Secure your EZproxy server
EZproxy directives and configurations offer administrators multiple options for securing your server, monitoring security concerns, and identifying and neutralizing compromised accounts.
- SSL configuration
  - In order for EZproxy to give remote users access to resources with secure URLs, you must obtain, install, and configure an SSL certificate.
- Secure your EZproxy server
  - The following lists provide general best practice suggestions for securing your EZproxy server.
- Export a Windows certificate
  - If you are running EZproxy on a Windows server, your server may already have an SSL key that you would like to use with EZproxy. The following steps provide a way to export an SSL certificate from the Windows certificate store and import it into EZproxy.
- EZproxy cookie blocked
  - After a user is authenticated by EZproxy, EZproxy sets a cookie in the user's browser to establish access to the user's session.
- Identify compromised credentials
  - There are instances when a content provider contacts an EZproxy institution with details about a potential security breach. Normally, this is caused by credentials that have been stolen or compromised. These breaches often require action on the part of the institution to ensure continued access to the resource. If no action is taken, access to that resource can be suspended until the breach has been addressed. This documentation describes the steps that must be taken, both proactively and after
- Network address translation (NAT)
  - With proper configuration, EZproxy can be used behind a firewall that employs Network Address Translation (NAT). In a typical NAT environment, your local machines are connected to the Internet through a firewall machine. Your local machines are typically assigned addresses that are valid in your local network, but that are masked by the firewall machine's address when you access machines that are external to your network.
- Options for securing your EZproxy server
  - EZproxy config.txt directives can be entered in many combinations to secure your EZproxy server. The most common security configurations employ encryption settings, limits, and monitoring/logging directives to record and limit users’ activity. The following tables provide lists of commonly used security, monitoring, and logging directives available to secure your server.
- Prepare a Windows certificate for EZproxy import
  - If you are running EZproxy on a Windows server, your server may already have an SSL key that you would like to use with EZproxy. The following steps provide a way to import a Windows certificate into EZproxy.
- Renew your SSL certificate
  - Discover how to renew an SSL certificate as a self-hosted EZproxy library. As you work through these renewal instructions, your server will continue to use its existing SSL certificate. When you reach the final point where you have a new certificate and it is ready for use, you will explicitly tell EZproxy to switch over to the new certificate.
- Sample secure EZproxy server
  - The following example combines all of the directives listed in the overview, placing them in an order that would be appropriate for your config.txt file. The values shown in specific examples are meant as starting points and may not provide the appropriate balance for your server. Whenever changes are made to config.txt, you need to restart EZproxy.
- SSL certificate options
  - To secure the login process or to proxy remote https web sites, you must use an SSL certificate. EZproxy allows you to create a self-signed certificate for no cost or to create a certificate signing request which you process through a certificate authority to purchase a certificate.