Release Date: 6 February 2024
EZproxy version 7.3 is an incremental release designed to improve the security of EZproxy and provide new functionality.
New features and enhancements
- Added Wiley to the pseudonymous identifier.
- Updated EZproxy to OpenSSL 3.0.11t. OpenSSL 3.0 is the LTS (Long Term Support) release series.
- Email notifications for security rules will now display the EZproxy server name. This will allow institutions that run multiple EZproxy servers to understand which server is sending the email notification.
- The CookieFilter directive has been enhanced to allow more granular control over which cookies are passed to a website. The directive has been modified as follows:
The original directive applied globally once placed in config.txt. Its syntax has been modified for clarity:
CookieFilter -global -block name
Three additional forms have been introduced to allow more granular control of cookies:
CookieFilter -global -forward name
Instructs EZproxy to forward the named cookie to all proxied websites with stanzas in the config.
CookieFilter -block name
Position dependent and repeatable. Affects only the resource that it is placed around. A wildcard can be used to block all cookies.
CookieFilter -forward name
Position dependent and repeatable. Affects only the resource that it is placed around. A wildcard can be used to match all cookies.
- LDAP now supports StartTLS, which upgrades a plain ldap:// connection to TLS so that secure and plain requests can be carried to an LDAP server over a single connection.
The following can be added to the LDAP block in the user.txt file to enable or disable StartTLS. It should appear above the URL directive:
StartTLS [enabled or disabled]
When using ldap:// URLs with StartTLS:
disabled – EZproxy will not attempt to negotiate TLS; the bind and search traffic stays on the unencrypted connection.
enabled – EZproxy will attempt to negotiate TLS over the connection and will block authentication if negotiation fails.
When using ldaps:// URLs the StartTLS directive is ignored by EZproxy, because the connection is TLS from the start.
For more details, please review the LDAP documentation.
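An added example of a user.txt LDAP block with StartTLS enabled; it is not from the release notes. The directory hostname, base DN, bind account and password are placeholders, and the `::LDAP` / `/LDAP` delimiters and BindUser/BindPassword directives are assumed to follow the standard EZproxy LDAP block syntax.

```text
# user.txt (added example, not from the release notes)
::LDAP
# StartTLS must come before URL. With "enabled" EZproxy upgrades the ldap://
# connection to TLS before binding and refuses to authenticate if the upgrade fails.
StartTLS enabled
URL ldap://ldap.example.edu/ou=people,dc=example,dc=edu?uid?sub?(objectClass=person)
# Placeholder service account used for the initial bind
BindUser cn=ezproxy,ou=services,dc=example,dc=edu
BindPassword changeme
IfUnauthenticated; Stop
/LDAP
```

Use `StartTLS enabled` rather than `disabled` with ldap:// URLs so that a directory that cannot negotiate TLS fails closed instead of silently accepting credentials in the clear. If the URL is later switched to ldaps://, the StartTLS line becomes a no-op and can be removed.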
- The following directives now support comma-separated entries. Directives marked with * appear on the extended status page, where each value appears as a separate line:
ExcludeIP 192.168.1.1-192.168.1.10, 192.168.2.1-192.168.2.10
RedirectSafe example.org, other.org
- Resolved an issue with the security database migration command that caused slow startup.
- Resolved an issue where EZproxy was not cleaning up temporary files that are created when EZproxy retrieves SAML metadata from a URL. If there is a failure retrieving the metadata, EZproxy may leave a temporary file named xl####.xml behind during each failure. EZproxy now cleans up these files.
- Resolved a bug that could cause EZproxy hosted on Linux to crash. Previously, if there were no logged-in users and a specific URL was used to access the server, EZproxy would become unresponsive. This has been resolved.
- Remedied a vulnerability where EZproxy session identifiers were previously included in the URLs presented in tables on the EZproxy admin status page. These values have been randomized to prevent identifying a user's specific session.
Potential for rules to trip if a site uses Shibboleth authentication and usernames are not set in shibuser.txt.
If the EZproxy session variable login:loguser is not set in shibuser.txt, the default username for all users authenticating via SAML becomes "shibboleth". Because security rules are evaluated at the username level, false trips of rules may occur.
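An added example of a shibuser.txt line that avoids the shared "shibboleth" username; it is not from the release notes. It assumes the identity provider releases eduPersonPrincipalName (OID 1.3.6.1.4.1.5923.1.1.1.6) and that the attribute is exposed to shibuser.txt as an auth: variable under that OID, as in EZproxy's Shibboleth documentation.

```text
# shibuser.txt (added example, not from the release notes)
# Map the user's unique SAML identifier to login:loguser so that security rules
# evaluate per user instead of treating every SAML login as "shibboleth".
Set login:loguser = auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6
```

After the change, check the admin status page: SAML sessions should show individual usernames rather than a single "shibboleth" entry. If the identity provider does not release eduPersonPrincipalName, substitute another attribute that is unique per user.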
Rules with longer watch periods will consume more disk space.
Watch periods of 60 minutes or longer consume more disk space in the /security directory, where the required evidence is stored in the security database. Please monitor disk usage in the /security directory.
Some of the default rules in EZproxy 7.1 contain monitoring periods longer than 60 minutes. If you have disk space constraints, consider commenting out those rules.