[squid-users] Facing issue in Internet explorer

L.P.H. van Belle belle at bazuin.nl
Fri Mar 4 13:20:12 UTC 2016


Hai, 

 

This is what i now use for the remote ip logging. 

 

cat /etc/apache2/conf-custom/log-remote-ip.conf

 

<IfModule mod_remoteip.c>

    ## apache 2.4: mod_remoteip is by default available

    ## enable a2enmod remoteip && service apache2 restart

 

    # for remote proxy setup

    RemoteIPHeader X-Forwarded-For

    # for cluster setup

    #RemoteIPHeader X-Real-IP

 

    RemoteIPInternalProxy IP_PROXY_SERVER1

    RemoteIPInternalProxy IP_PROXY_SERVER2

    RemoteIPInternalProxy realhostname1.internal.domain.tld

    RemoteIPInternalProxy realhostname2.internal.domain.tld

 

    LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined_remoteip

    ##  ( optional with added vhostname at the end )

    #LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %v" combined_remoteip

 

</IfModule>

 

 

You dont need to change things in squid. 

 

I did set in the vhosts. 

 

    CustomLog ${APACHE_LOG_DIR}/test-access.log combined_remoteip

 

So in any vhost only thing i change now is : combined to combined_remoteip 

 

 

Greetz, 

 

Louis

 

 


Van: Prasad Desai [mailto:prasad.desai at shreshtait.com] 
Verzonden: vrijdag 4 maart 2016 14:00
Aan: L.P.H. van Belle
Onderwerp: Re: [squid-users] Facing issue in Internet explorer


 

Hi,

 


After so long i have emailed you, now i am facing one issue with access logs. Some of my websites are not recording in access logs. Do you have any suggestions.  


 

On Tue, Feb 16, 2016 at 1:56 PM, L.P.H. van Belle <belle at bazuin.nl> wrote:

Hai, 

 

Have you tried also with only the TLS options enabled.  Enableing ssl2 and ssl3 is really a security leak. 

But at least you got it working. 

If you run a webserver with ssl also, just i hint, maybe you know already, maybe not. 

 

Goto www.ssllabs.com test you ssl of the webserver, and try to adjust you setting to a compatible settting. 

If you run an apache 2.4, you can mail me, i have a explained setup, with the things working and not. 

I did about 30 tests on ssl labs to get al these settings.  ;-) 

 

When this is done go test again with the proxy and try to exclude sslv2 and sslv3 in the clients. 

Maybe this is also a squid adjustment, but that i dont know. 

 

 

Greetz, 

 

Louis

 

 


Van: Prasad Desai [mailto:prasad.desai at shreshtait.com] 
Verzonden: dinsdag 16 februari 2016 8:36
Aan: L.P.H. van Belle
Onderwerp: Re: [squid-users] Facing issue in Internet explorer


 

Hi, 

 


Thanks. It worked after making the changes in IE ( Default setting was only SSL3 and TLS 1.0  enabled ) as given in the URL.


 


http://i66.tinypic.com/141hy07.jpg



 

On Fri, Feb 12, 2016 at 8:15 PM, Prasad Desai <prasad.desai at shreshtait.com> wrote:

Hi, 

 


Even after in IE version 8 disabling SSL3 in advanced options and enable TLS1.0 we are getting same error.



 

On Fri, Feb 12, 2016 at 3:47 PM, L.P.H. van Belle <belle at bazuin.nl> wrote:



> For example, in IE version 8, getting an error given below,

 

You can try to disable SSL3 in advanced options and enable TLS1.0 and/or better 

 

SSLV3 is absolete now. 

 

 


Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens Prasad Desai
Verzonden: vrijdag 12 februari 2016 9:08
Aan: squid-users at lists.squid-cache.org
Onderwerp: [squid-users] Facing issue in Internet explorer


 

Hi,


 


I have successfully configured SSLBump Peek and Splice in my transparent proxy and it is working as expected except in Internet explorer.


 


For example, in IE version 8, getting an error given below,


 


(71) Protocol error (TLS code: SQUID_ERR_SSL_HANDSHAKE)


Handshake with SSL server failed: error:1409F07F:SSL routines:SSL3_WRITE_PENDING:bad write retry


 


Below is squid.conf,


 


visible_hostname mysite.com


httpd_suppress_version_string on


via off


forwarded_for delete


deny_info  MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.3.33" MailScanner warning: numerical links are often malicious: http://192.168.3.33/error.html blockfiles


acl lan src  MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.4.0" MailScanner warning: numerical links are often malicious: 192.168.4.0/24  MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.6.0" MailScanner warning: numerical links are often malicious: 192.168.6.0/24  MailScanner heeft een e-mail met mogelijk een poging tot fraude gevonden van "192.168.3.0" MailScanner warning: numerical links are often malicious: 192.168.3.0/24


http_access allow lan


acl SSL_ports port 443


acl Safe_ports port 80        # http


acl Safe_ports port 21        # ftp


acl Safe_ports port 443        # https


acl Safe_ports port 70        # gopher


acl Safe_ports port 210        # wais


acl Safe_ports port 1025-65535    # unregistered ports


acl Safe_ports port 280        # http-mgmt


acl Safe_ports port 488        # gss-http


acl Safe_ports port 591        # filemaker


acl Safe_ports port 777        # multiling http


acl CONNECT method CONNECT


strip_query_terms off


http_access allow manager localhost


http_access deny manager


http_access deny !Safe_ports


http_access deny CONNECT !SSL_ports


http_access deny all


sslproxy_flags DONT_VERIFY_PEER DONT_VERIFY_DOMAIN


acl disable-ssl-bump ssl::server_name "/etc/squid/no-ssl-bump.acl"


acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH


sslproxy_cert_error allow BadSite


acl step1 at_step SSLBump1


acl step2 at_step SSLBump2


acl step3 at_step SSLBump3


ssl_bump peek step1 all


ssl_bump splice step2 disable-ssl-bump


ssl_bump stare step2 all


ssl_bump splice step3 disable-ssl-bump


ssl_bump bump step3 all


http_port 3130


http_port 3128 intercept


https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem


sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB


sslcrtd_children 8 startup=1 idle=1


coredump_dir /var/spool/squid


refresh_pattern ^ftp:        1440    20%    10080


refresh_pattern ^gopher:    1440    0%    1440


refresh_pattern -i (/cgi-bin/|\?) 0    0%    0


refresh_pattern .        0    20%    4320


 


Any inputs to resolve this error will be much appreciated.


 


-- 

Best,


Prasad Desai


Systems Engineer


 














 



_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users






 


-- 

Best,


Prasad Desai


 
















 


-- 

Best,


Prasad Desai


 





















 


-- 

Best,


Prasad Desai


 











-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160304/b0a30993/attachment-0001.html>


More information about the squid-users mailing list