EZproxy server file permissions
The following files can be used to secure your EZproxy server by assigning specific permissions and including the given configurations.
Before getting started
- “EZproxy Server User” – the username you use to run EZproxy on your server (Windows, Linux)
- Don’t install as root (Linux), no root owned files
- Don’t install as administrator (Windows)
- Use RunAs config.txt statement on Linux if you must bind to reserved IP ports like 80 or 443
Limit access
General rule: Only the EZproxy Server User should have read/write access to all of the following files and directories; no other access.
Install Directory
Where you installed EZproxy, where the EZproxy binary/executable file is located
- ezproxy-linux.bin (Linux)
- ezproxy-windows.exe (Windows)
Other files
- messages.txt (EZproxy log file)
- Keep for at least 6 months
- You can define log rotation naming via MessagesFile statement (see the messages.txt tab under Log Files)
- user.txt (authentication definitions)
- Minimize the number of EZproxy admin users
- If this file is compromised, you most likely will have to change your EZproxy passwords
- config.txt (configure database stanzas and other)
- Consider using source control software to maintain a history of these files
- ezproxy.log (web access log)
- Keep for at least 6 months
- You can define log rotation via LogFile statement
audit directory
Subdirectory where EZproxy audit files are stored
- Use at least Audit Most configuration
- Private information is recorded in these files (usernames, login date/time/IP address, etc.)
- Keep for at least 6 months - set by Audit Purge
- info.usr will allow you to customize audit events in user.txt using Common conditions and actions
- Example: IfCountry AS; Audit Denied Non-US Access; Deny - NoAudit deny.htm
- To use this rule, the Location directive must be enabled so EZproxy can identify the user's country based on their IP addresses. This rule would have the following impact:
Condition/Action Result IfCountry AS; If a user is coming from the country "AS" determined by their IP address Audit Denied Non-US Access; Record the username in the audit log with the message "Denied Non-US Access" in the "Other" column of the audit table Deny-NoAudit Deny access to the user, but do not add this to the table (the action above allows you to add a more specific message to identify why the user was denied access) deny.htm Send the user the deny.htm file saved in your EZproxy directory Sample Audit file data can be viewed at /Audit.
SSL directory
Subdirectory where EZproxy certificate files are kept
- If the keys in this directory are compromised, your certificates must be replaced
docs directory and its subdirectories
Subdirectory where EZproxy html pages (login, logout, etc) are kept
Note: Only EZproxy Server User should have read/write access to these files; others can have read access.