HSTS and EZproxy
Symptom
- 401 Unauthorized error
- You are getting NET:ERR_CERT_Common_name_invalid on all databases that have HTTP links. Refer to the screenshot:
Applies to
- Sites that have enabled HSTS on their EZproxy domain. How to check if the site has enabled HSTS:
- In order to verify that paste the proxy prefix in chrome://net-internals/#hsts
- Input a domain name to query the current HSTS/PKP set:
- Click on query
- If you get "Found" followed by output then this test verifies that the site is using HSTS.
Resolution
HSTS is not supported by EZproxy. EZproxy works with vendors who have the right to keep their sites secure or unsecured. The URL and the HJ lines in the stanzas can be HTTP or HTTPS. Forcing traffic as HTTPS through a proxy can create issues as EZproxy is already handling the HTTP-HTTPS translations. Self-hosted sites have the liberty to enable HSTS on their EZproxy domain and when they do that they get error messages on all the HTTP websites. We can offer the following solutions to those sites:
- Check for the HSTS header present in the EZproxy domain (https://gf.dev/hsts-test). Ask them to remove the "includeSubDomains" option from the Strict-Transport-Security header. That way, the EZproxy domain would be allowed to continue using HTTP.
- Ask the user to change all the links to HTTPS (they have to change these links everywhere including WC Discovery, the online library page, and config.txt)
- There are some resources like Brepolis that will not support HTTPS. In that case, a line like this might help to fix the issue:
ProxyHostnameEdit apps.brepolis.net$ apps.brepolis.net
Refer to: https://help.oclc.org/Library_Management/EZproxy/Configure_resources/ProxyHostnameEdit for more information.