Selective AutoLoginIP

Version requirement

The method described in this example only works as described in EZproxy 2.2c (2003-08-14) and later. If you use an earlier version of EZproxy, this will not work as described.

Overview

When using AutoLoginIP to provide transparent access for select users, it may be necessary to require users to authenticate when accessing other resources. To reliably intermix AutoLoginIP with forced authentication, it is necessary to place the databases that will require authentication into a separate group. The following demonstrates how to construct such a configuration.

Strategy

AutoLoginIP provides a way to have EZproxy provide automatic access without requiring authentication. The main use of this mechanism is to provide branch libraries with access to licensed resources that do not recognize the IP addresses of the branch location. In this example, AutoLoginIP is used to allow remote users to access the OPAC through EZproxy without the users being required to authenticate.

Groups can be used to allow different groups of users to have access to different groups of databases. In this example, groups are used to force remote users to authenticate when they try to access licensed databases.

config.txt/ezproxy.cfg

These sample lines from config.txt/ezproxy.cfg demonstrate how to place the resources that will require authentication into a separate group from the groups available through AutoLoginIP.

This configuration requires EZproxy 2.2c (2003-08-14) or later.

# Databases that require everyone to log in are best placed at the top of config.txt/ezproxy.cfg
# with their appearance coming before any AutoLoginIP or ExcludeIP directives
#
# This Group directive creates an arbitrary group named MustLogin
# By placing this database into this group, both local and remote users will be forced to
# authenticate. Without it, local users who went to another database first would be
# transparently authenticated, so later access to this would be unblocked.

Group MustLogin
Title Some Database for which all must authenticate
URL http://www.somedb.com
Domain somedb.com

# Group directives that appear before AutoLoginIP statements determine which groups
# EZproxy will assign to users who are automatically logged in. This directive
# ensures that users who log in automatically will be in only the Default group, and also
# causes the remaining databases to be assigned to that group.

Group Default

# This AutoLoginIP directive tells EZproxy that the specified IP addresses should
# be automatically logged in for local access.
AutoLoginIP 10.0.0.0-10.255.255.255

# This database will be transparently proxied for local users
Title Other Database with local users transparently proxied
URL http://www.otherdb.com/
Domain otherdb.com

# This ExcludeIP directive tells EZproxy that the specified IP addresses should
# not be proxied and instead should be redirected to the real URL.
ExcludeIP 10.0.0.0-10.255.255.255
Title Another Database with local users redirected to real URL
URL http://www.anotherdb.com/
Domain anotherdb.com
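
The ordering rule above can be checked before deployment with a small audit script. The following is an added example, not part of EZproxy or of the original page: it models only the Group/AutoLoginIP/Title ordering described here, and the sample stanzas, the opac.example.org host and the "+"-joined group syntax are assumptions made for illustration.

```python
# Added example: a simplified model of the ordering rules described on this page,
# not EZproxy's own parser. The sample stanzas are constructed for illustration.
GOOD = """\
Group MustLogin
Title Licensed DB
URL http://www.somedb.com
Domain somedb.com

Group Default
AutoLoginIP 10.0.0.0-10.255.255.255
Title OPAC
URL http://opac.example.org/
Domain opac.example.org
"""

# Same file with the "Group Default" line removed: AutoLoginIP now inherits MustLogin.
BAD = GOOD.replace("Group Default\n", "")


def audit(config_text):
    """Return (groups given to auto-logged-in users, {title: login_required})."""
    current = {"Default"}   # assumption: group in effect before any Group directive
    auto_groups = set()
    db_groups = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        directive, arg = directive.lower(), arg.strip()
        if directive == "group":
            # assumption: several groups may be joined with "+"
            current = set(arg.split("+"))
        elif directive == "autologinip":
            auto_groups |= current      # groups in effect at this point in the file
        elif directive == "title":
            db_groups[arg] = set(current)
    # A database forces authentication only if it shares no group with auto-login users.
    required = {t: not (g & auto_groups) for t, g in db_groups.items()}
    return auto_groups, required


if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        groups, required = audit(cfg)
        print(name, sorted(groups), required)
```

Any database reported with login_required set to False is reachable from the AutoLoginIP range without a prompt, which is the condition the MustLogin group exists to prevent.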

user.txt/ezproxy.usr

For this configuration to work, you must configure EZproxy to associate users who log in with the special MustLogin group that was created above. If you are not using any other group logic in user.txt/ezproxy.usr, then simply make this the first line of your user.txt/ezproxy.usr file:

::group=+MustLogin

If you are using Groups with EZproxy, then you must ensure your group logic also assigns your users into the MustLogin group.