[squid-users] Squid access.log

Kornexl, Anton Anton.Kornexl at uni-passau.de
Thu Jan 16 20:39:02 UTC 2020


I use squid 4.9 on OpenSuse 15.1.
Almost all https-Requests are logged with https:443:

1579204357.578      1 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204358.623      0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204358.672      1 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204358.677      0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204358.680      0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204359.261      0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204360.227   8766 1.2.3.4 TCP_TUNNEL/200 47056 CONNECT 3c.web.de:443 - HIER_DIRECT/217.72.196.68 -
1579204363.236      0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204377.895  16489 1.2.3.4 TCP_TUNNEL/200 3851 CONNECT t.uimserv.net:443 - HIER_DIRECT/195.20.250.183 -
1579204381.210      0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204381.960      0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204383.712   8416 1.2.3.4 TCP_TUNNEL/200 8409 CONNECT 3c.web.de:443 - HIER_DIRECT/217.72.196.68 -
1579204396.847  45930 1.2.3.4 TCP_TUNNEL/200 77063 CONNECT adimg.uimserv.net:443 - HIER_DIRECT/23.210.249.45 -

Only some https-Requests get logged with a useful line.
I don't use SSLBump.

I have logged the traffic in a haproxy in front of this squid:
These requests
2020-01-16T20:59:28+01:00 Jufi haproxy[1796]: 1.2.3.4:20711 [16/Jan/2020:20:59:28.656] squid squidservers/squidserver1 0/0/0/3/3 503 4252 - - ---- 12/12/11/3/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1"
2020-01-16T20:59:34+01:00 Jufi haproxy[1796]: 1.2.3.4:30065 [16/Jan/2020:20:59:34.226] squid squidservers/squidserver1 0/0/0/1/1 503 4252 - - ---- 13/13/12/3/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1"
2020-01-16T21:01:14+01:00 Jufi haproxy[1796]: 1.2.3.4:19521 [16/Jan/2020:21:01:14.892] squid squidservers/squidserver1 0/0/0/2/2 503 4252 - - ---- 22/22/19/9/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1"
2020-01-16T21:01:15+01:00 Jufi haproxy[1796]: 1.2.3.4:31880 [16/Jan/2020:21:01:15.901] squid squidservers/squidserver1 0/0/0/0/0 503 4252 - - ---- 22/22/19/9/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1"

don't show up in access.log (squid)

These requests are logged (with the time at the start of the line converted to human readable):
Thu Jan 16 20:59:28 2020      2 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
Thu Jan 16 20:59:34 2020      0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
Thu Jan 16 21:01:14 2020      1 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
Thu Jan 16 21:01:15 2020      0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -

Why are some https-requests logged with the correct hostname and no fake CONNECT https:443, and other requests logged without the correct domain but with fake CONNECT entries?

On another system I have squid 3.5.27 (Ubuntu 18.04).
There are no CONNECT https:443 log lines and all https-requests are logged with CONNECT <hostname>:443 entries.

Anton Kornexl

-----Original Message-----
From: Alex Rousskov <rousskov at measurement-factory.com>
Sent: Thursday, 16 January 2020 15:08
To: Kornexl, Anton <KORNEXL at ads.uni-passau.de>; 217.252.117.35
Subject: Re: [squid-users] Squid access.log

On 1/16/20 3:06 AM, Kornexl, Anton wrote:

> I see many requests with CONNECT https:443 in my access.log

> How are these entries triggered?

These records are logged when your Squid is done with an HTTP CONNECT
tunnel or after Squid intercepts a TLS connection. In very broad terms,
they are a sign that your Squid participates in HTTPS transactions.
Normally, there should be more than "https:443" in those CONNECT records.


> They produce errors in some accounting scripts

Consider either fixing the scripts or, if losing information about
CONNECT tunnels is acceptable to your accounting, filtering CONNECT
records out before giving the logs to the scripts.

You can also configure Squid to stop logging CONNECT transactions (using
access_log ACLs), but I do not recommend hiding the truth that may be
critical in a triage.


HTH,

Alex.
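As an added example (not code from this thread or from the Squid project), the script below parses both log formats quoted above and, rather than filtering the bare `CONNECT https:443` records out of the accounting input, keeps them and recovers the intended target from the haproxy log of the same client when a CONNECT was logged there within one second. It assumes Squid's native access.log format and a haproxy HTTP log line behind a syslog ISO-8601 timestamp; the sample lines are constructed from the ones in this thread.

```python
import re
from datetime import datetime

# Squid "native" access.log format, as in the lines quoted in this thread.
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>[A-Z_]+)/\S+\s+\S+$")
# haproxy HTTP log line behind a syslog ISO-8601 timestamp, as in this thread.
HAPROXY_RE = re.compile(
    r'^(?P<ts>\S+) \S+ haproxy\[\d+\]: (?P<client>[\d.]+):\d+ .*"(?P<method>\S+) '
    r'(?P<target>\S+) HTTP/[\d.]+"$')

# Constructed sample: two degenerate records, one real tunnel, one record nothing matches.
SQUID_SAMPLE = """\
1579204768.659      2 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204774.227      0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204780.100   8766 1.2.3.4 TCP_TUNNEL/200 47056 CONNECT 3c.web.de:443 - HIER_DIRECT/217.72.196.68 -
1579204790.000      0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
""".splitlines()
HAPROXY_SAMPLE = """\
2020-01-16T20:59:28+01:00 Jufi haproxy[1796]: 1.2.3.4:20711 [16/Jan/2020:20:59:28.656] squid squidservers/squidserver1 0/0/0/3/3 503 4252 - - ---- 12/12/11/3/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1"
2020-01-16T20:59:34+01:00 Jufi haproxy[1796]: 1.2.3.4:30065 [16/Jan/2020:20:59:34.226] squid squidservers/squidserver1 0/0/0/1/1 503 4252 - - ---- 13/13/12/3/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1"
""".splitlines()

def parse_squid(line):
    m = SQUID_RE.match(line.strip())
    return dict(m.groupdict(), ts=float(m["ts"]), bytes=int(m["bytes"])) if m else None

def parse_haproxy(line):  # ISO-8601 time with offset -> UTC epoch, comparable with squid's ts
    m = HAPROXY_RE.match(line.strip())
    return dict(m.groupdict(), ts=datetime.fromisoformat(m["ts"]).timestamp()) if m else None

def is_degenerate_connect(rec):
    """CONNECT with no hostname and no upstream: Squid never had a usable target."""
    return rec["method"] == "CONNECT" and rec["url"] == "https:443" and rec["hier"] == "HIER_NONE"

def annotate(squid_lines, haproxy_lines, window=1.0):
    """Give each CONNECT record a 'target': real tunnels carry it in the URL; degenerate
    ones take the nearest haproxy CONNECT of the same client within `window` seconds."""
    hap = [h for h in map(parse_haproxy, haproxy_lines) if h and h["method"] == "CONNECT"]
    out = []
    for rec in filter(None, map(parse_squid, squid_lines)):
        rec["target"] = rec["url"] if rec["method"] == "CONNECT" else None
        if is_degenerate_connect(rec):  # unmatched records keep target=None; never drop them
            near = [h for h in hap if h["client"] == rec["client"] and abs(h["ts"] - rec["ts"]) <= window]
            rec["target"] = min(near, key=lambda h: abs(h["ts"] - rec["ts"]))["target"] if near else None
        out.append(rec)
    return out
```

Records whose target stays `None` are the ones worth counting separately in the accounting output, since they are the signal Alex warns against hiding.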

