[squid-users] squid access.log

Alex Rousskov rousskov at measurement-factory.com
Sat Jul 20 19:47:53 UTC 2019


On 7/20/19 11:07 AM, leomessi983 at yahoo.com wrote:

> Why do I see multiple different lines in access.log file?

I believe the following wiki page answers that question. Search for the
word "log" in the Processing Steps section.

  https://wiki.squid-cache.org/Features/SslPeekAndSplice

> Is every line a separate request?

The answer depends on what you consider a "request" to be in this context.
Please see the above URL for logging details.


> I used ssl-bump, peek at_step sslbump1 and then, based on my ACL, I bump
> them or splice them! My squid.conf for log:
> logformat squid2   %ts %{%Y %b %d %H:%M:%S}tl %>a %<a %<A %ru %>Hs %<Hs
> %ssl::bump_mode
> 
> For example for google.com I see multiple lines in access.log:
> 1563634658 2019 Jul 20 19:27:38  40.0.0.40 - - 216.58.208.67:443 200 - splice
> 1563634658 2019 Jul 20 19:27:38  40.0.0.40 - - 216.58.208.67:443 200 - splice
> 1563634659 2019 Jul 20 19:27:39  40.0.0.40 - - 172.217.18.130:443 200 - splice
> 1563634659 2019 Jul 20 19:27:39  40.0.0.40 - - 216.58.208.78:443 200 - splice
> 1563634659 2019 Jul 20 19:27:39  40.0.0.40 - - 172.217.18.130:443 200 - splice
> 
> Where is https://google.com in this log?

At step1, Squid cannot see the URLs you expect. And Squid does not see
the HTTP request if you tell it to splice during step2. You can try
logging %ssl::>sni and %ssl::<cert_subject. See their documentation in
squid.conf.documented.

To see the HTTP request, Squid has to bump the connection.


> If I denied google, access.log shows:

If you deny access, Squid bumps the client connection and, if that
bumping is successful, receives the HTTP request.

Alex.
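
The following is an added example, not part of the original message and not Squid project code. It parses access.log lines in the poster's `squid2` format, assuming `%ssl::>sni` has been appended as a last field as suggested above, and groups entries by bump mode and by the best name available: the SNI when logged, otherwise the `%ru` value. All sample lines except the first are constructed.

```python
import re
from collections import Counter

# Assumed logformat: the poster's "squid2" with %ssl::>sni appended last.
# logformat squid2 %ts %{%Y %b %d %H:%M:%S}tl %>a %<a %<A %ru %>Hs %<Hs %ssl::bump_mode %ssl::>sni
LINE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<date>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<client>\S+)\s+(?P<srv_ip>\S+)\s+(?P<srv_name>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<srv_status>\S+)\s+(?P<mode>\S+)(?:\s+(?P<sni>\S+))?\s*$"
)

# First line is verbatim from the post (no SNI column); the rest are constructed.
SAMPLE = """\
1563634658 2019 Jul 20 19:27:38  40.0.0.40 - - 216.58.208.67:443 200 - splice
1563634658 2019 Jul 20 19:27:38  40.0.0.40 - - 216.58.208.67:443 200 - splice www.google.com
1563634659 2019 Jul 20 19:27:39  40.0.0.40 - - 172.217.18.130:443 200 - splice -
1563634700 2019 Jul 20 19:28:20  40.0.0.40 192.0.2.10 intranet.example 192.0.2.10:443 200 - bump intranet.example
1563634700 2019 Jul 20 19:28:20  40.0.0.40 192.0.2.10 intranet.example https://intranet.example/login 200 200 bump intranet.example
this line is not in the squid2 format
"""

def parse(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["sni"] in (None, "-"):      # column absent, or client sent no SNI
        rec["sni"] = None
    # A scheme in %ru means Squid saw an HTTP request, i.e. the connection was bumped.
    rec["has_http_url"] = "://" in rec["url"]
    return rec

def summarize(text):
    """Count entries per (bump mode, name, HTTP URL visible?); also count unparsed lines."""
    counts, skipped = Counter(), 0
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            skipped += 1
            continue
        name = rec["sni"] or rec["url"]  # fall back to IP:port when no SNI was logged
        counts[(rec["mode"], name, rec["has_http_url"])] += 1
    return counts, skipped

if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE)
    for (mode, name, http), n in sorted(counts.items()):
        print(f"{n:3d}  {mode:7s} {name:28s} http_url={http}")
    print("unparsed lines:", skipped)
```
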

