Release Date: January 2019
Operating system requirements
EZproxy v6.5 is supported under two different operating systems:
The supported versions of these operating systems along with their minimum hardware requirements can be found at Requirements.
For this release, we recommend that you review the following checklists and complete the relevant tasks. These checklists identify updates that we have determined as significant for most institutions. We encourage you to review all of the items in the release notes to determine whether there are other items that might require additional action or follow up by your institution.
GDPR Privacy Notice for EZproxy
When using EZproxy with certain authentication methods, EZproxy’s native login pages display. OCLC deploys a default page (login.htm) but always offers customers the opportunity to tailor that for their institution.
As you are no doubt aware, a new set of data regulations in European Union law, the General Data Protection Regulation (GDPR), came into force in May 2018. As part of your GDPR compliance efforts, you may want to include a GDPR privacy notice for your institution on your EZproxy login page and other HTML pages providing login failure and other information. To do so:
EZproxy hosted customers: please send OCLC Support a login.htm page to deploy which includes your privacy notice. The default login.htm page is available in a zip file for download. If you have already submitted a modified login page for your institution, please apply the GDPR privacy notice to that file and send it to us.
EZproxy stand-alone customers: please see our documentation on how to edit EZproxy html pages.
Please contact OCLC Support with any questions.
These items require immediate action or decisions.
If you are upgrading from an EZproxy version earlier than v6.0, you will need an EZproxy Web Services Key (WSKey). To obtain a WSKey, you will need to have a current, annual subscription. EZproxy moved to the annual subscription model in July 2013, so if you purchased your EZproxy subscription prior to that time, you will need to update.
To purchase an annual subscription, you can request a quote, and you will be provided with a quote and information about how too subscribe. If you are uncertain if your subscription is current, please email firstname.lastname@example.org.
If you have already upgraded to V6.x, your existing WSKey will work with this upgrade.
Review EZproxy and OpenSSL, especially if you are upgrading from a version older than V5.7.44. EZproxy V6.5 has many security updates that may make previous configurations in your config.txt file unnecessarily, and you can remove certain directives after installing V6.5.
New features and enhancements
New option to audit or block access from known pirate/hacker IP addresses
EZproxy has been enhanced with an option to perform real-time call out to a security API that will validate the IP address of the requester and audit or deny access if the IP address is a known pirate/hacker. This greatly reduces the time-consuming and manual process of scanning log files for hacked credentials.
The API call can be enabled to enhance IntruderIP by providing evasion during login attempts or with RejectIP to block access from matching addresses.
The main syntax is:
IntrusionAPI [-enforce] Evade|Reject
The Intrusion API is only consulted for public address that do not fall within a WhitelistIP range (see later). Private addresses (10.*, 172.16-31.*, 192.168.*) are never checked against the intrusion API.
When Evade is specified and the user accesses from a public, non-whitelisted address, the intrusion API will be consulted when a user presents a credential for authentication. If the IP is specified as BadIP (see audit event type below) and -enforce is present, the user will be told that their login failed without ever checking the credential provided.
When Reject is specified and the user accesses from a public, non-whitelisted address, the intrusion API will be consulted no matter how the user is accessing. If the IP is specified as BadIP and -enforce is present, the connection is either blocked, or if reject.htm exists, that file is sent to the user.
The new WhitelistIP directive has been created to allow any number of address ranges to be whitelisted to override the Intrusion API. Sample entries:
There is no need to whitelist private addresses.
When the intrusion API is consulted, an audit event is recorded with the outcome. The new audit events are:
- IntrusionAPI.BadIP: intrusion API indicates the address is associated with a known pirate/hacker
- IntrusionAPI.Error: an error occurred consulting the intrusion API (more information recorded in the Other field); includes scenario in which SSL connection fails validation
- IntrusionAPI.None: intrusion API responded that address is not in database (this event is not enabled by Audit Most and must be added explicitly such as Audit Most Intrusion API.None)
- IntrusionAPI.Whitelisted: intrusion API responded that address is whitelisted in their system (this event is NOT recorded if the address falls within a WhitelistIP range)
EZproxy now uses OpenSSL 1.0.2q
EZproxy 6.5 was built with the most current Long Term Support release of OpenSSL (1.0.2q), which was released on November 20, 2018.
For more information on the intrusion API, please see Intrusion API frequently asked questions.
More product information can be found at: http://www.oclc.org/ezproxy.en.html