EZproxy server file permissions

Last updated
Save as PDF

The following files can be used to secure your EZproxy server by assigning specific permissions and including the given configurations.

Before getting started

“EZproxy Server User” – the username you use to run EZproxy on your server (Windows, Linux)
- Don’t install as root (Linux), no root owned files
- Don’t install as administrator (Windows)
Use RunAs config.txt statement on Linux if you must bind to reserved IP ports like 80 or 443

Limit access

General rule: Only the EZproxy Server User should have read/write access to all of the following files and directories; no other access.

Install Directory

Where you installed EZproxy, where the EZproxy binary/executable file is located

ezproxy-linux.bin (Linux)
ezproxy-windows.exe (Windows)

Other files

messages.txt (EZproxy log file)
- Keep for at least 6 months
- You can define log rotation naming via MessagesFile statement (see the messages.txt tab under Log Files)
user.txt (authentication definitions)
- Minimize the number of EZproxy admin users
- If this file is compromised, you most likely will have to change your EZproxy passwords
config.txt (configure database stanzas and other)
- Consider using source control software to maintain a history of these files
ezproxy.log (web access log)
- Keep for at least 6 months
- You can define log rotation via LogFile statement

audit directory

Subdirectory where EZproxy audit files are stored

Use at least Audit Most configuration
Private information is recorded in these files (usernames, login date/time/IP address, etc.)
Keep for at least 6 months - set by Audit Purge

info.usr will allow you to customize audit events in user.txt using Common conditions and actions

Example: IfCountry AS; Audit Denied Non-US Access; Deny - NoAudit deny.htm

To use this rule, the Location directive must be enabled so EZproxy can identify the user's country based on their IP addresses. This rule would have the following impact:

Condition/Action	Result
IfCountry AS;	If a user is coming from the country "AS" determined by their IP address
Audit Denied Non-US Access;	Record the username in the audit log with the message "Denied Non-US Access" in the "Other" column of the audit table
Deny-NoAudit	Deny access to the user, but do not add this to the table (the action above allows you to add a more specific message to identify why the user was denied access)
deny.htm	Send the user the deny.htm file saved in your EZproxy directory

Sample Audit file data can be viewed at /Audit.

SSL directory

Subdirectory where EZproxy certificate files are kept

If the keys in this directory are compromised, your certificates must be replaced

docs directory and its subdirectories

Subdirectory where EZproxy html pages (login, logout, etc) are kept

Note: Only EZproxy Server User should have read/write access to these files; others can have read access.