[squid-users] Peek and Splice - Termination Log

[Eric Lackey]

Hello, we’re beginning to enable the Peek and Splice feature on Squid 3.5. Our ssl_bump configuration looks like below where we’re validating the request matches a domain in our allowed_sites file and then terminating the SSL connection if it does not. 

This is all working well except for the fact that we don’t have a good way to determine what is being blocked. In the configuration below, the only log we get is when Squid connects to the external server to get the SSL certificate and that is usually a 200 response. If the domain does not match our allowed list the connection is then terminated and no additional log is written. 

I know that we can see this in cache.log by enabling debugging (debug_options 28,4), but that’s a large amount of log data to try to process and report on and the structure of the log is not something that we can easily ingest into our logging platform. It would be great if we could get it into a JSON format similar to how we can with access_log. 

Does anyone else have a solution for this and if not, is this something that has been requested as a feature in the past?

Thanks in advance for any help.

======

# Define allowed sites
acl allowed_https_sites ssl::server_name_regex "/etc/squid/allowed_sites"

ssl_bump peek all
ssl_bump splice allowed_https_sites
ssl_bump terminate step3 all