HSTS and EZproxy
Symptom
- 401 Unauthorized error
- The browser reports NET::ERR_CERT_COMMON_NAME_INVALID on every database whose stanza or link uses an HTTP URL. Refer to the screenshot:
Applies to
- Sites that have enabled HSTS on their EZproxy domain. To check whether a site has enabled HSTS:
- Open chrome://net-internals/#hsts in Chrome.
- Under "Query HSTS/PKP domain", enter the hostname of the EZproxy domain (the host part of the proxy prefix, without the scheme or path).
- Click "Query".
- If the result is "Found:" followed by policy details (such as dynamic_sts_domain and dynamic_sts_include_subdomains), that browser has an HSTS policy for the site; "Not found" means it has none. Note that this page only reads the local browser's HSTS cache, so it reports a policy only if that browser has already received the header over HTTPS; to see what the server currently sends, check the response header itself (see Resolution).
Resolution
HSTS is not supported by EZproxy itself. Vendors decide whether their sites are served over HTTP or HTTPS, so the URL and HJ lines in a stanza can be either, and EZproxy performs the HTTP/HTTPS translation between the browser and the vendor. Forcing all proxied traffic to HTTPS at the browser interferes with that translation. Self-hosted sites are free to add an HSTS header to their EZproxy domain, but once that header carries includeSubDomains, browsers that have cached it upgrade every proxied hostname beneath the EZproxy domain to HTTPS as well, and every HTTP-only resource then produces the errors above. We can offer the following solutions to those sites:
- Check whether the EZproxy domain sends an HSTS header (for example with https://gf.dev/hsts-test, or by requesting the EZproxy URL with curl -sI and looking for a Strict-Transport-Security line). Ask them to remove the "includeSubDomains" option from the Strict-Transport-Security header. The policy then applies only to the EZproxy hostname itself, and the proxied hostnames beneath it may continue to use HTTP. Be aware that browsers which already cached the directive keep enforcing it until the cached max-age expires or the entry is deleted (chrome://net-internals/#hsts has a "Delete domain security policies" field); serving the header with max-age=0 tells returning browsers to drop the cached policy.
- Change all the links to HTTPS, everywhere they appear: WC Discovery (WorldCat Discovery), the online library page, and the stanzas in config.txt.
- Some resources, such as Brepolis, do not support HTTPS at all. For those, a ProxyHostnameEdit line that rewrites the vendor hostname into the dashed form (the same form EZproxy uses for HTTPS resources, so that a wildcard certificate for the EZproxy domain covers it) may fix the issue:
ProxyHostnameEdit apps.brepolis.net$ apps-brepolis-net
Refer to https://help-nl.oclc.org/Library_Management/EZproxy/Configure_resources/ProxyHostnameEdit for more information.
If any resources in your EZproxy configuration are still accessible only via HTTP, do not use the "includeSubDomains" option; otherwise those resources will no longer be reachable through your EZproxy.
To enable the header without includeSubDomains, add this to your config.txt (max-age=31536000 is one year) and restart EZproxy:
HTTPHeader -server Strict-Transport-Security "max-age=31536000"
If you are sure that you have no more HTTP-only resources, and won't add any in the future, you can add "includeSubDomains". Treat this as a one-way change: every browser that receives it will refuse HTTP for all subdomains of the EZproxy domain for the full max-age.
HTTPHeader -server Strict-Transport-Security "max-age=31536000; includeSubDomains"
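The following Python script is an added example, not EZproxy code and not part of OCLC's documentation. It ties together the two checks on this page: it parses a Strict-Transport-Security header (as printed by curl -sI), decides whether a browser holding that policy would force a proxied hostname to HTTPS, and then tests the resulting hostname against a wildcard certificate, which is why the default dotted hostname fails with NET::ERR_CERT_COMMON_NAME_INVALID while the ProxyHostnameEdit dashed form works. The hostnames, the sample response and the certificate name are constructed placeholders; it assumes the default proxy-by-hostname form for an HTTP resource is the vendor host prefixed, dots intact, to the EZproxy domain, and it models ProxyHostnameEdit only as the "find$ replace" suffix rewrite shown above.

```python
"""Model of the HSTS + proxy-by-hostname interaction (added example)."""

EZPROXY_HOST = "ezproxy.example.edu"      # constructed placeholder
CHROME_ERROR = "NET::ERR_CERT_COMMON_NAME_INVALID"

# Constructed sample of what `curl -sI https://ezproxy.example.edu/` might
# print for a site that enabled HSTS with includeSubDomains.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: EZproxy
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html; charset=UTF-8
"""


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797). Directive names
    are case-insensitive and empty directives (a trailing ';') are allowed,
    so 'max-age=31536000;includeSubDomains;' parses cleanly."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer: %r" % arg)
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age is required in an HSTS header")
    return policy


def hsts_from_response(raw_headers):
    """Parsed HSTS policy from raw response headers, or None when the
    header is absent (the EZproxy domain is then not HSTS-enabled)."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def browser_upgrades(host, hsts_host, policy):
    """Would a browser that cached `policy` for hsts_host rewrite http://host
    to https://host? includeSubDomains covers subdomains at any depth."""
    host, hsts_host = host.lower(), hsts_host.lower()
    if host == hsts_host:
        return True
    return policy["include_subdomains"] and host.endswith("." + hsts_host)


def wildcard_matches(cert_name, host):
    """Certificate name matching as browsers do it (RFC 6125): '*' stands
    for exactly one DNS label, so *.ezproxy.example.edu covers
    apps-brepolis-net.ezproxy.example.edu but not the multi-label
    apps.brepolis.net.ezproxy.example.edu."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                      # ".ezproxy.example.edu"
    if not host.endswith(suffix):
        return False
    leftmost = host[: len(host) - len(suffix)]
    return bool(leftmost) and "." not in leftmost


def proxied_hostname(vendor_host, ezproxy_host, hostname_edit=None):
    """Hostname handed to the browser for an HTTP resource under
    proxy-by-hostname (assumption: vendor host prefixed with dots intact).
    hostname_edit is a (find, replace) pair modelling
    'ProxyHostnameEdit find$ replace': the '$' anchors find to the end of
    the vendor host and that tail is replaced before prefixing."""
    prefix = vendor_host
    if hostname_edit:
        find, replace = hostname_edit
        stem = find[:-1] if find.endswith("$") else find
        if find.endswith("$") and vendor_host.endswith(stem):
            prefix = vendor_host[: len(vendor_host) - len(stem)] + replace
    return prefix + "." + ezproxy_host


def outcome(vendor_host, ezproxy_host, policy, hostname_edit=None):
    """(proxied host, status) for an http:// link followed through the proxy:
    'http' (no upgrade), 'https-ok', or 'cert-mismatch' (Chrome shows
    CHROME_ERROR because the wildcard certificate does not cover the name)."""
    host = proxied_hostname(vendor_host, ezproxy_host, hostname_edit)
    if not browser_upgrades(host, ezproxy_host, policy):
        return host, "http"
    if wildcard_matches("*." + ezproxy_host, host):
        return host, "https-ok"
    return host, "cert-mismatch"


if __name__ == "__main__":
    cached = hsts_from_response(SAMPLE_RESPONSE)
    print("HSTS policy cached for", EZPROXY_HOST, "->", cached)
    for label, edit, pol in [
        ("default hostname, includeSubDomains", None, cached),
        ("ProxyHostnameEdit to dashed form", ("apps.brepolis.net$", "apps-brepolis-net"), cached),
        ("header without includeSubDomains", None, parse_hsts("max-age=31536000")),
    ]:
        host, status = outcome("apps.brepolis.net", EZPROXY_HOST, pol, edit)
        print("%-36s %-42s %s" % (label, host, CHROME_ERROR if status == "cert-mismatch" else status))
```

Running it prints the cached policy and three rows: the dotted default hostname is upgraded and fails certificate matching, the dashed hostname produced by the ProxyHostnameEdit line is upgraded and matches, and a header without includeSubDomains leaves the proxied hostname on HTTP. Pipe real `curl -sI` output into hsts_from_response to check an actual EZproxy domain.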