[squid-users] Gather POST request on HTTPS traffic?

[Amos Jeffries]

On 17/11/20 12:14 pm, roee klinger wrote:
> Hello everyone,
> 
> I work at a digital agency that has quite a few machines that are 
> managing some Instagram accounts, they are all running in the same LAN 
> and we are using Squid as a proxy to log and analyze some usage 
> statistics and to make sure the machines are only used for Instagram.
> 
> We had an idea to use Squid to capture the POST data of users on the 
> proxy level, for example, likes, follows, comments, etc so we can log 
> and analyze everything in a convenient central way, so we can analyze it 
> and even send out clients a monthly report of all the actions their 
> accounts made (who they followed, what they liked, etc).
> 
> I can easily see the requests that I want to capture inside the 
> "network" tab in Chrome but the problem is that Instagram uses HTTPS, so 
> I can't seem to be able to capture this data.
> 
> 
> Is there any way for me to log this data via Squid using the POST data 
> or any other way?
> 

Access to HTTPS transactions for a domain you do not own requires the 
SSL-Bump feature to decrypt ("bump") the TLS layer.
  see <https://wiki.squid-cache.org/Features/SslPeekAndSplice>.

You could use cache.log with "debug_options ALL,1 11,2" configured to 
log the transactions. However an ICAP service or eCAP module that does 
both the record and analyze for you is probably better.


> 
> Note: We are aware of the legal issues, all machines connected to the 
> network are company property, and all the accounts are client accounts 
> that allow us to gather statistics. No personal account data will be 
> gathered.


Please be aware:
   That statement conflicts with the stated purpose(s) of your plan.

Personal data *will* be part of the messages you are decrypting and 
recording for analysis. Further, to perform targeted reports such as 
described you must also associate the data with accounts somehow.


Amos