EZproxy configuration

ezproxy-alpha.prod.nor.internal 10.254.210.73

 

Stakeholders

  • OU Student, Staff, and Faculty researchers all potentially make use of EZproxy.

  • DAD is the primary EZproxy application owner.

  • CID supports DAD by managing the OS level, the EZproxy install, and some related systems and services. CID will work through DAD for configuration changes inside the EZproxy application, including changes required for our CAS and ILLiad integrations.

Installation

Service files reside in /srv/ezproxy.

The IP address 129.15.14.45 is used for IP-based authentication with our vendors and must be maintained.

The systemd service definition is provided by the legacy init script at /etc/rc.d/init.d/ezproxy.

SSL

The key is imported into the EZproxy app.

https://oulibraries.atlassian.net/l/c/oyJ07R16

https://oulibraries.atlassian.net/l/c/aS3Fkduq

OCLC WSkey Information

With locally-hosted EZproxy installations like ours, OCLC requires a WSkey when performing fresh installations.

 

If we feel that our WSkey information has been compromised, ask someone with OCLC profile privileges for our site to initiate a key reissue at https://platform.worldcat.org/wskey/. Fred Reiss currently manages OCLC accounts for various personnel and can perform this task.

Log Rotation & Permissions

We’re currently keeping 30 days’ worth of log files in /srv/ezproxy/log.

These are rotated by a script at /srv/ezproxy/bin/ezproxy-log-rotate.sh, managed in cron.

EZproxy creates logs as user “ezproxy”, so we also have a permissions script that can be run on an ad hoc basis to allow access to those files by application administrators. This lives at /srv/ezproxy/bin/ezproxy-log-perms.sh and is run when access to the files is needed.
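
An added example, not one of the scripts named above: a shell function that checks a log directory against the 30-day retention and the “ezproxy” ownership described in this section. The function name and finding labels are hypothetical, and flagging world-readable files assumes that administrator access is meant to be granted by group rather than to every local account.

```shell
#!/bin/sh
# Added example (not the site's own script): audit an EZproxy log directory.
# Defaults mirror the values stated on this page; names are hypothetical.
#
# audit_ezproxy_logs [DIR] [MAX_AGE_DAYS] [OWNER]
# Prints one finding per line:
#   STALE <file>           older than the retention window (rotation not running?)
#   WORLD_READABLE <file>  readable by "other" (assumption: access should be by group)
#   OWNER <file>           not owned by the expected service account
# Returns 0 when clean, 1 when findings were printed, 2 when DIR is missing.
audit_ezproxy_logs() {
    dir=${1:-/srv/ezproxy/log}
    max_age=${2:-30}
    owner=${3:-ezproxy}

    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    findings=$(
        # -mtime +N matches files last modified more than N whole days ago.
        find "$dir" -type f -mtime +"$max_age" | sed 's/^/STALE /'
        # -perm -004 matches files whose "other" read bit is set.
        find "$dir" -type f -perm -004 | sed 's/^/WORLD_READABLE /'
        # OWNER may be a user name or a numeric uid.
        find "$dir" -type f ! -user "$owner" | sed 's/^/OWNER /'
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Usage, e.g. from a cron job that mails any output:
#   audit_ezproxy_logs /srv/ezproxy/log 30 ezproxy
```

A STALE finding points at the rotation cron job, while WORLD_READABLE or OWNER findings point at the permissions script or a manual change.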

Firewall

Since this IP is exposed to the outside world, we’re running a basic iptables firewall config to prevent access on unauthorized ports. The configured rules shouldn’t impact the EZproxy service since we accept all incoming HTTP and HTTPS traffic.

EZproxy + CAS

EZproxy relies on CAS for authentication.

https://oulibraries.atlassian.net/l/c/N8iZ1RH2

EZproxy + ILLiad

ILLiad relies on EZproxy for authentication. The current authentication method matches recommendations/specifications from OCLC in their ILLiad and EZproxy documentation.

 

https://help.oclc.org/Resource_Sharing/ILLiad/Get_started/Integrate_ILLiad_with_your_local_authentication_system_via_EZproxy

Lean Library SFTP

Used to allow Lean Library to populate an up-to-date list of our proxied resources.

See https://oulibraries.atlassian.net/l/c/7X2BEn8A for details.

 

Chrony and ESXi Time Synchronization settings

Time synchronization in EZproxy-alpha is managed via Chrony following the configuration outlined here, in which time synchronization for is disabled in VMware to prevent conflicts between services.

The Chrony configuration file and logs may be found in the following locations.

/etc/chrony.conf
/var/log/chrony/