Skip to main content
OCLC Support

EZproxy server file permissions

The following files can be used to secure your EZproxy server by assigning specific permissions and including the given configurations.

Before getting started

  • “EZproxy Server User” – the username you use to run EZproxy on your server (Windows, Linux, Solaris)
    • Don’t install as root (Linux & Solaris), no root owned files
    • Don’t install as administrator (Windows)
  • Use RunAs config.txt statement on Linux and Solaris if you must bind to reserved IP ports like 80 or 443

Limit access

General rule: Only the EZproxy Server User should have read/write access to all of the following files and directories; no other access.

Install Directory

Where you installed EZproxy, where the EZproxy binary/executable file is located

  1. ezproxy-linux.bin (Linux)
  2. ezproxy-solaris.bin (Solaris)
  3. ezproxy-windows.exe (Windows)

Other files

  1. messages.txt (EZproxy log file)
  2. user.txt (authentication definitions)
    • Minimize the number of EZproxy admin users
    • If this file is compromised, you most likely will have to change your EZproxy passwords
  3. config.txt (configure database stanzas and other)
  4. ezproxy.log (web access log)
    • Keep for at least 6 months
    • You can define log rotation via LogFile statement

audit directory

Subdirectory where EZproxy audit files are stored

  • Use at least Audit Most configuration
  • Private information is recorded in these files (usernames, login date/time/IP address, etc.)
  • Keep for at least 6 months - set by Audit Purge
  • info.usr will allow you to customize audit events in user.txt using Common conditions and actions
    • Example: IfCountry AS; Audit Denied Non-US Access; Deny - NoAudit deny.htm
    • To use this rule, the Location directive must be enabled so EZproxy can identify the user's country based on their IP addresses. This rule would have the following impact:
      Condition/Action Result
      IfCountry AS; If a user is coming from the country "AS" determined by their IP address
      Audit Denied Non-US Access; Record the username in the audit log with the message "Denied Non-US Access" in the "Other" column of the audit table
      Deny-NoAudit Deny access to the user, but do not add this to the table (the action above allows you to add a more specific message to identify why the user was denied access)
      deny.htm Send the user the deny.htm file saved in your EZproxy directory

      Sample Audit file data can be viewed at /Audit.

SSL directory

Subdirectory where EZproxy certificate files are kept

  • If the keys in this directory are compromised, your certificates must be replaced

docs directory and its subdirectories

Subdirectory where EZproxy html pages (login, logout, etc) are kept

 Note: Only EZproxy Server User should have read/write access to these files; others can have read access.

  • Was this article helpful?