[squid-users] Squid doesn't use domain name as a request URL in access.log when splice at step 3 occurs
rousskov at measurement-factory.com
Fri Nov 4 20:15:40 UTC 2016
On 11/04/2016 08:06 AM, Garri Djavadyan wrote:
> On Fri, 2016-11-04 at 17:43 +0500, Garri Djavadyan wrote:
>> I noticed that Squid doesn't use gathered domain name information for
>> %ru in access.log when splice action is performed at step 3 for
>> intercepted traffic.
%ru is about client/user actions. It should be filled with what the
client sent to Squid. In an intercepting and splicing configuration like
yours, %>ru (and deprecated %ru) should contain the intended destination
IP address (at step 1) and SNI, if any, at step 2+.
> %ru Request URL from client (historic, filtered for logging)
> %>ru Request URL from client
> %<ru Request URL sent to server or peer
According to the above, during step 3, %<ru should have SNI sent by
Squid to the server (if any) or the server IP (otherwise).
>> $ curl https://www.openssl.org/ > /dev/null
>> https_port 3129 intercept ssl-bump ..
>> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
>> at step 2:
>> 1478256091.609 1028 172.16.0.21 TAG_NONE/200 0 CONNECT 126.96.36.199:443 - HIER_NONE/- - www.openssl.org
>> 1478256091.609 1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT www.openssl.org:443 - ORIGINAL_DST/188.8.131.52 - www.openssl.org
>> at step 3:
>> 1478256303.420 574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT 184.108.40.206:443 - ORIGINAL_DST/220.127.116.11 - www.openssl.org
Just one record? That in itself is probably a bug!
Please see whether trunk r14913 (or any later revision) improves or
fixes this. That revision contains important and potentially relevant
> It prevents domain name identification when SNI is not provided by a
> client. For example:
> $ echo -e "HEAD / HTTP/1.1\nHost: www.openssl.org\n\n" | openssl
> s_client -quiet -no_ign_eof -connect www.openssl.org:443
> 1478267428.070 347 172.16.0.21 TCP_TUNNEL/200 235 CONNECT 18.104.22.168:443 - ORIGINAL_DST/22.214.171.124 - -
IMO, the lack of a domain name is correct in this %ru case -- the client
did not send a domain name to Squid!
More information about the squid-users