[squid-users] squid access.log

Alex Rousskov rousskov at measurement-factory.com
Mon Apr 20 20:54:31 UTC 2020

On 4/20/20 4:13 PM, leomessi983 at yahoo.com wrote:
> Well in my case for my single web request in first CONNECT log entry,
> the domain address is IP address of server and URL is IP:PORT of server
> and in second log entry domain is example.com and URL is example.com:443 .

Yes, this is typical.

> but why?

You see IP addresses in CONNECT URIs because that is what the client
(e.g., a browser) sent to Squid or, if you are intercepting, that is how
Squid shows intercepted TCP connections.

Per protocol specification, A CONNECT request URI (or request target)
syntax differs from the syntax of other common request URIs (e.g.,
HEAD). For details, see request-target at

> I dont bump anything in this requests!

I probably do not know what you mean by this remark. You other comments
indicate that you do bump CONNECT tunnels. If you use "ssl_bump bump" or
equivalent deprecated rules, then, for the purposes of this discussion,
you are probably bumping (i.e., decrypting) some CONNECT tunnels.

> If I use ssl::server_name and specify IP address of server to bump
> https request, my https://example.com request will be blocked, I dont
> send requests in the example format of .but they will be
> blocked while I dont want to.

Your http_access and ssl_bump rules have to match reality. There is no
way around that. In reality, CONNECT requests use different request
target than, say, HEAD requests inside those CONNECT tunnels.

If you can configure Wireshark or a similar packet inspection tool to
decrypt CONNECT tunnels and show you both CONNECT requests and the
requests inside the tunnel, all these details may become a bit easier to
grasp. Unfortunately, I do not have ready-to-use instructions on how to
configure Wireshark to decrypt to- and from-Squid communications.



> On Monday, April 20, 2020, 11:39:23 PM GMT+4:30, Alex Rousskov wrote:
> On 4/20/20 2:04 PM, leomessi983 at yahoo.com <mailto:leomessi983 at yahoo.com>
> wrote:
>> hi
>> I have one question.
>> why for each https request that squid do peek or bump or splice ,squid
>> logs 2 lines?
>> one with connect method and one with head method?
> ... because there are two HTTP[S] requests in those cases, one with the
> CONNECT method and one with the HEAD method. There are other cases where
> one bumped CONNECT tunnel carries hundreds or even thousands of
> GET/HEAD/PUT/POST/CONNECT/etc. requests. And there are also cases where
> a bumped CONNECT tunnel carries no requests at all.
> In summary, one bumped CONNECT tunnel will (by default) result in one or
> more access.log records, starting with the CONNECT record.
> Alex.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

More information about the squid-users mailing list