| Time |
Nick |
Message |
| 06:00 |
pinesol |
News from qatests: Testing Success <http://testing.evergreen-ils.org/~live> |
| 06:49 |
|
agoben joined #evergreen |
| 07:26 |
|
rjackson_isl_hom joined #evergreen |
| 07:44 |
|
rjackson_ISL joined #evergreen |
| 08:12 |
|
alynn26 joined #evergreen |
| 08:14 |
|
rfrasur joined #evergreen |
| 08:15 |
|
collum joined #evergreen |
| 08:53 |
|
mmorgan joined #evergreen |
| 08:53 |
|
mantis1 joined #evergreen |
| 08:55 |
|
nfBurton joined #evergreen |
| 09:05 |
|
dguarrac joined #evergreen |
| 09:12 |
|
terranm joined #evergreen |
| 09:12 |
|
mmorgan left #evergreen |
| 10:05 |
|
terranm joined #evergreen |
| 10:16 |
mantis1 |
This may be a very involved question. We're working on our 3.4 upgrade and currently figuring out what's wrong with our carousel. I'm using the instructions on how to use it with the Evergreen documentation. Anyway the main issue is we can't get it to display on our OPAC and we currently have a custom map as the main image. I'm unsure if that's going to prove to be an issue. Here's an example: ridgefield.biblio.org/eg/opac |
| 10:20 |
csharp |
mantis1: this is our homesearch.tt2 template that loads the carousels: https://git.evergreen-ils.org/?p=evergreen/pines.git;a=blob;f=Open-ILS/src/templates/opac/parts/homesearch.tt2;h=9c7bbc5dc5980683b38cb686ea12f0c5c112e230;hb=refs/heads/rel_3_4_1 |
| 10:21 |
|
jvwoolf1 joined #evergreen |
| 10:21 |
csharp |
mantis1: terranm (who is having internet trouble this morning) may be able to help too |
| 10:26 |
mantis1 |
csharp: thank you I'll give it a shot |
| 10:27 |
csharp |
mantis1: if you keep having trouble and can pastebin your templates and/or relevant DB rows, we can probably advise |
| 10:46 |
Bmagic |
this is worth reading: https://tidbits.com/2020/08/17/the-case-of-the-top-secret-ipod/ |
| 10:57 |
|
mantis1 left #evergreen |
| 11:00 |
|
mantis1 joined #evergreen |
| 11:05 |
|
sandbergja joined #evergreen |
| 11:05 |
|
collum_ joined #evergreen |
| 11:20 |
sandbergja |
gmcharlt: JBoyer: terranm: mmorgan: what do you think about adding bug 1517298 to the 3.6 roadmap, and targeting it to 3.6 in launchpad? |
| 11:20 |
pinesol |
Launchpad bug 1517298 in Evergreen "Catalogue should support Matomo, a privacy-sensitive alternative to Google Analytics" [Wishlist,New] https://launchpad.net/bugs/1517298 |
| 11:21 |
gmcharlt |
sandbergja: no objection |
| 11:37 |
|
collum joined #evergreen |
| 11:57 |
|
rjackson_isl_hom joined #evergreen |
| 11:58 |
|
rjackson_ISL joined #evergreen |
| 11:59 |
|
sandbergja joined #evergreen |
| 12:07 |
|
jihpringle joined #evergreen |
| 12:29 |
JBoyer |
sandbergja, +1 from me. Another +1 to your comments in the LP. |
| 12:30 |
|
mrisher joined #evergreen |
| 13:11 |
|
oleonard joined #evergreen |
| 13:16 |
|
collum joined #evergreen |
| 13:17 |
|
collum joined #evergreen |
| 13:17 |
|
khuckins joined #evergreen |
| 14:02 |
|
mmorgan joined #evergreen |
| 14:05 |
|
knesbit joined #evergreen |
| 14:54 |
sandbergja |
jeffdavis: I'm taking a look at bug 1850992 |
| 14:54 |
pinesol |
Launchpad bug 1850992 in Evergreen "Use RemoteAuth for EZProxy authentication" [Wishlist,New] https://launchpad.net/bugs/1850992 - Assigned to Jane Sandberg (sandbej) |
| 14:55 |
sandbergja |
And everything is working well until after Evergreen authenticates and bumps me back to EZProxy |
| 14:55 |
sandbergja |
Then EZProxy is complaining that it got sent an invalid URL |
| 14:55 |
sandbergja |
(which seems odd, since isn't EZProxy the one who created the URL in the first place?) |
| 14:56 |
sandbergja |
Do you happen to have an ezproxy config from your testing a few months ago? |
| 15:09 |
|
ddisbro joined #evergreen |
| 15:44 |
pastebot |
"jeffdavis" at 168.25.130.30 pasted "EZProxy config (I think)" (4 lines) at http://paste.evergreen-ils.org/10011 |
| 15:44 |
jeffdavis |
sandbergja: ^ I think that's the ezproxy config I was using |
| 15:44 |
sandbergja |
thanks! |
| 15:45 |
sandbergja |
let me give that a shot |
| 15:58 |
sandbergja |
hmmm, still not working for me. I just contacted EZProxy support; maybe they will have some ideas. Maybe we have some odd EZProxy config? |
| 15:59 |
jeff |
What's the actual error from EZproxy? Anything in messages.txt on the EZproxy host? |
| 15:59 |
jeff |
What version of EZproxy are you using? |
| 16:01 |
jeff |
also, you might already have it this way, but the config jeffdavis pasted goes in user.txt and the string <secret> needs to be replaced with your shared secret (and no < or > surrounding it). |
| 16:02 |
jeff |
unless local circumstances suggest otherwise, I recommend putting the config snippet at the end of user.txt |
| 16:02 |
jeff |
so that the last line of user.txt is: |
| 16:02 |
jeff |
/Ticket |
| 16:04 |
jeffdavis |
I'll double check the branch with our EZProxy, will need a little time to get it set up though |
| 16:05 |
pastebot |
"sandbergja" at 168.25.130.30 pasted "This URL starts with an unsupp" (3 lines) at http://paste.evergreen-ils.org/10012 |
| 16:05 |
jeff |
depending on how well your clocks are sync'd, you might need to add a TimeValid directive to the user block, but the default appears to be... 60 minutes. |
| 16:05 |
sandbergja |
^ that is the message I got |
| 16:05 |
sandbergja |
which has exactly one google search result, which was not very helpful |
| 16:05 |
sandbergja |
Nothing in messages.txt! |
| 16:06 |
* jeff |
looks at the branch |
| 16:06 |
sandbergja |
I had it at the start of user.txt; I can try it at the end |
| 16:06 |
sandbergja |
But jeffdavis' code doesn't modify the URL that ezproxy sends along in any way |
| 16:07 |
sandbergja |
It really seems like ezproxy is sending invalid URLs |
| 16:07 |
jeff |
what is OILSRemoteAuthEZProxyBaseURI set to in your apache config? |
| 16:07 |
|
mantis1 left #evergreen |
| 16:07 |
sandbergja |
lemme check |
| 16:08 |
sandbergja |
https://ezproxy.libweb.linnbenton.edu |
| 16:08 |
sandbergja |
As far as I can tell, that's not the URL that EZProxy is complaining about |
| 16:08 |
sandbergja |
it's the weird hashed version of the URL of the database that the user is trying to access |
| 16:09 |
sandbergja |
i.e. the ^R in ::CGI=http://auth.yourlib.org/ezpauth.cgi?url=^R |
| 16:09 |
jeff |
can you paste the bit of your user.txt file that starts with ::CGI and ends with /Ticket? |
| 16:09 |
sandbergja |
Oh, and we're on EZProxy 6.2.2 |
| 16:10 |
sandbergja |
yeah |
| 16:11 |
pastebot |
"sandbergja" at 168.25.130.30 pasted "::CGI=http://alb-lib-coursemat" (5 lines) at http://paste.evergreen-ils.org/10013 |
| 16:11 |
sandbergja |
(and various permutations of that) |
| 16:13 |
jeff |
i would recommend using https there... but that's probably not causing the current issue. |
| 16:13 |
jeff |
(arguably we should require https and refuse to auth over http for this) |
| 16:13 |
sandbergja |
true |
| 16:13 |
jeff |
what is the starting point URL you're using to begin the testing? the link that you're following which goes to EZproxy and then prompts auth, etc? |
| 16:14 |
sandbergja |
https://ezproxy.libweb.linnbenton.edu/login?url=https://search.ebscohost.com/login.aspx?authtype=ip,uid&profile=ehost&defaultdb=a9h |
| 16:14 |
sandbergja |
(which won't go to Evergreen atm, but I can switch it quickly if you want) |
| 16:15 |
sandbergja |
(just don't want users to end up on a non-working login page) |
| 16:15 |
sandbergja |
(but it's a slow day for Ezproxy today) :-) |
| 16:19 |
jeffdavis |
Is something rewriting https://ezproxy.libweb.linnbenton.edu/login to https://login.ezproxy.libweb.linnbenton.edu ? |
| 16:19 |
jeff |
ezproxy prefixes login. when using SSL |
| 16:20 |
jeff |
but still expects it to end in /login for the login |
| 16:20 |
jeff |
the prefixing of login is a workaround for if you have a wildcard-only cert that doesn't include the non-prefixed host. |
| 16:20 |
jeff |
(if your cert is for *.ezproxy.example.edu and doesn't ALSO include ezproxy.example.edu) |
| 16:22 |
jeff |
if you enable ticket auth and try to visit https://login.ezproxy.libweb.linnbenton.edu/menu in a fresh browser / incognito / etc do you log in and get to the ezproxy menu, or does it break somewhere? |
| 16:26 |
jeffdavis |
Incidentally it is ok to use your production wskey on a test server if you want to set up a separate EZProxy instance for testing purposes, per https://help.oclc.org/Library_Management/EZproxy/Install_and_update_EZproxy/EZproxy_WSKeys |
| 16:26 |
sandbergja |
jeffdavis: good to know |
| 16:26 |
* jeff |
nods |
| 16:26 |
jeffdavis |
probably overkill in this specific case, but maybe useful if there is other testing you want to do |
| 16:27 |
jeff |
depending on your environment it may not be possible to get certs and such. :-) |
| 16:29 |
sandbergja |
jeff: I get to log in, but still get that goofy "unsupported url" error |
| 16:36 |
jeff |
okay. are you in a position where you could use temporary test credentials and capture a HAR file and send it to me? |
| 16:39 |
jeff |
(new incognito window, open dev tools, make sure "Preserve log" is checked, go to https://login.ezproxy.libweb.linnbenton.edu/menu and log in via ezproxy ticket auth, and once that's done and you get your error, right click any of the requests in the Network tab and select "Save all as HAR with content" (note that the HAR file will contain all content, including your credentials -- which is why I |
| 16:39 |
jeff |
mentioned temporary test credentials) |
| 16:39 |
jeff |
(and you can change/invalidate the credentials before sending the HAR file) |
| 16:40 |
sandbergja |
sure |
| 16:40 |
sandbergja |
those aren't actually real credentials on the evergreen side anyway :-) |
| 16:52 |
jeff |
is it possible that OILSRemoteAuthEZProxyBaseURI is set to a value that ends in a forward slash character (/)? |
| 16:56 |
jeff |
it looks like you're being directed to https://ezproxy.libweb.linnbenton.edu//login?user=USER&ticket=TICKET&url= |
| 16:56 |
jeff |
(values redacted) |
| 16:56 |
jeff |
and that should be generated by return "$base_uri/login?user=$user&ticket=$ticket&url=$url"; |
| 16:56 |
sandbergja |
hahahahahahaha |
| 16:56 |
jeff |
and base_uri should be the value of OILSRemoteAuthEZProxyBaseURI: my $base_uri = $r->dir_config('OILSRemoteAuthEZProxyBaseURI'); |
| 16:56 |
sandbergja |
that's it completely |
| 16:56 |
sandbergja |
I'd updated the vhost file |
| 16:57 |
sandbergja |
but never got around to restarting httpd |
| 16:57 |
sandbergja |
jeff: thanks so much! |
| 16:57 |
jeff |
you're welcome! |
| 16:58 |
jeff |
we could document that you don't need/want a trailing slash in that variable, or we could strip it since we're going to be constructing a url with a / and we don't want //... |
| 16:59 |
jeff |
sandbergja++ testing! |
| 17:00 |
sandbergja |
documenting seems easy enough: just a comment above that line in the vhost config |
| 17:00 |
sandbergja |
jeff++ |
| 17:00 |
sandbergja |
jeffdavis++ |
| 17:01 |
sandbergja |
And now I know about HAR files, and way more about ezproxy than I did this morning |
| 17:01 |
jeffdavis |
yeesh |
| 17:01 |
jeffdavis |
jeff++ |
| 17:01 |
jeffdavis |
sandbergja++ |
| 17:05 |
|
mmorgan left #evergreen |
| 17:14 |
* jeff |
checks to see if the secret in use was actually "secret"... |
| 17:14 |
jeff |
...and it was! :-) |
| 17:15 |
jeff |
(not recommended for production) :-) |
| 17:19 |
sandbergja |
yeah... |
| 17:23 |
jeff |
(not trying to give you grief, sorry!) |
| 17:25 |
sandbergja |
you have relieved a lot of grief today, actually! |
| 17:35 |
|
rjackson_isl_hom joined #evergreen |
| 17:40 |
jeffdavis |
I'm tempted to say that if someone figures out how to use a known secret to generate an EZProxy ticket and access journal articles, they've kind of earned it |
| 17:40 |
jeffdavis |
no doubt I would feel differently if I were in charge of licensing :) |
| 17:41 |
sandbergja |
it's certainly a lot more sophisticated than just going to sci-hub |
| 17:41 |
jeff |
it's also a patron privacy thing, since you can log in to a patron account with one of the proxied resources and see things like reading history, email addresses, etc. |
| 17:43 |
jeffdavis |
that is a problem for sure |
| 17:44 |
jeff |
also... where do you think scihub gets their data? i'd guess at least some of their scraping is via weak secrets and not just weak credentials. ;-) |
| 17:45 |
jeffdavis |
arguably that falls under earning it :) |
| 17:45 |
jeffdavis |
(for the record we do not use a weak secret and I am not advocating doing so) |
| 18:01 |
pinesol |
News from qatests: Testing Success <http://testing.evergreen-ils.org/~live> |
| 19:08 |
|
rjackson_isl_hom joined #evergreen |
| 20:45 |
|
mrisher joined #evergreen |
| 21:12 |
|
sandbergja joined #evergreen |
| 21:12 |
|
sandbergja_ joined #evergreen |
| 21:36 |
|
sandbergja joined #evergreen |
| 22:01 |
|
sandbergja_ joined #evergreen |
| 22:12 |
|
sandbergja_ joined #evergreen |
| 22:19 |
|
sandbergja_ joined #evergreen |
| 22:51 |
|
sandbergja_ joined #evergreen |
| 23:30 |
|
sandbergja_ joined #evergreen |
| 23:40 |
|
sandbergja_ joined #evergreen |
| 23:47 |
|
sandbergja__ joined #evergreen |
