[squid-users] Squid doesn't use domain name as a request URL in access.log when splice at step 3 occurs

Alex Rousskov rousskov at measurement-factory.com
Fri Nov 4 20:15:40 UTC 2016

On 11/04/2016 08:06 AM, Garri Djavadyan wrote:
> On Fri, 2016-11-04 at 17:43 +0500, Garri Djavadyan wrote:
>> I noticed that Squid doesn't use gathered domain name information for
>> %ru in access.log when splice action is performed at step 3 for
>> intercepted traffic. 

%ru is about client/user actions. It should be filled with what the
client sent to Squid. In an intercepting and splicing configuration like
yours, %>ru (and deprecated %ru) should contain the intended destination
IP address (at step 1) and SNI, if any, at step 2+.

>  %ru  Request URL from client (historic, filtered for logging)
> %>ru  Request URL from client
> %<ru  Request URL sent to server or peer

According to the above, during step 3, %<ru should have SNI sent by
Squid to the server (if any) or the server IP (otherwise).

>> $ curl https://www.openssl.org/ > /dev/null

>> https_port 3129 intercept ssl-bump ..
>> logformat squid      %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni

>> at step 2:

>> 1478256091.609   1028 TAG_NONE/200 0 CONNECT - HIER_NONE/- - www.openssl.org
>> 1478256091.609   1026 TCP_TUNNEL/200 9807 CONNECT www.openssl.org:443 - ORIGINAL_DST/ - www.openssl.org


>> at step 3:

>> 1478256303.420    574 TCP_TUNNEL/200 6897 CONNECT - ORIGINAL_DST/ - www.openssl.org

Just one record? That in itself is probably a bug!

Please see whether trunk r14913 (or any later revision) improves or
fixes this. That revision contains important and potentially relevant

> It prevents domain name identification when SNI is not provided by a
> client. For example:
> Request:
> $ echo -e "HEAD / HTTP/1.1\nHost: www.openssl.org\n\n" | openssl
> s_client -quiet -no_ign_eof -connect www.openssl.org:443
> Result:
> 1478267428.070    347 TCP_TUNNEL/200 235 CONNECT - ORIGINAL_DST/ - -

IMO, the lack of a domain name is correct in this %ru case -- the client
did not send a domain name to Squid!



More information about the squid-users mailing list