[squid-users] SQUID does not insert server ip and port in logs for CONNECT method when the connection fails (error 503)

Troiano Alessio alessio.troiano at leonardocompany.com
Fri Sep 14 10:33:54 UTC 2018


Hello,
I'm seeing the problem described in the subject. I'm interested in the log fields %<a %<p %<lp. In HTTPS connections, when the destination server does not answer (maybe blocked by our firewall because it is malicious), the destination IP is not logged. As a result, we cannot find the source client IP related to the blocked connection logged by the firewall.
For the GET method, everything works as expected.

Below are the squid.conf log settings and two log entries for connections to http://sqm.telemetry.microsoft.com and https://sqm.telemetry.microsoft.com . The site is not reachable.

Squid.conf:
logformat custom_squid %%SQUID-4: %>a %>p [%tl] "%rm %ru HTTP/%rv" %<A %ui %un "%rp" %Hs %mt %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %<a %<p %<lp
access_log /var/log/squid/rsa/access.log custom_squid

access.log:
%SQUID-4: 172.x.x.x 56371 [14/Sep/2018:05:04:51 -0500] "CONNECT sqm.telemetry.microsoft.com:443 HTTP/1.1" - - - "-" 503 - 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0" TAG_NONE:HIER_NONE - - -
%SQUID-4: 172.x.x.x 56490 [14/Sep/2018:05:14:42 -0500] "GET http://sqm.telemetry.microsoft.com/ HTTP/1.1" sqm.telemetry.microsoft.com - - "/" 502 text/html 5405 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0" TCP_MISS:HIER_DIRECT 65.55.252.93 80 60796

OS info and process:
[root@HUB-XX-XX-XX squid]# squid -v
Squid Cache: Version 3.5.20
Service Name: squid
configure options:  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,rock,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro  -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches   -m64 -mtune=generic -fpie' 
'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
[root@HUB-XX-XX-XX squid]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)

We are using the latest stable release of squid for Red Hat.

Thank you, Best Regards.
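
One way to work with these logs while %<a is missing, as an added example (not part of the original post and not Squid code): parse the custom_squid lines, pick out entries with no server address, and join them to firewall denies by CONNECT host, port and time. The firewall tuple format, the host-to-IP map, the 60-second window and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Mirrors the custom_squid logformat from the post, field by field.
LINE_RE = re.compile(
    r'^%SQUID-4: (?P<client_ip>\S+) (?P<client_port>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>[^"]+)" '
    r'(?P<server_fqdn>\S+) (?P<ident>\S+) (?P<user>\S+) "(?P<path>[^"]*)" '
    r'(?P<status>\S+) (?P<mime>\S+) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" (?P<squid_status>[^:\s]+):(?P<hier>\S+) '
    r'(?P<server_ip>\S+) (?P<server_port>\S+) (?P<local_port>\S+)$')

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def missing_server(records):
    """Entries where %<a was logged as '-', like the failed CONNECT."""
    return [r for r in records if r and r["server_ip"] == "-"]

def correlate(records, fw_denies, resolved, window=timedelta(seconds=60)):
    """Match firewall denies to clients by CONNECT host:port and time.
    fw_denies: (datetime, dst_ip, dst_port); resolved: host -> set of IPs.
    Both are assumed external inputs (firewall export, DNS logs)."""
    hits = []
    for r in missing_server(records):
        if r["method"] != "CONNECT":
            continue
        host, _, port = r["url"].rpartition(":")
        for when, dst_ip, dst_port in fw_denies:
            if (dst_ip in resolved.get(host, ()) and str(dst_port) == port
                    and abs(when - r["time"]) <= window):
                hits.append((r["client_ip"], r["client_port"], host, dst_ip))
    return hits

# The two log lines from the post (client address already masked there).
SAMPLE = [
    '%SQUID-4: 172.x.x.x 56371 [14/Sep/2018:05:04:51 -0500] "CONNECT sqm.telemetry.microsoft.com:443 HTTP/1.1" - - - "-" 503 - 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0" TAG_NONE:HIER_NONE - - -',
    '%SQUID-4: 172.x.x.x 56490 [14/Sep/2018:05:14:42 -0500] "GET http://sqm.telemetry.microsoft.com/ HTTP/1.1" sqm.telemetry.microsoft.com - - "/" 502 text/html 5405 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0" TCP_MISS:HIER_DIRECT 65.55.252.93 80 60796',
]
# Constructed inputs: one firewall deny; the IP is the one the GET line logged.
FW_DENIES = [(datetime(2018, 9, 14, 10, 4, 53, tzinfo=timezone.utc), "65.55.252.93", 443)]
RESOLVED = {"sqm.telemetry.microsoft.com": {"65.55.252.93"}}

if __name__ == "__main__":
    print(correlate([parse(l) for l in SAMPLE], FW_DENIES, RESOLVED))
```

The join depends on the host-to-IP map reflecting what the proxy resolved at the time, so a hostname that maps to several addresses can produce more than one candidate client per deny.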
