[squid-users] Squid access.log

Alex Rousskov rousskov at measurement-factory.com
Thu Jan 16 21:04:06 UTC 2020


On 1/16/20 3:39 PM, Kornexl, Anton wrote:

> Why are some https-requests logged with the correct hostname and no
> fake CONNECT https:443 and other requests are logged without correct
> domain but with fake CONNECT entries?

For every specific log record, either there is a Squid bug or you are
dealing with some special traffic that you do not know about (e.g., see
Amos' response regarding old redirectors causing such weird entries).

Your best bet may be to find out what exactly Squid receives when it
produces a specific unexpected log entry. You can try to do that using
%>handshake logformat code or, if that does not work, using
tcpdump/wireshark/etc. Once properly collected and shared, the folks
here can help you decode the binary handshake blob and, hopefully,
explain what you are seeing.

Alex.


> -----Original Message-----
> From: Alex Rousskov <rousskov at measurement-factory.com>
> Sent: Thursday, 16 January 2020 15:08
> To: Kornexl, Anton <KORNEXL at ads.uni-passau.de>; 217.252.117.35
> Subject: Re: [squid-users] Squid access.log
> 
> On 1/16/20 3:06 AM, Kornexl, Anton wrote:
> 
>> I see many requests with CONNECT https:443 in my access.log
> 
>> How are these entries triggered?
> 
> These records are logged when your Squid is done with an HTTP CONNECT
> tunnel or after Squid intercepts a TLS connection. In very broad terms,
> they are a sign that your Squid participates in HTTPS transactions.
> Normally, there should be more than "https:443" in those CONNECT records.
> 
> 
>> They produce errors in some accounting scripts
> 
> Consider either fixing the scripts or, if losing information about
> CONNECT tunnels is acceptable to your accounting, filtering CONNECT
> records out before giving the logs to the scripts.
> 
> You can also configure Squid to stop logging CONNECT transactions (using
> access_log ACLs), but I do not recommend hiding the truth that may be
> critical in a triage.
> 
> 
> HTH,
> 
> Alex.
> 
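
The decoding step mentioned in the reply above, as an added example that is not part of the original message or of Squid's own code: it classifies one logged %>handshake value and pulls the SNI out of a TLS ClientHello. It assumes the field holds the base64-encoded initial client bytes; sni_from_handshake and sample_clienthello are hypothetical names, and the sample ClientHello is constructed, not captured traffic.

```python
import base64
import struct

def sni_from_handshake(b64_blob):
    """Classify a %>handshake value; return (kind, sni_or_None)."""
    try:
        data = base64.b64decode(b64_blob)   # assumption: field is base64
    except ValueError:
        return ("undecodable", None)
    # TLS record type 0x16 (handshake) carrying handshake type 0x01 (ClientHello)
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return ("not-tls", None)
    hello_end = 9 + int.from_bytes(data[6:9], "big")
    try:
        pos = 5 + 4 + 2 + 32                # headers, client_version, random
        pos += 1 + data[pos]                # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]   # cipher_suites
        pos += 1 + data[pos]                # compression_methods
        if pos >= hello_end:
            return ("tls-clienthello", None)    # no extensions block at all
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:   # server_name: list len(2), type(1), len(2), name
                name_type, name_len = struct.unpack_from("!BH", data, pos + 2)
                name = data[pos + 5:pos + 5 + name_len]
                if len(name) < name_len:
                    return ("truncated", None)
                if name_type == 0:          # host_name
                    return ("tls-clienthello", name.decode("ascii", "replace"))
            pos += ext_len
        return ("tls-clienthello", None)    # ClientHello without SNI
    except (IndexError, struct.error):
        return ("truncated", None)

def sample_clienthello(host):
    """Constructed minimal ClientHello (demo input, not captured traffic)."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return base64.b64encode(b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs).decode()

if __name__ == "__main__":
    print(sni_from_handshake(sample_clienthello("example.com")))
```

A "not-tls" result for a record logged as CONNECT https:443 points at non-TLS bytes arriving on the intercepted port, while "truncated" means the logged bytes end before the server name.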


