Securing Your EZproxy Server

EZproxy config.txt directives can be entered in many combinations to secure your EZproxy server. The most common security configurations employ encryption settings, limits, and monitoring/logging directives to record and limit users’ activity. The following tables provide lists of commonly used security, monitoring, and logging directives available to secure your server.

Login Encryption

One step you can take to increase the security of your users’ credentials and limit the potential for illicit logins with legitimate credentials is to encrypt communication between your users and your EZproxy server. The following directives will allow you to create a secure login page using https and an SSL port. This means, for example, that whenever a user logs in to your EZproxy server, their username and password will be encrypted before transmission instead of being sent in clear text, making it more difficult for those credentials to be stolen.

Before using these directives, you must create an SSL certificate and apply it to your EZproxy server. For more details on how to do this, please see SSL Configuration.

Directive Description
LoginPortSSL This directive enables you to specify the port on which EZproxy should listen for incoming login, menu, and administration requests using https. This directive is necessary if you want to require your users to log in using https as defined by the Option ForceHTTPSLogin directive.
Option ForceHTTPSLogin When present, this directive will specify that the user login page always be presented using https, making it a more secure page for logins. Any attempts to access the page using http will be redirected to the https page.
Option ForceHTTPSAdmin When present, this directive will specify that the admin login page always be presented using https, making it a more secure page for logins. Any attempts to access the admin page using http will be redirected to the https page.

Additional Encryption Options

Secure Socket Layer (SSL) is a cryptographic security protocol used to encrypt network information transmissions. SSL has generally been replaced with Transport Layer Security (TLS). EZproxy can support two SSL security options--SSL 2 and SSL 3; however, you can disable these weaker protocols so that only TLS is used. For more details about what version of TLS is currently supported, please see the Release Notes.

Note: In all versions of EZproxy 5.7.44 and greater, SSL 3 is disabled by default.

When entered in your config.txt file, any Option DisableSSL directives that you enter must come before the LoginPortSSL directive.

Directive Description
Option DisableSSL40bit Disables the use of SSL encryption algorithms that use only 40 bits. This directive also disables SSL 2.
Option DisableSSL56bit Disables the use of SSL encryption algorithms that use only 56 bits.
Option DisableSSLv2 Disables the use of SSL 2 handshakes.
SSLCipherSuite This directive allows you to define security settings using SSL Cipher Suite strings.

For more details about each of these security options, please see EZproxy Security FAQ.
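The two placement rules above (Option DisableSSL directives before LoginPortSSL, and LoginPortSSL being required for Option ForceHTTPSLogin) can be checked mechanically before a restart. The following checker is an added example, not OCLC code; the function names and sample fragments are constructed, and extending the LoginPortSSL requirement to Option ForceHTTPSAdmin is an assumption.

```python
# Constructed config.txt fragments for the demonstration (not from a real server).
GOOD = """\
Option DisableSSL40bit
Option DisableSSLv2
# comment lines are ignored
LoginPortSSL 443
Option ForceHTTPSLogin
"""
BAD_ORDER = """\
LoginPortSSL 443
Option DisableSSLv2
Option ForceHTTPSLogin
"""
NO_PORT = """\
Option DisableSSLv2
Option ForceHTTPSLogin
"""


def directives(text):
    """Yield (line_number, normalised_directive) for non-blank, non-comment lines."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            yield number, line


def check_https_directives(text):
    """Return findings for the two rules the page states about LoginPortSSL."""
    items = list(directives(text))
    # Matching is case-insensitive by choice of this checker.
    port_line = next((n for n, d in items if d.lower().startswith("loginportssl ")), None)
    findings = []
    for n, d in items:
        low = d.lower()
        if low.startswith("option disablessl") and port_line is not None and n > port_line:
            findings.append(f"line {n}: '{d}' must come before LoginPortSSL (line {port_line})")
        # Stated on the page for ForceHTTPSLogin; applying it to ForceHTTPSAdmin is an assumption.
        if low in ("option forcehttpslogin", "option forcehttpsadmin") and port_line is None:
            findings.append(f"line {n}: '{d}' has no LoginPortSSL to redirect to")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD_ORDER", BAD_ORDER), ("NO_PORT", NO_PORT)):
        print(name, check_https_directives(cfg) or "ok")
```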

Additional Limits Configuration Options

The following directives provide additional security for your EZproxy server, not related to encryption.

Note: Each of the directives below is defined in terms of security. For a more complete definition and discussion of how these directives work for both security and other purposes, please click on the name of the directive.

Directive Description
MaxLifetime This directive closes sessions that remain inactive for longer than a given period of time. This can help minimize the likelihood that a valid session left open on a public computer will be taken over by an illegitimate user.
MaxSessions This directive limits the maximum number of EZproxy sessions that can exist at one time. This helps protect against denial of service attacks that could overwhelm your EZproxy server with traffic and shut it down. Setting a limit appropriate to your server will also help maintain your server’s health.
Option BlockCountryChange Using the Location directive as a reference, this directive disconnects any user whose IP address changes from one country to another during a session.  
UMask This directive provides a numeric value that controls the permissions on files created by the Linux and Solaris versions of EZproxy, using the same syntax as the Linux and Solaris command umask.

Monitoring Security

Once you have configured the above options, OCLC suggests you input the following options in your config.txt to monitor use of your EZproxy resources and help you deal with security breaches if they occur. Monitoring security and your security settings are directly related to log configuration. The list below provides a brief overview of log-related directives that can be useful in monitoring your EZproxy server’s security. For a more detailed discussion of EZproxy log options, please see Log Files Overview and the related directives pages linked there.

Note: Each of the directives below is defined in terms of security. For a more complete definition and discussion of how these directives work for both security and other purposes, please click on the name of the directive.

Directive Description
Audit Most This directive enables you to access use details from your admin page and identify potential problem users.
IntruderIPAttempts This directive allows you to identify and automatically block users who repeatedly attempt to access your EZproxy server from a specific IP address with invalid credentials. A record of each failed attempt will be recorded in your Audit log if you have Audit Most configured.
IntruderUserAttempts This directive allows you to identify and automatically block users who repeatedly attempt to access your EZproxy server with an invalid password for a given username. A record of each failed attempt will be recorded in your Audit log if you have Audit Most configured.
Location When used in combination with Audit Most, this directive enables you to determine where your users are located based on their IP address. This can be useful information in identifying problem use and users.
Option StatusUser This directive causes EZproxy to display the username associated with a login session on the Server Status page, accessible from the admin page. This makes it easier to determine if the same username is being used by many users to gain access to your server.
Option LogSession This directive causes EZproxy to record the session identifier as part of entries in the ezproxy.log or spu.log file when %u is entered as a qualifier with LogFormat or LogSPU. This allows you to cross-reference a user with a user’s browsing activity if needed. The link between user and session is stored in the audit file; this link is automatically broken after the number of days specified in AuditPurge, when the audit file is deleted.
Option LogUser This directive causes EZproxy to record the username as part of entries in the ezproxy.log or spu.log file when %u is entered as a qualifier with LogFormat or LogSPU. This allows you to quickly identify the username used to initiate a problem session and follow up with the appropriate steps necessary to limit that user’s access to resources.

Note: Special configurations in LogFormat and LogSPU are necessary to record BOTH session ID and username. For more information see the Fields to Customize Log Data table on the LogFormat directive page.

UsageLimit This directive provides multiple options for monitoring and then enforcing limits on usage. When entered as UsageLimit Global, this directive allows you to watch users’ activity and see how much data is being transferred to them, which can be helpful in identifying potentially problematic users. Adding additional options to the directive can allow you to enforce specific content transfer limits for specific periods of time.
 

The following example combines all of the directives listed in the overview, placing them in an order that would be appropriate for your config.txt file. The values shown in specific examples are meant as starting points and may not provide the appropriate balance for your server. Whenever changes are made to config.txt, you need to restart EZproxy.

Note: The lines below the directives, beginning with the #, are comments to explain the directive above. These can be deleted or included in your config.txt file as they will not impact your settings. They are meant only to explain the directive.

MaxLifetime 120
#A session idle for 120 minutes is automatically logged out.
MaxSessions 500
#A maximum of 500 sessions may be active at any given time.
UMask 0077
#In Linux & Solaris, access to files is limited to the account used to run EZproxy.
Option DisableSSL40bit
#Disables 40-bit SSL encryption algorithms and SSL 2.
Option DisableSSL56bit
#Disables 56-bit SSL encryption algorithms.
Option DisableSSLv2
#Disables use of SSL 2 handshakes.
LoginPortSSL 443
#Specifies that EZproxy listen for https requests on port 443.
Option ForceHTTPSLogin
#Forces the use of a secure, https login page.
Option ForceHTTPSAdmin
#Forces the use of a secure, https admin page.
Audit Most
#Records a designated set of Audit events in the Audit log.
AuditPurge 180
#Deletes Audit logs older than 180 days.
Option StatusUser
#Displays the username associated with a session on the Server Status page.
Option LogSession
#Records session identifier in ezproxy.log or spu.log files.
Option LogUser
#Records the username in ezproxy.log or spu.log files.
IntruderIPAttempts -interval=5 -expires=15 20
#Causes EZproxy to block login attempts from an IP address if invalid credentials are entered more than 20 times in a 5 minute interval.
IntruderUserAttempts -interval=5 -expires=15 10
#Causes EZproxy to block login attempts from a username that enters the incorrect password more than 10 times within a 5 minute period.
UsageLimit Global
#Records usage, but does not enforce limits. Usage can be viewed on the View Usage Limits and Clear Suspensions page from the /admin webpage.

LogFile -strftime /log/ezlogs/ezp%Y%m%d.log
#Creates daily ezproxy log files.
LogFormat %h %l %u %t "%r" %s %b
#Records information specified by the % options. More detail on the LogFormat page.
LogSPU -strftime /log/spulogs/spu%Y%m%d.log %h %l %u %t "%r" %s %b
#Creates daily spu logs, and records same basic information as LogFormat directive based on % options.

Location -File=GeoLiteCity.dat.gz
#Adds location data to audit logs by relating user’s IP address to the location identified by the GeoLiteCity.dat file.
Option BlockCountryChange
#Blocks users whose country changes (based on Location directive information) in the middle of a session.
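
With Option LogUser and the LogFormat line above, ezproxy.log can be scanned for one username appearing from many addresses, the sharing pattern that Option StatusUser is meant to expose. The script below is an added example, not part of EZproxy or OCLC's documentation; it assumes %u holds the username, that %t is written in common-log style, and the log lines and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Field layout of: LogFormat %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$')

# Constructed log lines (documentation IP ranges, made-up usernames).
SAMPLE = """\
198.51.100.7 - asmith [17/Apr/2015:09:00:01 -0500] "GET http://db.example.org:80/a HTTP/1.1" 200 5120
203.0.113.9 - bjones [17/Apr/2015:09:02:10 -0500] "GET http://db.example.org:80/b HTTP/1.1" 200 812
192.0.2.44 - asmith [17/Apr/2015:09:05:30 -0500] "GET http://db.example.org:80/c HTTP/1.1" 200 77120
203.0.113.80 - asmith [17/Apr/2015:09:20:00 -0500] "GET http://db.example.org:80/d HTTP/1.1" 200 90311
203.0.113.9 - bjones [17/Apr/2015:11:40:00 -0500] "GET http://db.example.org:80/e HTTP/1.1" 200 -
this line is damaged and is skipped
"""

def parse(lines):
    """Yield (username, client_ip, timestamp) for well-formed, authenticated entries."""
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["user"] != "-":
            when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["user"], m["host"], when

def shared_usernames(lines, max_ips=2, window=timedelta(hours=1)):
    """Return {username: sorted IPs} for usernames seen from more than
    max_ips distinct addresses inside any single time window."""
    seen = defaultdict(list)
    for user, host, when in parse(lines):
        seen[user].append((when, host))
    flagged = {}
    for user, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {h for t, h in events[i:] if t - start <= window}
            if len(ips) > max_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    print(shared_usernames(SAMPLE.splitlines()))
```

The flagged usernames can then be looked up in the Audit log, where the Location directive adds the geographic data for each address.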
 

This page last revised: April 17, 2015