How to log https contents with squid in pfsense? - ssl

I setup the squid with "HTTPS/SSL Interception" in pfsense and install the ca for all clients. Now it can log all the https request to access.log file. But it can only log the URLs of https requests, i wanna get to know if it can log the web content of request and response? Thanks.

You can refer squid log format directive. It controls the log format and if something which you want is not available there, you can apply patch
http://www.squid-cache.org/Doc/config/logformat/

Related

How to log a specific cookie to the Traefik access log?

In traefik 2.6 it is possible to choose which HTTP headers are logged. Is it also possible to log a specific cookie value as with Apache and NGINX?

Apache HTTPS reverse proxy to HTTP

I can't find the solution to my request, here is what I want to do :
The HTTPS stream arrives on my server from my client's site (of which I do not have the certificate): https://clientwebsite.com
Afterwards I want to send this HTTPS stream to a website that doesn't accept HTTPS. So I send it in HTTP : http://api-website.com
My problem is... I don't know and I don't find how I can do that with Apache on Centos 7
Could someone help me please ?
I'm very happy with Pound as my reverse HTTPS/HTTP proxy

How to setup authorization for proxy request a-la x-sendfile?

In a setting of apache + mod_wsgi and nginx + uwsgi, what could be the way to setup web-server to proxy big "intranet" files requests?
What I am thinking about is a way a la x-sendfile, but where the wsgi application points to a file URL "intranet" location in its response, web-server downloads and uploads the file to the original requester without revealing it's "intranet" location. Of course, nothing happens if there is no authentication and access rights check on wsgi application side.
It's very hard to find this kind of setup by googling, not even sure what term to use.
By "intranet" I mean files, accessible via HTTPS requests from the proxy server, which may have its own credentials to them, but not from public internet or by local filesystem (like is the use case with x-sendfile)
If using mod_wsgi in daemon mode, you can return an empty HTTP 200 response with Location response header and when that is seen by the Apache process proxying to the mod_wsgi daemon process, it will evaluate that as a sub request. The path in that could be mapped to a new URL handler in Apache configuration which is actually a proxy setup which sends the request to another downstream backend server. The response from that will then be proxied back to the client. If you don't want that secondary URL handler to be visible outside, ie., someone can't request it direct if they work out the URL path, you need to use a mod_rewrite rule to reject any request if it isn't a sub request.
So you might have something like:
RewriteCond %{IS_SUBREQ} false
RewriteRule ^/hidden/stuff/ - [F]
ProxyPass /hidden/stuff/ http://backend.example.com/
The WGSI response would then be empty HTTP 200 response with Location header of:
Location: /hidden/stuff/some-file-name
The sub request request would end up being:
http://backend.example.com/some-file-name
against backend server with response proxied back to client.

Does configuring a web server with SSL break regular HTTP

I'm in the process of getting a SSL certificate for my website which i'm running of a VPS. My website also serves as a web service for some ios/android applications to fetch data from. I'm just wondering if installing and configuring a SSL Certificate in Apache will force everyone to contact the web server over HTTPS and refuse regular HTTP calls. Hince will my applications break until I've released an update making all server calls to HTTPS?
Cheers
Apache can handle both http and https at the same time.
Normally you setup your http site under something like httpd.conf which includes a line (might be commented out) something like:
Include extra/httpd-ssl.conf
which tells apache to load additional configuration for the httpd-ssl.conf file located in the 'extra' directory.
if you did a standard install of apache then the httpd-ssl.conf file is already there with a generic template for the HTTPS site, just modify it as necessary and (if needed) uncomment the Include line above in httpd.conf.

Listen port 843 and server crossdomain.xml from httpd.conf

is it possible to configure the httpd.conf which listens the port 843 and serves crossdomain policy tags or file when there is a socket connection? (not for http request, needed it for socket connection from flash)
thank you
Check out this apache module, which will load the necessary socket policy files alongside any other standard crossdomain.xml configurations you need to host on port 80 - http://www.beamartyr.net/articles/adobepolicyfileserver.html
No, it's not.
httpd.conf configures Apache which is a webserver, so expects to receive HTTP requests over the socket. Adobe in their infinite wisdom decided that the Flash security policy file should be served over a home-brew protocol where the first string from the client is "\0".
Since Apache won't recognise that, it can't serve the requested file.
I could have a long rant here about the bogus-ness of this - it would have been (IMO) just as easy for Flash to have sent a "GET /policyfile" request which would have allowed Apache to serve the file, but there we go.
Your only option is to run a different server specifically to serve the policy file - Adobe provide some sample code in Python and other languages that does the job.