What firewall rules are needed for a self-hosted EZproxy server?
Applies to
- EZproxy (self-hosted), all supported versions (6.x / 7.x)
Answer
In proxy by hostname, EZproxy uses one to three pre-identified ports for all processing: one for HTTP processing, an optional one for HTTPS processing, and an optional one to allow old URLs to work if you move from using port 2048 to using port 80 for HTTP.
The following firewall rules are required for a standard self-hosted EZproxy server to function correctly:
| Direction | Port(s) | Source / Destination | Purpose |
|---|---|---|---|
| Inbound | 80/TCP + 443/TCP | Internet → EZproxy Server | User access (HTTP + HTTPS). Port 80 is optional if only LoginPortSSL 443 is configured. |
| Outbound | 80/TCP + 443/TCP | EZproxy Server → Internet (or via upstream proxy) | WSKey license validation to OCLC + outbound connections to e-resource provider hosts defined in config.txt |
| Outbound | Depending on user.txt configuration | EZproxy Server → Authentication system | Authenticate users |
Note:
Upstream proxy: If your EZproxy server routes traffic through an internal upstream proxy (via the Proxy directive in config.txt), ensure the EZproxy server can reach that proxy on its configured port (e.g., 3128/TCP), and that the upstream proxy permits outbound 80/443 to the internet.
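The following script is an added example, not OCLC code: it reads config.txt and lists the firewall openings that the table and note above imply for that configuration, including any retained old login port such as 2048. It goes slightly beyond the table by flagging resource hosts declared on ports other than 80/443. Assumptions: the sample config and hostnames are constructed, the `Proxy` directive is treated as applying to the whole file, and a resource line without a scheme is treated as http.

```python
from urllib.parse import urlsplit

# Constructed sample config.txt for illustration; hostnames are placeholders.
SAMPLE_CONFIG = """\
Option ProxyByHostname
LoginPort 80
LoginPort 2048
LoginPortSSL 443
# LoginPort 8080
Proxy proxy.internal.example:3128
URL https://journals.example.org/
Host legacy.example.net:8080
"""

def firewall_rules(config_text):
    """Derive (direction, port, peer, purpose) rows from config.txt text."""
    listen, extra, upstream = [], set(), None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # skip blank lines and comments
        key, arg = words[0].lower(), words[-1]
        if key in ("loginport", "loginportssl") and arg.isdigit():
            listen.append((int(arg), "HTTPS" if key.endswith("ssl") else "HTTP"))
        elif key == "proxy" and arg.rpartition(":")[2].isdigit():
            upstream = (arg.rpartition(":")[0], int(arg.rpartition(":")[2]))
        elif key in ("url", "host", "hj"):
            # Assumption: a resource line without a scheme is treated as http.
            u = urlsplit(arg if "://" in arg else "http://" + arg)
            port = u.port or (443 if u.scheme == "https" else 80)
            if port not in (80, 443):
                extra.add(port)
    rows = [("Inbound", f"{p}/TCP", "Internet -> EZproxy", f"User access ({kind})")
            for p, kind in listen]
    via = "upstream proxy" if upstream else "Internet"
    for p in [80, 443] + sorted(extra):
        rows.append(("Outbound", f"{p}/TCP", f"EZproxy -> {via}",
                     "OCLC WSKey validation and resource hosts" if p in (80, 443)
                     else "Resource host on non-standard port"))
    if upstream:
        rows.append(("Outbound", f"{upstream[1]}/TCP", f"EZproxy -> {upstream[0]}",
                     "Upstream proxy (Proxy directive)"))
    rows.append(("Outbound", "per user.txt", "EZproxy -> Authentication system",
                 "Authenticate users"))
    return rows

if __name__ == "__main__":
    for row in firewall_rules(SAMPLE_CONFIG):
        print(" | ".join(row))
```

Compare the output with the rules actually deployed on the host and perimeter firewalls: any inbound port open that is not listed, or any listed port that is closed, is worth reviewing.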
