[squid-users] Logging of https
Markey, Bruce
bmarkey at steinmancommunications.com
Thu Apr 7 13:11:27 UTC 2016
Ok, thanks for that. I think I have a slightly better understanding of what is going on. That being said, this is what I've come up with.
No caching. All sites allowed, peeking at all.
I'm hoping this config will simply give me the logging that I'm looking for and nothing else. And from that link you sent, I don't have to install the client-side cert?
Thanks
#Access Lists
acl internal src 192.168.200.0/21
acl wireless src 192.168.100.0/23

#Ports allowed through Squid
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

#allow/deny
# Note: the two "allow" lines below match first, so the Safe_ports and
# SSL_ports denies never apply to internal or wireless clients. Move the
# denies above the allows if they are meant to restrict those networks.
http_access allow internal
http_access allow wireless
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

#Bumping
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek all
ssl_bump splice all

sslproxy_capath /etc/ssl/certs

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /opt/var/ssl_db -M 6MB
sslcrtd_children 5

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

access_log syslog:daemon.info mine

#intercept
http_port 3128 intercept

#certs
# cert=, cafile=, key=, generate-host-certificates, dynamic_cert_mem_cache_size
# and sslflags are https_port options, not stand-alone directives, so they
# belong on the https_port line itself.
https_port 3129 intercept ssl-bump cert=/etc/squid3/certs/squid.pem cafile=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=6MB sslflags=NO_SESSION_REUSE

#nameservers
dns_nameservers 192.168.201.1 8.8.8.8

#WCCPv2 items
wccp_version 2
wccp2_router 192.168.200.73
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=LNP1
wccp2_service dynamic 70 password=LNP1
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

Bruce Markey | Network Security Analyst
STEINMAN COMMUNICATIONS
717.291.8758 (o) | bmarkey at steinmancommunications.com
8 West King St | PO Box 1328, Lancaster, PA 17608-1328
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of James Lay
Sent: Thursday, March 24, 2016 4:14 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Logging of https
On 2016-03-24 13:41, Markey, Bruce wrote:
> I'm hoping this is a simple question, I've gotten/seen differing
> answers and I'd just like a final answer.
>
> With squid setup as a transparent proxy via wccp will there be any log
> entries for https sites, even just the ip? Just the initial get
> request is what I'd expect.
>
> (I have no interest in breaking https, I'd simply like to get any
> data I can without having to go down that road.)
>
> If yes, then what needs to be done to make that happen? Currently
> everything is working on the http side perfectly. On the https side,
> as soon as I enable wccp redirection of 443 to squid it breaks https.
> (I'll add here that I've read all the peek and splice info and I
> don't really understand it.)
>
> Thanks
>
> BRUCE MARKEY | Network Security Analyst
>
> STEINMAN COMMUNICATIONS
>
> 717.291.8758 (o) | bmarkey at steinmancommunications.com
>
> 8 West King St | PO Box 1328, Lancaster, PA 17608-1328
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
Read this:
http://thread.gmane.org/gmane.comp.web.squid.general/114384/focus=114389
Sample messages:
allowed https:
Mar 24 14:02:11 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:14:02:11 -0600] "CONNECT 209.59.180.48:443 HTTP/1.1" - - 200 5511 TCP_TUNNEL:ORIGINAL_DST
Note the size, 5511, and the TCP_TUNNEL; this has no SNI.
denied https:
Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.35.38:443 HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST
Note the size, 0, and the TAG_NONE; this also has no SNI.
Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.177.121:443 HTTP/1.1" track.appsflyer.com - 200 0 TAG_NONE:ORIGINAL_DST
Again, size and TAG_NONE, but we saw SNI for this one.
The above are the output when using the config info in the link. Hope that helps.
James
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
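As an added example, not code from this thread or from the Squid project: a small parser for lines written in Bruce's "mine" logformat (James's sample messages above follow the same field order), which pulls out the SNI and certificate subject and applies James's reading of the two outcomes, TCP_TUNNEL with bytes relayed versus TAG_NONE with a zero size. The shape of the syslog prefix ("Mon DD HH:MM:SS host (squid-N): ") is an assumption taken from the samples, the fourth input line is constructed (TEST-NET address, example.com) to show a certificate subject containing a space, and the function and class names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order of the "mine" logformat from the thread:
#   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh
# The leading "Mon DD HH:MM:SS host (squid-N): " is the syslog prefix that
# access_log syslog:daemon.info prepends; its exact shape is assumed from the
# samples and is optional, so raw access.log lines parse as well.
LINE_RE = re.compile(
    r"^(?:\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ \(squid-\d+\): )?"
    r"(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) "
    r"\[(?P<time>[^\]]+)\] "
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r"(?P<rest>.+)$"
)


@dataclass
class HttpsLogEntry:
    client: str
    method: str
    url: str
    sni: Optional[str]
    cert_subject: Optional[str]
    status: int
    size: int
    squid_status: str   # %Ss, e.g. TCP_TUNNEL or TAG_NONE
    hierarchy: str      # %Sh, e.g. ORIGINAL_DST


def parse_line(line: str) -> HttpsLogEntry:
    """Parse one 'mine'-format line, with or without the syslog prefix."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 'mine'-format line: {line!r}")
    rest = m.group("rest").split(" ")
    # The trailing fields are fixed (%>Hs %<st %Ss:%Sh). %ssl::>cert_subject
    # is not %[-escaped in this logformat and may contain spaces (e.g.
    # "/O=Example Inc"), so it is everything between the SNI and the status.
    if len(rest) < 5:
        raise ValueError(f"too few fields after the request: {line!r}")
    sni, cert_subject = rest[0], " ".join(rest[1:-3])
    status, size, tag = rest[-3], rest[-2], rest[-1]
    squid_status, _, hierarchy = tag.partition(":")
    return HttpsLogEntry(
        client=m.group("client"),
        method=m.group("method"),
        url=m.group("url"),
        sni=None if sni == "-" else sni,
        cert_subject=None if cert_subject == "-" else cert_subject,
        status=int(status),
        size=int(size),
        squid_status=squid_status,
        hierarchy=hierarchy,
    )


def classify(entry: HttpsLogEntry) -> str:
    """Apply James's reading of the two sample outcomes."""
    if entry.squid_status == "TCP_TUNNEL" and entry.size > 0:
        return "spliced"      # tunnel established, bytes relayed end to end
    if entry.squid_status == "TAG_NONE" and entry.size == 0:
        return "no-tunnel"    # nothing relayed; the CONNECT went nowhere
    return "other"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count outcomes and how many entries carried an SNI / cert subject."""
    counts = {"spliced": 0, "no-tunnel": 0, "other": 0,
              "with_sni": 0, "with_cert_subject": 0}
    for line in lines:
        e = parse_line(line)
        counts[classify(e)] += 1
        counts["with_sni"] += int(e.sni is not None)
        counts["with_cert_subject"] += int(e.cert_subject is not None)
    return counts


# The first three lines are James's samples from the thread; the fourth is
# constructed (TEST-NET address, example.com) to exercise a subject with a space.
SAMPLE_LINES = [
    'Mar 24 14:02:11 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:14:02:11 -0600] "CONNECT 209.59.180.48:443 HTTP/1.1" - - 200 5511 TCP_TUNNEL:ORIGINAL_DST',
    'Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.35.38:443 HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST',
    'Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.177.121:443 HTTP/1.1" track.appsflyer.com - 200 0 TAG_NONE:ORIGINAL_DST',
    'Mar 24 14:05:42 gateway (squid-1): 192.168.1.102 - - [24/Mar/2016:14:05:42 -0600] "CONNECT 203.0.113.10:443 HTTP/1.1" www.example.com /CN=www.example.com/O=Example Inc 200 4210 TCP_TUNNEL:ORIGINAL_DST',
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        e = parse_line(raw)
        print(f"{e.client} {e.url:<22} {classify(e):<10} "
              f"sni={e.sni or '-'} subject={e.cert_subject or '-'} bytes={e.size}")
    print(summarize(SAMPLE_LINES))
```

With peek-then-splice the certificate subject will usually stay "-" because Squid never sees the server certificate contents before splicing; the parser takes it from the middle of the line precisely so that a bumped or peeked-at-step2 deployment, where the subject can carry spaces, does not shift the status, size and tag fields.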