Release Date: May 17, 2022
EZproxy version 7.2 expands the capabilities of the previously released security features to allow real-time notifications for alert events. This release includes the following features:
EZproxy released new security rules in v7.1. These added many new capabilities for automating the security of the EZproxy server and created new events to monitor. With EZproxy v7.2, we are introducing real-time email alerts for security rule events. This new capability allows EZproxy administrators to stay informed about security events without logging in to the EZproxy administration interface. The new email feature will:
EZproxy’s security rules provide a robust tool for mitigating compromised credentials. The new real-time email feature makes it easier to monitor security rule alert events, further allowing organizations to proactively mitigate potential issues.
Additional security rules have been introduced in v7.2 to allow better management of user sessions and user logins.
To add these new rules, edit or create a file called 000-default.txt in the security folder.
The status screen has been updated. The new interface provides a view that allows you to end all sessions for a user in one place.
Users can log in multiple times, which creates multiple sessions for the same user. Previously, to terminate all sessions for a single user, each session had to be selected from the table and terminated manually, one at a time. This process often required scanning a large table for the repeated username.
The pseudonymous identifier has been enhanced with the following changes:
OpenSSL v1.1.1o is included in the latest version of EZproxy. This latest version of OpenSSL provides various security improvements and bug fixes.
EZproxy 7.2 tightened the TLS security requirements for incoming connections from browsers and outgoing connections to content providers. TLS 1.2 or above is now required by default in both directions.
Inbound connections from browsers support ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-RSA-AES128-GCM-SHA256.
Outbound connections to content providers default to a more tolerant configuration of ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4. This change avoids breaking connectivity to content providers that may not yet have raised their minimum standards to EZproxy's new inbound default.
The outbound requirements can be increased to match the new inbound default with the directive:
SSLCipherSuite -outbound ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
Although this should no longer be necessary, if TLS 1.1 is required in either direction, it can be enabled with either or both of these directives:
SSLOpenSSLConfCmd -inbound MinProtocol TLSv1.1
SSLOpenSSLConfCmd -outbound MinProtocol TLSv1.1
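As an added example (not EZproxy's own code), the following script audits the TLS directives in a config.txt fragment against the 7.2 defaults described above: TLS 1.2 minimum in both directions, the two ECDHE-RSA GCM suites inbound, and the tolerant cipher list outbound. It assumes the directive syntax shown in these notes (SSLCipherSuite -inbound|-outbound <cipher-list> and SSLOpenSSLConfCmd -inbound|-outbound MinProtocol <version>), assumes that lines beginning with # are comments, and uses constructed config fragments rather than any real site's configuration.

```python
"""Audit EZproxy TLS directives in a config.txt fragment against the 7.2 defaults.

Added example, not EZproxy's own code. Assumed directive syntax (from the
7.2 release notes):
    SSLCipherSuite -inbound|-outbound <openssl-cipher-list>
    SSLOpenSSLConfCmd -inbound|-outbound MinProtocol <version>
Lines starting with '#' are treated as comments (assumption).
"""
from dataclasses import dataclass, field

# Ordering used to decide whether a MinProtocol setting is below TLS 1.2.
PROTOCOL_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# 7.2 inbound default and the tolerant outbound default, as given in the notes.
STRONG_SUITES = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
TOLERANT_OUTBOUND = "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4"
# Negated aliases the tolerant default relies on; dropping any of them weakens it.
EXPECTED_EXCLUSIONS = {"!EXPORT", "!LOW", "!aNULL", "!eNULL", "!SSLv2", "!RC4"}


@dataclass
class TlsPolicy:
    """Effective policy per direction, starting from the 7.2 defaults."""
    min_protocol: dict = field(
        default_factory=lambda: {"inbound": "TLSv1.2", "outbound": "TLSv1.2"})
    cipher_suite: dict = field(
        default_factory=lambda: {"inbound": STRONG_SUITES, "outbound": TOLERANT_OUTBOUND})


def parse_config(text):
    """Apply the TLS directives found in a config.txt fragment to the defaults."""
    policy = TlsPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        name = parts[0].lower()
        if len(parts) >= 3 and parts[1] in ("-inbound", "-outbound"):
            direction = parts[1][1:]
            if name == "sslciphersuite":
                policy.cipher_suite[direction] = parts[2]
            elif name == "sslopensslconfcmd" and len(parts) >= 4 and parts[2] == "MinProtocol":
                policy.min_protocol[direction] = parts[3]
    return policy


def audit(policy):
    """Return WARN/INFO findings where the policy is weaker than the 7.2 defaults."""
    findings = []
    for direction in ("inbound", "outbound"):
        proto = policy.min_protocol[direction]
        if PROTOCOL_ORDER.get(proto, -1) < PROTOCOL_ORDER["TLSv1.2"]:
            findings.append(f"WARN {direction}: MinProtocol {proto} is below the 7.2 default of TLSv1.2")
    # Inbound: anything beyond the two default suites is a deliberate widening.
    extra = set(policy.cipher_suite["inbound"].split(":")) - set(STRONG_SUITES.split(":"))
    if extra:
        findings.append("WARN inbound: cipher list adds suites beyond the 7.2 default: "
                        + ", ".join(sorted(extra)))
    # Outbound: strong list is ideal; tolerant default is acceptable; anything
    # that drops one of the expected exclusions is a regression.
    outbound = policy.cipher_suite["outbound"].split(":")
    if outbound != STRONG_SUITES.split(":"):
        missing = EXPECTED_EXCLUSIONS - set(outbound)
        if missing:
            findings.append("WARN outbound: cipher list no longer excludes "
                            + ", ".join(sorted(missing)))
        else:
            findings.append("INFO outbound: tolerant default in use; raise it with "
                            f"'SSLCipherSuite -outbound {STRONG_SUITES}' once content providers allow")
    return findings


# Constructed config.txt fragments for the example (not from any real site).
WEAK_CONFIG = """\
# TLS 1.1 re-enabled inbound and !RC4 dropped from the outbound list
Name EZproxy Test
SSLOpenSSLConfCmd -inbound MinProtocol TLSv1.1
SSLCipherSuite -outbound ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2
"""

HARDENED_CONFIG = """\
# outbound raised to match the 7.2 inbound default
SSLCipherSuite -outbound ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit(parse_config(cfg)) or ["OK no findings"]:
            print("  " + finding)
```

Run against a real config.txt, the script reports only deviations from the 7.2 defaults, so a fresh install prints a single INFO line for the tolerant outbound list and nothing else; a WARN line means a directive has lowered the protocol floor or widened a cipher list relative to the release defaults.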
Accessibility improvements to EZproxy’s administration pages include:
EZproxy has been updated to adhere to the SAML specification more closely. Two changes have been made:
In v6.6.2 the functionality of the HTTPheader directive was extended with the addition of the server flag. The intent was to allow EZproxy to pass a header only for pages that EZproxy serves itself (i.e., login.htm, loginbu.htm, menu.htm, etc.).
The implementation in v6.6.2 through v7.1 erroneously passed the header along with content that EZproxy proxied as well. This has been corrected in this version. More detail can be found here.
ExcludeIP will now use a 302 redirect instead of a 301 redirect.
The latest version of EZproxy now uses AllowIP instead of WhitelistIP. WhitelistIP will continue to work for compatibility. View the updated AllowIP documentation for more information.
If the EZproxy session variables login:loguser and login:user are not set in shibuser.txt, then the default username for all users using SAML authentication becomes “shibboleth.” Because rules are tripped at the username level, false trips of rules may occur.
Watch periods of 60 minutes or longer will consume more disk space in the /security directory to store the required evidence in the security database. Please monitor the disk usage of the /security directory.
Some of the default rules in EZproxy 7.1 contain monitoring periods longer than 60 minutes. If you have disk space constraints, consider commenting out those rules.
Support information for this product and related products can be found at: