[squid-users] Squid doesn't use domain name as a request URL in access.log when splice at step 3 occurs

Garri Djavadyan garryd at comnet.uz
Fri Nov 4 14:06:22 UTC 2016


On Fri, 2016-11-04 at 17:43 +0500, Garri Djavadyan wrote:
> I noticed that Squid doesn't use gathered domain name information for
> %ru in access.log when splice action is performed at step 3 for
> intercepted traffic. The format code ssl::>sni is available at both
> steps. Below are examples used to verify the behavior using Squid
> 3.5.22, but the results are same for Squid 4.0.16.
> 
> The request used on client:
> 
> $ curl https://www.openssl.org/ > /dev/null
> 
> 
> The configuration for splice at step 2:
> 
> # diff etc/squid.conf.default etc/squid.conf
> 73a74,78
> > 
> > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> generate-host-certificates
> > 
> > acl StepSplice at_step SslBump2
> > ssl_bump splice StepSplice
> > ssl_bump peek all
> > logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru
> > %[un
> %Sh/%<a %mt %ssl::>sni
> 
> 
> The result:
> 
> 1478256091.609   1028 172.16.0.21 TAG_NONE/200 0 CONNECT 104.124.119.14:443 - HIER_NONE/- - www.openssl.org
> 1478256091.609   1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
> 
> 
> -----
> The configuration for splice at step 3:
> 
> # diff etc/squid.conf.default etc/squid.conf
> 73a74,78
> > 
> > https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
> generate-host-certificates
> > 
> > acl StepSplice at_step SslBump3
> > ssl_bump splice StepSplice
> > ssl_bump peek all
> > logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru
> > %[un
> %Sh/%<a %mt %ssl::>sni
> 
> 
> The result:
> 1478256303.420    574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
> 
> 
> Is it a bug or intended behavior? Thanks.
> 
> Garri

It prevents domain name identification when SNI is not provided by a
client. For example:

Request:
$ echo -e "HEAD / HTTP/1.1\nHost: www.openssl.org\n\n" | openssl s_client -quiet -no_ign_eof -connect www.openssl.org:443

Config:
# diff etc/squid.conf.default etc/squid.conf
73a74,78
> https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem
generate-host-certificates
> acl StepSplice at_step SslBump3
> ssl_bump splice StepSplice
> ssl_bump peek all
> logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un
%Sh/%<a %mt %ssl::>sni

Result:
1478267428.070    347 172.16.0.21 TCP_TUNNEL/200 235 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - -
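
As an added example, not part of Garri's post or of Squid itself: a small Python parser for the logformat used above that resolves each entry to a server name from %ru, falls back to %ssl::>sni when %ru carries only the intercepted IP:port (the step-3 splice case), and flags the no-SNI case where neither field names the domain. It assumes the %[un and %mt fields never contain whitespace; the sample lines are the ones quoted in the post.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple
# Field order of the custom logformat used in the post (11 whitespace-separated fields):
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
Entry = NamedTuple("Entry", [("ts", float), ("duration_ms", int), ("client", str), ("tag", str),
                             ("status", int), ("size", int), ("method", str), ("url", str),
                             ("user", str), ("hier", str), ("server", str), ("mime", str), ("sni", str)])

def parse_line(line: str) -> Entry:
    f = line.split()
    if len(f) != 11:
        raise ValueError("expected 11 fields, got %d: %r" % (len(f), line))
    tag, status = f[3].split("/", 1)      # %Ss/%03>Hs
    hier, server = f[8].split("/", 1)     # %Sh/%<a
    return Entry(float(f[0]), int(f[1]), f[2], tag, int(status), int(f[4]),
                 f[5], f[6], f[7], hier, server, f[9], f[10])

def url_host(url: str) -> str:
    """Host part of %ru: a CONNECT target ('host:port') or an absolute URL."""
    if "://" in url:                      # absolute URL -> keep the authority only
        url = url.split("://", 1)[1].split("/", 1)[0]
    if url.startswith("["):               # bracketed IPv6 literal
        return url[1:url.index("]")]
    host, _, _ = url.rpartition(":")
    return host or url                    # no port present

def effective_host(e: Entry) -> Tuple[Optional[str], str]:
    """Best server name for the entry and its source: 'url', 'sni' or 'none'.
    If %ru is only the intercepted IP:port, fall back to %ssl::>sni; without SNI too, nothing is left."""
    host = url_host(e.url)
    try:
        ipaddress.ip_address(host)        # IP literal -> no name in %ru
    except ValueError:
        return host, "url"
    if e.sni != "-":
        return e.sni, "sni"
    return None, "none"

def unresolved(lines: List[str]) -> List[Entry]:
    """Entries with no domain from either %ru or %ssl::>sni; worth alerting on."""
    return [e for e in map(parse_line, lines) if effective_host(e)[1] == "none"]

# The four access.log lines quoted in the post (step-2 splice, step-3 splice, no-SNI client).
SAMPLE_LOG = """\
1478256091.609   1028 172.16.0.21 TAG_NONE/200 0 CONNECT 104.124.119.14:443 - HIER_NONE/- - www.openssl.org
1478256091.609   1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
1478256303.420    574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org
1478267428.070    347 172.16.0.21 TCP_TUNNEL/200 235 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - -
"""
```

Running `unresolved(SAMPLE_LOG.splitlines())` returns only the last line, the request sent without SNI, which is the case the post ends on.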

