[squid-users] Understand GOOGLEVIDEO Url from access.log

Amos Jeffries squid3 at treenet.co.nz
Tue May 10 09:52:32 UTC 2016

On 10/05/2016 8:31 p.m., alesironi wrote:
> Hello everyone
> sorry if it's a stupid question but I'm a newbie of SQUID and PROXIES as
> well.

Well, firstly. Please dont shout :-P

Seriously though; Some of the words you are upper-casing are trademarks
or technical terms and the case used is relevant to what you are
speaking about.
(not picking on you specifically, others on the list have been getting
very sloppy too recently - this message is a perfect example of the

 SQUID and Squid are different things. Both used in networking. But
thankfully SQUID is a layer-1 device not commonly spoken about around
here so not much confusion.

However; proxy and PROXY are also two different things. For extra
difficulty both relate to things about Squid. PROXY (all upper case and
no pluralisation) being one of the protocols that Squid can use nowdays.

> I have SQUID installed on UBUNTU, working fine, only authorized users can
> use the proxy.

Squid, Ubuntu, YouTube and GoogleVideo are trademarks with specific
spelling when used outside of URLs.


> Some users are watching youtube videos (I can see from the log files); our
> rules are pretty simple and basic, youtube videos are allowed but only if
> they are for working related purposes.
> IN order to understand that I need to check from access.log which kind of
> video they watch (we do this randomly, not for every video, for obvious
> reasons).
> The problem is that on Squid log file (ACCESS.LOG) the URL I see is similar
> to this:
> r10---sn-4g57knd7.googlevideo.com:443
> ...which is not telling me anything about the content of the youtube video
> (it does not work at all...).

The best explanation for the URI (not URL) if you really want to know
why it looks like that (and why its not a URL) is in

The ":443" part means port 443 ... TLS encrypted traffic. That is all.

To misquote The Matrix "there is no video". What your Squid is being
asked to proxy is a two-way opaque stream of TLS encrypted data to/from
that named server:port.

The encrypted data on port 443 is supposed to contain a whole different
layer of HTTP messages commonly referred to as HTTPS, and having
https:// URLs. There may be one or more messages, there may (or not) be
a video stream as one of those messages.

So to be accurate; the stream may contain a video, but it also may not
and even when it does there is more than the video happening in there.

> Do you have any suggestion on how to understand the content of the video
> starting from that URL? Or any suggestion on how to achieve my goal?

What do you mean by "kind"? Your description implies that you mean the
actual visual content of it. You will not be able to see that without
downloading and viewing it yourself.

The most you will ever be able to see from HTTP layer logs was that it
was a video and the URL that it was stored at. Which is usually just a
random unique character sequence for an ID. To even get that much
information you will have to intercept and decrypt the users traffic.

Please check with your companies legal department about whether you can
do that encryption legally. There are some countries where doing so on
any network is completely prohibited or requires a government license.
Other places that policy you mention might be enough so long as your
users have signed agreement to it.

Once you know the legal situation look into
<http://wiki.squid-cache.org/Features/SslPeekAndSplice>. You will also
need to be using the latest Squid packages (3.5.19 or 4.0.10 today) and
regularly updating. TLS interception is an arms race situation that is
constantly changing both the security encryption and the attack methods
to break into it.


More information about the squid-users mailing list