SSL configuration

The translation on this website may be generated by machine translation. The quality and accuracy of machine translation can vary significantly from one text to another. Read the page in original English here.

In order for EZproxy to give remote users access to resources with secure URLs, you must obtain, install, and configure an SSL Certificate.

Overview

Secure URLs begin with https instead of http. For example, a URL that would require an SSL certificate and configuration in EZproxy would look like this:

https://www.researchdb.com 

If you have any resources with URLs beginning with https, you will need to configure EZproxy to run with an SSL Certificate.

This page will guide you through the steps required to create an SSL certificate and activate it for use by EZproxy.

OpenSSL

These features of EZproxy use the OpenSSL Toolkit. The EZproxy program files contain the OpenSSL routines required by EZproxy; no separate library files need to be downloaded to provide this functionality.

Certificate renewal

If you are already using an SSL certificate with EZproxy and need to renew that certificate, refer to SSL Certificate Renewal for more information.

Watch a video

Using an SSL Certificate with EZproxy

Run time: 11:24

This video will help you understand SSL Certificates and your options for choosing what kind of SSL Certificate to use with EZproxy.

Choose your certificate

EZproxy allows you to generate self-signed certificates or to request certificates from a certificate authority such as VeriSign, Thawte, etc. You must decide whether you want to use a self-signed certificate or purchase a certificate from a certificate authority.

• A self-signed certificate is free, but will cause a browser warning when people access your EZproxy server. Users can choose to ignore the browser warning and move on to the resource.
• A certificate purchased from a Certificate Signing Authority will allow a user to access https URLs without browser warnings.

You must also determine whether to use a wildcard certificate.

• If you are using Proxy by Port, you do not need a wildcard certificate.
• If you are using Proxy by Hostname, a wildcard certificate will ensure your users do not see browser warnings during login or when proxying https web sites.

For more information on differences in browser behavior, consult SSL Certificate Options.

If you purchase a certificate, make certain that you are backing up your EZproxy installation, and particularly the ssl subdirectory because if you lose these files, you may have to pay to replace the certificate.

Clean up config.txt

Before you begin configuration, you will need to clean up config.txt.

Check config.txt to see if it contains the following directive:

Option IgnoreWildcardCertificate 

someuser:somepass:admin

Configure

The following instructions explain how to configure EZproxy to enable https support. In all of these examples, in any location where http://ezproxy.yourlib:2048 appears, you should substitute your own EZproxy server name and port.

If you are using proxy by hostname, or if you are using proxy by port and want to use https to encrypt user login processing, edit config.txt and add the line:

LoginPortSSL 443

443 is the preferred number as this is the standard port for use with https. If you already have a secure web server running on the same system as EZproxy, it will already be using port 443. In this case, you will need to either set up two separate IP addresses on your server, or you will need to pick an alternate number such as:

LoginPortSSL 2443

http://ezproxy.yourlib.org:2048/admin

1. Country: your two-letter country code
2. State or Province: your unabbreviated state or province (e.g. Ohio, not OH)
3. Organization: your organization
4. Administrator email: your email address

Wildcard Certificates and EZproxy V6.1 and Later

If EZproxy is configured to Proxy by Hostname and you are running EZproxy V6.1 or later, you will also see the following options.

• Certificate name: The name that will appear in the CN field of your certificate.
• Subject Alternate Name: The name(s) that will appear in the SAN field of your certificate.

The options you select in these fields will depend upon the requirements of your Certificate Signing Authority (CSA). For details about these fields and other optional fields, refer to your certificate authority's documentation. If your CSA requires you to enter your server's wildcard name in the SAN field, you must be running EZproxy V6.1 or later.

If you are generating a self-signed certificate, you can select any combination of entries for these fields because all self-signed certificates generate browser warnings.

Wildcard Certificates and EZproxy V6.0.8 and Earlier

If you are using EZproxy V6.0.8 or earlier, EZproxy will not use the SAN field when looking for domains. Your certificate must contain the following:

• Certificate name: Must be a wildcard entry containing "*.", for example, *.ezproxy.college.edu
• Subject Alternate Name: Must contain the non-wildcard domain, for example, if the wildcard domain looks as above, the SAN must be ezproxy.college.edu

All EZproxy URLs that are in websites or publicized to users must use the following syntax: http://ezproxy.college.edu/login?url=http://www.somedb.com

1. If you have decided to create a self-signed certificate, click Self-Signed Certificate. Once you see the Certificate Details page, skip to step 11.
2. If you have decided to purchase a certificate, click Certificate Signing Request. You will be taken to a page with Certificate Signing Request (CSR) Details.
3. EZproxy will display a Certificate Signing Request (CSR), which is a block of lines that looks like this:

-----BEGIN CERTIFICATE REQUEST----- MIIBxTCCAS4CAQAwgYQxHjAcBgNVBAMUFSouZXpwcm94eS55b3VybGliLm9yZzEL MAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExGTAXBgNVBAoTEFVzZWZ1bCBV -----END CERTIFICATE REQUEST-----

-----BEGIN CERTIFICATE----- MIIF5jCCBU+gAwIBAgIDAJAYMA0GCSqGSIb3DQEBBQUAMIGjMQswCQYDVQQGEwJF zESMBAGA1UECBMJQkFSQ0VMT05BMRIwEAYDVQQHEwlCQVJDRUxPTkExGTAXBgNV -----END CERTIFICATE-----

In addition to the certificate for your server, the certificate authority may also provide intermediate or chained certificates. At this point, you should only be working with the certificate that has been issued for your server. Once you receive your certificate, return to the SSL management page and click on your certificate signing request. Paste in all of the lines from BEGIN CERTIFICATE through END CERTIFICATE from the Certificate Signing Authority, including all the hyphens, into the certificate box, and click Save. EZproxy should accept the certificate. If it does not accept the certificate, ensure that you are copying the certificate for your server and not an intermediate certificate, then try pasting and saving again. Two common mistakes that could prevent you from saving a certificate

• create a CSR
• submit this original to your certificate authority
• delete the original request
• receive the certificate from your authority
• recreate the request
• try to apply the certificate from the original request to the recreated request
• get an error

• create a CSR
• try to apply an existing certificate that was create outside of EZproxy to that newly created CSR
• get an error

Option ForceHTTPSLogin

1. Back to top
2. • Secure your EZproxy server
   • Secure your EZproxy server

Recommended articles

1. Article type Topic Content type Product documentation
2. Tags
   1. SSL