[squid-users] access log without hostname

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 19 15:00:45 UTC 2019


On 9/19/19 10:29 AM, sknz wrote:
> I'm using squid 3.5.3 to intercept https without issuing the client
> certificate.  
> 
> https_port 3127 intercept ssl-bump generate-host-certificates=off
> cert=certs/squid.pem
> ssl_bump none all

> So my squid access log is similar to this. Is there any way to make it more
> meaningful? perhaps hostname?

You can peek at step1 to get access to TLS client handshake information,
which may include TLS SNI. You can also peek at step2 to get access to
TLS server handshake information, which may include TLS server CN and
other details. IIRC, some of those details will be logged automatically
with the default logformat. Others can be logged using TLS-specific
logformat %codes.

  https://wiki.squid-cache.org/Features/SslPeekAndSplice


HTH,

Alex.


> ...............................
> 1568902948.817  65168 10.1.0.1 TCP_TUNNEL/200 891 CONNECT 157.240.16.63:443
> - ORIGINAL_DST/157.240.16.63 - 10.1.0.1
> 1568903081.342 240109 10.1.0.1 TCP_TUNNEL/200 458 CONNECT
> 172.217.163.132:443 - ORIGINAL_DST/172.217.163.132 - 10.1.0.1
> 1568903132.645 240133 10.1.0.1 TCP_TUNNEL/200 99047 CONNECT
> 172.217.31.214:443 - ORIGINAL_DST/172.217.31.214 - 10.1.0.1
> ...............................
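
Added example, not part of the original message: a squid.conf sketch of the step1 peek described in the reply, next to the poster's current rule, with a custom logformat that records the client's SNI. It assumes the running Squid build supports the `at_step` ACL and the `%ssl::>sni` and `%ssl::bump_mode` logformat codes; the ACL name `step1`, the format name `tls_sni` and the log path are illustrative.

```conf
# Poster's listener, unchanged (one line in squid.conf):
https_port 3127 intercept ssl-bump generate-host-certificates=off cert=certs/squid.pem

# Before: tunnel everything without looking at the handshake, so the
# log can only show the intercepted destination IP.
#   ssl_bump none all

# After: peek at the TLS ClientHello (step1) to learn the SNI, then
# splice. Spliced connections are still tunnelled end to end; Squid
# does not decrypt them and does not generate certificates.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# Squid's native log layout with the ident/user field (%[un) replaced
# by the client SNI and the final bumping mode. %ssl::>sni logs "-"
# when the client sent no SNI.
logformat tls_sni %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %ssl::>sni %ssl::bump_mode %Sh/%<a %mt

# Log path is a placeholder; keep whatever path the installation uses.
access_log daemon:/var/log/squid/access.log tls_sni
```

SNI is supplied by the client and is not verified against the server certificate at step1, so treat the logged name as a hint when using it for detection or policy.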


