[squid-users] Logging of https

Markey, Bruce bmarkey at steinmancommunications.com
Thu Apr 7 13:11:27 UTC 2016 

Ok thanks for that.  I think I have a slightly better understanding of what is going on.    That being said this is what I've come up with.  

No caching.  All sites allowed, peeking at all. 

I'm hoping this config will simply give me the logging that I'm looking for and nothing else.  And from that link you sent I don't have to install the client side cert?

Thanks

  1 #Access Lists
  2 acl internal src 192.168.200.0/21
  3 acl wireless src 192.168.100.0/23
  4 
  5 #Ports allowed through Squid
  6 acl Safe_ports port 80
  7 acl Safe_ports port 443
  8 acl SSL_ports port 443
  9 acl CONNECT method CONNECT
 10 
 11 #allow/deny
 12 http_access allow internal
 13 http_access allow wireless
 14 http_access deny !Safe_ports
 15 http_access deny CONNECT !SSL_ports
 16 http_access deny all
 17 
 18 #Bumping 
 19 acl step1 at_step SslBump1
 20 acl step2 at_step SslBump2
 21 acl step3 at_step SslBump3
 22 
 23 ssl_bump peek all
 24 ssl_bump splice all
 25 
 26 sslproxy_capath /etc/ssl/certs
 27 
 28 sslcrtd_program /usr/lib/squid3/ssl_crtd -s /opt/var/ssl_db -M 6MB
 29 sslcrtd_children 5
 30 
 31 #certs
 32 cert=/etc/squid3/certs/squid.pem
 33 cafile=/etc/squid3/certs/squid.pem
 34 key=/etc/squid3/certs/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=6MB sslflags=NO_SESSION_REUSE
 35 
 36 logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh
 37 
 38 access_log syslog:daemon.info mine
 39 
 40 #intercept
 41 http_port 3128 intercept
 42 https_port 3129 intercept ssl-bump
 43 
 44 #nameservers
 45 dns_nameservers 192.168.201.1 8.8.8.8
 46 
 47 #WCCPv2 items
 48 wccp_version 2
 49 wccp2_router 192.168.200.73
 50 wccp2_forwarding_method gre
 51 wccp2_return_method gre
 52 wccp2_service standard 0 password=LNP1
 53 wccp2_service dynamic 70 password=LNP1
 54 wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443
 55

Bruce Markey | Network Security Analyst
STEINMAN COMMUNICATIONS
717.291.8758 (o) | bmarkey at steinmancommunications.com
8 West King St | PO Box 1328, Lancaster, PA 17608-1328

-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of James Lay
Sent: Thursday, March 24, 2016 4:14 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Logging of https

On 2016-03-24 13:41, Markey, Bruce wrote:
> I'm hoping this is a simple question, I've gotten/seen differing 
> answers and I'd just like a final answer.
> 
> With squid setup as a transparent proxy via wccp will there be any log 
> entries for https sites, even just the ip?  Just the initial get 
> request is what I'd expect.
> 
> ( I have no interest in breaking https, I'd simply like to get any 
> data I can without having to go down that road)
> 
> If yes then what needs to be done to make that happen. Currently 
> everything is working on the http side perfectly.  Oh the https side 
> as soon as I enable wccp redirection of 443 to squid it breaks https.
>  ( I'll add here that I've read all the peek and splice info and I 
> don't really understand it.)
> 
> Thanks
> 
> BRUCE MARKEY | Network Security Analyst
> 
> STEINMAN COMMUNICATIONS
> 
> 717.291.8758 (o) | bmarkey at steinmancommunications.com
> 
> 8 West King St | PO Box 1328, Lancaster, PA 17608-1328
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users


Read this:

http://thread.gmane.org/gmane.comp.web.squid.general/114384/focus=114389

Sample messages:

allowed https:
Mar 24 14:02:11 gateway (squid-1): 192.168.1.101 - -
[24/Mar/2016:14:02:11 -0600] "CONNECT 209.59.180.48:443 HTTP/1.1" - -
200 5511 TCP_TUNNEL:ORIGINAL_DST

note the size, 5511, and the TCP_TUNNEL, this has no SNI

denied https:
Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - -
[24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.35.38:443 HTTP/1.1" - - 200
0 TAG_NONE:ORIGINAL_DST

note the size, 0, and the TAG_NONE, and this also has no SNI

Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - -
[24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.177.121:443 HTTP/1.1" 
track.appsflyer.com - 200 0 TAG_NONE:ORIGINAL_DST

again, size, and TAG_NONE, but we saw SNI for this one.

the above are the output when using the config info in the link.  Hope that helps.

James
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list