[squid-users] What do the bytes and duration fields in squid log count for https (CONNECT)?

Amos Jeffries squid3 at treenet.co.nz
Mon Jul 25 12:52:28 UTC 2016


On 26/07/2016 12:04 a.m., Henry S. Thompson wrote:
> Amos Jeffries writes:
> 
>> On 25/07/2016 10:34 p.m., Henry S. Thompson wrote:
>>> Standard squid config only logs one CONNECT line for any https
>>> transaction. What is being counted/timed by the reported bytes and
>>> duration fields in that line?
>>>
>>> I'm guessing it's the total time taken and total bytes delivered to the
>>> client by any and all transactions in the course of the TLS connection
>>> established by that CONNECT, but I can't find anything in the log
>>> documentation which confirms that.
>>
>> Yes. There is no HTTPS or TLS as far as Squid is concerned. (In modern
>> traffic you are also very likely to be wrong about it being HTTPS or TLS
>> on port 443. The (browser?) URL saying "https://" does not make it HTTPS
>> inside the tunnel).
> 
> Indeed, understood
> 
>> An HTTP CONNECT message with opaque data is all Squid sees. Its duration
>> is how long it takes, and the opaque data is the size it is.
> 
> Thanks for your reply, but this part leaves me confused.  The CONNECT
> message itself is short, as is the likely reply, and presumably doesn't
> take long to process.  But the times and sizes I'm seeing are long/big,
> so it doesn't seem likely that they are the time and size of the
> response to the CONNECT as such, which is what you appear to be saying
> above...
> 
> That is, what is the 'it' you refer to in your final sentence?

Sorry, could have been clearer.

Unless you are using SSL-Bump or such to process the contents specially,
the duration is from the CONNECT message arriving to the time TCP close
is used to end the tunnel. The size should be the bytes sent to the
client (excluding the 200 reply message itself) during that time.

Amos
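
Added example, not part of the original thread or Squid's own code: a small parser that reads the elapsed-time and size fields of CONNECT lines and totals them per tunnel destination. It assumes Squid's default native access.log field order (time, elapsed ms, client, result/status, bytes, method, URL, ...) and that only status 200 lines are established tunnels; the sample log lines and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in the default native access.log layout (assumption).
SAMPLE_LOG = """\
1469451148.123  95321 192.0.2.10 TCP_TUNNEL/200 4823110 CONNECT example.org:443 - HIER_DIRECT/198.51.100.7 -
1469451150.456    212 192.0.2.10 TCP_MISS/200 1534 GET http://example.net/ - HIER_DIRECT/198.51.100.9 text/html
1469451199.789 600042 192.0.2.11 TCP_TUNNEL/200 18220 CONNECT example.org:443 - HIER_DIRECT/198.51.100.7 -
1469451201.001     35 192.0.2.12 TCP_DENIED/403 3901 CONNECT example.com:22 - HIER_NONE/- text/html
"""

def parse_connect(line):
    """Return a dict for a CONNECT entry, or None for any other line."""
    f = line.split()
    if len(f) < 7 or f[5] != "CONNECT":
        return None
    try:
        elapsed_ms, size = int(f[1]), int(f[4])
    except ValueError:
        return None  # malformed numeric field
    return {
        "client": f[2],
        "status": f[3].partition("/")[2],  # e.g. "200" from "TCP_TUNNEL/200"
        "elapsed_ms": elapsed_ms,          # CONNECT arrival until the tunnel closed
        "bytes": size,                     # bytes sent to the client in that time
        "target": f[6],                    # host:port, all Squid knows of the tunnel
    }

def summarise(log_text):
    """Total tunnel time and bytes per destination; list refused CONNECTs apart."""
    tunnels = defaultdict(lambda: {"count": 0, "bytes": 0, "total_ms": 0, "longest_ms": 0})
    refused = []
    for line in log_text.splitlines():
        entry = parse_connect(line)
        if entry is None:
            continue
        if entry["status"] != "200":
            # No tunnel was opened: the size is Squid's error reply, not tunnel data.
            refused.append(entry)
            continue
        t = tunnels[entry["target"]]
        t["count"] += 1
        t["bytes"] += entry["bytes"]
        t["total_ms"] += entry["elapsed_ms"]
        t["longest_ms"] = max(t["longest_ms"], entry["elapsed_ms"])
    return dict(tunnels), refused

if __name__ == "__main__":
    established, refused = summarise(SAMPLE_LOG)
    for target, t in sorted(established.items()):
        print(f"{target}: {t['count']} tunnels, {t['bytes']} bytes, "
              f"{t['total_ms'] / 1000:.1f}s total, longest {t['longest_ms'] / 1000:.1f}s")
    for e in refused:
        print(f"refused: {e['client']} -> {e['target']} ({e['status']})")
```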