[squid-users] connect with http and https protocols
Alex Rousskov
rousskov at measurement-factory.com
Tue Apr 29 13:50:09 UTC 2025
On 2025-04-29 02:54, Renzo Marengo wrote:

> When a client uses the CONNECT directive I understand that the proxy
> establishes a tunnel to the destination host on the specified port

Yes, the proxy establishes a TCP tunnel with the destination.

> 1. I don't understand if this occurs both in the presence of http and https
> requests. Can the request (using the CONNECT method) be http or https?

I do not know how _you_ define "http" and "https" in this context, but
a CONNECT request may be received on a plain text connection (i.e. a
connection to an http_port), on an encrypted connection (i.e. a TLS
connection to an https_port), and even inside a bumped TLS connection
(on either port; e.g., a CONNECT request received inside a bumped
CONNECT tunnel)!

> 2. If in both cases the CONNECT method is invoked, how can I discover the
> protocol (http, https) by looking inside access.log?

If you are not telling Squid to bump the corresponding CONNECT tunnel
using ssl_bump, then you cannot discover the protocol inside that
tunnel. Squid is just shoveling opaque bytes using TCP in that (default)
case.

If Squid successfully bumps the corresponding CONNECT tunnel, then the
protocol inside that tunnel is HTTPS or, more precisely, TLS-encrypted
HTTP/0 or HTTP/1 transactions. You should see those decrypted
transactions in access.log, logged with the same
%transport::>connection_id as the CONNECT transaction.

If Squid attempts to bump the corresponding CONNECT tunnel, and that
tunnel starts with a TLS handshake, then you may be able to recover the
underlying protocol from the ALPN extension in %>handshake.

See the logformat directive for the above %code documentation:
https://www.squid-cache.org/Doc/config/logformat/

HTH,

Alex.
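
Added example (not part of the message above and not Squid code): a sketch of recovering the ALPN protocol list from a logged %>handshake value, which the logformat documentation describes as base64-encoded. The function names `alpn_from_handshake` and `sample_client_hello` are hypothetical, the sample ClientHello is constructed, and the parser assumes the ClientHello fits in a single TLS record.

```python
import base64
import struct

def alpn_from_handshake(b64_value):
    """Return ALPN names offered in a base64 TLS ClientHello, or [] if none."""
    data = base64.b64decode(b64_value)
    # TLS record header is 5 bytes (type 22 = handshake); byte 5 is the
    # handshake message type (1 = ClientHello).
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return []  # not TLS, e.g. plain HTTP inside the tunnel
    try:
        pos = 5 + 4                # skip record and handshake headers
        pos += 2 + 32              # client_version, random
        pos += 1 + data[pos]       # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher_suites
        pos += 1 + data[pos]       # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= min(ext_end, len(data)):
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 16:     # ALPN extension (RFC 7301)
                body = data[pos:pos + ext_len]
                names, i = [], 2   # skip the 2-byte protocol list length
                while i < len(body):
                    n = body[i]
                    names.append(body[i + 1:i + 1 + n].decode("ascii", "replace"))
                    i += 1 + n
                return names
            pos += ext_len
    except (IndexError, struct.error):
        pass                       # truncated handshake
    return []

def sample_client_hello(protocols):
    """Constructed sample: a minimal ClientHello offering the given ALPN names."""
    plist = b"".join(bytes([len(p)]) + p for p in protocols)
    alpn = struct.pack("!HHH", 16, len(plist) + 2, len(plist)) + plist
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(alpn)) + alpn)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    record = b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
    return base64.b64encode(record).decode()

if __name__ == "__main__":
    print(alpn_from_handshake(sample_client_hello([b"h2", b"http/1.1"])))
```

An offered list such as h2 and http/1.1 shows what the client is willing to speak inside the tunnel, not what the server selected.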