OCLC Support

HSTS and EZproxy

Symptom

Users experience connection errors when attempting to access HTTP-only databases through EZproxy.

Common browser error messages include NET::ERR_CERT_COMMON_NAME_INVALID or strict transport security warnings. You may also occasionally see a 401 Unauthorised error.

Applies to

EZproxy sites that have enabled HTTP Strict Transport Security (HSTS) on their EZproxy domain.

How to check if HSTS is enabled on your domain:

  1. Open Google Chrome and navigate to chrome://net-internals/#hsts.
  2. Enter your EZproxy domain name in the Query HSTS/PKP domain search field.
  3. Click Query.
  4. If the result returns "Found" followed by output data, HSTS is active on your site.
Resolution

EZproxy is compatible with HTTP Strict Transport Security (HSTS). The errors described above are caused by the proxied content, not by EZproxy itself.

An HSTS policy tells the browser to use HTTPS for every request to the host it is set on (and, with includeSubDomains, to every host beneath it), so the browser upgrades http:// URLs to https:// before connecting. If a proxied vendor site only supports HTTP, EZproxy cannot force it to become HTTPS, and the browser's forced upgrade of the proxied URL results in connection errors. It is not possible to selectively disable an HSTS policy for specific proxied content.

Secure EZproxy pages
To apply HSTS and other security headers exclusively to files served directly by EZproxy (such as login.htm), add the following lines to your config.txt file. The -server option limits these headers to responses EZproxy generates itself; proxied vendor responses are not affected, and because the policy below omits includeSubDomains it applies only to the EZproxy hostname and not to the proxied hostnames beneath it:

HTTPHeader -server Cache-Control "no-store, no-cache, must-revalidate"
HTTPHeader -server Cache-Control "post-check=0, pre-check=0"
HTTPHeader -server Expires "0"
HTTPHeader -server Strict-Transport-Security "max-age=31536000"
HTTPHeader -server X-Content-Type-Options "nosniff"


Solutions for Proxied Content
If you choose to apply HSTS across your entire EZproxy domain, you must manage your HTTP-only resources carefully:

  • Update all links to HTTPS: Ensure all links in your discovery service, library website, and config.txt are updated to HTTPS.
  • Do not use includeSubDomains: If you still have HTTP-only resources in your configuration, do not use the includeSubDomains option in your HSTS header. Under proxy by hostname, proxied resources are served from subdomains of your EZproxy domain, so includeSubDomains extends the forced HTTPS upgrade to them and these HTTP sites will no longer be accessible.
  • Use ProxyHostnameEdit for HTTP-only sites: ProxyHostnameEdit rewrites the host portion of a proxied hostname. For resources that completely lack HTTPS support, adding a line like the following to your config.txt may work around the issue:
    ProxyHostnameEdit apps.example.com$ apps.example.com

Refer to: https://help-de.oclc.org/Library_Management/EZproxy/Configure_resources/ProxyHostnameEdit for more information.
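The HSTS check under "Applies to" and the includeSubDomains and update-links advice above can both be carried out from a script. The Python below is an added example written for this article, not OCLC's code: parse_hsts reads a Strict-Transport-Security value, fetch_hsts asks a live EZproxy host for its policy (network access required; the /login path is an assumption), and audit_config scans a config.txt for the HTTPHeader Strict-Transport-Security line and for http:// resources, flagging the includeSubDomains conflict. SAMPLE_CONFIG is a constructed configuration with made-up titles and hostnames.

```python
"""Audit an EZproxy config.txt for HSTS / HTTP-only resource conflicts.

Added example for this article, not OCLC code. It assumes the config.txt
directive syntax shown on this page (HTTPHeader -server ..., Title, URL, HJ)
and runs against a constructed sample configuration below.
"""
import http.client
import shlex


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 directives).

    Returns {'max_age': int or None, 'include_subdomains': bool, 'preload': bool}.
    Directive names are matched case-insensitively.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age; leave as None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def fetch_hsts(hostname, path="/login", port=443, timeout=10):
    """Ask a live EZproxy host for its HSTS policy with a HEAD request.

    Same question as the chrome://net-internals/#hsts query, but asked of
    the server rather than the browser's cache. Needs network access;
    returns None when no Strict-Transport-Security header is sent.
    """
    conn = http.client.HTTPSConnection(hostname, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        value = conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()
    return parse_hsts(value) if value else None


def audit_config(config_text):
    """Cross-check the HSTS HTTPHeader line against http:// resource stanzas.

    Only URL/Host/HJ values that begin with http:// are counted as HTTP-only;
    entries with no scheme are left unclassified.
    """
    hsts = None
    http_only = []  # (Title, URL) pairs still served over plain HTTP
    title = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, rest = line.partition(" ")
        key = directive.lower()
        if key == "httpheader":
            # drop option flags such as -server / -proxy, keep name and value
            parts = [p for p in shlex.split(rest) if not p.startswith("-")]
            if len(parts) >= 2 and parts[0].lower() == "strict-transport-security":
                hsts = parse_hsts(parts[1])
        elif key in ("title", "t"):
            title = rest.strip()
        elif key in ("url", "u", "host", "h", "hj"):
            target = rest.strip()
            if target.lower().startswith("http://"):
                http_only.append((title, target))

    findings = []
    if hsts is None:
        findings.append("no Strict-Transport-Security HTTPHeader line found")
    elif hsts["include_subdomains"] and http_only:
        findings.append(
            "includeSubDomains is set but %d HTTP-only resource(s) remain; "
            "the browser will upgrade their proxied hostnames to HTTPS" % len(http_only)
        )
    for resource_title, url in http_only:
        findings.append("update to HTTPS if the vendor supports it: %s (%s)" % (resource_title, url))
    return {"hsts": hsts, "http_only": http_only, "findings": findings}


# Constructed sample config.txt; the titles and hostnames are made up.
SAMPLE_CONFIG = """\
HTTPHeader -server Strict-Transport-Security "max-age=31536000; includeSubDomains"
HTTPHeader -server X-Content-Type-Options "nosniff"

Title Secure Journal Platform
URL https://journals.example.com
DJ journals.example.com

Title Legacy Abstracts Service
URL http://apps.example.com
HJ apps.example.com
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Run it against your own config.txt by passing the file's contents to audit_config; an empty findings list means the HSTS line carries no includeSubDomains and no resource stanza still points at an http:// URL.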

Page ID
47246