Search squid archive

Re: Facing issue in Internet explorer

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hai,

 

This is what i now use for the remote ip logging.

 

cat /etc/apache2/conf-custom/log-remote-ip.conf

 

<IfModule mod_remoteip.c>

    ## apache 2.4: mod_remoteip is by default available

    ## enable a2enmod remoteip && service apache2 restart

 

    # for remote proxy setup

    RemoteIPHeader X-Forwarded-For

    # for cluster setup

    #RemoteIPHeader X-Real-IP

 

    RemoteIPInternalProxy IP_PROXY_SERVER1

    RemoteIPInternalProxy IP_PROXY_SERVER2

    RemoteIPInternalProxy realhostname1.internal.domain.tld

    RemoteIPInternalProxy realhostname2.internal.domain.tld

 

    LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_remoteip

    ##  ( optional with added vhostname at the end )

    #LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %v" combined_remoteip

 

</IfModule>

 

 

You dont need to change things in squid.

 

I did set in the vhosts.

 

    CustomLog ${APACHE_LOG_DIR}/test-access.log combined_remoteip

 

So in any vhost only thing i change now is : combined to combined_remoteip

 

 

Greetz,

 

Louis

 

 

Van: Prasad Desai [mailto:prasad.desai@xxxxxxxxxxxxxx]
Verzonden: vrijdag 4 maart 2016 14:00
Aan: L.P.H. van Belle
Onderwerp: Re: Facing issue in Internet explorer

 

Hi,

 

After so long i have emailed you, now i am facing one issue with access logs. Some of my websites are not recording in access logs. Do you have any suggestions.  

 

On Tue, Feb 16, 2016 at 1:56 PM, L.P.H. van Belle <belle@xxxxxxxxx> wrote:

Hai,

 

Have you tried also with only the TLS options enabled.  Enableing ssl2 and ssl3 is really a security leak.

But at least you got it working.

If you run a webserver with ssl also, just i hint, maybe you know already, maybe not.

 

Goto www.ssllabs.com test you ssl of the webserver, and try to adjust you setting to a compatible settting.

If you run an apache 2.4, you can mail me, i have a explained setup, with the things working and not.

I did about 30 tests on ssl labs to get al these settings.  ;-)

 

When this is done go test again with the proxy and try to exclude sslv2 and sslv3 in the clients.

Maybe this is also a squid adjustment, but that i dont know.

 

 

Greetz,

 

Louis

 

 

Van: Prasad Desai [mailto:prasad.desai@xxxxxxxxxxxxxx]
Verzonden: dinsdag 16 februari 2016 8:36
Aan: L.P.H. van Belle
Onderwerp: Re: Facing issue in Internet explorer

 

Hi, 

 

Thanks. It worked after making the changes in IE ( Default setting was only SSL3 and TLS 1.0  enabled ) as given in the URL.

 

 

On Fri, Feb 12, 2016 at 8:15 PM, Prasad Desai <prasad.desai@xxxxxxxxxxxxxx> wrote:

Hi, 

 

Even after in IE version 8 disabling SSL3 in advanced options and enable TLS1.0 we are getting same error.

 

On Fri, Feb 12, 2016 at 3:47 PM, L.P.H. van Belle <belle@xxxxxxxxx> wrote:

> For example, in IE version 8, getting an error given below,

 

You can try to disable SSL3 in advanced options and enable TLS1.0 and/or better

 

SSLV3 is absolete now.

 

 

Van: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] Namens Prasad Desai
Verzonden: vrijdag 12 februari 2016 9:08
Aan: squid-users@xxxxxxxxxxxxxxxxxxxxx
Onderwerp: Facing issue in Internet explorer

 

Hi,

 

I have successfully configured SSLBump Peek and Splice in my transparent proxy and it is working as expected except in Internet explorer.

 

For example, in IE version 8, getting an error given below,

 

(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)

Handshake with SSL server failed: error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry

 

Below is squid.conf,

 

visible_hostname mysite.com

httpd_suppress_version_string on

via off

forwarded_for delete

http_access allow lan

acl SSL_ports port 443

acl Safe_ports port 80        # http

acl Safe_ports port 21        # ftp

acl Safe_ports port 443        # https

acl Safe_ports port 70        # gopher

acl Safe_ports port 210        # wais

acl Safe_ports port 1025-65535    # unregistered ports

acl Safe_ports port 280        # http-mgmt

acl Safe_ports port 488        # gss-http

acl Safe_ports port 591        # filemaker

acl Safe_ports port 777        # multiling http

acl CONNECT method CONNECT

strip_query_terms off

http_access allow manager localhost

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny all

sslproxy_flags DONT_VERIFY_PEER DONT_VERIFY_DOMAIN

acl disable-ssl-bump ssl::server_name "/etc/squid/no-ssl-bump.acl"

acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH

sslproxy_cert_error allow BadSite

acl step1 at_step SSLBump1

acl step2 at_step SSLBump2

acl step3 at_step SSLBump3

ssl_bump peek step1 all

ssl_bump splice step2 disable-ssl-bump

ssl_bump stare step2 all

ssl_bump splice step3 disable-ssl-bump

ssl_bump bump step3 all

http_port 3130

http_port 3128 intercept

https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB

sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid

refresh_pattern ^ftp:        1440    20%    10080

refresh_pattern ^gopher:    1440    0%    1440

refresh_pattern -i (/cgi-bin/|\?) 0    0%    0

refresh_pattern .        0    20%    4320

 

Any inputs to resolve this error will be much appreciated.

 

--

Best,

Prasad Desai

Systems Engineer

 

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



 

--

Best,

Prasad Desai

 


 

--

Best,

Prasad Desai

 


 

--

Best,

Prasad Desai

 

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux