[squid-users] Logging of https
James Lay
jlay at slave-tothe-box.net
Thu Apr 7 15:34:22 UTC 2016
That's correct... peek/stare don't require a cert on the client end.
Just keep in mind you won't get a full URL in the logs with https
sites, just the host/ip:
Apr 7 09:30:31 gateway (squid-1): 192.168.1.106 - - [07/Apr/2016:09:30:31 -0600] "CONNECT 216.58.193.78:443 HTTP/1.1" safebrowsing.google.com - 200 871538 TCP_TUNNEL:ORIGINAL_DST
James
On 2016-04-07 07:11, Markey, Bruce wrote:
> Ok thanks for that. I think I have a slightly better understanding of
> what is going on. That being said this is what I've come up with.
>
> No caching. All sites allowed, peeking at all.
>
> I'm hoping this config will simply give me the logging that I'm
> looking for and nothing else. And from that link you sent I don't
> have to install the client side cert?
>
> Thanks
>
> #Access Lists
> acl internal src 192.168.200.0/21
> acl wireless src 192.168.100.0/23
>
> #Ports allowed through Squid
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl SSL_ports port 443
> acl CONNECT method CONNECT
>
> #allow/deny
> http_access allow internal
> http_access allow wireless
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
>
> #Bumping
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> ssl_bump peek all
> ssl_bump splice all
>
> sslproxy_capath /etc/ssl/certs
>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /opt/var/ssl_db -M 6MB
> sslcrtd_children 5
>
> #certs
> cert=/etc/squid3/certs/squid.pem
> cafile=/etc/squid3/certs/squid.pem
> key=/etc/squid3/certs/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=6MB sslflags=NO_SESSION_REUSE
>
> logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh
>
> access_log syslog:daemon.info mine
>
> #intercept
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump
>
> #nameservers
> dns_nameservers 192.168.201.1 8.8.8.8
>
> #WCCPv2 items
> wccp_version 2
> wccp2_router 192.168.200.73
> wccp2_forwarding_method gre
> wccp2_return_method gre
> wccp2_service standard 0 password=LNP1
> wccp2_service dynamic 70 password=LNP1
> wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443
>
> Bruce Markey | Network Security Analyst
> STEINMAN COMMUNICATIONS
> 717.291.8758 (o) | bmarkey at steinmancommunications.com
> 8 West King St | PO Box 1328, Lancaster, PA 17608-1328
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
> On Behalf Of James Lay
> Sent: Thursday, March 24, 2016 4:14 PM
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Logging of https
>
> On 2016-03-24 13:41, Markey, Bruce wrote:
>> I'm hoping this is a simple question, I've gotten/seen differing
>> answers and I'd just like a final answer.
>>
>> With squid setup as a transparent proxy via wccp will there be any log
>> entries for https sites, even just the ip? Just the initial get
>> request is what I'd expect.
>>
>> ( I have no interest in breaking https, I'd simply like to get any
>> data I can without having to go down that road)
>>
>> If yes then what needs to be done to make that happen. Currently
>> everything is working on the http side perfectly. Oh the https side
>> as soon as I enable wccp redirection of 443 to squid it breaks https.
>> ( I'll add here that I've read all the peek and splice info and I
>> don't really understand it.)
>>
>> Thanks
>>
>> BRUCE MARKEY | Network Security Analyst
>>
>> STEINMAN COMMUNICATIONS
>>
>> 717.291.8758 (o) | bmarkey at steinmancommunications.com
>>
>> 8 West King St | PO Box 1328, Lancaster, PA 17608-1328
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
>
> Read this:
>
> http://thread.gmane.org/gmane.comp.web.squid.general/114384/focus=114389
>
> Sample messages:
>
> allowed https:
> Mar 24 14:02:11 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:14:02:11 -0600] "CONNECT 209.59.180.48:443 HTTP/1.1" - - 200 5511 TCP_TUNNEL:ORIGINAL_DST
>
> note the size, 5511, and the TCP_TUNNEL, this has no SNI
>
> denied https:
> Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.35.38:443 HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST
>
> note the size, 0, and the TAG_NONE, and this also has no SNI
>
> Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.177.121:443 HTTP/1.1" track.appsflyer.com - 200 0 TAG_NONE:ORIGINAL_DST
>
> again, size, and TAG_NONE, but we saw SNI for this one.
>
> the above are the output when using the config info in the link. Hope
> that helps.
>
> James
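The log lines quoted in this thread are all that a peek-then-splice setup leaves behind, so here is an added example (not James's or Bruce's code, and not part of Squid) that parses Bruce's `mine` logformat, wrapped in the syslog prefix seen in James's samples, and sorts each CONNECT the way James reads the tags: TCP_TUNNEL with a byte count means the connection was spliced through, TAG_NONE with 0 bytes means no tunnel was established. Assumptions: the syslog prefix has exactly the shape in the samples ("Mon dd hh:mm:ss host (squid-N): "), `%ssl::>cert_subject` may contain spaces so it is matched lazily between the SNI field and the status code, the sample lines are constructed from the four quoted in the thread plus one junk line, and the outcome labels `spliced`, `no-tunnel` and `other` are mine.

```python
"""Parse Squid access_log lines written with the thread's "mine" logformat:

    %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

and classify each intercepted CONNECT by what the peek/splice rules did with it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four lines quoted in the thread, wrapped in the
# syslog prefix they were shown with, plus one line that is not a Squid record.
SAMPLE_LOG = """\
Apr  7 09:30:31 gateway (squid-1): 192.168.1.106 - - [07/Apr/2016:09:30:31 -0600] "CONNECT 216.58.193.78:443 HTTP/1.1" safebrowsing.google.com - 200 871538 TCP_TUNNEL:ORIGINAL_DST
Mar 24 14:02:11 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:14:02:11 -0600] "CONNECT 209.59.180.48:443 HTTP/1.1" - - 200 5511 TCP_TUNNEL:ORIGINAL_DST
Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.35.38:443 HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST
Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.177.121:443 HTTP/1.1" track.appsflyer.com - 200 0 TAG_NONE:ORIGINAL_DST
not a squid line at all
"""

# Assumed syslog prefix shape: "Apr  7 09:30:31 gateway (squid-1): " (one or two
# spaces after the month). The rest follows the logformat field by field.
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ \([^)]*\): "        # syslog prefix
    r"(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) "           # %>a %[ui %[un
    r"\[(?P<time>[^\]]+)\] "                                   # [%tl]
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)" '    # "%rm %ru HTTP/%rv"
    r"(?P<sni>\S+) (?P<cert_subject>.+?) "                     # %ssl::>sni %ssl::>cert_subject (subject may hold spaces)
    r"(?P<status>\d{3}) (?P<size>\d+) "                        # %>Hs %<st
    r"(?P<squid_status>[A-Z_]+):(?P<hier>\S+)$"                # %Ss:%Sh
)


def _opt(value: str) -> Optional[str]:
    """Squid writes '-' for an absent field."""
    return None if value == "-" else value


@dataclass
class TlsConnect:
    client: str
    dst: str                  # %ru of an intercepted CONNECT is ip:port, never a path
    sni: Optional[str]
    cert_subject: Optional[str]
    status: int
    size: int
    squid_status: str
    hier: str

    def server_name(self) -> str:
        """SNI if the ClientHello carried one, else the intercepted destination IP.
        This is all the name information a peek/splice proxy ever gets."""
        return self.sni or self.dst.rsplit(":", 1)[0]

    def outcome(self) -> str:
        """Classification following the thread's reading of the tags (labels are mine)."""
        if self.squid_status == "TCP_TUNNEL" and self.size > 0:
            return "spliced"        # tunnelled through untouched, bytes flowed
        if self.squid_status == "TAG_NONE" and self.size == 0:
            return "no-tunnel"      # no tunnel was established, nothing flowed
        return "other"


def parse_line(line: str) -> Optional[TlsConnect]:
    """Return a record for a line in the 'mine' format, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return TlsConnect(
        client=m["client"],
        dst=m["url"],
        sni=_opt(m["sni"]),
        cert_subject=_opt(m["cert_subject"]),
        status=int(m["status"]),
        size=int(m["size"]),
        squid_status=m["squid_status"],
        hier=m["hier"],
    )


def parse_log(text: str) -> List[TlsConnect]:
    """Parse a whole log, silently skipping lines that are not in the format."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def summarize(records: List[TlsConnect]) -> Dict[str, Dict[str, int]]:
    """outcome -> {server name -> count}; useful for spotting a client that keeps
    failing to get a tunnel to the same SNI."""
    out: Dict[str, Dict[str, int]] = {}
    for r in records:
        bucket = out.setdefault(r.outcome(), {})
        bucket[r.server_name()] = bucket.get(r.server_name(), 0) + 1
    return out


if __name__ == "__main__":
    for r in parse_log(SAMPLE_LOG):
        print(f"{r.client:15} {r.server_name():28} {r.outcome():10} {r.size:>8} bytes")
    print(summarize(parse_log(SAMPLE_LOG)))
```

Running the file prints one row per CONNECT and the per-outcome summary. The thing to notice is that `server_name()` can only ever return an SNI hostname or the intercepted IP, which is James's point: with peek/splice you get the host, never the URL path, and a CONNECT whose ClientHello carried no SNI is logged by IP alone.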