In order for EZproxy to give remote users access to resources with secure URLs, you must obtain, install, and configure an SSL Certificate. Secure URLs begin with https instead of http. For example:
is a URL that would require an SSL certificate and configuration in EZproxy. If you have any resources with URLs beginning with https, you will need to configure EZproxy to run with an SSL Certificate.
This page will guide you through the steps required to create an SSL certificate and activate it for use by EZproxy.
These features of EZproxy use the OpenSSL Toolkit. The EZproxy program files contain the OpenSSL routines required by EZproxy, so no separate library files need to be downloaded to provide this functionality.
If you are already using an SSL certificate with EZproxy and need to renew that certificate, refer to SSL Certificate Renewal for more information.
The following video tutorial provides a detailed overview of SSL certificates and how they work with EZproxy (11:23 minutes):
EZproxy allows you to generate self-signed certificates or to request certificates from a certificate authority such as ipsCA, VeriSign, Thawte, etc. You must decide whether you want to use a self-signed certificate or purchase a certificate from a certificate authority.
You must also determine whether to use a wildcard certificate.
For more information on differences in browser behavior, consult SSL Certificate Options.
If you purchase a certificate, make certain that you back up your EZproxy installation, and particularly the ssl subdirectory, because if you lose these files you may have to pay to replace the certificate.
If you find this directive, it indicates that your EZproxy server may be using a wildcard certificate that was created outside of EZproxy and imported manually. This option can interfere with certificates created within EZproxy. If you find this directive and you are planning to create a certificate from within EZproxy, you should delete this directive.
Replace someuser and somepass with the username and password you will use to log in to EZproxy with administrative access. You will use these login credentials to enable your SSL certificate in EZproxy.
The following instructions explain how to configure EZproxy to enable https support. In all of these examples, in any location where http://ezproxy.yourlib.org:2048 appears, you should substitute your own EZproxy server name and port.
Port 443 is the preferred number, as this is the standard port for https. However, if you already have a secure web server running on the same system as EZproxy, it will already be using port 443. In this case, you will need to either set up two separate IP addresses on your server, or pick an alternate port number such as:
If you use a firewall, you may also need to configure it to allow access to the port you select.
using the admin username and password entered in your config.txt. If you use CAS, CGI, or Shibboleth for user authentication, please consult EZproxy Administration for additional steps that are required to access the administration page.
If EZproxy is configured to Proxy by Hostname and you are running EZproxy V6.1 or later, you will also see the following options.
- Certificate name: The name that will appear in the CN field of your certificate.
- Subject Alternate Name: The name(s) that will appear in the SAN field of your certificate.
The options you select in these fields will depend upon the requirements of your Certificate Signing Authority (CSA). For details about these fields and other optional fields, refer to your certificate authority's documentation. If your CSA requires you to enter your server's wildcard name in the SAN field, you must be running EZproxy V6.1 or later.
If you are generating a self-signed certificate, you can select any combination of entries for these fields because all self-signed certificates generate browser warnings.
If you are using EZproxy V6.0.8 or earlier, EZproxy will not use the SAN field when looking for domains. Your certificate must contain the following:
- Certificate name: Must be a wildcard entry containing "*.", for example, *.ezproxy.college.edu
- Subject Alternate Name: Must contain the non-wildcard domain; for example, if the wildcard domain is as above, the SAN must be ezproxy.college.edu
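The following is an added example, not part of the EZproxy documentation, showing why both entries are needed: it applies browser-style name matching (a single leftmost-label wildcard that never matches the bare domain) to a certificate's CN and SAN list, and checks the V6.0.8-or-earlier rule above. The proxied hostname www-somedb-com.ezproxy.college.edu is a constructed sample.

```python
# Added example (not EZproxy code): check which EZproxy hostnames a
# certificate's CN/SAN entries cover, and whether the CN/SAN layout meets
# the rule for EZproxy V6.0.8 or earlier. Assumes browser-style matching:
# "*" must be the whole leftmost label and matches exactly one label.

def name_matches(pattern, hostname):
    """True if a certificate DNS name (CN or SAN entry) matches hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*.x.y" never matches the bare domain "x.y"
    if "*" in p[1:] or any("*" in lab and lab != "*" for lab in p):
        return False  # wildcard only as the entire leftmost label
    return all(a == "*" or a == b for a, b in zip(p, h))

def cert_covers(hostname, cn, sans):
    """True if the CN or any SAN entry covers hostname."""
    return any(name_matches(n, hostname) for n in [cn] + list(sans))

def check_legacy_requirements(cn, sans):
    """EZproxy V6.0.8 or earlier: CN must be '*.<base>' and SAN must list <base>.
    Returns a list of problems (empty when the certificate is acceptable)."""
    problems = []
    if not cn.startswith("*."):
        problems.append("CN is not a wildcard entry")
    elif cn[2:] not in sans:
        problems.append("SAN does not contain the non-wildcard domain " + cn[2:])
    return problems

def coverage_report(cn, sans, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {h: cert_covers(h, cn, sans) for h in hostnames}

if __name__ == "__main__":
    # Constructed sample: wildcard CN plus the non-wildcard domain in the SAN.
    cn, sans = "*.ezproxy.college.edu", ["ezproxy.college.edu"]
    hosts = ["ezproxy.college.edu",                 # login page host
             "www-somedb-com.ezproxy.college.edu",  # proxied database host
             "a.b.ezproxy.college.edu"]             # two labels deep: not covered
    for host, ok in coverage_report(cn, sans, hosts).items():
        print(host, "covered" if ok else "NOT covered")
    print("legacy problems:", check_legacy_requirements(cn, sans) or "none")
    print("legacy problems without SAN:", check_legacy_requirements(cn, []))
```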
All EZproxy URLs that are in websites or publicized to users must use the following syntax: http://ezproxy.college.edu/login?url=http://www.somedb.com
You will need to submit this text to your certificate authority.
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
In addition to the certificate for your server, the certificate authority may also provide intermediate or chained certificates. At this point, you should only be working with the certificate that has been issued for your server.
| You will be unable to save a certificate if you: | Why this is a problem |
| --- | --- |
| | A certificate is bound to a key that is created as part of the original CSR and cannot be applied to any other CSR. If you make this mistake, you will need to resubmit the new CSR to your certificate authority and ask them to use it to replace your certificate. |
| | Again, certificates are bound to their original CSR, so this process will fail. If you have an existing certificate that was not requested using the EZproxy CSR request generator, click Import Existing SSL Certificate on the SSL management page to enter existing certificates. |
This directive will redirect any requests for the login page to the secure https URL for your EZproxy server. For more information about this directive, see Option ForceHTTPSLogin.
This page last revised: September 23, 2015