Squid log https without SSL Bumping

squid

I have implemented a transparent squid3 proxy for logging purposes.

I won't be doing SSL bumping / HTTPS decryption, as this is too much to install a cert on every client.

However, I would like to log the CONNECT URL data passed to squid. For some reason, it doesn't log even the root domain on HTTPS requests, when these definitely hit squid.

Is there any way to do this?


My /squid.conf:

http_port 192.168.15.225:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
logformat squid %ts.%03tu %tr %>a %>eui %>Hs %<st %rm %ru %un %<A %mt
access_log /var/squid/logs/access.mac.log squid
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger

logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds
acl localnet src  10.10.10.0/24 192.168.15.0/24
forwarded_for on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .    0  20%  4320

acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT

acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

http_access allow localnet
http_access deny allsrc

Best Answer

You cannot log CONNECT requests on a transparent cache. The connect request would only be sent to the squid server if your browser has been configured as a proxy. If the browser isn't configured to use squid as a proxy, it will attempt to negotiate a TLS connection directly with the destination.

If you redirected that TLS connection you would either require SSLBUMP, or you would get errors in your browser.

But let's say you configured your browsers to use squid. You will not get the URL. All you will see is the FQDN of the system that hosts the web site. The URL is part of the HTTP request, which is not sent until after the TLS connection has been established.

For some reason, it doesn't log even the root domain on HTTPS requests, when these definitely hit squid.

They are not hitting squid. Like I said above, it simply doesn't work like that. CONNECT isn't used unless your browsers are configured to use the proxy, and you seem to be claiming to be set up as a transparent proxy. This almost certainly means that your operating system is simply routing the request like any other traffic.
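Added example (not part of the question or the answer above): a small parser for access-log lines written with the question's custom "logformat squid" line, run over constructed sample lines, to show concretely what the answer describes. The sample lines assume the browser is configured to use Squid explicitly, since in intercept mode no CONNECT line is written at all; the hostnames, addresses and timestamps are made up. A GET line yields scheme, host and full path; a CONNECT line yields only host:port, because the real request line travels inside the TLS session that Squid merely tunnels.

```python
"""Parse Squid access-log lines in the question's custom format and report
what each line reveals about the destination.

Assumed logformat (taken from the question's squid.conf):
logformat squid %ts.%03tu %tr %>a %>eui %>Hs %<st %rm %ru %un %<A %mt
"""
from urllib.parse import urlsplit

FIELDS = (
    "ts",          # %ts.%03tu  seconds.milliseconds since the epoch
    "duration",    # %tr        response time in milliseconds
    "client",      # %>a        client IP address
    "client_eui",  # %>eui      client MAC (EUI-48) when known, else "-"
    "status",      # %>Hs       HTTP status code sent to the client
    "size",        # %<st       reply size in bytes
    "method",      # %rm        request method
    "url",         # %ru        request URL (host:port for CONNECT)
    "user",        # %un        user name, "-" when unauthenticated
    "peer",        # %<A        server or peer address, "-" if none
    "mime",        # %mt        MIME type, "-" when unknown (tunnels)
)

# Constructed sample lines, not copied from any real access.log.
# Line 3 models a CONNECT to a port outside the question's "sslports" ACL,
# which "http_access deny CONNECT !sslports" rejects with a 403.
SAMPLE_LOG = """\
1700000000.123    45 192.168.15.10 aa:bb:cc:dd:ee:ff 200 1234 GET http://example.com/path?q=1 - 93.184.216.34 text/html
1700000000.456   830 192.168.15.10 aa:bb:cc:dd:ee:ff 200 5678 CONNECT example.com:443 - 93.184.216.34 -
1700000001.001    12 192.168.15.11 - 403 311 CONNECT example.org:8443 - - text/html
"""


def parse_line(line):
    """Split one log line into a dict keyed by the FIELDS names."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def visible_target(entry):
    """Return (host, port, path) as far as this log line reveals them.

    For CONNECT the path is None: only host:port is visible to the proxy,
    the request line with the real URL is sent after the TLS handshake.
    """
    if entry["method"] == "CONNECT":
        host, sep, port = entry["url"].rpartition(":")
        if not sep:  # defensive: Squid normally always logs host:port here
            host, port = entry["url"], "443"
        return host, int(port), None
    u = urlsplit(entry["url"])
    port = u.port or (443 if u.scheme == "https" else 80)
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    return u.hostname, port, path


def https_visibility(log_text):
    """One record per log line describing what a defender can recover."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        host, port, path = visible_target(entry)
        records.append({
            "client": entry["client"],
            "method": entry["method"],
            "status": entry["status"],
            "host": host,
            "port": port,
            "path": path,          # None means "hidden inside TLS"
            "tunnel": entry["method"] == "CONNECT",
        })
    return records


if __name__ == "__main__":
    for rec in https_visibility(SAMPLE_LOG):
        where = f"{rec['host']}:{rec['port']}"
        detail = rec["path"] if rec["path"] is not None else "(path hidden inside TLS)"
        print(f"{rec['client']} {rec['method']} {rec['status']} {where} {detail}")
```

Running this against a real access.log from an intercept-only deployment will show no CONNECT records at all, which is the practical check for the answer's point: if the HTTPS traffic is being routed rather than proxied, there is nothing for Squid to write.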