EZproxy Changes

2007-07-11

EZproxy 4.0h contains the following changes:

Introduce the ability to perform user authentication against a SirsiDynix Horizon Information Portal 3.x server. See Horizon Information Portal 3.x Authentication for details.
Add support for NetLibrary URL API integration, allowing NetLibrary accounts to be replaced by single sign-on integration with EZproxy accounts. Please note that this functionality is not currently compatible with high-availability configurations. Contact support@oclc.org for configuration assistance with this new option.
Correct an error that intermittently prevented IntruderIPAttempts data from being preserved across EZproxy restarts.
Correct issue that prevented LDAP TestWithUser and Test -Wild from working correctly.
Correct issue that prevented username from being reflected correctly when a user first accessed by AutoLoginIP and later authenticated through Shibboleth.
Correct issue that prevented proper operation with a mixture of CAS authentication, high availability, and ExcludeIP.
Correct a problem when intermixing groups, AutoLoginIP directives, and Shibboleth authentication.
Incorporates a slight change for Follett authentication.
In ezproxy.usr, added new IfQueryStringPass to test if the password was provided in the query string, making it possible to block when someone decides to submit their password in this manner instead of through the login form POST method. Sample use:

::Common IfQueryStringPass; Deny loginbu.htm /Common

This logic should appear as the first part of ezproxy.usr. As shown above, EZproxy will immediately send loginbu.htm, which is the normal behavior if a username/password is provided incorrectly. If you prefer, you can use a different file for Deny to provide the user with feedback indicating that this is not permitted.

2007-03-12

EZproxy 4.0g contains the following changes:

Slight change to correct a problem encountered by some sites when proxying InfoTrac products. A sample problem included long hit lists being truncated.
Add ezproxy.cfg "Option DisableSSL40bit" to direct EZproxy not to allow EZproxy to negotiate https connection with 40-bit keys.
Change behavior when handling Location redirects with relative URLs that begin with a ? to enable select Newsbank links to work correctly, particularly extended links from Serials Solutions.
Correct an issue that prevented group memberships for groups containing spaces from being restored correctly during a restart.
Add new Timeout directive for LDAP authentication to specify the maximum amount of time in seconds that EZproxy should wait before giving up on an LDAP server to respond. Sample use:

::LDAP BindUser CN=ezproxy,CN=users,DC=yourlib,DC=org BindPassword verysecret Timeout 10 URL ldap://ldapserv.yourlib.org/CN=users,DC=yourlib,DC=org?sAMAccountName?sub?(objectClass=person) Unauthenticated; Stop

Timeout may appear anywhere after ::LDAP but before URL.
Add new ezproxy.cfg "Option ForceHttpsAdmin" which forces all access to EZproxy administration pages to occur through an https connection.
Add a new -ActiveIP qualifier for the AnonymousURL directive that specifies that the user may access a URL matching the AnonymousURL directive only if that user is also currently accessing from an IP address associated with an authenticated user. Sample use:

AnonymousURL -ActiveIP +http://www.somedb.com/*

Such access may fail if a user is accessing through a network that uses multiple proxy servers such as AOL.
Destination URLs in starting point URLs that are authorized through an AnonymousURL directive now provide immediate access. In previous versions of EZproxy, such URLs had to appear in rewritten form to work. For example:

AnonymousURL -RE +http://www.somedb.com/[^?]+\.rss Title Some Database URL http://www.somedb.com/ Domain somedb.com

would only have allowed a rewritten URL such as http://www.somedb.com.ezproxy.yourlib.org/feed.rss to be used by an RSS aggregator whereas this new version would also allow access if requested by http://ezproxy.yourlib.org/login?url=http://www.somedb.com/feed.rss
Adds Follett library system authentication. A sample entry for ezproxy.usr is:

::Follett URL http://fsc.yourlib.org /Follett
Adds Sagebrush InfoCentre library system authentication. A sample entry for ezproxy.usr is:

::Sagebrush URL http://sagebrush.yourlib.org /Sagebrush

2006-12-10

EZproxy 4.0f contains the following changes:

Correct an issue in EZproxy 3.6i through 4.0e that can cause EZproxy to restart if it receives a particular URL from an IP address within an ExcludeIP address range. Sites running one of these versions of EZproxy that do not use the "/limited" directory can add:

IncludeIP 0.0.0.0-255.255.255.255

as the last line of ezproxy.cfg to avoid this possibility. Sites using EZproxy 3.6i through 4.0e that use the "/limited" directory are encouraged to update to EZproxy 4.0f.
Correct an issue that could cause the Solaris versions of EZproxy to restart under heavy load.
Add the ability to generate SHA512 hashes of passwords for use in ezproxy.usr. Sample use from a command prompt or shell to generate a SHA512 hash:

ezproxy SHA512 testing $021NGKBG$FTRoPxyZ1S2O2bJ5qRtlXcI/tKPXZRoaQojBFZKWOif0g5Fionk07Bo13fN2+a/kmL8w80VumtcA2m1ENEiT2A

Sample use in ezproxy.usr for this password:

someuser::SHA512=$021NGKBG$FTRoPxyZ1S2O2bJ5qRtlXcI/tKPXZRoaQojBFZKWOif0g5Fionk07Bo13fN2+a/kmL8w80VumtcA2m1ENEiT2A
The Shibboleth metadata used by ShibbolethSites may now be in either Shibboleth 1.2 or 1.3 format.
NCIP authentication now allows the specification of which values should be sent to the NCIP server. Sample use:
::NCIP AuthenticationInput user Barcode Id AuthenticationInput pass PIN Server ncip.yourlib.org /NCIP

You can specify any number of AuthenticationInput directives. The first argument can be user, pass, or pin and specifies that the login form field user, pass, or pin should be used. The balance of the directive is the NCIP authentication input field and will most commonly be one of Barcode Id, PIN, Password, or User Id. In the absence of any AuthenticationInput directives, the user field is sent as Barcode Id and the pass field is sent as PIN.
The Cookie directive for pre-loading cookie values into a session is now affected by Group directives, allow different values to be pre-loaded based on group membership. Sample use:

Group Legal Cookie somecookie=legal; domain=.somedb.com Group Medical Cookie somecookie=medical; domain=.somedb.com Group Legal+Medical Title Some Database URL http://www.somedb.com Domain somedb.com

In this example, if a user is a member of the Legal group, the cookie somecookie is pre-loaded with the value of legal, whereas if the user is a member of the Medical group, the cookie somecookie is pre-loaded with the value of medical. If the user is a member of both groups, the first Cookie directive that matches take precedence, so the cookie somecookie would have the value legal in this scenario.

2006-10-27

EZproxy 4.0e contains the following changes:

The Athens-enabled versions of EZproxy have been released.
Added Solaris 10 (x86) as an officially supported platform. At this time, Athens does not support this platform, so there is no Athens-enabled version of EZproxy for this platform.
Allow a certificate to be associated with database definitions to allow client authentication to remote databases. SSLCert with a certificate number should appear before the Title line of the first database definition that should be affected and SSLCert without a certificate number should appear before the Title line of the first databse definition where the certificate should no longer be sent. The certificate number can be found on the SSL administration page. Sample use:

SSLCert 5 Title Some Database that will receive the certificate URL http://www.somedb.com Domain somedb.com SSLCert Title Other Database that will not receive certificate URL http://www.otherdb.com/ Domain otherdb.com

See Importing a PEM-formatted Certificate into EZproxy for information on how to import a certificate into EZproxy.
Extend IntruderIPAttempts to allow different limits based on source IP address. Sample use:

IntruderIPAttempts -IP=10.0.0.0-10.255.255.255 -Interval=5 -Expires=1 50 IntruderIPAttempts -Interval=5 -Expires=15 20

In this example, users accessing from a 10.* address will be given 50 attempts in a 5 minutes window and will be allowed to try again after 1 minute of being locked out, whereas all other IP addresses are given 20 tries within a 5 minute window and then locked out for 15 minutes.
Extend RADIUS authentication to allow the NAS port type and NAS port to be specified. To add the NAS port type, include a semi-colon (;) after the RADIUS server name (and UDP port) and then either the keyword virtual to specify the virtual port type or a numeric code for the port type as defined in the RADIUS RFC. To add the NAS port, include a semi-colon (;) after the NAS port type and include the port number. If you want to specify only a NAS port but not a port type, use two semi-colons (;) after the RADIUS server.

Sample use:

# Virtual port type, no NAS port specified ::RADIUS=radserv.yourlib.org;virtual,Secret=shhhh # Virtual port type, NAS port 1 ::RADIUS=radserv.yourlib.org:1645;virtual;1,Secret=shhhh # No port type specified, NAS port 1 ::RADIUS=radserv.yourlib.org:1812;;1,Secret=shhhh

Note that the :1645 and :1812 in these examples demonstrate including the UDP port for communication with the RADIUS server, which is completely different from the NAS port.
By default, ExcludeIPBanner only cause the banner to be sent once during a browser session. This behavior can now be modified to direct EZproxy to send the banner every time an exclude URL is accessed by adding the -Always option. Sample use:

ExcludeIPBanner -Always policy.html
Corrects an issue when "URL -RewriteHost" and AutoLoginIP are combined.
Corrects an issue that prevented EZproxy 4.0 for Linux from authenticating with ldaps.

2006-09-12

EZproxy 4.0d contains the following change:

Correct an issue introduced in EZproxy 4.0c that prevented ::External from working unless a Valid=value was included.

2006-09-10

EZproxy 4.0c contains the following changes:

Corrects an error that prevented large POST requests over https connections from forwarding all data correctly.
By default, when EZproxy performs external authentication, it looks for the "valid" string in both the header and body of the response from the remote web server. Starting with this release, the valid string can be prefixed with header: or body: to specify that EZproxy should only look in the header or the body. Sample use:

::External=http://www.yourlib.org/ezproxy.cgi,Post=user=^u&pass=^p,Valid=body:OK
Contains a security update for a small number of institutions. The affected institutions have been contacted directly.

2006-08-18

EZproxy 4.0b contains the following changes:

Correct an issue introduced in EZproxy 3.8a that affects the ability to download binary content including the ebrary reader plug-in, Word documents, and RTF documents.
Correct an issue with password generated by "ezproxy obscure" and used by "BindPassword -obscure". Passwords generated in EZproxy 3.8a through EZproxy 4.0a will have to be regenerated.
Add support for EZproxy to transfer user authentication information to other systems for single sign-on. Sample ezproxy.cfg entry:

SSO -Secret=abcdefghijklmnopqrstuvw -URL=http://www.yourlib.org/sso.php abc

Example PHP scripts are available at phpsso.tar and example Perl scripts are available at perlsso.tar .
Correct an issue when using MetaFind in a high availability configuration with Factiva.
Add new PDFRefreshPre and PDFRefreshPost directives to alter the text that appears before and after the link that is generated when a starting point URL refers to a PDF document. Sample use with the default values is:

PDFRefreshPre To access this document, wait a moment or click <a href=" PDFRefreshPost ">here to continue

To make the link appear only in browsers that have JavaScript disabled, use:

PDFRefreshPre <noscript>To access this document, wait a moment or click <a href=" PDFRefreshPost ">here</a> to continue</noscript>

EZproxy will always insert the actual link between these two items, but if you want to override the link, you can use  at the beginning of PDFRefreshPost to place the link into an HTML comment.
Correct a flaw that caused inaccurate warnings to be logged to ezproxy.msg for DRAWeb2's System and Type conditions, III's PartialNameMatch action and Test condition, and Ticket's MD5 and SHA1 actions.
Add new common condition "IfPassword wildpass" to test the value of the supplied password. Can be used as "IfPassword;" to test to see if the user did not provide any password.

2006-08-02

EZproxy 4.0a contains the following changes:

Unify and extend common conditions and action used by Athens, CAS, DRAWeb2, III, LDAP, NCIP, ODBC, Shibboleth, SIP, and Ticket. This requires slight changes to existing ezproxy.usr for DRAWeb2, III, LDAP, and Ticket configurations.
A version of EZproxy that is Athens-enabled is available for beta testing. For more information, send an email message to ezproxy@oclc.org.
Add AutoLoginIPBanner and ExcludeIPBanner to augment the ezproxy.usr directive ::Banner and the common action Banner.
Add support for EZproxy to perform user authentication by testing a username and password against a URL that is protected by "HTTP basic" authentication. Sample use is:

::HTTPBasic=http://www.yourlib.org/secure/index.html

In this example, http://www.yourlib.org/secure/index.html should be a URL that normally sends a "401 authentication required" response, triggering a user's browser to display a username/password dialog box. If you provide a URL that does not require authentication, EZproxy will allow the use of any username and password, so this should be used with great care.
The "URL -form=(get|post) name url" form of database definition has been extended.
1. The same name can now appear multiples time in ezproxy.cfg with different groups used to protect different versions. This allows the use of different destination URLs and different FormVariables based on user group membership. In this configuration, EZproxy will always use the first database definition in ezproxy.cfg that matches the remote user's group membership.
2. In FormVariable, you can include ^0 through ^9 in the values to direct EZproxy to substitute values from "UsrVar" variables that are set during user authorization. You can also use ^I to include the remote user's source IP address.
3. In FormVariable, if you specify a variable name but do not include an equal sign, this directs EZproxy to allow the user to specify a value in the URL that should be included when accessing the remote site. For instance:
  
  Title Some Database URL -form=get somedb http://www.somedb.com/search.cgi FormVariable index=author FormVariable term
  
  allows the use of an EZproxy URL such as:
  
  http://ezproxy.yourlib.org/login/somedb?term=Twain
  
  to specify that EZproxy should take the value Twain and pass it on as the value of the term variable, resulting in a destination URL of:
  
  http://www.somedb.com/search.cgi?index=author&term=Twain
4. "Option GroupInReferer" directs EZproxy to include the group that authorized access to a database definition should be included in the referring URL. This option should appear before the Title line of the database and may be later reversed with "Option NoGroupInReferer". For example, if a user in group Default accessed:
  
  Option GroupInReferer Title Some Database URL -form=get somedb http://www.somedb.com/
  
  the referring URL would be similar to:
  
  http://ezproxy.yourlib.org/login/2/Default/somedb
Removed requirement that an SSL certificate be active before EZproxy can connect to SSL-based authentication servers to verify usernames and passwords. For example, in previous versions of EZproxy, you could not use external authentication to an https URL unless EZproxy had been configured with an SSL certificate. However, as before, all SSL functions are disabled if no EZproxy license is installed, and if you want to proxy access to https web sites, you will still need to configure SSL.
Add "Option RecordPeaks" to direct EZproxy to record the peak values reached for active sessions, concurrent transfers, and virtual hosts to ezproxy.msg. EZproxy records values for active sessions and virutal hosts at startup, then records additional as new peaks are reached. Peak values are checked once a minute to determine if new values should be recorded.
Add ezproxy.usr IfAfter and IfBefore to test if the current date is after and/or before a date specified in YYYY-MM-DD format. The date may be followed by a semi-colon and the name of a file to send to the user if access is attempted outside the specified date. Sample use:
# user1 may access starting January 1st, 2006 or later user1:pass1:IfAfter=2006-01-01 # user2 may access up to to July 1, 2007, but not on or after user2:pass2:IfBefore=2007-07-01 # user3 may access starting January 1st, 2006 and up to # but not including August 1, 2006 user3:pass3:IfAfter=2006-07-01,IfBefore=2006-08-01
Allow authentication based on a username provided in a request header, such as would occur when using SiteMinder in front of EZproxy. Sample use in ezproxy.usr is:

::HeaderUser=SM-User
Change that may affect the network connectivity test when used with certain firewalls.
Add support for Siku Quanshu. The Siku Quanshu database should be defined like this:

Option UTF16 Title Siku Quanshu URL http://skqs.yourlib.org DJ skqs.yourlib.org Option NoUTF16

replacing skqs.yourlib.org with the name of your Siku Quanshu server.
Enhanced the AnonymousURL directive to support regular expressions

2006-07-07

EZproxy 3.8a contains the following changes:

Add support required for the EZproxy/Blackboard Building Block to work with Blackboard 7.1.
You can specify the source IP address to use when connecting to remote web servers on a user-by-user basis through ezproxy.usr. Sample usage:

::SourceIP=24.249.162.194 jdoe:secret ::File=users194.txt ::SourceIP=24.249.162.195 ::File=users195.txt

In the above example, user jdoe and all the users in users194.txt would use 24.249.162.194 as the source IP for requests, but users from users195.txt would use 24.249.162.195.

The Interface directive can be used to assign specific source IP addresses for databases. An explicit Interface assignment in ezproxy.cfg takes priority over ::SourceIP. If you need to use Interface to modify LoginPort directives, you can use "Interface Any" before the first Title directive to insure that SourceIP will still function.
Allow the "/form" URL to accept auth=, such as:
http://ezproxy.yourlib.org:2048/form?auth=opac&qurl=http%3a%2f%2fscholar.google.com%2fscholar
See also Creating Public Forms to Proxied Resources .
Correct issue that prevented EZproxy from being able to untangle starting point URLs written in the form:
http://ezproxy.yourlib.org/login?url=http://www.somedb.com.ezproxy.yourlib.org
Add IfURL condition to ezproxy.usr, along for constructions such as:
::IfURL=http://www.yourlib.org/*,DocsCustom=yourlib
to allow custom pages to be triggered based on the destination of a starting point URL. IfURL is a general condition that be combined with other ezproxy.usr directives.
Add an ezproxy.usr option to associate a directory to users to allow custom versions of the files in the docs directory to be sent to remote users. For example, you can use the Auth test to associate incoming users to different files during login, such as:

::Auth=branch1,DocsCustom=dir1 ::Auth=branch1,File=branch1.usr ::Auth=branch2,DocsCustom=dir2 ::Auth=branch2,File=branch2.usr

to indicate that if EZproxy sees Auth=branch1 in an incoming login URL, it should look for files such as login.htm in the docs/custom/dir1 directory first, and if it does not find a copy of the file, then it should look in docs. to indicate that if EZproxy sees Auth=branch1 in an incoming login URL, it should look for files such as login.htm in the docs/custom/dir1 directory first, and if it does not find a copy of the file, then it should look in docs. to indicate that if EZproxy sees Auth=branch1 in an incoming login URL, it should look for files such as login.htm in the docs/custom/dir1 directory first, and if it does not find a copy of the file, then it should look in docs. If the user logs in successfully, the DocsCustom is transferred to the user session, allowing EZproxy to continue to look for custom versions of files such as menu.htm and error messages.
Add ezproxy.usr condition IfLanguage to allow variant behavior based on the Accept-Language header from the remote user's browser.
The obscure feature has a flaw that prevents it from working consistently. This is corrected in EZproxy 4.0b. Using this feature in versions prior to 4.0b is not recommended.

Add the ability to obscure the password used for BindPassword. To create the obscured version of a password, invoke EZproxy with obscure and the password, such as:

ezproxy obscure somepassword

In ezproxy.usr, insert the obscured value into the LDAP configuration like this:

BindPassword -Obscure MVpJRjDh6AhGYy72LMGYKnoAL06r

Obscured passwords are case-sensitive, so copy the value exactly as it appears from the ezproxy obscure command.
Change the administrative Decrypt Tokens option to Manage Tokens, including the ability to translate EZproxy usernames into their corresponding token values instead of only being able to decrypt token values back to EZproxy usernames.
Correct an issue with IntruderIPAttempts -Reject

2006-06-18

EZproxy 3.6i contains the following changes:

In prior versions of EZproxy, if a user entered EZproxy through a ticket URL, the user would be proxied even if the user's source IP address was within an ExcludeIP range. Starting with 3.6i, such a user is redirected to the real URL, giving priority to the ExcludeIP behavior. If the previous behavior is required, add the following line anywhere in ezproxy.cfg:
Option TicketIgnoreExcludeIP
Add support for the HTTP SOAPAction header.
Add "IP" as a condition that can be tested in CAS, NCIP, ODBC, and Shibboleth (in ezproxy.usr for the first three and shib.usr for the last). IP accepts one or more ranges and tests true if the remote user is accessing from one of the addresses. Sample use:

IP 192.168.0.0-192.168.1.255:192.168.5.0-192.168.5.255; Group +Medical

In this example, if the user is accessing from an address that starts 192.168.0, 192.1, or 192.168.5, the user is also added into the Medical group.

You can place "Not " in front of IP to check that the user is not accessing from one of the addresses, such as:

Not IP 192.168.0.0-192.168.1.255; Group +Remote
In some instances where a starting point URL pointed to a PDF document, the browser back button was disabled. This version contains an alternate approach to handling these links to help avoid this issue.
Add ezproxy.cfg "Option DisableSSLv2" to direct EZproxy to disable any SSLv2 support. This option must appear before any LoginPortSSL directives.
Add support for OverDrive external authentication.
Correct issue that prevented unrecognized destination URLs from reporting status code 599 and %{ezproxy-spuaccess}i unknown when submitted under certain scenarios.
Contains a change to support Factiva Search 2.0.
Add application/rdf+xml and application/rss+xml as MIME types that EZproxy should rewrite.

2006-04-28

EZproxy 3.6h contains the following changes:

Slight change in domain-based cookie handling that affected InfoTrac and NetLibrary in some instances.
Correct cookie/daylight savings issue that was preventing public-record.com from working properly.
Correct issue that prevents enforcement of group restrictions for special database configuration such as "URL -append", "URL -form" and "URL -redirect".
Add ezproxy.cfg directive "SendBufferSize" to specify the maximum send buffer size to use when communicating with other systems. This directive is rarely required and should only be applied when recommended by Useful Utilities.
Add ezproxy.cfg directive "ReceiveBufferSize" to specify the maximum receive buffer size to use when communicating with other systems. This directive is rarely required and should only be applied when recommended by Useful Utilities.
Correct issue that caused the logging username to be corrupted in certain unusual circumstances.

2006-04-06

EZproxy 3.6g contains the following change:

Corrects an error with auditing that can cause the Solaris version of EZproxy to restart and records "(null)" in the other field on Linux and Windows.

2006-04-02

EZproxy 3.6f contains the following changes:

Withdrew Audit events Login.Success.Password and Login.Failure.Password due to potential conflicts they might pose to some sites during security reviews.
Correct issue that prevented audit event Login.Success.Groups from working properly.
Correct issue with URL -append -encoded.
Allowing specific username other than auto to be associated with AutoLoginIP lines. Sample usage:
AutoLoginIP -user=main 68.14.0.0-68.14.1.255 AutoLoginIP -user=science 68.14.2.0-68.14.2.255
When viewing audit events, add the option to have the audit page automatically refresh when viewing the current day's events.
Corrects an issue that prevents the EZproxy login cookie from being set when using high availability configurations (HAName and HAPeer).
Corrects cookie handling issue that prevented Lexis-Nexis HK from working correctly. Also introduces new "Option NoHttpsHyphens" and "Option HttpsHyphens" directives which can appear before and after a database definition to tell EZproxy not to change periods to hyphens for specific databases when using a wildcard certificate. Sample usage:

Option NoHttpsHyphens Title LexisNexis Hong Kong URL http://www.lexisnexis.com/hk DJ lexis-nexis.com DJ lexisnexis.com DJ lexis.com DJ cispubs.com HJ web.lexis-nexis.com HJ web.lexisnexis.com HJ www.lexis-nexis.com HJ www.lexisnexis.com DJ lexisnexis.com.au DJ lexisnexis.com.hk Find GetCookie("LNAUTH") Replace "LNAUTH-IP" Find NAME="_PRIORREFERER" VALUE="http:// Replace NAME="_PRIORREFERER" VALUE="http://^A Option HttpsHyphens # Databases from here on will have the normal change of # periods to hyphens in https hostnames
Add "IgnorePassword" directive to LDAP. This option is appropriate when you have authenticated the user through another system, and want to access LDAP solely to make authorization decisions, such as might occur when using Blackboard or CAS authentication. This option must appear before the URL line and should be used with great care. This sample demonstrates a configuration where you are using the EZproxy Blackboard Building Block for full integration of login, where you all allow alumni to use Blackboard so they are able to authenticate, need to filter out alumni from accessing EZproxy, LDAP knows about the alumni status, but nothing is testable in Blackboard.

*** ezproxy.usr ***

::Ticket,File=filter.usr SHA1 sharedsecret /Ticket

*** filter.usr ***

::LDAP IgnorePassword URL ldap://ldapserv.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person) Test eduPersonAffiliation alum; Deny alum.html /LDAP

2006-03-20

EZproxy 3.6e contains the following changes:

Correct issue that prevented unauthenticated users who tried to access the /admin EZproxy Administration page from an ExcludeIP (on-site) address from getting the chance to log in. The same issue also prevented the loggedin directory from requiring local users to log in under some circumstances.
Correct issue that prevented Audit from recording usernames in some instances.

2006-03-17

EZproxy 3.6d contains the following changes:

When using the Audit directive to record only specific events, additional unrequested events were also being audited.
The CookieName directive did not work properly in EZproxy 3.6c.
An error introduced in EZproxy 3.6c could prevent CAS and Shibboleth for working correctly.
SIP was enhanced to allow access to additional patron information for making user authorization decisions.

2006-03-10

EZproxy 3.6c contains the following changes:

Support for EBSCO's Visual Search.
Added new auditing facility, enabled with ezproxy.cfg directive Audit such as:

Audit Most

to have most events audited. See Audit for detailed information on this directive.
Correct issue with enforced UsageLimits where a remote user did not appear on the UsageLimit administration page as being locked out, and yet the user remained locked out until EZproxy was restarted.
LoginPort and LoginPortSSL now accept a -Virtual qualifier to direct EZproxy to act as though it uses one set of ports when it is actually using another, simplifying the placement of EZproxy behind proxy servers and some network address translation servers. Sample usage:

LoginPort -Virtual 80 LoginPort 8080 LoginPortSSL -Virtual 443 LoginPortSSL 8443

In this configuration, EZproxy will act as though it using port 80 for https and port 443 for https, but will only list for such requests on ports 8080 and 8443.
Scripts that are called through the ::External method can now respond with:

ezproxy_deny=somefile.htm

This directs EZproxy to deny the user access and to look in the docs subdirectory for a file named somefile.htm which is sent to the remote user to specify why access is being denied.
Added ability to specify different sesion lives through ezproxy.usr, particularly to allow shorter session lifetime for temporary sessions created by metasearch products. Sample use:

::Lifetime=5 metauser:metapass ::Lifetime=0 # The rest of ezproxy.usr ...

In this example, any session created for "metauser" expires after 5 minutes, instead of the normal expiration which defaults to 120 minutes. The ::Lifetime=0 tells EZproxy to apply the system default to anyone who logs in with information that appears further on in ezproxy.usr.
Resolved issue that prevented Factiva and ProQuest CINAHL from working with III MetaFind.
Change ::CGI redirect to allow use of ^R to include a URL-safe reference to the destination URL, which can simplify the preservation of the destination URL as it passed through a remote CGI script.

cgiuser:cgipass:CGI=http://www.yourlib.org/ezproxy.cgi?url=^R
Add ::Comment to ezproxy.usr to allow inclusion of arbitrary comments into Login.Success audit records. For example:

::Comment=Student FTP ::FTP=student.yourlib.org ::Comment=Employee FTP ::FTP=employee.yourlib.org
Correct error in processing group restrictions to databases.
Correct error in cookie handling that affected NetLibrary and could affect other databases as well.
Correct error in Shibboleth that prevents domain scoping of attributes to fail to be recognized correctly if Domain does not have a regexp attribute. Also extend the shib.usr MapUser directive to add the -AppendScope directive to direct EZproxy to append @ and the scope value to the end of the specified attribute when using it as the EZproxy username.
Revision to Option SafariCookiePatch to avoid warning when using proxy by hostname and SSL without a wildcard certificate.
Add new option to allow the username to be included with the htm files served from the docs subdirectory. To enable this, add:

Option Username^N

to ezproxy.cfg and restart. After that, you can insert ^N in the various .htm files to have EZproxy include the username of the logged in user when it sends the file. Given the privacy implications, this option should be used with care.
Add AddUserHeader directivive to have EZproxy include a header containing the current user's username when proxying to a database. Format:

AddUserHeader -base64 headername

The -base64 is an optional qualifier to indicate that the username should be encoded in base64.

This directive is position-dependent, allowing its use to vary by database. For example:

AddUserHeader X-User Title Some Database URL http://www.somedb.com Domain somedb.com AddUserHeader X-Username Title Other Database URL http://www.otherdb.com Domain otherdb.com Title Another Databse URL http://www.anotherdb.com Domain anotherdb.com AddUserHeader Title Yet Another Database URL http://yanotherdb.com Domain yanotherdb.com

In this example, Some Database receives the X-User header, Other Database and Another Database receive the X-Username header, and Yet Another Database does not receive any header at all.
Change Linux/Solaris -si to include a symbolic link in the rc2.d directory to insure automatic startup for Debian.
Slight adjustments to the method in which StartMuseCookie and StartMuseRefer are processed for MetaFind.
Bug corrected that prevented www.sourceoecd.org from being proxied correctly.
Several of the system administration pages now include options to sort their contents by column headings.
Change SIP support to add the option NoPatronPassword. This option can be used when no patron password is to be used as part of testing, and when included must appear before the SIP line. When this option is enabled, EZproxy cannot distinguish valid users from invalid users without an additional test. The recommended test to combine with this option is "Test 0 Y; Unknown" which checks SIP status position 0, the charging privilege denied field, for a value of Y, in which case the user is considered to be unknown.
Sample usage:

::SIP Host sip.yourlib.org:1234 NoPatronPassword SIP Test 0 Y; Unknown /SIP
Corrected incompatibility with Jane's Sentinel Security Assessments.
Alter Ticket authentication to allow users to be designed as EZproxy administrators by specifiying the new Admin directive. Sample usage:

::Ticket MD5 verysecret User someuser; Admin /Ticket

In this example, if the username provided is someuser, then EZproxy will grant the user administrative access.
Corrected issue when more than one ShibbolethSites statement appears in ezproxy.cfg.
Extends ODBC support to allow the use of Debug to have more diagnostic information included and allows the use of additional SQL command to set connection state. For example:

::ODBC Debug DSN SomeSystemDSN DBUser SomeUser DBPassword SomePassword SQL USE SomeDatabase Parameter User Parameter Password SQL \ SELECT 'Allow' \ FROM auth \ WHERE \ user = ? AND \ pass = ? /ODBC
Adds new ezproxy.cfg option to instruct EZproxy to use a different method to set its cookie when users access using Apple's Safari 2.0 browser. This option is only needed for EZproxy server's whose names end in a two-letter domain and whose names contain only two periods (e.g., ezproxy.yourlib.ca would need this, but ezproxy.library.yourlib.ca and ezproxy.yourlib.org would not). To enable this, add:

Option SafariCookiePatch

to ezproxy.cfg and restart.
Extends Central Authentication Service (CAS) to allow varied behavior based on attributes provided during service validation. This form uses a new syntax to invoke CAS authentication. The minimal entry in this new form is:

::CAS LoginURL http://www.yourlib.org/cas/login ServiceValidateURL http://www.yourlib.org/cas/serviceValidate /CAS

This form also supports the general directives Admin, Allow, Authenticated, Banner, Debug, Deny, Group, Invalid, NoGroups, Refused, Stop, Unknown, User, and UsrVar, plus a specialized version of Test to check tag values using an XPath to specify the tag to check. For example:

::CAS Debug LoginURL http://www.yourlib.org/cas/login ServiceValidateURL http://www.yourlib.org/cas/serviceValidate Group NULL Test -RE cas:group (Undergrad|Grad); Group +Student Test //*/cas:group Employees; Group +Employee Test /cas:authenticationSuccess/cas:groups/cas:group Staff; Group +Staff NoGroups; Deny unaffiliated.html /CAS

For this example to work, ezproxy.cfg would need to default the Student, Employee, and Staff groups as well.

When EZproxy redirects through CAS encoding, the destination database URL is now encoded in a different manner, a side-effect of which is that you can no longer readily view the URL that arrives at the CAS server and determine where the user was originally headed.

The Debug directive tells EZproxy to record additional diagnostic messages to ezproxy.msg. This includes recording the entire XML response from the Service Validation URL, which can help in sorting out which attributes are available to use for making authorization decisions.

In all three tests, the tag cas:group is being tested. The first and second tests use an identical search to locate tags, as EZproxy assumes a search from the root across all nodes if no path infomation is included. The third test uses an absolute path to the tag.
Correct an issue with Solaris that prevented EZproxy from detecting an attempt to start a second copy running from the same directory.
Extend AnonymousURL to allow access to additional groups beyond just the Default group.
The public, limited, and loggedin directories now allow the use of subdirectories if:

Option AllowWebSubdirectories

is added to ezproxy.cfg.

The behavior for loggedin is slightly different, as the first directory level is matched up with EZproxy groups, such that a URL like:

http://ezproxy.yourlib.org:2048/loggedin/somegroup/somedir/somefile.html

can only be retrieved by someone who is a member of the EZproxy group "somegroup".
When users access EZproxy using AutoLoginIP or referring URL authentication, EZproxy now appends a hyphen and the user's source IP address to the username used for limit tracking. For example, auto- instead of just auto. This makes it possible to enforce limits at the workstation level for automatic login and the user level for all other access.

In addition, Usage limits have new -IgnoreAutoLoginIP, -IgnoreRefererLogin, and -IgnoreNormalLogin options to exclude certain types of logins from participating in those limits. For example:

UsageLimit -enforce -interval=60 -expires=360 -MB=100 -IgnoreAutoLoginIP Global

enforces a limit of 100 MB transferred within a 60 minute window, with automatic expiration after 360 minutes, but ignores any access that occurs as a result of AutoLoginIP.
An issue that cause login banners to be presented to the wrong users has been corrected.
SIP authentication contains a correction that may have caused the use of excessive CPU time.
::Ticket,Debug in ezproxy.usr now causes additional diagnostic information to be recorded in ezproxy.msg.
When performing LDAP group membership tests, if the distinguished contains spaces before and/or after commas, EZproxy perform two compare operations: one with the dn as returned, and another using a copy of the dn with the spaces around the commas removed.
EZproxy now records a message in ezproxy.msg when a usage limit suspension is cleared.
On Linux and Solaris, when a group is specified using RunAs, EZproxy now clears access to all other supplemental groups.
Updated CAS support for backward compatibility to CAS 1.0.
Corrected issue that could prevent Find/Replace statements from being processed.
The "URL -form=" format for enabling access to remote services that require referring URL and/or username/passwords has been updated to insure that remote web server will receive the referring URL matching the URL specified, whereas previous versions could send the login page as their referring URL.
The MaxLifetime session defines how long an EZproxy session can be idle before it is terminated. It is now also possible to specify an absolute amount of time after which the user is required to login again to continue using his/her current session. The amount of time is speciifed in minutes by adding one or more lines like this to ezproxy.usr:
jdoe:secret ::ReLogin=30 rsmith:shhhh ::ReLogin=60 ::FTP=ftpserv.yourlib.org ::ReLogin=0 pwilliams:hush

In this example, jdoe and pwilliams are never required to reauthenticate, rsmith is required to reauthenticate every 30 minutes, and users authenticated by the FTP server are required to reauthenticate every hour.
LDAP extended to allow the detection of eDirectory accounts that have passed their account expiration date using the Disabled directive. This example demonstrates how to intermix this with testing the loginGraceRemaining attribute to configure EZproxy to provide feedback while grace logins are diminishing, then provide expiration information when they are almost exhausted. The amount of debugging information recorded when using ::LDAP,Debug has also been enhanced.
::LDAP URL ldaps://ldapserv.yourlib.org/OU=users,O=yourlib?cn?sub?(objectClass=person) Disabled; Deny disabled.html Expired; Test -wild loginGraceRemaining 0; Deny expired.html Expired; Test loginGraceRemaining 1; Deny expired.html Expired; Test loginGraceRemaining 2; Deny expired.html Expired; Banner grace.html; Ignore /LDAP
In this example, the file grace.html is located in the docs subdirectory and should contain information to the user to indicate that they only have a few logins left. The file must also contain a link like this:
<a href="/login?url=^V">continue to resource</a>
If you do not want to provide feedback, you can omit the Banner portion but must include Ignore or else EZproxy will not allow the user to log in.
Change to avoid "page expired" errors in PubMed when using the back button to return to a hit list of articles.

2006-02-26

EZproxy 3.6b was released but withdrawn. Any site using this version should update to a newer release of EZproxy.

2006-02-20

EZproxy 3.6a was released but withdrawn. Any site using this version should update to a newer release of EZproxy.

2005-08-04

EZproxy 3.4c corrects an issue introduced in EZproxy 3.4a that prevented concurrent user login limits from working properly.

2005-08-03

This release was a flawed attempt to correct an issue in EZproxy 3.4a.

2005-08-02

EZproxy 3.4a contains the following changes:

EZproxy can now be directed to monitor the volume of use by users and can be directed to suspend access if specific threshholds are exceeded. See UsageLimit for details.
EZproxy now support Shibboleth authentication.
EZproxy now supports Central Authentication Server (CAS).
Ticket authentication with time format specified using $c now accounts for daylight savings correctly.
When using external authentication, you can now add the debug keyword to indicate that extra details should be record to ezproxy.msg. Sample use:
::debug,external=http://www.yourlib.org/ezproxy.cgi,post=user=^u&pass=^p
Within SIP authentication, introduces new Wait directive to allow a pause during process. Sample usage:
::SIP Host sip.yourlib.org:23 Expect Choice Send SIP\r Wait 1 SIP /SIP
Allow database definition that have only Title and Description lines. During menu presentation, when EZproxy encounters such a definition, it sends only the database description, ignoring all other directives between ^B and ^E, allowing arbitrary text to be included between database definitions. Sample usage:
Title Text that appears in /status but not to remote user Description HTML Text sent to the remote user Description which may span multiple lines by repeating Description the Description directive
Adds new HTTPMethod ezproxy.cfg directive to authorize EZproxy to proxy additional HTTP methods beyond GET, POST, and HEAD. Sample usage:
HTTPMethod SEARCH HTTPMethod SUBSCRIBE HTTPMethod BMOVE
This version introduces the ExtraLoginCookie directive for ezproxy.cfg. This directive allows you to tell EZproxy to send extra Set-Cookie headers during the login process. The most typical use is with load balancing applications. In most instances, the cookie used should be paired with a CookieFilter statement to tell EZproxy not to forward the cookie's value to remote databases. A sample use is:
ExtraLoginCookie proxyid=1025; domain=.yourlib.org CookieFilter proxyid
This version includes a patch to allow EZproxy to work with big5.lawyee.com. To access this database, use this version of EZproxy along with the following database definition:
Option LawYeePatch Title LawYee URL http://big5.lawyee.com/ DJ lawyee.com
With LDAP, previous versions of EZproxy needlessly required read or compare access to the objectClass attribute to succeed. This requirement has been removed.
The "ezproxy log" command now forces EZproxy to reopen the main log file along with any other log files established by LogSPU directives.
III authentication can now match based on any part of the III patron name field matching any part of the EZproxy password field. For example, if pn is Smith-Jones Jr, Patricia "Pat" Robin Q, then any of the following would match:
Pat Smith Smith Patricia Smith Jones Robin Jones Pattie Smith

Note that Pattie Smith matches, even though Pattie is not present, since Smith is present and does match.

When performing this test, Jr and Sr are ignored. Unless pn is made up of only single characters, single characters are also ignored. As a result, these by themselves would not match:

Jr Q
To use this form of name match, add the directive PartialNameMatch before your Host line, such as:
::III PartialNameMatch Host iii.yourlib.org /III
LDAP now supports detecting expired accounts and expired password when authenticating against Microsoft Active Directory and Novell eDirectory.

The following examples demonstrate the use of the Expired and PasswordForm directives with a Microsoft Active Directory server. For Novell eDirectory, add the Expired and PasswordForm directives in a similar manner within your existing LDAP configuration, with Expired appear after the URL line and PasswordForm appearing before the URL line. If you are using eDirectory and anonymous searching is permitted, you can omit the BindUser and BindPassword in both examples.

To provide user feedback if a user's account or password is expired, use:

::LDAP BindUser CN=ezproxy,CN=users,DC=yourlib,DC=org BindPassword verysecret URL ldap://ldapserv.yourlib.org/CN=users,DC=yourlib,DC=org?sAMAccountName?sub?(objectClass=person) Expired; Deny expired.htm /LDAP

In this example, you need to create the file expired.htm in the docs directory. This file will provide the user with feedback as to why he/she was denied access.

If you would like to allow the user to change an expired password, issue the command:

ezproxy -ml
to create the file ldappass.htm in the docs directory, then use an LDAP entry like this:
::LDAP PasswordForm ldappass.htm BindUser CN=ezproxy,CN=users,DC=yourlib,DC=org BindPassword verysecret URL ldaps://ldapserv.yourlib.org/CN=users,DC=yourlib,DC=org?sAMAccountName?sub?(objectClass=person) Expired; Deny expired.htm /LDAP

Note the use of ldaps:// in this example. For password changing to work, you must use ldaps (LDAP over SSL). Both Active Directory and eDirectory require this. See Microsoft articles 247078 and 321051 for more information on configuring Active Directory to support ldaps.

Note that the CN=ezproxy... account does not need to have any privileges for password changing to work. It is only used to locate the user's distinguished name in the directory.

In this version, the user will be allowed to change his/her password as long as it is only the password that is expired. If the account has passed its expiration date, the expired.htm file is sent to let the user know that his/her account has expired and is now disabled.
The "ezproxy -md" command now generates template files for DRA Classic using DRA macros, DRA classic using WEB2 macros, and Unicorn using WEB2 macros.
In III authentication, Test can now accept one of the following operators: <s =s >s ~s !s <i =i >i !i <d =d >d !d . These operations allow you to specify the exact form of test to perform. In these forms, s is for a string comparison, i is for an integer comparision, and d is for a decimal comparison. Sample usage is:
Test p96 >d 20.00; Deny excessfines.htm
When using ::cgi in ezproxy.usr, you can now omit the username and password fields, and you can also specify ^A, ^U, and ^V in the URL. This form makes it easier to redirect the user to CGI scripts without requiring the use of the original variables. ^A is substituted with the auth variable (if present), ^U is substituted with the destination URL in URL-encoded format, and ^V is substituted with the destination URL in its "verbatim" format.
The LogFormat and LogSPU directives now accept %{ezproxy-url#}i where # can be any number to specify the inclusion of a specific portion of the URL. For example, in the URL http://www.somedb.com/abc/def, %{ezproxy-url1}i would return abc, %{ezproxy-url2}i def, %{ezproxy-url3}i returns a blank string.
LDAP authentication now allows testing against multiple servers with an ezproxy.usr configuration like this:
::LDAP URL ldap://ldapserv1.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person) Refused; URL ldap://ldapserv2.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person) Refused; URL ldap://ldapserv3.yourlib.org/DC=yourlib,DC=org?uid?sub?(objectClass=person) /LDAP
Other LDAP directives may appear before the closing /LDAP, and will apply based on whichever server was able to accept the request and process it.
The ::external user authentication method now allows the inclusion of ^a to pass the auth variable from the login form to the external script.
The LogFormat and LogSPU directives now accept %{ezproxy-groups}i to allow the inclusion of user group membership in the log file.

2005-04-03

EZproxy 3.2b contains the following changes:

Corrects an issue which caused the login page to appear when using referring URL authentication without providing a specific destination URL.
The installation copy of ezproxy.usr no longer contains any default username or password. If default accounts from older versions of EZproxy appear in ezproxy.usr, they are not allowed for use to login and a warning is recorded to ezproxy.msg.
Allows ::cgi to be specified without a username on the line when used just for rerouting, and also allows the use of ^U and ^V in the destination URL. Typical use for excluding the username occurs when combining ::cgi to reroute unauthenticated user with ticket authentication.

The inclusion of ^L, ^S, ^U or ^V overrides the normal appending of the destination URL and instead provides the ability to explicit pick where the destination URL should be inserted. When used, ^U is the URL-encoded version of the URL and ^V is the verbatim version of the URL with no encoding.

^L is true if the user is already logged in and tries to access a database outside current group membership (a "logup" condition) or false otherwise. If the user tries to access a database outside group membership and ^L isn't included in the redirect URL, then EZproxy will not redirect the user, but instead presents the logup.htm page. This requriement avoids the possibility of user login loops if the receiving CGI script is not designed to handle the logup scenario.

^S is the EZproxy session identifier if the user is already logged in.

For the starting point URL:

http://ezproxy.yourlib.org/login?url=http://www.somedb/com/

if you use the ezproxy.usr entry:

::cgi=http://www.yourlib.org/ezpauth.cgi?dest=^U

the user will be redirected to:

http://www.yourlib.org/ezpauth.cgi?dest=http%3a%2f%2fwww.somedb.com%2f
whereas if you use the ezproxy.usr entry:
::cgi=http://www.yourlib.org/ezpauth.cgi?dest=^V

the user will be redirected to:

http://www.yourlib.org/ezpauth.cgi?dest=http://www.somedb.com/
Linux and Solaris versions now support command line option stopall for use when updating, such as:
./ezproxy stopall
LDAP authentication now support "Admin" as option to declare that a user is an administrative user, such as:
Test -user rdoe; Admin

2005-03-28

EZproxy 3.2a contains the following changes.

Server status now contains new "Host Maintenance" options to prune away hosts and ports that are no longer being used.
Administration interface contains new "Test network connectivity" option.
"MetaFind MuseCookie" handling has been improved. There is also two new ezproxy.cfg directives, LoginSocketBacklog and HostSocketBacklog, to configure how many outstanding, unserviced requests can queue up to EZproxy. Sample usage:
LoginSocketBacklog 50 HostSocketBacklog 10

In proxy by port, LoginSocketBacklog controls the number of unserviced login requests that can be pending, and HostSocketBacklog controls the number of unservice requests to specific virtual web servers can be pending. In proxy by hostname, only LoginSocketBacklog matters.

In older versions of EZproxy, these defaulted to 5. The default for LoginSocketBacklog is now 20 and for HostSocketBacklog remains 5. Raising LoginSocketBacklog above 200 is not recommended, nor is raising HostSocketBacklog above 20.
III Patron API authentication now allows a new option "PartialNameMatch" which directs directs EZproxy to match the user supplied password against the patron name, and if everything matches up to the point where the password ends, and if that point in patron name is a non-space, the two are considered to match. This allows pn "Doe Robin" to match password "Doe". In instances where pn starts "Mac " or "Mc ", the space is removed, such that pn "Mac Donald" will match password "MacDonald" or "Mac Donald", but will not match just "Mac".
::III PartialNameMatch Host iii.yourlib.org /III
PartialNameMatch must appear before Host.
For instances where CGI authentication creates a new session for someone who is already logged in, the method of merging the attributes of the two sessions together has been improved.
It is now possible to reject requests to EZproxy based on the presence of arbitrary HTTP request headers. The general form of the ezproxy.cfg directive is:
DenyIfRequestHeader denyfile wildcardtest
where denyfile is a file in the docs subdirectory to send if wildcardtest is present in a header. Sample usage is:
DenyIfHeader nowebzip.html User-Agent:*WebZip*
The denyfile may also take the special value of allow to indicate that a specific header should combination of positive and negative logic.
Mini-DNS server debug logging enhanced.
Corrects issue with LogFile directive and group memberships when many groups are specified in a single Group statement.
Adds new ezproxy.cfg directive ClientTimeout that controls how long EZproxy will wait on the remote client (in seconds) before closing a connection. The default value is 60 seconds. This directive should be used with RemoteTimeout or else a long wait on the client could cause the connection to the remote server to timeout.

Sample usage:

ClientTimeout 120 RemoteTimeout 120
The docs directory contains a directory named loggedin. You can now create directories in loggedin that become EZproxy group names. Files placed within these directories are only accessible by users who are members of the group.
Adds new ezproxy.cfg EBLSecret directive for configuring access to Ebook Library.
The ezproxy.cfg LogFile directive now accepts a new -strftime qualifier, such as:
LogFile -strftime ezproxy%Y%m%d.log
When strftime is present, EZproxy will evaluate the filename using the strftime function. This allows the filename to be based on the current date and time, allowing new log files to be created automatically. In the above example, EZproxy will open a new log file every day, using names such as ezproxy20080818.log for each file. Another useful form is:
LogFile -strftime ezproxy%Y%W.log
which create a new log file each week such as ezproxy200833.log.
Optimizes the way EZproxy retrieves system time.
Adds ezproxy.cfg directive ProxyURLPassword to specify a password that activates new EZproxy's support to respond to XML request sent to /proxy_url. This URL is used to support Ross Singer's "WAG the Dog Localizer".
The LogFormat directive now supports %m to record the request method (e.g., GET, POST), %v to record the host requested, and %{ezproxy-protocol}i to retrieve whether http or https was used in the request. This can be used to construct a log entry that omits URL information, such as:
LogFormat %h %l %u %t "%m %{ezproxy-protocol}i://%v HTTP/1.0" %s %b
These options are also compatible with LogSPU.
Add new ezproxy.cfg directive RADIUSRetry that controls how frequently EZproxy will resend RADIUS requests if it does not receive any responses. The directive is followed by the number of seconds to wait before retrying, and defaults to 1 second.

Sample usage:

RADIUSRetry 3
The IntruderAttempts directive has been expanded. You can now include multiple directives to provide varying behavior based on source IP address.

Sample usage:

IntruderTimeout 600 IntruderAttempts 5 IntruderTimeout 300 IntruderAttempts -ip=68.14.229.0-68.14.229.255 10 IntruderAttempts -ip=68.14.229.198 -x-forwarded-for 15

IntruderAttempts statements should be listed from most general to most specific. The last IntruderAttempts line in ezproxy.cfg that matches a computer defines how intruder detection will be handled.

In this example, the general behavior is to start evading users after they make 5 login failures from the same IP address. Once this occurs, the source IP remains locked out for 600 seconds (10 minutes).

However, if someone is accessing from a source IP between 68.14.229.0 and 68.14.229.255, EZproxy will give them 10 tries and will reset after 300 seconds (5 minutes).

But, even more specifically, if someone is accessing from 68.14.229.198, EZproxy should look for an "X-Forwarded-For" header, and if one is present, it should consider the source IP address of the request to include the source IP specified in this header, and in that case, allow up to 15 retries. The X-Forwarded-For header is an optional header that can be sent by proxy servers and some network address translation devices. Including this option enables EZproxy to use an extra piece of information to separate out users who are behind that proxy. This option should only be used if your institution controls the proxy server involved.
There is a new form of database definition that can be used for databases that require the submission of variables by a form. With this configuration, EZproxy generates a temporary form used to give the user access to the remote system.

An example of this configuration for Canadian Pharmacists Association is:

Title Canadian Pharmacists Association URL -Form=post -RewriteHost ecps http://www.pharmacists.ca/function/subscriptions/ecps.cfm?extlink=ecps FormVariable loginname=someuser FormVariable loginpassword=somepass DJ pharmacists.ca

Users gain access to this with a URL similar to:

http://ezproxy.yourlib.org:2048/login/ecps
IntruderAttempts handling has been enhanced.
Adds special diagnostic feature to pinpoint the source of "400" errors.
Corrects a problem that prevented referenced to the EZproxy /loggedin directory from working properly when invoked with an https URL.
Enhances Domain authentication to handle an additional case of expired password changing.
Introduces new intrusion control directives:

IntruderLog 25 IntruderReject 100

IntruderLog controls the maximum number of times that EZproxy should log intrusion attempts to ezproxy.msg during a particular incident, with a default value of 25.

IntruderReject controls the maximum number of login failures that should occur before the remote site moves from evasion to total rejection of login attempts, with a default value of 100.
The maximum number of groups has been increased from 32 to 4096.
The Validate directive may now include a path restriction to control which URLs receive a username and password.

Sample usage:

Title Journal of Transpersonal Psychology Validate path=/jtparchive/* someuser:somepass URL http://www.atpweb.org/jtparchive/ Domain atpweb.org
For the Windows platform, adds authentication against ODBC sources. A sample ezproxy.usr entry is:
::ODBC DSN SomeSystemDSN DBUser SomeUser DBPassword SomePassword Parameter User Parameter Password SQL \ SELECT 'Allow' \ FROM auth \ WHERE \ user = ? AND \ pass = ? /ODBC

DSN is the ODBC system DSN to use.

DBUser and DBPassword are optional. If includes, they provide the username and/or password to use to access the database.

Parameter may be followed by User, Password, or IP and indicate values that should be supplied for each ? that appears in the SQL statement. The first Parameter value goes to the first ? in the SQL statement, the second Parameter to the second ?, and so forth.

SQL is followed by an SQL statement. Since SQL statements may become quite long, you may continue SQL statements across multiple lines by ending each line with a \ character. The SQL statement should be constructed to return the literal Allow if the user is to be allowed access, Deny if the user should be denied all access to EZproxy. If the first value returned is neither Allow or Deny, EZproxy moves on to the next authentication check in ezproxy.usr.

For Allow, the SQL statement may also return a second column that indicates one or more EZproxy groups to which the user should have access. To use the group feature, the query should return several rows with one group per row, such as:

Allow Default
Allow Medical
Allow Legal

For Deny, the SQL statement may also return a second column that indicates the name of the file from the docs directory that should be sent to the user who is being denied access. To use this feature, the query should return a something like this:

Deny alumni.html
It is now possible to configure EZproxy to look for a meta directive tht tells it to stop rewriting URLs within a web page.

In ezproxy.cfg, you indicate to EZproxy which databases should use this directive like this:

Option MetaEZproxyRewriting Title Some Database that can use this meta tag URL http://www.somedb.com/ Domain somedb.com Option NoMetaEZproxyRewriting Title Other Database that will ignore the meta tag URL http://www.otherdb.com/ Domain otherdb.com

The default behavior is Option NoMetaEZproxyRewriting.

If Option MetaEZproxyRewriting is set for a database, then web pages from that database may contain these special tags:

<meta name="EZproxyRewriting" content="disable"> <meta name="EZproxyRewriting" content="enable">

which tell EZproxy at which points URL rewriting should be disabled or enabled as the web page is processed.
Domain statements that match a broad range of hosts such as:

Domain * Domain com Domain ac.uk

are now disallowed by default as these are outside the scope of EZproxy's design to handle and they pose security risks when enabled.

Sites that choose to ignore this risk do so without the support of Useful Utilities. To enable such lines to be proxied, the very first line of ezproxy.cfg must be set to exactly:

Option I choose to use Domain lines that threaten the security of my network
Adds a "Disable Referral Chasing" option to LDAP authentication which should correct some issues when searching Windows Active Directory from the root.
Corrects an issue in Shibboleth processing with NoGroups testing.
Corrects error when using username::crypt= in ezproxy.usr
Adds support for NCIP authentication. A sample ezproxy.usr entry is:
::NCIP Server ncip.yourlib.org:7777 /NCIP
With just a hostname and port, EZproxy uses the socket protocol to connect to NCIP. These may be replaced by a URL to use http or https POST protocol.
Allows a specific rejection file to be associated with a group restriction. This is particularly useful for databases that are intended for inhouse usage only. Sample usage:
Group InHouse Deny=inhouse.html Title Some Database for local use only URL http://www.somedb.com Domain somedb.com Group Default Title Other databases follow ...
In this example, Some Database is placed in the InHouse group, and the custom error file inhouse.html is associated with it. As long as your users are never placed in the InHouse group, they will never have access to this database, and will receive the inhouse.html file. Users who access from an ExcludeIP address are redirected to the resource.
Automatic login can be enabled based on the reverse DNS hostname associated with an IP address. This method of authentication is prone to spoofing. Recommended use includes limiting the source IP range as well.

Sample usage:

::ip=68.14.0.0-68.14.255.255,hostname=*.something.somedomain.com ::hostname=*.otherdomain.com

In the first example, the source IP address must be in the specified IP range before the hostname test is considered. In the second, the hostname is checked regardless of source IP address.
Text file username and password checks now ignore ISO-8859-1 diacritics.
You can now record starting point URLs into their own, separate file. Sample usage is:
LogSPU spu.log %h %{ezproxy-spuaccess}i %u %t "%r" %s %b
The %{ezproxy-spuaccess} is a special variable that will record either proxy (user's access to remote URL will be proxied), local (user is within an ExcludeIP address and will be redirected to URL without being proxied), or unknown (URL was not recognized by EZproxy and Option RedirectUnknown appears in ezproxy.cfg).
LogSPU must be followed by a filename, and can optionally be followed by a log format. LogSPU can appear more than once in ezproxy.cfg, with different formats possible for each file. As of this release, each LogSPU must reference a different file.
With III authentication, you can now associate arbitrary text with users during login that can be recorded into EZproxy log files. Sample usage:
::iii Host iii.yourlib.org Type 1,2,3,4,5; UsrVar 1 Student Type 6,7,8; UsrVar 1 Faculty /iii
The number after UsrVar can be any digit 0 to 9. All UsrVar values default to blank.
To record this variable in ezproxy.log, use a LogFormat similar to:

LogFormat %h %l %u %t "%r" %s %b %{ezproxy-usrvar1}i
The default menu generated after login can now be limited to display just those databases to which the user's group memberships allow access. To enable this feature, add:
Option MenuByGroups
to ezproxy.cfg and restart EZproxy.
Corrects issue that prevented "Test -wild dn somevalue" from working correctly.
Extends LDAP interface to allow:
test -user someuser test -wild -user somewildcarduser test -auth authvalue test -wild -auth somewildcardauthvalue
as a way to test the values from the user and auth variables of the login form.
It is now possible to control the HTTP "Server" header sent by EZproxy when it is sending its own web content (e.g., during login processing). The directive to control this is:
ServerHeader server-identifier
By default, EZProxy sends the EZproxy as its server identifier. If you specify ServerHeader with no server-identifier, this header is omitted. i Otherwise, EZproxy uses server-identifier in this header.
ezproxy.cfg now accepts the directive:
Option IgnoreWildcardCertificate
When EZproxy is running in proxy by hostname with SSL enabled and with a certificate that starts with an asterisk (*), EZproxy normally adds "login." to the front of its hostname when it constructs URLs that point to itself. Adding this directive tells EZproxy not to override this behavior.
This directive is mainly useful in instances where an EZproxy server is named something similar to ezproxy.yourlib.org and you want to use a certificate named *.yourlib.org.
Add a "-hide" qualifier to the Title directive to indicate that a database definition should not appear when automatically generating the menu. Sample use:

Title -hide Some Database that will not appear in menu

Allow	Default
Allow	Medical
Allow	Legal

Deny	alumni.html

2004-10-26

EZproxy 3.0f contains the following changes.

Corrects an issue introduced in 3.0e that corrupted the content attribute of meta tags when http-equiv was not refresh.
Extends LDAP interface to allow:
Test -wild attribute wildcardvalue
where wildcardvalue can use the * wildcard to match 0 or more characters.

When Test is used without -wild, EZproxy only needs compare access to the directory. When -wild is present, EZproxy needs read access to the directory.

Correct problem that prevented long cookie values from being preset.
Adds an option to override SSL certificate checks.
Shibboleth change to enhance IdP 1.1 interoperability.

2004-09-19

EZproxy 3.0e contains the following changes.

Changes DNS handling to address ISI incompatibility.
Correct issue when using entries such as:
user1::deny=locked.htm
from an included file.
Correct flaw with LDAP processing when no filter included in the LDAP URL.
Correct typographical errors in a few administration pages.
Binary size increased noticeably due to inclusion of first beta release of Shibboleth Service Provider support.

2004-08-30

EZproxy 3.0d GA (2004-08-30) corrects a problem when using "ezproxy log" on Microsoft Windows Terminal Services, allows EZproxy to rewrite URLs that contain line breaks (HeinOnline), and corrects for relative URLs that start ../ in redirects.

2004-08-05

EZproxy 3.0c GA (2004-08-05) corrects an issue that caused the combination of auth and old-style LDAP authentication in the same line in ezproxy.usr to cause EZproxy to ignore other sections of ezproxy.usr.

2004-08-04

EZproxy 3.0b GA (2004-08-04) corrects an issue that prevented wildcards from working properly in Domain/DomainJavaScript statements.

This release corrects a similar issue for the new NeverProxy statement. In ezproxy.cfg, you can now add lines like this:

NeverProxy www.somedb.com NeverProxy www.somedb.com:8080 NeverProxy *.somedb.com

The first line tells EZproxy never to rewrite the hostname www.somedb.com. The second tells EZproxy never to rewrite www.somedb.com:8080, but rewrite any other www.somedb.com references. The third line tells EZproxy never to rewrite any hostname that ends in .somedb.com.

2004-08-02

EZproxy 3.0a GA (2004-08-02) contains the following changes:

LDAP support has been greatly enhanced. For configuration details, see LDAP Authentication
EZproxy now supports intruder detection. See IntruderAttempts for information on how to configure this feature.
EZproxy now supports a secure method to allow portals to generate links directly to EZproxy. See Ticket Authentication for details.
The /admin page has been enhanced to provide more options for managing your EZproxy server.
Introduces new high availability multi-server coordinated configuration including new HAName and HAPeer directives.
If you receive a renewal SSL certificate, you can now bring up the original certificate and use the "copy" feature to create a copy of the certificate, then apply the renewal certificate to this copy.
When a server fails to provide a content-type header, EZproxy examines the beginning of the document to check whether or not it is HTML. This check has been extended to support an unusual response from scitation.aip.org that includes a series of comments before the page is declared to be in HTML.
When generating self-signed certificate, you can now choose for how many years the certificate should be valid.
EZproxy can now send a Platform for Privacy Preferences (P3P) header when it sets its authentication cookie. This can be used to allow EZproxy authentication to occur within a framed window.
Sample usage:

P3P CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Corrects a problem with III Millenium pin validation.
In DRAWeb2 authentication, the setup process provides files for use with class DRA_ macros as well as newer WEB2_ macros.

Also, you can now specify the userid field that EZproxy should use when it verifies someone's access using the new userid directive.

Sample usage:

::draweb2 userid alt_user_id url http://draweb2.yourlib.org/Web2/tramp2.exe/log_in?SETTING_KEY=guest&screen=ezp1.html /draweb2

EZproxy previously imposed stringent checks on the user and password information used by Web2, which lead to information that is valid for Unicorn systems being locked out. These restrictions have been changed to accomodate the broader range of options supported by Unicorn.
The Campus Pipeline Integration Protocol (CPIP) URLs can now be accessed by the EZproxy session ID by specifiying the sid as ezproxy: followed by the EZproxy session identifier.
When making an outgoing SSL connection, previous versions of EZproxy would present their SSL certificate to the remote host. EZproxy no longer presents an SSL certificate on outgoing connections.
This next section applies only to the traditional LDAP configuration in ezproxy.usr, not the new LDAP functionality triggered by just ::LDAP. If required, EZproxy can still present a certificate for outgoing LDAP connections. In ezproxy.usr, use an entry similar to this:

::ssl=2,ldap=pdc.yourlib.org,$U@yourlib.org
where "2" is the number of the certificate for EZproxy to present in the outgoing request.
By default, EZproxy allows a remote server to pause for a maximum of 60 seconds before it will timeout a connection. You can now change this value by adding a line to ezproxy.cfg like:
RemoteTimeout 120
In this example, the timeout is raised from 60 seconds to 120 seconds.
The following deny option has flaws and is under review for possible changes. If you need this type of functionality, please contact support@oclc.org to discuss options. This option does not work correctly from an included file.

When using deny in ezproxy.usr, you can now include a filename to present to the user, such as:

user1::deny=expired.html

In this example, the expired.html file would need to be placed in the docs subdirectory.
Adds a variety of new options to the SIP interface.
Includes changes to support having EZproxy include the login username in starting point URLs, either in plain-text or encrypted form.
Title ebooks.com EncryptVar u astringyoupick URL http://www.curtin.eblib.com/EBLWeb/patron.html?userid=^u&usertype=student
In addition, the EZproxy /admin menu displays a new "Decrypt User Variable" option whenever EncryptVar appears in ezproxy.cfg. This option allows the EZproxy administrator to enter an encrypted value and see what the original plain-text value was.
Includes changes to make it possible to use ::external authentication against a Dynix RPA server.
Adds new "AllowVars" database definition option along with "vars=" to ezproxy.usr to support MD Consult integrated authentication.
Corrects an issue that prevented EZproxy from being controlled by an administrative account when running EZproxy is running under a non-privileged account on Windows.

2004-05-12

EZproxy 2.4e GA (2004-05-12) contains the following changes:

III Patron API updated to support changes in III Silver release. This update is compatible with both the original Patron API and the updated version.
Problem corrected when switching log file in Windows when EZproxy runs from a non-privileged account.
This version is required for temporary licenses that expired after June 23, 2004.

2004-04-09

EZproxy 2.4d GA (2004-04-09) contains the following changes:

Corrects an issue that prevented EZproxy from running under a non-privileged account on Windows.
Change use of 303 see other redirect code back to 302 moved temporarily during login processing to resolve some issues encountered by the CGI authentication method.

2004-03-21

EZproxy 2.4c GA (2004-03-21) contains the following changes:

When a remote web server responds with a 1xx, 204, or 304 HTTP result code, EZproxy considers the request finished once the header is received from the remote web server, instead of waiting until the remote web server closes the connection. This change dramatically improves performance when accessing the Brookers database.
EZproxy now supports SIP authentication. See 3M Standard Interchange Protocol (SIP) for configuration details.
EZproxy no longer generates hostnames for proxy by hostname that start with digits. Where EZproxy did this previously such as 8080-www.somedb.com.ezproxy.yourlib.org, it now includes the letter p at the beginning, such as p8080-www.somedb.com.ezproxy.yourlib.org.
APOP authentication can now be disabled. See POP Authentication for details.
Older versions of EZproxy would strip angle brackets (<, >) from starting point URLs. In this release, the angle brackets are changed to their hex-encoded counter-parts.
In ezproxy.cfg, you can add:
Option RelaxedRADIUS
This tells EZproxy not to verify the source IP address for RADIUS responses, but rather to just look at the received packet to check whether or not a valid response has been returned.
The length limits for username and password have been raised from 32 to 64 characters.
EZproxy can now proxy .wmv files correctly.
Foot and Ankle International can be proxied when using this update along with this database definition:
Title Foot and Ankle International URL http://www.datatrace.com/e-chemtracts/emailurl.html?http://www.newslettersonline.com/user/user.fas/s=563/fp=20/tp=37?T=open_non_issue,5167,3&P=non_issue DJ datatrace.com DJ newslettersonline.com Find location.href="' + idOrUrl Replace location.href="^p^/login?url=' + idOrUrl
One EZproxy server can now be configured to route starting point URLs of specified domains to a different server (can be EZproxy or something else). Sample usage is:
RerouteTo http://otherezp.yourlib.org/login?url= RerouteHost www.somedb.com RerouteDomain otherdb.com

The RerouteTo statement appears before any RerouteHost and RerouteDomain statements. The string specified in RerouteTo is placed in front of the URL that was specified in the starting point URL, then the user is redirected. RerouteTo can be omitted, in which case the other Reroute statements would effectively tell EZproxy to reroute starting point URLs of those domains to the regular URL.

RerouteHost indicates that any host name that exactly matches the specified host name should be rerouted, whereas RerouteDomain indicates that any host names that exactly matches or ends with the domain specified should be rerouted.

RerouteTo can also take the form:

RerouteTo -quote http://www.yourlib.org/script.cgi?dest=
With the -quote added, it tells EZproxy to apply URL encoding to the URL, making it suitable to be directly passed under normal CGI semantics (e.g., http://ezproxy becomes http%3a%2f%2fezproxy if -quote is present).
The ::external user authentication method will now accept a response back of the form:
ezproxy_menu=menufile.htm
where menufile.htm specifies the menu that should be presented to the user after login.

2004-02-15

EZproxy 2.4b GA (2004-02-15) contains the following changes:

Adding the line
Option RequireAuthenticate
to ezproxy.cfg allows you to configure individual machines to present the EZproxy login for starting point URLs, even if their IP addresses fall within AutoLoginIP or ExcludeIP address ranges.
Once you have added the option line and restarted EZproxy, you can force the presentation of the login page using a URL similar to:

http://ezproxy.yourlib.org:2048/auth
This page allows you to enable or disable this behavior, either for the balance of your browser session (useful for quick testing or perhaps information literacy instruction sessions) or "permanently." Since this feature uses a cookie, it can be undone if the cookie is removed, so it is not something you can count on to work indefinitely, but it can be useful in situations where machines receive their addresses by DHCP and cannot be identified by specific, static IP addresses for this purpose.
Corrects an issue with the mini-DNS server that prevented it from working reliably under Solaris.
Corrects a problem that prevented browser request headers in LogFormat statements from being recorded properly.
In III authentication, an error that caused "Password None" to accept any barcode as valid has been corrected.
Proxy by hostname no longer prefixes hostnames with 80- and s443- when the remote hostname uses the standard web ports of 80 for http traffic and 443 for https traffic, although EZproxy recognizes this form to allow existing bookmarks to work properly.
When an attempt is made to access EZproxy under a name it does not recognize, its normal behavior is to redirect the user to its proper name. Starting in 2.4, when this situation occurs, if the file badhost.htm exists in the docs subdirectory, EZproxy will send this file instead of performing the redirect.
Added new "Option ProxyFTP" and "Option NoProxyFTP" to allow/disallow proxying of ftp:// URLs. Default is "Option NoProxyFTP". These options are position-dependent and affect database definitions that follow them and remain in effect unless changed by another appearance of one of these options.
Sample usage:

Option ProxyFTP Title Some database where FTP URLs will be proxied URL http://www.somedb.com Domain somedb.com Option NoProxyFTP Title Other database where FTP URLs will not be proxied URL http://www.otherdb.com/ Domain otherdb.com Title Another database where FTP URLs will not be proxied URL http://www.anotherdb.com/ Domain anotherdb.com
EZproxy for Windows contains a correction for a problem that would cause the error "OpenFileMapping failed: 5 Access is denied" to occur if EZproxy was configured to run under a non-administrator account.
EZproxy can now include the X-Forwarded-For header when it sends a request to a remote web server. This header includes the remote user's IP address. This feature is enabled in ezproxy.cfg with "Option X-Forwarded-For" and disabled by "Option NoX-Forwarded-For". Each of these options should appear just prior to a Title (T) line.
Sample use:

Option X-Forwarded-For Title Some Database URL http://www.somedb.com Domain somedb.com Option NoX-Forwarded-For # No databases after this point will send the X-Forwarded-For header Title Other Database URL http://www.otherdb.com Domain otherdb.com
Extensions to the DRAWeb2 authentication options.
The SkipPort directive for ezproxy.cfg. Sample usage is:
SkipPort 3307
The ezproxy.cfg file may contain any number of SkipPort lines.
Cookies may be pre-loaded into new EZproxy sessions by specifying them in ezproxy.cfg. Sample usage is:
Cookie Demo-OpenURL="http://sfx.exlibrisgroup.com:9003/yourlib"; domain=.doi.org
The cookie must specify the domain of hosts to which it applies.
The print option for CRC Handbook now works.
Database definitions may now contain the line:
MetaFind MuseCookie
to activate special cookie handling needed by III's MetaFind product. This line must appear in each database that requires this special handling.
This version corrects a problem that was causing EZproxy to truncate hidden fields whose values where more than 16K in length. This prevented http://www.infomedia.dk from working properly.

2003-09-09

EZproxy 2.2e GA (2003-09-09) contains a change that corrects a compatibility issue between EZproxy and SFX links to Web of Knowledge. It also contains changes to the mini-DNS server.

2003-09-01

EZproxy 2.2d GA (2003-09-01) contains two changes:

All versions of EZproxy prior to this release rearranged the location of the Host and Referer headers of an HTTP request. This rearrangement of these headers was linked to a problem that caused some web page retrievals to come up blank. EZproxy 2.2d has been altered to keep these headers in their original locations while processing a request.
EZproxy 2.2a introduced a change to avoid a SIGCHLD kernel warning under RedHat 9. However, this change negatively impacted at least one site running RedHat 6.0. The manner in which EZproxy handled this prior to the release of 2.2 can now be restored by adding:
Option IgnoreSIGCHLD
to ezproxy.cfg.
Under "new style" DRA Web2 authentication, the pin may now contain either letters or digits, whereas older versions of EZproxy limited the pin to digits only.

2003-08-14

EZproxy 2.2c GA (2003-08-14) contains the following changes:

When a user either tried to use the proxied form of an EZproxy URL (e.g., http://ezproxy.yourlib.org:2060 or http://80-www.somedb.ezproxy.yourlib.org) while not logged in, or tried to access a resource outside the user's groups, the user did not automatically proceed to the login page. This problem also effected sites that were using AutoLoginIP to access some resources (e.g., an automated catalog), but had other resources restricted by group.
The method by which the "-si" option creates a startup script on Linux and Solaris has changed, although the actual script created is the same.
Using the new administrative URL of the general form http://ezproxy.yourlib.org/admin when you have proxy by hostname enabled along with a wildcard SSL certificate now properly proceeds to the Administration page after login.
The "ezproxy -c" connectivity test will now route its request through your outgoing proxy server is an outgoing proxy server has been specified in ezproxy.cfg.
This version contains the new mini-DNS server for use with proxy by hostname, although this feature is still in initial testing. You must explicitly activate this feature, so it has no impact on existing sites that update to this version, but is available for those sites that want to perform testing of this feature.

2003-08-05

EZproxy 2.2b GA (2003-08-05) corrects a problem in 2.2a that had disabled the URLAppend (UA) command in ezproxy.cfg.

2003-08-02

EZproxy 2.2a GA (2003-08-02) contains the following changes:

In ezproxy.cfg, comment lines are formed by placing a # at the beginnnig of a line.
In some instances, people have placed comments on the end of lines that contain EZproxy directives, such as:

IncludeIP 68.15.177.100 # Test machine
The use of comments like this is not supported, and in EZproxy 2.2, it actually causes ExcludeIP and IncludeIP lines that contain such comments to fail.
Please make certain to always place comments on their own lines, such as:

# Test machine IncludeIP 68.15.177.101
If you have use https for login processing, EZproxy no longer defaults to forcing the main login page to upgrade from http to https. To restore the previous forced behavior, add:
Option ForceHTTPSLogin
to ezproxy.cfg.
When generating a new certificate under proxy by hostname, you can now have the option to create a wildcard certificate. This tells EZproxy that it should add "login." to the front of its name when handling login requests and should generate its SSL certificate using the form "*.ezproxy.yourlib.org". It also changes periods to hyphens when generating the host name for sites using https. These changes should allow a single wildcard certificate to generate only one error if self-signed, and no errors if purchased from a certificate authority.
New /admin page that coordinates access to various administrative function with EZproxy.
When SSL certificates are generated, they now receive distinct serial numbers to avoid generating conflicts for browsers that track certificates by issuer and serial number.
Corrections to AutoLoginIP interaction with groups.
New warning message when a server is configured for proxy by hostname but the wildcard DNS entry has not been registered.
In some instances and network configuration, Find/Replace statements would not be processed. This likely lead to some issues with Web of Science and Kluwer, along with other databases that require Find/Replace to operate.
The /status screen has been enhanced. The new version:
1. contains links from sessions that allow you to terminate sessions.
2. defaults to displaying source IP addresses instead of host names to reduce the wait time for this page to display when a large number of people are logged in.
3. rearranges the way databases are displayed, moving the domains column over to the left so it is not necessary to scroll right to see the domain information if they are any really long URLs.
4. allows the display of Find/Replace commands in the database listing if you use the extended display option.
5. enhances the host listing to ease diagnosis by indicating whether or not added JavaScript processing is enabled
  for the host, and also containing a link that allows you to see which database definition in ezproxy.cfg controls a given virtual host.
The Proxy and ProxySSL statements are now position-dependent in ezproxy.cfg.
Sites that use these statements should verify that they appear before your first Title (T) line, or else any databases that appear before them will not be directed through your outgoing proxy server.

This changes allows you to route proxy requests for different database vendors to different outgoing proxy servers, and to disable proxy server use for specific databases. This change was implemented in support of the LOCKSS project. Sample use in ezproxy.cfg is:

Proxy proxy1.yourlib.org ProxySSL proxy1.yourlib.org Title Some database accessed through proxy1.yourlib.org URL http://www.somedb.com Domain somedb.com Proxy ProxySSL Title Other database that will not use a proxy server URL http://www.otherdb.com Domain otherdb.com Proxy proxy2.yourlib.org Title Another database that will use proxy2 for http, but will make https requests directly ...
Proxy and ProxySSL statements effect all databases that follow them until another Proxy or ProxySSL statement appears.
As before, the Proxy and ProxySSL statements may still contain a username:password at the end to allow EZproxy to send a username/password when making proxy requests.
New support for Books24x7.com authentication, including revisions since the 2003-06-29 release for revised encryption. A sample entry is:
Title Book24x7.com URL http://library.books24x7.com/library.asp?^B Books24x7Site ABC123 TokenKey SomethingYouPickAndDontTellAnyone TokenSignatureKey YouGetThisFromBooks24x7 DJ books24x7.com
In this example, the ABC123 is a site identifier issues to you by Books24x7.com. The TokenKey is a random string that you pick that is used to encrypt the username of the person accessing EZproxy before sending it to Books24x7.com. The TokenSignatureKey is used to encrypt a combination of the IP address making the request and the encrypted username formed with TokenKey, or just the IP address if someone is accessing from within an ExcludeIP range.
This process does not disclose the identify of the EZproxy user to Books24x7.com. It sends an encrypted string that identifies each user uniquely. If necessary, Books24x7.com can provide your library with this encrypted string, then you can cross-reference it to the original user using the new:

http://ezproxy.yourlib.org:2048/token
page.
When ::limit is used to impose a login limit, the error message that appears for those who exceed their limit may now be overridden by creating the file limit.htm in the docs subdirectory. Within that file, you may use ^0 (number zero) to represent the maximum number of logins allowed on the account, ^1 (number one) to include an s if the limit is not 1 but nothing if the limit is one, and ^2 (number two) for the word "is" if the limit is 1 or "are" if the limit is 2. The existing message can be created with this string:
Your account is limited to ^0 session^1
When a web server claims a page is text/plain, it was previously left untouched. EZproxy now examines the content of the page to determine if it is HTML, and if it is, it rewrites the page. This behavior makes EZproxy emulate IE's behavior and should correct a problem with one errant Web of Science page.
In RedHat 9.0, a warning was being generated to /var/log/messages about SIGCHLD. This warning no longer appears.
The III interface now supports a keyword Unknown which tells EZproxy to consider the user unknown and proceed to the next authentication method in ezproxy.cfg. This keyword mainly exists to allow III processing to be terminated if the III server is unavailable, particularly when you are use Deny statements to block users.
Here is a typical application:

::iii Host iii.yourlib.org Refused; Unknown ...more authentication statements... /iii

2003-06-13

EZproxy 2.0k GA (2003-06-12) contains changes that:

correct a problem introduced in 2.0j when connecting to EBSCO databases.
suppress the "WARNING: address range applies to #### hosts" when AutoLogin, ExcludeIP, IncludeIP and RejectIP ranges refer to private IP address ranges (e.g., 10.0.0.0-10.255.255.255).
log warning messages to ezproxy.msg when unrecognized lines appear in ezproxy.cfg. Please note that this release will report the directives CookieName and LogFile as unrecognized, even though they are correctly recognized and processed. This misreporting will be corrected in the next release of EZproxy.
correct a problem that prevented CookieFilter from working under Solaris.

2003-06-05

EZproxy 2.0j GA (2003-06-02) contains corrections:

that restore the EZproxy 1.x method of setting the EZproxy cookie, which prevents users from receiving the login screen multiple times.
for proxying Lexis-Nexis (see LexisNexis for additional configuration requirements).
when using the form POST method with some SSL sites including ScienceDirect.
for a ScienceDirect problem that was only triggered for those sites that also have EZproxy configured to point to an outgoing proxy server.
that improve EZproxy's method used for reconnection when remote server refuses or times out, particularly if remote server has multiple IP addresses.
that provide a work-around for access to EBSCO EJS redirection problems with Internet Explorer. In addition to updating to EZproxy 2.0j, you must use a starting point URL similar to this to access EJS:
http://ezproxy.yourlib.org:2048/login?refresh=local&url=http://ejournals.ebsco.com/Home
to insure that people clicking on this URL from your local machines are redirected correctly to EJS.
allow you to specify what certificate should be provided to LDAP servers when making an SSL connection or allows you to suppress providing any certificate using entries in ezproxy.usr such as:
::ssl=5,ldap=ldaphost.yourlib.org,uid=$U,ou=student,o=yourlib,c=us ::ssl=0,ldap=ldaphost.yourlib.org,uid=$U,ou=student,o=yourlib,c=us
where "ssl=5" specifies that certificate number 5 should be provided and "ssl=0" specifies that no certificate should be provided.
allow you to specify a "banner file" that should be displayed to remote users after login but before they proceed on to the menu or their pre-specified web site. Sample use in ezproxy.usr is:
::banner=hello.html
EZproxy will look for hello.html in the docs subdirectory.
ezproxy.usr may contain multiple banner statements. The last such statement that appears before a user authenticates determines which web page will be used as the banner, such as:

::banner=robin.html robin:secret ::banner=pat.html pat:passcode ::banner=general.html ::ftp=ftp.yourlib.org
eliminate slow EZproxy startup when ezproxy.log exceeds 2 gigabytes in size.
support new authentication method were an outgoing proxy server can be tested with a username and password, and if the username and password are accepted, then EZproxy will continue to use that username and password for all outgoing proxy requests, allowing the outgoing proxy server to log all traffic. Sample entry in ezproxy.usr looks like this:
::proxy=mpa;http://some.valid.url/
where http://some.valid.url/ is some URL that the proxy server will always be able to access.
This option may only be used if ezproxy.cfg has an outgoing proxy server statement such as:

Proxy outproxy.yourlib.org:3128 someuser:somepass
EZproxy does not store the user's password in any files, so if EZproxy is restarted, it will use the "someuser:somepass" for outgoing requests for any existing users.

2001-11-30

Changes between EZproxy 1.4e and EZproxy 1.4d include corrections for:

byte-streaming that caused some PDF files to appear as blank pages.
proxying files from a web server running on the same server as EZproxy (e.g., for electronic reserves).
the ezproxy.cfg option "runas" on Linux that prevented all the threads from running under the specified username.

2001-11-07

EZproxy version 1.4d corrected a problem that caused the Linux and Solaris versions to abort under certain conditions.

2001-10-29

Changes between EZproxy 1.4a and EZproxy 1.c include:

an increase in timeout value while handling binary content such as PDF files, eliminating some Acrobat errors.
a Solaris 8 version of EZproxy.
support for Worldbook Online.
new options during login processing to support virtual reference.
extensions for external web page validation. Previously, an entry in ezproxy.usr like:
::external=http://auth.yourlib.org/cgi-bin/script?
would result in EZproxy taking this URL then concatenating the literal "0=", the username from the login form, the literal "&2=", and the password from the login form. EZproxy would then access this URL and scan the results of the script for one of the strings "webchkpass" or "+VALID" (the latter in any form of capitalization), and if found one of those strings, consider the login valid.
This first form continues to work, but this has now been extended to allow the inclusion of the special strings "^u" and "^p" in the URL, along with allowing a new option "valid=" to specify what string is considered valid. For example, you might now use:

::external=http://auth.yourlib.org/ezpcheck.cfm?user=^u&pass=^p
which would allow this hypothetical Cold Fusion script to check the variables url.user and url.pass to obtain the username and password that needs to be checked. As show above, the script would need to display +VALID to indicate the login was valid, although you can change this with something like:
::external=http://auth.yourlib.org/ezpcheck.cfm?user=^u&pass=^p,valid=known
which would make EZproxy look for the string "known" instead of the default strings.

2001-08-06

Changes between EZproxy 1.2b2 and EZproxy 1.4a include:

the ability to proxy by hostname (also known as "new strategy proxying").
the ability to have EZproxy perform arbitrary text editing as may be required to address JavaScript compatibility.
the ability to specify alternate menu files for different users. Alternate menus can be selected by editing ezproxy.usr and adding lines like this:
user1:pass1 ::menu=alt.htm user2:pass2 ::menu=ftp.htm ::ftp=ftpserv.yourlib.org
In this example, user1 would see the default menu.htm, user2 would see alt.htm, and anyone who authenticated from ftpserv.yourlib.org would see ftp.htm.
EZproxy looks for all menu files in the docs subdirectory. The filenames may not start with a period and may only contain letters, digits and periods.
contains corrections for built-in DRA Web2 authentication, including the ability to support barcodes with letters and the ability to limit access by system type using a configuration such as:
::draweb2 url http://...your-real-url-here.../ezp1.html system 02,03,05,1* /draweb2
This definition will only allow patrons with a library system code of 02, 03, 05 or any code that starts with a 1 to have access.
corrects a problem when proxying some resources that require username/password authentication.
corrects a problem with "::external" authentication.
allow the acceptance of domain cookies to allow the storage of cookies that violate the RFC but are commonly allowed by browsers.
adds cookie suppression feature. In some instances, cookies set by other web servers at your web site may be sent by your browser to EZproxy. EZproxy cannot distinguish these cookies from other cookies that have been set by database vendors, so it normally passes them through. This behavior confuses the IEEExplore login process. To prevent this from happening, use this database definition:
OPTION NOCOOKIE T IEEExplore U http://ieeexplore.ieee.org/lpdocs/epic03 D ieee.org OPTION COOKIE
The placement of OPTION COOKIE and OPTION NOCOOKIE is very important as both of these options take effect starting with the next database definition in the file.
adds special redirection handling. In some instances, web servers using a redirect process to embed cookies into users' browsers. If such a redirection occurs at the end of a chain of other redirections (e.g., as occurs during the EZproxy login process), the browser may stop performing redirections and leave the user at a point just prior to reaching the desired page, often with a link on that page that can then take the user on to the proper page. This behavior has been seen with ABC CLIO EBooks.
The following definition corrects the ABC CLIO problem. If your definition for this database is slightly different, simply insure that OPTION REDIRECTPATCH appears before it, and OPTION NOREDIRECTPATCH follows it.

OPTION REDIRECTPATCH T ABC CLIO Ebooks U http://ebooks1.abc-clio.com/plibrary/read/read.asp? DJ abc-clio.com OPTION NOREDIRECTPATCH
allows starting point URLs to take the form:
http://ezproxy.yourlib.org:2048/login?qurl=http%3a%2f%2fwww.somedb.com
Special characters that appear after qurl= must be "hex quoted," especially & to %26, = to %3d and ? to %3f. As such, the URL:
http://ezproxy.yourlib.org:2048/login?url=http://www.somedb.com/search?name=db&option=1
would need to be changed to:
http://ezproxy.yourlib.org:2048/login?qurl=http%3a%2f%2fwww.somedb.com%2fsearch%3fname%3ddb%26option%3d1

This alternate form is not required, but is provided for instances where using a character encoded URL is useful.
improves compatibility between IE 5.5 and EZproxy servers operating with numeric host names. It eliminates the cookie message that would appear previously, but may not work with all databases. Specifically, numeric host names probably do not allow the use of Dow Jones Interactive, although this has not been confirmed.
adds the ability to specify the port number to be used for LDAP authentication. To specify the port number, include a colon after the host name, followed by the port number, such as:
::ldap=ldaphost.yourlib.org:10389,cn=^U,o=yourlib
changes the way host name lookups are handled under Linux.
allows EZproxy to recognize its own rewritten URLs as part of starting point URLs.
adds support for byte range transfers for PDF documents.
corrects a bug that misinterpreted certain valid FTP server responses as invalid.
enhances logging support to record the number of bytes transferred and the actual HTTP status code (previously, the status code was always recorded as 200).
includes a change to improve WebSPIRS compatibility.
improves response time when searching large user authentication text files.
corrects a problem with NT domain login validation that would allow any invalid username with any password to be considered valid if the Guest account was enabled on the machine running EZproxy.
adds the new ezproxy.cfg option:
COOKIENAME somecookie
Normally, EZproxy names its own cookie "ezproxy" during authentication. With this option, you can tell EZproxy to use a different cookie name. The name is limited to 16 letters and digits.
changes RADIUS authentication to include the NAS-IP-Address attribute as part of the authentication request and also adds an option to specify an authentication realm with an entry in ezproxy.usr like:
::radius=radserv.yourlib.org,secret=linkup,realm=yourlib.org
When realm= is specified, an @ sign followed by the realm text is automatically appended to the username in the RADIUS request.
adds the new keyword RUNAS was added to ezproxy.cfg for the Linux and Solaris versions. This keyword can be used to specify the user and group that should be used when running EZproxy. Sample usage is:
RUNAS username RUNAS username:group
Both username and group may be specified by text names or numeric values.
This keyword is mainly useful to have EZproxy change from running as root to running as an unprivileged user after it has started listening on a privileged port such as the standard web server port 80. However, EZproxy does perform some file operations before making this switch, so this keyword should not be considered to mitigate all security issues, but rather to limit the potential security problems that could occur once EZproxy is running.

2001-02-11

Differences between EZproxy 1.00e and EZproxy 1.2b include:

changes required to support updated AP Photo Archive, AusStats, Dow Jones Interactive, EBSCO, FirstSearch, Grolier Encyclopedia and Worldbook Online.
correction for LDAP authentication against Microsoft Active Directory.
"prefix=" as an option for ezproxy.usr. This option can be used in conjunction with "O LOGUSER" in ezproxy.cfg to customize usernames logged to ezproxy.log.
Sample use might be:

::domain=student,prefix=student\ ::domain=employee,prefix=employee\
These lines would use "student\" or "employee\" to be prefix the username recorded in ezproxy.log.
corrections for III authentication: allows blank expiration dates to be viewed as unlimited expiration dates and determine field value based solely on the tag portion in brackets, instead of the entire field name.
correction of a problem with the Linux and Solaris versions of EZproxy that caused the ezproxy.msg file to be overwritten.
compensation for problems between webspirs4.informit.com.au:8590 and Solaris.
changes to avoid user reauthentication in instances where the host name in a starting point URL did not match the host name of the EZproxy server. EZproxy now detects this and redirects such a request to its "real" name to avoid the need to reauthenticate the user.
support for Windows NT domain users to change their initial passwords if they are expired. To activate this feature, after installing this version, you must also issue the command:
ezproxy -mw
to create the file wexpired.htm in your docs subdirectory. This new file is a customizable template for the pages displayed to the user during password change.
new ezproxy.cfg option:
OPTION REQUIREAUTHENTICATE
After adding this line to ezproxy.cfg and restarting EZproxy, you can use these URLs:

http://ezproxy.yourlib.org:2048/auth?1

If you enter this URL on a computer that is normally excluded from proxying (and thereby normally not required to login), EZproxy will set a permanent cookie on the computer indicating that users must login before accessing databases.

http://ezproxy.yourlib.org:2048/auth?0

This URL cancels the requirement that a user must login before accessing resources through EZproxy.

http://ezproxy.yourlib.org:2048/auth

This URL report whether or not the user will be required to login or not.

1999-10-05

EZproxy 1.00d contains the following changes:

The ability to authenticate users against an existing FTP, IMAP or POP server is now built-into EZproxy. See User Authentication for details.
Internet Explorer 3.0 users could not complete authentication, but would rather receive the "cookie" messages. This is now corrected.
The Linux version had problems accessing some databases using the POST form method. This is now corrected.

1999-08-19

EZproxy 1.00c corrects the following issues:

Transfers of large binary files (especially PDF files) were being terminated prematurely.
External authentication processing and ezproxy.cfg "E" (exclude from proxying) entries could previously conflict in such a manner that external users might not be proxied.
In most instances, if you use "ML" (maximum session life) or "E" (exclude from proxying) lines in the ezproxy.cfg file, you must now place these lines prior to the first "T" (title) line. These entries can now appear in different parts of the file to require user authentication for certain databases regardless of on-site and off-site access, while allowing other databases to require authentication only for off-site access. This will be covered more fully in the upcoming documentation for the ezproxy.cfg file.

1999-08-15

EZproxy 1.00b corrects the following issues:

DRA Web2 integration presented the cookie warning screen instead of the unregistered version screen when used with an the unregistered version of EZproxy.
An option is now available to allow user identifications to be recorded in the ezproxy.log file. This is enabled by adding:
O LOGUSER

to the ezproxy.cfg file. External authentication scripts can provide the username for logging by adding "loguser=(name)&" before the "url=" value. See the updated reference scripts under User Authentication for more details.
EZproxy can now attempt to rewrite domain names within JavaScript code. This option may inappropriately rewrite certain web page information, so it should only be used if a web site does not currently work and if you see untranslated URLs within JavaScript code. To enable this option, edit ezproxy.cfg and change the "H" and "D" lines within the database description to "HJ" and "DJ". If you find this is required to make a particular database work, please also send a note to ezproxy@oclc.org.
The "-m" and "-r" command line options caused EZproxy to crash if it was not possible to create files in the current directory.