How do I use EZproxy in combination with the HTTPS-only web browser security setting

Symptom

The user attempts to access a Start Point URL with a HTTP-based destination URL such as:

https://ezproxy.abclib.org/login?url=http://www.sciencedb.com/journals

Depending on web browser security settings, this can lead to a security warning which differs per browser:

• Google Chrome:   www.sciencedb.com.ezproxy.abclib.org doesn't support a secure connection
• Firefox: Secure Site Not Available
• Edge: Your connection to this site isn't secure

And in the web browser address bar you will see a URL with dots instead dashes as follows:

www.sciencedb.com.ezproxy.abclib.org

Applies to

• EZproxy Hosted
• EZproxy Standalone

Resolutions

1) Adjust the HTTPS-only setting in your browser

Most modern web browsers have settings or features that will enforce the use of HTTPS for secure browsing. However, these settings are not compatible with EZproxy when addressing http in a Start Point URL:

1. Google Chrome: In Google Chrome, you may have enabled the HTTPS only feature, which automatically upgrades HTTP to HTTPS for websites that support it. You can find this setting by going to Chrome Settings > Privacy and Security > Security > Advanced > Always use secure connections
2. Mozilla Firefox: Firefox also has a feature called "HTTPS-Only Mode" that can be enabled to ensure that the browser always connects to websites using HTTPS. You can find this setting by going to Firefox Preferences > Privacy & Security > HTTPS-Only Mode.
3. Microsoft Edge: Microsoft Edge has a setting called "Always Use HTTPS" that you can enable to force the browser to use HTTPS whenever possible. You can find this setting by going to Edge Settings > Privacy, search, and services > Security > Always use secure connections.

Note: The location of these settings may differ between browser versions, and are sometimes managed at the organisation level
 

2) Adjust the destination in the Start Point URL from HTTP to HTTPS

For example:   https://ezproxy.abclib.org/login?url=https://www.sciencedb.com/journals

If your organisation browser policy settings require the HTTPS only mode to be enabled, then this is likely the best workaround.

Note: this will only work if the resource provider themselves support the https:// protocol. If your organisation policies dictate exclusive use of HTTPS, and the resource provider only supports HTTP then this would be an issue to raise with the resource provider.
 

3) Check for other 3rd party tools

In addition there are 3rd party tools and web browser plugins that can force the browser over to HTTPS. For example the "HTTPS Everywhere" browser plugin implements a security feature that forces websites to use a secure HTTPS connection whenever possible. When enabled, HTTPS Everywhere automatically switches the website URL from HTTP to HTTPS if it believes that the website supports it, since it's attempting to ensure a more secure browsing experience.
 

Additional information

EZproxy will usually re-write dots to dashes in the re-written hostname when accessing a secure site. It does this to ensure that the hostname is compatible with the EZproxy wildcard certificates (for example: *.ezproxy.abclib.org).

For example:

However, the HTTPS-only mode in modern browsers will force the browser onto the HTTPS protocol whenever it notices the user attempting to access a HTTP-based address. Therefore, in the "Non-Secure Site" example above the browser will intervene when it spots that the user is attempting to access:

     http://www.sciencedb.com.ezproxy.abclib.org/journals

And it will simpy change http:// to https:// which results in the following URL:

     https://www.sciencedb.com.ezproxy.abclib.org

However, this URL is not compatible with the EZproxy wildcard certificates (in this case: *.ezproxy.abclib.org) which therefore leads to the web browser security warning. 

The switch from HTTP to HTTPS is forcibly done by the web browser before EZproxy has any chance to intervene and instruct the browser to re-write the dots to dashes.

Page ID