<div dir="ltr"><div>Hi,</div><div><br></div><div>Thanks, will try and update.<br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr">----<br><div style="color:rgb(0,114,177);font-stretch:normal;font-size:18px;font-family:'Trebuchet MS',Verdana;letter-spacing:1px">Helen Rai<br></div><div style="font-weight:bold;font-style:italic;font-stretch:normal;font-size:13px;font-family:Arial;color:rgb(32,32,32)">Platform operations, <span style="font-stretch:normal">Nepallink</span></div><a href="tel:44260822" style="color:rgb(84,84,84);text-decoration:none;font-size:12px" target="_blank">44260822</a> <span style="color:rgb(0,114,177);font-size:12px">||</span> <a href="tel:9841262275" style="color:rgb(84,84,84);text-decoration:none;font-size:12px" target="_blank">9841262275</a> <span style="color:rgb(0,114,177);font-size:12px">||</span> <a href="mailto:abuse@nepallink.net" style="color:rgb(84,84,84);text-decoration:none;font-size:12px" target="_blank">support@nepallink.net</a> <br><a href="http://www.nepallink.net/" style="color:rgb(84,84,84);text-decoration:none;font-size:12px" target="_blank">http://www.nepallink.net</a> <span style="color:rgb(0,114,177);font-size:12px">||</span> <span style="color:rgb(84,84,84);font-size:12px">Link Road, Khusibu</span> <div style="height:17px;padding-left:3px;vertical-align:bottom"><table cellspacing="0" cellpadding="0" border="0"><tbody><tr valign="top"><td style="vertical-align:bottom"><a href="http://www.facebook.com/pages/NepalLink-Network/334213043398796" style="color:rgb(17,85,204)" target="_blank"><img src="https://s3.amazonaws.com/images.wisestamp.com/icons/facebook.png" width="16" height="16"></a> <a href="http://twitter.com/nepallink" style="color:rgb(17,85,204)" target="_blank"><img src="https://s3.amazonaws.com/images.wisestamp.com/icons/twitter.png" width="16" height="16"></a> 
</td></tr></tbody></table></div></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Aug 2, 2018 at 4:29 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 02/08/18 19:05, Helen Rai wrote:<br>
> Now what I want to do is log all the web traffic that is requested from<br>
> those devices which are using WiFi.<br>
> I have attached the configuration of squid and Mikrotik which I had done<br>
> for HTTP. (Please note that when I had done this for HTTP, the squid<br>
> wasn't configured with --enable-SSL or --enable-crtd)<br>
> <br>
<br>
</span>Yes, those options are required to handle the TLS which is part of<br>
HTTPS. HTTP is not encrypted. Or rather: --with-openssl is required<br>
<br>
Since you are rebuilding it with these extra options I recommend using<br>
the Squid-4 code from the Debian Sid repository if you can. It contains<br>
much better handling for HTTPS traffic which will be useful later to<br>
avoid non-HTTPS traffic arriving on port 443.<br>
<span class=""><br>
<br>
> I had referred some online sites to do for HTTPS but none of them<br>
> worked. Please help if anyone knows how to log all HTTPS request.<br>
> <br>
> I have attached document regarding the rules applied in Mikrotik and<br>
> squid3 configuration for HTTP.<br>
> <br>
<br>
</span>Okay. So first thing to do is fix some mistakes in your squid.conf<br>
<br>
* "transparent" has long ago been replaced by "intercept"<br>
<br>
http_port 3127 intercept<br>
<br>
* remove incomplete / broken config line<br>
<br>
#http_access deny<br>
<br>
* remove the first two of these repeated lines:<br>
<br>
http_access allow localhost<br>
...<br>
http_access allow localhost<br>
http_access allow localhost<br>
...<br>
<br>
* stop using "localhost" as the ACL name to represent Department-A.<br>
Localhost is a reserved term in networking with a very specific meaning<br>
(different to what you are using it for) which is also baked into Squid<br>
default configuration settings.<br>
<br>
Instead use an ACL which names the thing being matched. For example:<br>
<br>
acl Department-A src <a href="http://10.0.7.0/24" rel="noreferrer" target="_blank">10.0.7.0/24</a><br>
<br>
<br>
* move your custom setting down below the default security http_access<br>
rules. Those are the deny lines referring to SSL_ports and Safe_ports.<br>
<br>
Your http_access lines should now look nice and simple, like this:<br>
<br>
<br>
http_access deny !Safe_ports<br>
http_access deny CONNECT !SSL_ports<br>
<br>
acl test dstdomain "/etc/squid3/acl/test"<br>
http_access deny test<br>
<br>
acl Department-A src <a href="http://10.0.7.0/24" rel="noreferrer" target="_blank">10.0.7.0/24</a><br>
http_access allow Department-A<br>
<br>
http_access deny all<br>
<br>
<br>
*** Your HTTP traffic should still be fully operational and doing what<br>
you want after these changes. If not something is broken we need to fix<br>
before continuing.<br>
<br>
<br>
Second, add the pieces necessary for handling port 443 traffic to<br>
squid.conf.<br>
<br>
You *will* need to generate a self-signed CA certificate with the<br>
signing-cert (CA) and HTTP server properties to use SSL-Bump features.<br>
But that will only need to be installed on clients machine *if* you go<br>
as far as decrypting the HTTPS traffic or producing errors for clients.<br>
This is where Squid-4 handles TLS far more cleanly than Squid-3.5.<br>
<br>
<br>
# A port to receive port 443 traffic from Mikrotik<br>
https_port 3129 intercept ssl-bump cert=/etc/squid3/your-CA.pem<br>
<br>
... note the 's' in that directive name. A typo there breaks HTTPS in<br>
confusing ways.<br>
<br>
<br>
# SSL-Bump rules to peek at details for logging, then relay the traffic<br>
acl step1 at_step SslBump1<br>
ssl_bump peek step1<br>
ssl_bump splice all<br>
<br>
# Squid-4 can pass any non-HTTPS through or omit the below line to<br>
deliver error pages signed by the certificate in your-CA.pem.<br>
<br>
on_unsupported_protocol tunnel<br>
<br>
<br>
Thirdly, you need to add an entry to the Raspberry Pi NAT rules. Same as<br>
for the port 80 NAT rule that should also exist, but for port 443.<br>
<br>
** at this point you should be able to test the Raspberry PI is working<br>
for HTTPS by setting a test machine to have the R-Pi IP address as its<br>
gateway and requesting any https:// URL in a Browser, or wget, curl,<br>
squidclient etc.<br>
<br>
<br>
Lastly, when Squid is happily running with all that, add to your Mikrotik<br>
config a second line identical to the first one in your attachment -<br>
except that it ends with "dst-port=443".<br>
<br>
As soon as that line is active in your router the HTTPS traffic should<br>
start arriving and being logged at the Squid.<br>
<br>
<br>
<br>
Please be aware of the following details:<br>
<br>
* Do expect to see at least half of HTTPS traffic being CONNECT with<br>
raw-IPs and 0 bytes transferred. That is from the first step of<br>
SSL-Bump'ing. They should be followed by another CONNECT with the TLS<br>
SNI domain name and correct size of data transferred (one-way, to client).<br>
<br>
<br>
* The SNI is only accurate for honest clients. It can be forged and the<br>
real HTTPS messages may be using another domain name hosted on the same<br>
server/CDN network.<br>
However, to be properly sure that the traffic inside the TLS is going<br>
to the domain the SNI claimed you will have to fully decrypt the traffic<br>
(bump action) and that means installing your CA cert on all client<br>
machines. Plus configuring dynamic cert generation on the https_port line.<br>
Start with getting the above non-decrypt setup working before going<br>
near bumping.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
Amos<br>
</font></span></blockquote></div><br></div>
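The squid.conf checklist in Amos's reply above, turned into a small lint script. This is an added example, not part of the thread and not Squid's own tooling; the two config samples inside it are constructed: BAD_CONF mirrors the mistakes the reply calls out (transparent instead of intercept, an incomplete http_access line, the repeated localhost allows, localhost as a department ACL name, custom rules above the Safe_ports/SSL_ports denies, ssl-bump on http_port instead of https_port), and GOOD_CONF is the corrected layout the reply recommends. Only the handful of directives needed for these checks is understood; it complements rather than replaces `squid -k parse`.

```python
"""Lint a squid.conf against the checklist from the reply above.

Added example, not part of the mailing-list thread and not Squid's own code.
The two config samples are constructed; only a small subset of Squid syntax
is understood (enough for these specific checks).
"""

# Constructed sample: the kind of squid.conf the reply was fixing.
BAD_CONF = """\
http_port 3127 transparent
http_port 3129 intercept ssl-bump cert=/etc/squid3/your-CA.pem
acl localhost src 10.0.7.0/24
http_access allow localhost
http_access allow localhost
http_access deny
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
"""

# Constructed sample: the corrected layout recommended in the reply.
GOOD_CONF = """\
http_port 3127 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid3/your-CA.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
on_unsupported_protocol tunnel
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl test dstdomain "/etc/squid3/acl/test"
http_access deny test
acl Department-A src 10.0.7.0/24
http_access allow Department-A
http_access deny all
"""


def parse(text):
    """Yield (lineno, directive, args) for each non-blank, non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield n, parts[0], parts[1:]


def lint(text):
    """Return a list of findings ('line N: ...'); an empty list means clean."""
    findings = []
    seen_safe_ports = seen_ssl_ports = False  # default deny rules seen yet?
    prev_access = None                        # previous http_access rule text
    has_bump_port = has_bump_rules = False

    for n, directive, args in parse(text):
        if directive in ("http_port", "https_port"):
            if "transparent" in args:
                findings.append(f"line {n}: 'transparent' is obsolete, use 'intercept'")
            if "ssl-bump" in args:
                has_bump_port = True
                if directive == "http_port":
                    findings.append(f"line {n}: ssl-bump belongs on https_port (note the 's')")
        elif directive == "acl":
            # 'localhost' is a reserved name baked into Squid's defaults.
            if args and args[0] == "localhost":
                findings.append(f"line {n}: 'localhost' is a reserved ACL name; "
                                "name the ACL after what it matches")
        elif directive == "ssl_bump":
            has_bump_rules = True
        elif directive == "http_access":
            rule = " ".join(args)
            if len(args) < 2:
                findings.append(f"line {n}: incomplete http_access rule '{rule}'")
            elif rule == prev_access:
                findings.append(f"line {n}: duplicate of previous rule '{rule}'")
            elif rule == "deny !Safe_ports":
                seen_safe_ports = True
            elif rule == "deny CONNECT !SSL_ports":
                seen_ssl_ports = True
            elif args[0] == "allow" and not (seen_safe_ports and seen_ssl_ports):
                findings.append(f"line {n}: allow rule placed above the default "
                                "Safe_ports/SSL_ports denies")
            prev_access = rule

    if has_bump_port and not has_bump_rules:
        findings.append("no ssl_bump rules: an https_port with ssl-bump needs "
                        "at least the peek/splice rules")
    return findings


if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        result = lint(conf)
        print(f"{name}: {'clean' if not result else ''}")
        for f in result:
            print("  " + f)
```

The ordering check is deliberately simple: any `allow` seen before both default denies is flagged, which is exactly the "move your custom setting down below the default security rules" point. Run it on a real squid.conf by reading the file into `lint()`; it reads only the directives named above and ignores everything else.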