[squid-users] Logging of https
James Lay
jlay at slave-tothe-box.net
Thu Mar 24 20:13:50 UTC 2016
On 2016-03-24 13:41, Markey, Bruce wrote:
> I'm hoping this is a simple question, I've gotten/seen differing
> answers and I'd just like a final answer.
>
> With squid set up as a transparent proxy via wccp will there be any log
> entries for https sites, even just the ip? Just the initial get
> request is what I'd expect.
>
> ( I have no interest in breaking https, I'd simply like to get any
> data I can without having to go down that road)
>
> If yes then what needs to be done to make that happen. Currently
> everything is working on the http side perfectly. On the https side
> as soon as I enable wccp redirection of 443 to squid it breaks https.
> ( I'll add here that I've read all the peek and splice info and I
> don't really understand it.)
>
> Thanks
>
> BRUCE MARKEY | Network Security Analyst
>
> STEINMAN COMMUNICATIONS
>
> 717.291.8758 (o) | bmarkey at steinmancommunications.com
>
> 8 West King St | PO Box 1328, Lancaster, PA 17608-1328
>
>
Read this:
http://thread.gmane.org/gmane.comp.web.squid.general/114384/focus=114389
Sample messages:
allowed https:
Mar 24 14:02:11 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:14:02:11 -0600] "CONNECT 209.59.180.48:443 HTTP/1.1" - - 200 5511 TCP_TUNNEL:ORIGINAL_DST
note the size, 5511, and the TCP_TUNNEL, this has no SNI
denied https:
Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.35.38:443 HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST
note the size, 0, and the TAG_NONE, and this also has no SNI
Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.177.121:443 HTTP/1.1" track.appsflyer.com - 200 0 TAG_NONE:ORIGINAL_DST
again, size, and TAG_NONE, but we saw SNI for this one.
The above is the output when using the config info in the link. Hope
that helps.
James
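
The reading of these entries described in the reply above (result tag, byte count, SNI field), as an added example that is not part of the original post or of Squid itself. The field layout in the regex is an assumption inferred from the three sample lines; the logformat that produces them is in the linked thread.

```python
import re

# Field layout inferred from the sample lines in the post (assumption):
# syslog prefix, client, two idents, [time], "request", SNI, one more
# field, status, bytes, RESULT:HIERARCHY.
LINE_RE = re.compile(
    r'^\w{3} +\d+ [\d:]+ \S+ \(squid-\d+\): '
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<dest>\S+) [^"]+" '
    r'(?P<sni>\S+) \S+ (?P<status>\d{3}) (?P<size>\d+) '
    r'(?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)$'
)

# The three sample entries from the post, joined back onto one line each.
SAMPLE = [
    'Mar 24 14:02:11 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:14:02:11 -0600] '
    '"CONNECT 209.59.180.48:443 HTTP/1.1" - - 200 5511 TCP_TUNNEL:ORIGINAL_DST',
    'Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] '
    '"CONNECT 54.171.35.38:443 HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST',
    'Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] '
    '"CONNECT 54.171.177.121:443 HTTP/1.1" track.appsflyer.com - 200 0 TAG_NONE:ORIGINAL_DST',
]

def parse_connect(line):
    """Return a dict for a CONNECT entry, or None if the line does not match."""
    m = LINE_RE.match(" ".join(line.split()))  # also undoes mail line-wrapping
    if m is None or m["method"] != "CONNECT":
        return None
    size, result = int(m["size"]), m["result"]
    # Reading used in the post: TCP_TUNNEL with bytes moved was allowed,
    # TAG_NONE with size 0 was denied. Anything else is left unclassified.
    if result == "TCP_TUNNEL" and size > 0:
        verdict = "allowed"
    elif result == "TAG_NONE" and size == 0:
        verdict = "denied"
    else:
        verdict = "unclassified"
    return {"client": m["client"], "dest": m["dest"], "size": size,
            "sni": None if m["sni"] == "-" else m["sni"],
            "result": result, "verdict": verdict}

def summarize(lines):
    """Count (verdict, SNI-or-destination) pairs across the parsed lines."""
    counts = {}
    for entry in filter(None, map(parse_connect, lines)):
        key = (entry["verdict"], entry["sni"] or entry["dest"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```
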