One of the reasons that EZProxy is so fast and resource-efficient is that
it is very lightweight. HTTPS to HTTP processing would require that
EZProzy, or another proxy layer behind it, provide an HTTPS endpoint.
Building this into EZProxy, I think, would not be a good fit for
their model.
I think that it would be simpler to just do everything in nginx, or
possibly node.
Cary
On Wednesday, June 18, 2014, Andrew Anderson <[log in to unmask]> wrote:
> On Jun 17, 2014, at 17:09, Stuart Yeates <[log in to unmask]
> <javascript:;>> wrote:
>
> > On 06/17/2014 08:49 AM, Galen Charlton wrote:
> >> On Sun, Jun 15, 2014 at 4:03 PM, Stuart Yeates <[log in to unmask]
> <javascript:;>> wrote:
> >>> As I read it, 'Freedom to Read' means that we have to take active
> steps to
> >>> protect that rights of our readers to read what they want and in
> private.
> >> [snip]
> >>> * building HTTPS Everywhere-like functionality into LMSs (such
> functionality
> >>> may already exist, I'm not sure)
> >>
> >> Many ILSs can be configured to require SSL to access their public
> >> interfaces, and I think it would be worthwhile to encourage that as a
> >> default expectation for discovery interfaces.
> >>
> >> However, I think that's only part of the picture for ILSs. Other
> >> parts would include:
> >>
> >> * staff training on handling patron and circulation data
> >> * ensuring that the ILS has the ability to control (and let users
> >> control) how much circulation and search history data gets retained
> >> * ensuring that the ILS backup policy strikes the correct balance
> >> between having enough for disaster recovery while not keeping
> >> individually identifiable circ history forever
> >> * ensuring that contracts with ILS hosting providers and services that
> >> access patron data from the ILS have appropriate language concerning
> >> data retention and notification of subpoenas.
> >
> > Compared to other contributors to this thread, I appear to be (a) less
> worried about state actors than our commercial partners and (b) keener to
> see relatively straight forward technical fixes that just work 'for free'
> across large classes of library systems. Things like:
> >
> > * An ILS module that pulls the HTTPS Everywhere ruleset from
> https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules
> and applies those rules as a standard data-cleanup step on all imported
> data (MARC, etc).
> >
> > * A plugin to the CMS that drives the library's websites / blogs /
> whatever and uses the same rulesets to default all links to HTTPS.
> >
> > * An EzProxy plugin (or howto) on silently redirectly users to HTTPS
> over HTTP sites.
> >
> > cheers
> > stuart
>
> This is something that I have been interested in as well, and I have been
> asking our content providers when they will make their content available
> via HTTPS, but so far with very little uptake. Perhaps if enough customers
> start asking, it will get enough exposure internally to drive adoption of
> HTTPS for the content side.
>
> I looked into what EZproxy offers for the user side, and that product does
> not currently have the ability to do HTTPS to HTTP proxying, even though
> there is no technical reason why it could not be done (look at how many
> HTTPS sites run Apache in a reverse proxy to HTTP servers internally for
> load balancing, etc.)
>
> EZproxy makes the assumption that a HTTP resource will always be accessed
> over HTTP, and you cannot configure a HTTPS entry point to HTTP services to
> at least secure the side of the communication channel that is going to
> contain more identifiable information about the user, before it becomes
> aggregated into the general proxy stream.
>
> --
> Andrew Anderson, Director of Development, Library and Information
> Resources Network, Inc.
> http://www.lirn.net/ | http://www.twitter.com/LIRNnotes |
> http://www.facebook.com/LIRNnotes
>
--
Cary Gordon
The Cherry Hill Company
http://chillco.com
|