Chris Zagar | 1 Apr 2005 05:56

Re: Proxy by hostname and SSL

> Are you saying that if we use http://login.proxy.yourlib.org as our
> calling URL rather than http://proxy.yourlib.org/login the user will see
> fewer security alert screens?  This would make sense to me since the
> primary DNS entry *.proxy.yourlib.org has now been satisfied.

In proxy by hostname, you can use http://proxy.yourlib.org and 
http://login.proxy.yourlib.org interchangeably.

The difference appears when you use https, in which case you want to use 
https://proxy.yourlib.org if you are using a normal certificate, or 
https://login.proxy.yourlib.org with a wildcard certificate.

Chris

-- 
Chris Zagar <zagar <at> usefulutilities.com>
Useful Utilities <http://www.usefulutilities.com>

---
You are currently subscribed to ezproxy as: gee-ezproxy <at> gmane.org
To unsubscribe send a blank email to leave-ezproxy-58098R <at> ls.suny.edu

Chris Zagar | 1 Apr 2005 06:10

Re: Revisiting Transfer limits

> Quite a while back there was discussion regarding Transfer Limits being
> implemented starting about Ezproxy version 3.0.  Was this ever done and
> does it work? I believe it was going to be ip based. It would limit
> the amount of data that could be downloaded by an ip per day.

The new features were scheduled to go out in 3.2, but they ended up being 
held for inclusion in the next release.  If you are interested in 
participating in beta testing of these features, please contact me 
off-list.

Chris

-- 
Chris Zagar <zagar <at> usefulutilities.com>
Useful Utilities <http://www.usefulutilities.com>


Gordon Bertrand | 1 Apr 2005 11:04

Re: Proxy by hostname and SSL

Hi Chris,

Just so I understand these starting point URLs correctly...

Let's assume we're using proxy by hostname and want a secure login using 
SSL. If we're connecting to a site which doesn't require SSL support, 
would the starting point URL be:

http://login.ezproxy.yourlib.org?url=http://www.somedb.com/
OR
https://login.ezproxy.yourlib.org?url=http://www.somedb.com/

Conversely, if the site we were connecting to required SSL support what 
would the login URL look like?

I think I may be getting the EZProxy login process mixed up with the 
referred site's SSL requirements.

Thanks,
Gord.

Chris Zagar wrote:

>> Are you saying that if we use http://login.proxy.yourlib.org as our
>> calling URL rather than http://proxy.yourlib.org/login the user will see
>> fewer security alert screens?  This would make sense to me since the
>> primary DNS entry *.proxy.yourlib.org has now been satisfied.
> 
> 
> In proxy by hostname, you can use http://proxy.yourlib.org and 

Chris Zagar | 1 Apr 2005 07:10

Re: Proxy by hostname and SSL

> Just so I understand these starting point URLs correctly...
>
> Let's assume we're using proxy by hostname and want a secure login using SSL. 
> If we're connecting to a site which doesn't require SSL support, would the 
> starting point URL be:
>
> http://login.ezproxy.yourlib.org?url=http://www.somedb.com/
> OR
> https://login.ezproxy.yourlib.org?url=http://www.somedb.com/

My recommendation is that you match the protocol used for EZproxy with the 
protocol used for the remote database.  Assuming proxy by hostname, the 
preferred choices are:

http://ezproxy.yourlib.org/login?url=http://www.somedb.com/

https://login.ezproxy.yourlib.org/login?url=https://www.somedb.com/

The reason I suggest matching protocols is that it avoids a browser 
warning for your local users when EZproxy detects them and reroutes them 
to the real database URL.  You can use mismatched protocols, such as:

http://ezproxy.yourlib.org/login?url=https://www.somedb.com/
https://login.ezproxy.yourlib.org/login?url=http://www.somedb.com/

but this causes your local users to either get a security upgrade warning 
(first one) or a security downgrade warning (second choice).

Your remote users are more likely to run into a security upgrade or 
downgrade warning if they have to move through the login process.  You 

Gordon Bertrand | 1 Apr 2005 11:36

Re: Proxy by hostname and SSL

Thanks again Chris,

If I may, I have one more question before I pack it in for the evening 
out here on the east coast :)

If we match the protocol used for EZproxy with the protocol used for the 
remote database, will remote users always get a browser warning when 
moving through the logon process?

Gord.

Chris Zagar wrote:

> Your remote users are more likely to run into a security upgrade or
> downgrade warning if they have to move through the login process.  You 
> should test the remote scenario to see the relevant warnings.  None of 
> these prevent access.  It is a question of making choices that minimize 
> browser warnings, and deciding whether to favor local users or remote 
> users when minimizing those warnings.
> 
> Chris
> 


Chris Zagar | 1 Apr 2005 14:04

Re: Proxy by hostname and SSL

> If we match the protocol used for EZproxy with the protocol used for the 
> remote database, will remote users always get a browser warning when moving 
> through the logon process?

If you match the protocols in the starting point URL, remote users will 
still see browser warnings if:

1. The starting point URL uses http, the user has not yet authenticated,
    and you have "Option ForceHTTPSLogin" in ezproxy.cfg, since this
    option tells EZproxy to redirect to https before presenting the
    login page.  This warning is an http to https warning.

2. The starting point URL uses https, the user is going through the
    login process, has entered the right username/password, and the
    destination of the login form is https, either due to the upgraded
    scenario of (1) or the form action of the login form points to the
    secure version of EZproxy.  This warning is an https to http warning.

Note that these particular warnings are things that the user may have 
chosen to suppress in their browser settings, so even in these scenarios, 
the remote user may not actually see any browser warning at all.

Chris

-- 
Chris Zagar <zagar <at> usefulutilities.com>
Useful Utilities <http://www.usefulutilities.com>


Federica Zanardini | 4 Apr 2005 12:01

how many virtual hosts?

Hi everyone,

how many virtual hosts can ezproxy manage?

We have a large number of library databases and e-journals and the MV actually is set to 500 but it's not enough: is there a max limit that is better not to exceed (ex.1000 MV)? 
Are there hardware requirements of the server we have to respect in function of this number (CPU, RAM)?

Many thanks

Federica


--
Federica Zanardini

Divisione Coordinamento Biblioteche
Universita' degli Studi di Milano
Via G.Colombo,46 - 20133 Milano
Italy

Phone:+39-2-503-15218
Fax:+39-2-503-15278
mailto:Federica.zanardini <at> unimi.it
--------------------------------------------------------------

Chris Zagar | 4 Apr 2005 13:54

Re: how many virtual hosts?

> We have a large number of library databases and e-journals and the MV 
> actually is set to 500 but it's not enough: is there a max limit that is 
> better not to exceed (ex.1000 MV)?
> Are there hardware requirements of the server we have to respect in function 
> of this number (CPU, RAM)?

Having MaxVirtualHosts at 1000 is relatively common.  As this parameter 
increases, if you are using proxy by port, you may want to consider 
switching to proxy by hostname.  The use of proxy by hostname reduces the
amount of resources required to operate EZproxy.

Proxy by hostname configuration is discussed in:

 	http://www.usefulutilities.com/support/cfg/proxybyhostname.html

Chris

-- 
Chris Zagar <zagar <at> usefulutilities.com>
Useful Utilities <http://www.usefulutilities.com>


Chris Zagar | 4 Apr 2005 14:06

EZproxy 3.2b released

EZproxy 3.2b GA (2005-04-03) has been released.  Most sites that are using
EZproxy 3.2a will not need this update.

This release corrects an issue with EZproxy 3.2a that prevented referring 
URL authentication from working if the user was sent to EZproxy without a 
destination database (e.g. http://ezproxy.yourlib.org:2048/login would 
present the login page instead of the database menu page).

This update is available at:

 	http://www.usefulutilities.com/download/

Information on the changes in this and previous versions of EZproxy is 
available at:

 	http://www.usefulutilities.com/support/changes.html

Chris

-- 
Chris Zagar <zagar <at> usefulutilities.com>
Useful Utilities <http://www.usefulutilities.com>


Peter van Rees | 4 Apr 2005 21:47

how to use the IgnoreWildcardCertificate option?

Hello,

Due to users' requests, we've been trying to find ways to avoid the 
domain name mismatch warnings in IE6 and Firefox. We're using a trusted 
wildcard certificate from Entrust, and we're using SSL over port 443. 
We've upgraded to EZproxy 3.2a last weekend and I've added the line 
'Option IgnoreWildcardCertificate' somewhere at the start of 
ezproxy.cfg, but unfortunately users still experience the mismatch 
warnings in IE and in Firefox. Can anybody (Chris?) explain how this 
option exactly works?

FYI, our certificate applies to: *.server.proxy-ub.rug.nl
our proxied url's start with:  
http://server.proxy-ub.rug.nl/login?url=http://www.somehost.com

thanks in advance,
cheers, peter
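
An added example, not part of any post in this thread: a small checker for the starting point URL forms discussed above, covering both the http/https matching advice and the normal versus wildcard certificate hostname choice. The function names are hypothetical, and the wildcard rule is an assumption: `*` is treated as exactly one leftmost label, as in RFC 6125-style matching.

```python
from urllib.parse import urlsplit

def wildcard_match(pattern, host):
    """'*' is accepted only as the whole leftmost label and covers one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or not h[0]:
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def lint_starting_point(start_url, cert_names):
    """Return the browser warnings this starting point URL is expected to cause."""
    outer = urlsplit(start_url)
    # The target follows "url=" unencoded, so take the rest of the query whole
    # rather than letting a query parser cut it at the target's own "&".
    query = outer.query
    target = urlsplit(query[4:]) if query.startswith("url=") else None
    findings = []
    if target is None or target.scheme not in ("http", "https"):
        findings.append("no-target")
    elif outer.scheme == "http" and target.scheme == "https":
        findings.append("upgrade")      # http EZproxy -> https database
    elif outer.scheme == "https" and target.scheme == "http":
        findings.append("downgrade")    # https EZproxy -> http database
    host = outer.hostname or ""
    if outer.scheme == "https" and not any(
            wildcard_match(name, host) for name in cert_names):
        findings.append("name-mismatch")
    return findings

# Constructed sample inputs, using the placeholder hostnames from the thread.
WILDCARD = ["*.ezproxy.yourlib.org"]   # assumed wildcard certificate name
NORMAL = ["ezproxy.yourlib.org"]       # assumed normal certificate name
SAMPLES = [
    ("http://ezproxy.yourlib.org/login?url=http://www.somedb.com/", WILDCARD),
    ("https://login.ezproxy.yourlib.org/login?url=https://www.somedb.com/", WILDCARD),
    ("http://ezproxy.yourlib.org/login?url=https://www.somedb.com/", WILDCARD),
    ("https://login.ezproxy.yourlib.org/login?url=http://www.somedb.com/", WILDCARD),
    ("https://ezproxy.yourlib.org/login?url=https://www.somedb.com/", WILDCARD),
    ("https://ezproxy.yourlib.org/login?url=https://www.somedb.com/", NORMAL),
]

if __name__ == "__main__":
    for url, names in SAMPLES:
        print(url, names, lint_starting_point(url, names) or "ok")
```
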
