Intro

What is EZproxy?

EZproxy provides secure remote access to e-resources. Users authenticate and then they can access licensed online resources from off-campus.
     
PALS hosts and supports EZproxy for about 40 libraries in Minnesota. Most use LDAP authentication.

What is Needed?

Remember that there are three parts needed for a database to work with the proxy:
  1. A current stanza for the vendor in your config.txt file
  2. The vendor needs your proxy prefix and proxy IP address on their end
  3. A correctly constructed link

EZproxy Statistics

Links

Once EZproxy is set up, construct your links by putting your proxy prefix in front of the database link.

Your proxy prefix will look something like this:

https://testproxy.mnpals.net/login?url=

You can get the database links for the ELM databases here.

A good database link will look something like this:

https://testproxy.mnpals.net/login?url=https://search.ebscohost.com/login.aspx?authtype=ip,uid&profile=ehost&defaultdb=rzh

If you are sharing specific content such as an article or video, do not just grab the url from the address bar at the top of your browser. Look for a link in an area marked Share. It might also be called permalink or persistent link.

Remember that open access resources do not need to be proxied, so you would not include the proxy prefix for open access resources.

Tips for New Staff

  • If you add a database, please tell us via a ticket so we can add the stanza for you.
  • Being sure your links are right is probably your first priority.
  • If you do not have information to log in to the Admin interface of EZproxy, please put in a ticket.
  • The Troubleshooting tab of this guide has a bunch of suggestions. Checking the audit events and messages can give useful information.
  • Most user login problems come down to the user needing to reset their password and/or not entering the right password.
  • There can be issues with high school students and also with staff and students who are affiliated with more than one institution (put in a ticket for these).

Making Changes

Update your Config file

Update your Config File - Quick example video (3 minutes) which covers:
  • Check for a database conflict
  • Download your config
  • Update a stanza by putting in the IncludeFile
  • Upload your file
  • Restart EZproxy
Transcript of video

Handout

IncludeFile Reminders

Please note that if you make a mistake and put in an IncludeFile that does not exist, your EZproxy will fail to restart.
  • This means we want to be careful about any typos. The stanzas are updated frequently and you can look in your Databases folder to verify that what you want is there.
  • Remember to Restart your EZproxy in the Admin interface after you have made changes to your config.txt.
A bit more discussion . . . The advantage of using the IncludeFile is that your stanza is kept up to date for you automatically. Of course, if you need to customize your stanza or a separate file doesn't exist for that publisher, you want to keep the full stanza in your config.txt. Lastly, you do not want both the IncludeFile and the full stanza in your config.txt. That will cause database definition conflicts.
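
A pre-restart check for the two mistakes described above, a missing IncludeFile and a stanza that is both included and pasted in full. This is an added example, not part of the original guide or of EZproxy. It assumes IncludeFile paths are relative to a base folder you pass in, and it compares Title lines as a heuristic for spotting the same database twice.

```python
from pathlib import Path


def include_lines(config_text):
    """Yield (line_number, path) for each IncludeFile line that is not commented out."""
    for number, line in enumerate(config_text.splitlines(), start=1):
        fields = line.strip().split(None, 1)
        if len(fields) == 2 and fields[0] == "IncludeFile":
            yield number, fields[1].strip()


def titles(text):
    """Return the database titles declared by Title (or T) lines."""
    found = set()
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) == 2 and fields[0] in ("Title", "T"):
            found.add(fields[1].strip())
    return found


def preflight(config_path, base_dir):
    """Check config.txt before a restart; returns a list of problems (empty = OK)."""
    config_text = Path(config_path).read_text()
    problems, seen = [], {}
    inline_titles = titles(config_text)  # full stanzas kept in config.txt itself
    for number, rel in include_lines(config_text):
        if rel in seen:
            problems.append(f"line {number}: {rel} already included on line {seen[rel]}")
            continue
        seen[rel] = number
        target = Path(base_dir) / rel
        if not target.is_file():
            problems.append(f"line {number}: IncludeFile {rel} does not exist")
            continue
        # Heuristic (assumption): same Title in both places means a duplicate stanza.
        for title in sorted(titles(target.read_text()) & inline_titles):
            problems.append(f"line {number}: '{title}' is in {rel} and also a full stanza")
    return problems
```

Run it against a downloaded copy of your config.txt and Databases folder before uploading; an empty list means neither problem was found.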

Stanza Changes for Cookies

Several vendors are using the cookielaw stanza now. If you haven't already, place it at the top of your databases section in your config file.

Not to be confused with this technique . . .

For vendors who use Atypon, we should add these lines around the vendor stanza:

Option DomainCookieOnly 
Option Cookie 

Do this for each of these vendors where you have subscriptions

 

EZproxy Login Pages

Thinking about updating soon? A few things to know about these three login pages.
 

Https

If you haven't yet updated your EZproxy links to https, please begin updating them. This includes links on your website and in research guides. Please also communicate with your instructors that they should update their links in D2L. (Primo is done, so don't worry about that! And if you use SubjectsPlus, we will be sure to do this for you as you move to the new version.)
 
More details . . .
 
What we are focused on here is your proxy prefix, so for our test library, we change this:

http://testproxy.mnpals.net/login?url=
 
To:

https://testproxy.mnpals.net/login?url=

We do have settings in EZproxy to force the use of https and this works for most people. There are some Comcast/Xfinity users who are barred from access before the redirect can kick in. If needed, these users might want to disable Advanced Security until this transition to https is complete. Instructions are here.
 
Ideally, we do want both parts of our database links using https like this:

image highlighting the two https instances in the link

Most of the major vendors are using https now. Some of the smaller providers might not have made the switch yet.
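
A link check covering the Links section and the https change above: proxy prefix present, https on the prefix, https on the vendor link, and no prefix on open access resources. This is an added example, not part of the original guide; it uses the test-library prefix shown on this page, and the function names are made up for the illustration.

```python
from urllib.parse import urlsplit

# Assumption: the test-library proxy host and prefix shown on this page.
PROXY_HOST = "testproxy.mnpals.net"
MARKER = "/login?url="


def check_link(link, open_access=False):
    """Return a list of problems found in one link (empty list = looks good)."""
    problems = []
    parts = urlsplit(link)
    proxied = parts.hostname == PROXY_HOST and MARKER in link
    if open_access:
        if proxied:
            problems.append("open access resource should not carry the proxy prefix")
        return problems
    if not proxied:
        return ["missing proxy prefix"]
    if parts.scheme != "https":
        problems.append("proxy prefix uses http, change it to https")
    # Everything after the first 'url=' is the vendor link, passed through as-is.
    target = urlsplit(link.split(MARKER, 1)[1])
    if target.scheme not in ("http", "https") or not target.hostname:
        problems.append("nothing usable after url=")
    elif target.hostname == PROXY_HOST:
        problems.append("proxy prefix applied twice")
    elif target.scheme != "https":
        problems.append("vendor link uses http, check whether the vendor supports https")
    return problems


def upgrade_prefix(link):
    """Rewrite only the proxy prefix from http to https; the vendor part is untouched."""
    old = "http://" + PROXY_HOST + MARKER
    if link.startswith(old):
        return "https://" + PROXY_HOST + MARKER + link[len(old):]
    return link
```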
 
Please also keep your stanzas current if you are maintaining EZproxy yourself. Remember that you can use the IncludeFile. 

For those who have asked PALS to maintain EZproxy for you, don't worry about your stanzas, we will do this for you.
 
Of course, if you have a problem, please put in a ticket.

Raise your Limits

Due to COVID-19, many institutions are relying more heavily on off-campus access to online resources and EZproxy should be fine. If PALS is hosting your EZproxy instance, be assured that the server hardware and network can handle the increase in traffic.
 
That said, you might want to tweak your configuration a bit, for example, raising the default settings such as MaxSessions, MaxConcurrentTransfers, and MaxVirtualHosts.
 
More details here: For those institutions who have said that they want PALS to maintain their EZproxy for them, we raised the limits proactively.
 

Monitor and Adjust your Limits
 
If you want to monitor this yourself:
  • Log into your EZproxy Administration  
  • Choose View server status > Miscellaneous
You will see something like this:

Peak sessions active/limit: 4/1000
Peak concurrent transfers active/limit: 4/400
Peak virtual hosts/limit: 1305/7500
 
Which corresponds to these lines in your config.txt:

MaxSessions 1000
MaxConcurrentTransfers 400
MaxVirtualHosts 7500
 
If you are getting close to a limit, simply increase it in your config.txt and Restart your EZproxy.
 
A bit more background explanation . . . you might also see these settings abbreviated as MS, MC and MV. For example, a lot of people have some version of MaxVirtualHosts in their config.txt that looks something like this: MV 1000. Many people have not previously set MaxSessions and MaxConcurrentTransfers in their config.txt, but it makes sense to raise the limits from the defaults now that we expect more people to be working remotely.
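
The monitoring step above as a script: it reads the three "Peak ... /limit" lines from the Miscellaneous status screen, matches them to the config.txt directives (long names or MS/MC/MV), and reports limits that are nearly used up or edited but not yet in effect. This is an added example, not part of the original guide; the 80% threshold and the sample config.txt lines are assumptions made for the illustration.

```python
import re

# Status label -> (config.txt directive, abbreviation), as paired on this page.
LIMITS = {
    "sessions": ("MaxSessions", "MS"),
    "concurrent transfers": ("MaxConcurrentTransfers", "MC"),
    "virtual hosts": ("MaxVirtualHosts", "MV"),
}
STATUS_RE = re.compile(r"^Peak (.+?)(?: active)?/limit:\s*(\d+)/(\d+)$")


def parse_status(text):
    """Map directive -> (peak, limit) from the Miscellaneous status lines."""
    found = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m and m.group(1) in LIMITS:
            found[LIMITS[m.group(1)][0]] = (int(m.group(2)), int(m.group(3)))
    return found


def configured_limits(config_text):
    """Read limits from config.txt, accepting the long names and MS/MC/MV."""
    names = {n: full for full, short in LIMITS.values() for n in (full, short)}
    limits = {}
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] in names and fields[1].isdigit():
            limits[names[fields[0]]] = int(fields[1])
    return limits


def review(status_text, config_text, threshold=0.8):
    """Flag limits whose peak reached threshold, and edits not yet in effect."""
    advice = []
    config = configured_limits(config_text)
    for directive, (peak, limit) in parse_status(status_text).items():
        if config.get(directive, limit) != limit:
            advice.append(f"{directive}: config.txt has {config[directive]}, running {limit}; restart EZproxy")
        elif peak >= threshold * limit:
            advice.append(f"{directive}: peak {peak} of {limit}; raise it in config.txt")
    return advice


# Status text as shown on this page; config.txt lines constructed for the example.
SAMPLE_STATUS = """Peak sessions active/limit: 4/1000
Peak concurrent transfers active/limit: 4/400
Peak virtual hosts/limit: 1305/7500"""
SAMPLE_CONFIG = "MaxSessions 1000\nMC 400\nMV 7500"
```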

Changes to ELM databases as of 7/1/20

If you haven't done it already, remember to update your links with the changes to ELM databases. Find the current links here.

One special case is the new elementary school resources from Capstone. Capstone offers custom links for each library. Please put in a ticket if you would like to get the Capstone links for your library.
 
Learn more about these Capstone resources and new features.
 

Troubleshooting

Basic Tips & Questions

  • Have the user try an incognito/private browser window
  • Have the user try more than one browser and device
  • Are they using old software (browser and/or operating system)?
  • Get the link that was clicked and where it was from (Primo, D2L, Database A-Z list, etc)
  • Get the exact error shown – a screenshot is good and a quick video is ideal
  • Happening to only 1 user? Can you replicate the problem?
  • Is it happening on and off campus?
  • VPN - if it is on, try with it off and vice versa.
  • Firewall and/or anti-virus software can cause problems
  • Security settings in the browser can cause problems

User Login Errors

Most login errors tend to be people entering incorrect credentials. Users often have an old password saved in the browser. Have the person try this test:
  • Type your StarID and password into Notepad
  • Then copy and paste those into D2L, so it is clear it is working
  • Then copy and paste those into the proxy login to be sure there are no typos or caps lock

If the person is affiliated with more than one institution, they should log in with their primary institution for best results.
 
If there is still a login problem, try to get these for troubleshooting:
  • A screenshot of the error including an exact date and time
  • StarID and name of the person having trouble
Concurrent students can be especially tricky, so don't hesitate to put in a ticket for these issues.

In your EZproxy Admin interface

Audit events - Look up the username here with a reasonable timeframe such as 30 days. You might see they have logged in successfully. You might see they haven't tried to log in to EZproxy (maybe it was Primo). You might see wronglibrary.htm, which means they don't have the right permissions coming from the StarID LDAP server.

Messages - Look up the username here. Result 0 means success. Result 49 usually means password problems. 

Log File - Successful use shows as a bunch of related calls like this:

screenshot of log file

Browser Changes and IP Authentication

There are browser changes coming that could affect how EZproxy works. Read more here.
 

VPN and EZproxy

There is a potential problem for patrons using EZproxy when connected to your campus VPN. The problem will exist if your VPN is configured to only handle traffic going to your campus network. This is referred to as "split tunneling." Under split tunneling, when you are accessing an on-campus resource, the connection has one IP address (from your VPN range), but when you go to off-campus resources, the off-campus resource sees an off-campus address (the IP address assigned to you by your ISP).

If this is the case, what happens is that your proxy server sees the VPN address, and thinking you are "on campus" passes you off to the e-resource. In the middle of that, the VPN-using-split-tunneling says "they are going off campus, time to route them to their off-campus IP address." And the e-resource sees the incoming connection as coming from your ISP and says "You don't have access to this resource. Log in for access."

How to tell if your VPN uses split tunneling
1. Make sure you are NOT logged into the VPN.
2. Google "What is my IP."
3. Log into your VPN.
4. Again, Google "What is my IP."
5. If the addresses are the same, then your institution is using split tunneling.

What to do if your VPN uses split tunneling
1. Contact your IT and ask them to provide you with the range of IP addresses that is assigned to your campus VPN.
2. Use the IncludeIP directive to add that IP range to your EZproxy config.txt. (For example: IncludeIP 0.0.0.0-255.255.255.255). This will treat VPN users as off campus and should fix the problem caused by split tunneling. (More info here.)
3. If you need help making these changes, put in a support ticket.
 

Seeing symbols and diamonds?

Official Documentation from OCLC

Cloudflare

"This web property is not accessible via this address."

If you see an error like this with Cloudflare down at the bottom, contact the vendor. They might adjust their Cloudflare settings or they could add your proxy IP address to the safelist.

IP error or a login screen after logging in to EZproxy

If you are able to log in through EZproxy, but you then get an IP error or a login screen, the problem is likely on the vendor side. Perhaps the subscription isn't current or the vendor needs to tweak something on their end.

SSL Errors

1) ERR_SSL_PROTOCOL_ERROR
Have the patron clear cache and cookies.

You can have them try using a private or incognito window first; it often accomplishes the same thing without having to lose all the cache and cookies.

There are some more ideas here:

2) SSL_ERROR_RX_RECORD_TOO_LONG
To solve this problem, we have disabled TLS versions 1.0 and 1.1.

Please note that this will mean people using older software will not have access until they update to a current version of their browser and/or operating system.

Blocked Access

If you see the Blocked Access error message or safebrowse.io at the beginning of the url, it comes from a protected browsing setting from the internet service provider. 

Possible workarounds:

 

Version 7.1

Security Rules

The Security Rules screen is cleared every other Wednesday as you can see under the table.

Screenshot of security rules table

 

What To Do

If it appears a user has been compromised, contact them and ask them to change their password. 
 
With the default rules, only 3 rules block users:
 
EnforceOCLCByteLimit
EnforceOCLCCountryLimit
EnforceOCLCIPLimit
 
If they have been blocked, you would ask them to change their password and then unblock them with the button labeled "Expire Checked" on the Tripped Security Rules page.
 
If they trip a rule that is only logged, they should be able to keep working. In rare cases, they might have to wait to try again once the period is done. For example, if they trip the OCLCLoginFailureLimit, once the 1 hour period is done, they can try to log in again. 
 
If you talk to the user and think their use is reasonable . . .

1 - You can add exemptions in the Admin interface:
View security rules > Security Exemptions > Add Exemption

2 - You can make a change to your security rules - put in a ticket.