZproxy is running under a
non-privileged account on Windows.
2004-05-12
EZproxy 2.4e GA (2004-05-12) contains the following changes:
- III Patron API updated to support changes in III Silver release. This update is compatible with both the original Patron API and the
updated version.
- Problem corrected when switching log file in Windows when EZproxy
runs from a non-privileged account.
- This version is required for temporary licenses that expired after
June 23, 2004.
2004-04-09
EZproxy 2.4d GA (2004-04-09) contains the following changes:
-
Corrects an issue that prevented EZproxy from running under a non-privileged
account on Windows.
-
Change use of 303 see other redirect code back to 302 moved temporarily
during login processing to resolve some issues encountered by the
CGI authentication method.
2004-03-21
EZproxy 2.4c GA (2004-03-21) contains the following changes:
-
When a remote web server responds with a 1xx, 204, or 304 HTTP result
code, EZproxy considers the request finished once the header is received
from the remote web server,
instead of waiting until the remote web server closes the connection.
This change dramatically improves performance when accessing the Brookers database.
-
EZproxy now supports SIP authentication. See 3M Standard Interchange Protocol (SIP) for configuration details.
-
EZproxy no longer generates hostnames for proxy by hostname that start with digits. Where EZproxy did this previously such as 8080-www.somedb.com.ezproxy.yourlib.org,
it now includes the letter p at the beginning, such as p8080-www.somedb.com.ezproxy.yourlib.org.
-
APOP authentication can now be disabled. See POP Authentication for details.
-
Older versions of EZproxy would strip angle brackets (<, >) from
starting point URLs. In this release, the angle brackets are changed
to their hex-encoded counter-parts.
-
In ezproxy.cfg, you can add:
Option RelaxedRADIUS
This tells EZproxy not to verify the source IP address for RADIUS
responses, but rather to just look at the received packet to check
whether or not a valid response has been returned.
-
The length limits for username and password have been raised from
32 to 64 characters.
-
EZproxy can now proxy .wmv files correctly.
-
Foot and Ankle International can be proxied when using this update along
with this database definition (one or more line breaks were added in this example for display purposes; an example without added line breaks
is available):
Title Foot and Ankle International
URL http://www.datatrace.com/e-chemtracts/emailurl.html? http://www.newslettersonline.com/user/user.fas/s=563/fp=20/tp=37? T=open_non_issue,5167,3&P=non_issue
DJ datatrace.com
DJ newslettersonline.com
Find location.href="' + idOrUrl
Replace location.href="^p^/login?url=' + idOrUrl
-
One EZproxy server can now be configured to route starting point URLs
of specified domains to a different server (can be EZproxy or something else). Sample usage is:
RerouteTo http://otherezp.yourlib.org/login?url=
RerouteHost www.somedb.com
RerouteDomain otherdb.com
The RerouteTo statement appears before any RerouteHost and RerouteDomain
statements. The string specified in RerouteTo is placed in front of the
URL that was specified in the starting point URL, then the user is redirected.
RerouteTo can be omitted, in which case the other
Reroute statements would effectively tell EZproxy to reroute starting point
URLs of those domains to the regular URL.
RerouteHost indicates that any hostname that exactly matches the
specified hostname should be rerouted, whereas RerouteDomain indicates
that any hostname that exactly matches or ends with the specified domain
should be rerouted.
RerouteTo can also take the form:
RerouteTo -quote http://www.yourlib.org/script.cgi?dest=
With the -quote added, it tells EZproxy to apply URL encoding to the URL,
making it suitable to be directly passed under normal CGI semantics
(e.g., http://ezproxy becomes http%3a%2f%2fezproxy if -quote is
present).
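Added example (Python, not EZproxy's code) implementing the Reroute matching and the -quote encoding described above, so a redirect target can be checked before the directives go into ezproxy.cfg. One choice here is an assumption rather than something the page states: the RerouteDomain suffix match is applied on a label boundary, so otherdb.com matches journals.otherdb.com but not notherdb.com. The hostnames and URLs are the page's placeholders.

```python
from urllib.parse import quote, urlsplit


class Rerouter:
    def __init__(self, reroute_to=None, quote_url=False):
        self.reroute_to = reroute_to      # None when RerouteTo is omitted
        self.quote_url = quote_url        # True when RerouteTo carries -quote
        self.hosts = set()                # RerouteHost: exact matches
        self.domains = []                 # RerouteDomain: exact or suffix matches

    def matches(self, hostname):
        host = hostname.lower().rstrip(".")
        if host in self.hosts:
            return True
        # Suffix match on a label boundary (assumption, see lead-in): this keeps
        # "otherdb.com" from also matching "notherdb.com".
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def reroute(self, spu):
        """Return the URL the user is redirected to, or None if the starting
        point URL is not rerouted and is handled by this server."""
        host = urlsplit(spu).hostname or ""
        if not self.matches(host):
            return None
        if self.reroute_to is None:
            return spu                    # no RerouteTo: send to the regular URL
        target = quote(spu, safe="") if self.quote_url else spu
        return self.reroute_to + target


def parse_reroute_config(text):
    """Read RerouteTo / RerouteHost / RerouteDomain lines from ezproxy.cfg text."""
    rr = Rerouter()
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        directive, args = fields[0], fields[1:]
        if directive == "RerouteTo":
            if args and args[0] == "-quote":
                rr.quote_url, args = True, args[1:]
            rr.reroute_to = args[0] if args else None
        elif directive == "RerouteHost" and args:
            rr.hosts.add(args[0].lower())
        elif directive == "RerouteDomain" and args:
            rr.domains.append(args[0].lower().lstrip("."))
    return rr


PAGE_CONFIG = """\
RerouteTo http://otherezp.yourlib.org/login?url=
RerouteHost www.somedb.com
RerouteDomain otherdb.com
"""
QUOTED_CONFIG = """\
RerouteTo -quote http://www.yourlib.org/script.cgi?dest=
RerouteDomain somedb.com
"""

if __name__ == "__main__":
    plain = parse_reroute_config(PAGE_CONFIG)
    for url in ("http://www.somedb.com/a?b=1", "http://journals.otherdb.com/",
                "http://notherdb.com/", "http://search.somedb.com/"):
        print(url, "->", plain.reroute(url))
    print(parse_reroute_config(QUOTED_CONFIG).reroute("http://www.somedb.com/a?b=1"))
```

Python's quote() emits uppercase hex (%3A%2F), the page shows lowercase (%3a%2f); receivers decode both identically.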
-
The ::external user authentication method will now accept a response back
of the form:
ezproxy_menu=menufile.htm
where menufile.htm specifies the menu that should be
presented to the user after login.
2004-02-15
EZproxy 2.4b GA (2004-02-15) contains the following changes:
-
Adding the line
Option RequireAuthenticate
to ezproxy.cfg allows you to configure individual machines to present the EZproxy login
for starting point URLs, even if their IP addresses fall within AutoLoginIP or ExcludeIP address ranges.
Once you have added the option line and restarted EZproxy, you can force the presentation of the login page
using a URL similar to:
http://ezproxy.yourlib.org:2048/auth
This page allows you to enable or disable this behavior, either for the balance of your browser session
(useful for quick testing or perhaps information literacy instruction sessions) or "permanently." Since
this feature uses a cookie, it can be undone if the cookie is removed, so it is not something you can count on to
work indefinitely, but it can be useful in situations where machines receive their addresses by DHCP and cannot
be identified by specific, static IP addresses for this purpose.
-
Corrects an issue with the mini-DNS server that prevented it from working
reliably under Solaris.
-
Corrects a problem that prevented
browser request headers in LogFormat statements from being recorded
properly.
-
In III authentication, an error that caused "Password None" to
accept any barcode as valid has been corrected.
-
Proxy by hostname no longer prefixes hostnames with 80- and s443- when the
remote hostname uses the standard web ports of 80 for http traffic and
443 for https traffic, although EZproxy recognizes this form to allow
existing bookmarks to work properly.
-
When an attempt is made to access EZproxy under a name it does not
recognize, its normal behavior is to redirect the user to its proper
name. Starting in 2.4, when this situation occurs, if the file badhost.htm
exists in the docs subdirectory, EZproxy will send this file instead of
performing the redirect.
-
Added new "Option ProxyFTP" and "Option NoProxyFTP" to allow/disallow proxying
of ftp:// URLs. Default is "Option NoProxyFTP". These options are
position-dependent and affect database definitions that follow them and
remain in effect unless changed by another appearance of one of these options.
Sample usage:
Option ProxyFTP
Title Some database where FTP URLs will be proxied
URL http://www.somedb.com
Domain somedb.com
Option NoProxyFTP
Title Other database where FTP URLs will not be proxied
URL http://www.otherdb.com/
Domain otherdb.com
Title Another database where FTP URLs will not be proxied
URL http://www.anotherdb.com/
Domain anotherdb.com
-
EZproxy for Windows contains a correction for a problem that would cause
the error "OpenFileMapping failed: 5 Access is denied" to occur if EZproxy
was configured to run under a non-administrator account.
-
EZproxy can now include the X-Forwarded-For header when it sends a request
to a remote web server. This header includes the remote user's IP address.
This feature is enabled in ezproxy.cfg with "Option X-Forwarded-For"
and disabled by "Option NoX-Forwarded-For". Each of these options should
appear just prior to a Title (T) line.
Sample use:
Option X-Forwarded-For
Title Some Database
URL http://www.somedb.com
Domain somedb.com
Option NoX-Forwarded-For
# No databases after this point will send the X-Forwarded-For header
Title Other Database
URL http://www.otherdb.com
Domain otherdb.com
-
Extensions to the DRAWeb2 authentication options.
-
The SkipPort directive for ezproxy.cfg.
Sample usage is:
SkipPort 3307
The ezproxy.cfg file may contain any number of SkipPort lines.
-
Cookies may be pre-loaded into new EZproxy sessions by specifying them
in ezproxy.cfg. Sample usage is:
Cookie Demo-OpenURL="http://sfx.exlibrisgroup.com:9003/yourlib"; domain=.doi.org
The cookie must specify the domain of hosts to which it applies.
-
The print option for CRC Handbook now works.
-
Database definitions may now contain the line:
MetaFind MuseCookie
to activate special cookie handling needed by III's MetaFind product.
This line must appear in each database that requires this special
handling.
-
This version corrects a problem that was causing EZproxy
to truncate hidden fields whose values were more than 16K in length.
This prevented http://www.infomedia.dk from working properly.
2003-09-09
EZproxy 2.2e GA (2003-09-09) contains a change that corrects a compatibility issue between
EZproxy and SFX links to Web of Knowledge. It also contains changes to the mini-DNS server.
2003-09-01
EZproxy 2.2d GA (2003-09-01) contains two changes:
-
All versions of EZproxy prior to this release rearranged the location of the Host and Referer headers
of an HTTP request.
This rearrangement of these headers was linked to a problem that caused some web page retrievals to
come up blank.
EZproxy 2.2d has been altered to keep these headers in their original locations while processing a
request.
-
EZproxy 2.2a introduced a change to avoid a SIGCHLD kernel warning under RedHat 9. However, this change
negatively impacted at least one site running RedHat 6.0. The manner in which EZproxy handled
this prior to the release of 2.2 can now be restored by adding:
Option IgnoreSIGCHLD
to ezproxy.cfg.
-
Under "new style" DRA Web2 authentication, the pin may now contain
either letters or digits, whereas older versions of EZproxy limited the pin
to digits only.
2003-08-14
EZproxy 2.2c GA (2003-08-14) contains the following changes:
- When a user either tried to use the proxied form of an EZproxy URL (e.g., http://ezproxy.yourlib.org:2060
or http://80-www.somedb.ezproxy.yourlib.org) while not logged in, or tried to access a resource outside
the user's groups, the user did not automatically proceed to the login page. This problem also affected
sites that were using AutoLoginIP to access some resources (e.g., an automated catalog), but had other resources restricted by group.
- The method by which the "-si" option creates a startup script on Linux and Solaris has changed, although
the actual script created is the same.
- Using the new administrative URL of the general form http://ezproxy.yourlib.org/admin
when you have proxy by hostname enabled along with a wildcard SSL certificate now properly proceeds to
the Administration page after login.
- The "ezproxy -c" connectivity test will now route its request through your
outgoing proxy server if an outgoing proxy server has been specified in ezproxy.cfg.
- This version contains the new mini-DNS server for use with proxy by hostname,
although this feature is still in initial testing. You must explicitly activate this feature, so
it has no impact on existing sites that update to this version, but is available for those sites that
want to perform testing of this feature.
2003-08-05
EZproxy 2.2b GA (2003-08-05) corrects a problem in 2.2a that had
disabled the URLAppend (UA) command in ezproxy.cfg.
2003-08-02
EZproxy 2.2a GA (2003-08-02) contains the following changes:
- In ezproxy.cfg, comment lines are formed by placing a # at the beginning of a line.
In some instances, people have placed comments on the end of lines that contain
EZproxy directives, such as:
IncludeIP 68.15.177.100 # Test machine
The use of comments like this is not supported, and in EZproxy 2.2, it
actually causes ExcludeIP and IncludeIP lines that contain such comments
to fail.
Please make certain to always place comments on their own lines, such as:
# Test machine
IncludeIP 68.15.177.101
- If you use https for login processing, EZproxy no longer defaults
to forcing the main login page to upgrade from http to https. To restore the previous forced
behavior, add:
Option ForceHTTPSLogin
to ezproxy.cfg.
- When generating a new certificate under proxy by hostname,
you can now have the option to create a wildcard certificate. This tells
EZproxy that it should add "login." to the front of its name when
handling login requests and should generate its SSL certificate using
the form "*.ezproxy.yourlib.org". It also changes periods to hyphens when
generating the host name for sites using https. These changes should allow
a single wildcard certificate to generate only one error if self-signed,
and no errors if purchased from a certificate authority.
- New /admin page that coordinates access to various
administrative functions within EZproxy.
- When SSL certificates are generated, they now receive
distinct serial numbers to avoid generating conflicts for browsers that
track certificates by issuer and serial number.
- Corrections to AutoLoginIP interaction with groups.
- New warning message when a server is configured for
proxy by hostname but the wildcard DNS entry has not been registered.
- In some instances and network configurations, Find/Replace
statements would not be processed. This likely led to some issues with Web
of Science and Kluwer, along with
other databases that require Find/Replace to operate.
- The /status screen has been enhanced. The new version:
- contains links from sessions that allow you to terminate sessions.
- defaults to displaying source IP addresses instead of host names to reduce the wait time for this
page to display when a large number of people are logged in.
- rearranges the way databases are displayed, moving the domains column over to the left so it is not
necessary to scroll right to see the domain information if there are any really long URLs.
- allows the display of Find/Replace commands in the database listing if you use the extended display option.
- enhances the host listing to ease diagnosis by indicating whether or not added JavaScript processing is enabled
for the host, and also containing a link that allows you to see which database definition in ezproxy.cfg controls
a given virtual host.
- The Proxy and ProxySSL statements are now position-dependent in ezproxy.cfg.
Sites that use these statements should verify that they appear before your
first Title (T) line, or else any databases that appear before them will not be directed through your outgoing proxy server.
This change allows you to route proxy requests for different database vendors to different
outgoing proxy servers, and to disable proxy server use for specific databases. This change
was implemented in support of the LOCKSS project. Sample
use in ezproxy.cfg is:
Proxy proxy1.yourlib.org
ProxySSL proxy1.yourlib.org
Title Some database accessed through proxy1.yourlib.org
URL http://www.somedb.com
Domain somedb.com
Proxy
ProxySSL
Title Other database that will not use a proxy server
URL http://www.otherdb.com
Domain otherdb.com
Proxy proxy2.yourlib.org
Title Another database that will use proxy2 for http, but will make https requests directly
...
Proxy and ProxySSL statements affect all databases that follow them until another Proxy or ProxySSL statement appears.
As before, the Proxy and ProxySSL statements may still contain a username:password at the end to allow
EZproxy to send a username/password when making proxy requests.
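Because Proxy/ProxySSL (this release), Option ProxyFTP/NoProxyFTP and Option X-Forwarded-For/NoX-Forwarded-For (2.4b above) are all position-dependent, a walk through ezproxy.cfg that records the state in force at each Title line makes the effect visible. The following Python is an added example and not EZproxy's own parser; the sample configuration is built from the page's fragments plus a Title placed before the first Proxy line to show the misordering the text warns about. Other directives are ignored, and any user:pass on a Proxy line is kept as part of the argument string.

```python
# Option keywords that flip a per-database flag; each Title (or its short
# form T) captures the flags and proxy settings in force at that point.
FLAG_OPTIONS = {
    "ProxyFTP": ("proxy_ftp", True),
    "NoProxyFTP": ("proxy_ftp", False),
    "X-Forwarded-For": ("x_forwarded_for", True),
    "NoX-Forwarded-For": ("x_forwarded_for", False),
}


def parse_cfg(text):
    """Walk ezproxy.cfg top to bottom and return, per database, the settings
    that were in effect when its Title line was reached."""
    state = {"proxy_ftp": False, "x_forwarded_for": False, "proxy": None, "proxy_ssl": None}
    seen_proxy_directive = False
    databases = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        arg = arg.strip()
        if directive == "Option" and arg in FLAG_OPTIONS:
            key, value = FLAG_OPTIONS[arg]
            state[key] = value
        elif directive in ("Proxy", "ProxySSL"):
            # A bare Proxy/ProxySSL disables the outgoing proxy for what follows;
            # otherwise the argument is host[:port] optionally followed by user:pass.
            seen_proxy_directive = True
            state["proxy" if directive == "Proxy" else "proxy_ssl"] = arg or None
        elif directive in ("Title", "T"):
            databases.append(dict(state, title=arg, before_any_proxy=not seen_proxy_directive))
    return databases


def titles_before_first_proxy(text):
    """Databases defined above the first Proxy/ProxySSL line: these go direct,
    which is the ordering mistake the page tells sites to check for."""
    dbs = parse_cfg(text)
    if not any(db["proxy"] or db["proxy_ssl"] for db in dbs):
        return []
    return [db["title"] for db in dbs if db["before_any_proxy"]]


# Constructed from the page's fragments; the first Title is deliberately misplaced.
SAMPLE_CFG = """\
Title Catalog defined before any Proxy line
URL http://catalog.yourlib.org
Domain catalog.yourlib.org
Proxy proxy1.yourlib.org
ProxySSL proxy1.yourlib.org
Option ProxyFTP
Option X-Forwarded-For
Title Some database accessed through proxy1.yourlib.org
URL http://www.somedb.com
Domain somedb.com
Proxy
ProxySSL
Option NoProxyFTP
Option NoX-Forwarded-For
# No databases after this point will send the X-Forwarded-For header
Title Other database that will not use a proxy server
URL http://www.otherdb.com
Domain otherdb.com
Proxy proxy2.yourlib.org
Title Another database that will use proxy2 for http, but will make https requests directly
URL http://www.anotherdb.com
Domain anotherdb.com
"""

if __name__ == "__main__":
    for db in parse_cfg(SAMPLE_CFG):
        print(db)
    print("direct despite a Proxy line:", titles_before_first_proxy(SAMPLE_CFG))
```

The fourth database shows the split the page describes: Proxy proxy2 applies to http while the earlier bare ProxySSL still leaves https going direct.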
- New support for Books24x7.com authentication, including
revisions since the 2003-06-29 release for revised encryption. A sample entry is:
Title Book24x7.com
URL http://library.books24x7.com/library.asp?^B
Books24x7Site ABC123
TokenKey SomethingYouPickAndDontTellAnyone
TokenSignatureKey YouGetThisFromBooks24x7
DJ books24x7.com
In this example, the ABC123 is a site identifier issued to you by Books24x7.com. The
TokenKey is a random string that you pick that is used to encrypt the username of the person accessing
EZproxy before sending it to Books24x7.com. The TokenSignatureKey is used to encrypt a combination
of the IP address making the request and the encrypted username formed with TokenKey, or just the
IP address if someone is accessing from within an ExcludeIP range.
This process does not disclose the identity of the EZproxy user to Books24x7.com. It sends an encrypted
string that identifies each user uniquely. If necessary, Books24x7.com can provide your library with
this encrypted string, then you can cross-reference it to the original user using the new:
http://ezproxy.yourlib.org:2048/token
page.
-
When ::limit is used to impose a login limit, the error message that appears for those who exceed their
limit may now be overridden by creating the file limit.htm in the docs subdirectory. Within that
file, you may use ^0 (number zero) to represent the maximum number of logins allowed on the account,
^1 (number one) to include an s if the limit is not 1 but nothing if the limit is one, and
^2 (number two) for the word "is" if the limit is 1 or "are" otherwise. The existing
message can be created with this string:
Your account is limited to ^0 session^1
-
When a web server claims a page is text/plain, it was previously left untouched. EZproxy now
examines the content of the page to determine if it is HTML, and if it is, it rewrites the
page. This behavior makes EZproxy emulate IE's behavior and should correct a problem with
one errant Web of Science page.
-
In RedHat 9.0, a warning was being generated to /var/log/messages about SIGCHLD. This warning
no longer appears.
- The III interface now supports a keyword Unknown which tells EZproxy to consider
the user unknown and proceed to the next authentication method in ezproxy.usr. This keyword mainly exists
to allow III processing to be terminated if the III server is unavailable, particularly when you use
Deny statements to block users.
Here is a typical application:
::iii
Host iii.yourlib.org
Refused; Unknown
...more authentication statements...
/iii
2003-06-13
EZproxy 2.0k GA (2003-06-12) contains changes that:
- correct a problem introduced in 2.0j when connecting to EBSCO databases.
- suppress the "WARNING: address range applies to #### hosts" when AutoLogin,
ExcludeIP, IncludeIP and RejectIP ranges refer to private IP address ranges (e.g., 10.0.0.0-10.255.255.255).
- log warning messages to ezproxy.msg when unrecognized lines appear in ezproxy.cfg. Please note that this release will report the
directives CookieName and LogFile as unrecognized, even though they are
correctly recognized and processed. This misreporting will be corrected in the next
release of EZproxy.
- correct a problem that prevented CookieFilter from working
under Solaris.
2003-06-05
EZproxy 2.0j GA (2003-06-02) contains corrections: