Ok thanks for that. I think I have a slightly better understanding of what is going on.

That being said this is what I've come up with. No caching. All sites allowed, peeking at all. I'm hoping this config will simply give me the logging that I'm looking for and nothing else.

And from that link you sent I don't have to install the client side cert?

Thanks

#Access Lists
acl internal src 192.168.200.0/21
acl wireless src 192.168.100.0/23

#Ports allowed through Squid
acl Safe_ports port 80
acl Safe_ports port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

#allow/deny
http_access allow internal
http_access allow wireless
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

#Bumping
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

ssl_bump peek all
ssl_bump splice all

sslproxy_capath /etc/ssl/certs

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /opt/var/ssl_db -M 6MB
sslcrtd_children 5

#certs
cert=/etc/squid3/certs/squid.pem
cafile=/etc/squid3/certs/squid.pem
key=/etc/squid3/certs/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=6MB sslflags=NO_SESSION_REUSE

logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh

access_log syslog:daemon.info mine

#intercept
http_port 3128 intercept
https_port 3129 intercept ssl-bump

#nameservers
dns_nameservers 192.168.201.1 8.8.8.8

#WCCPv2 items
wccp_version 2
wccp2_router 192.168.200.73
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=LNP1
wccp2_service dynamic 70 password=LNP1
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443

Bruce Markey | Network Security Analyst
STEINMAN COMMUNICATIONS
717.291.8758 (o) | bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx
8 West King St | PO Box 1328, Lancaster, PA 17608-1328

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of James Lay
Sent: Thursday, March 24, 2016 4:14 PM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Logging of https

On 2016-03-24 13:41, Markey, Bruce wrote:
> I'm hoping this is a simple question, I've gotten/seen differing
> answers and I'd just like a final answer.
>
> With squid setup as a transparent proxy via wccp will there be any log
> entries for https sites, even just the ip? Just the initial get
> request is what I'd expect.
>
> ( I have no interest in breaking https, I'd simply like to get any
> data I can without having to go down that road)
>
> If yes then what needs to be done to make that happen. Currently
> everything is working on the http side perfectly. On the https side
> as soon as I enable wccp redirection of 443 to squid it breaks https.
> ( I'll add here that I've read all the peek and splice info and I
> don't really understand it.)
>
> Thanks
>
> BRUCE MARKEY | Network Security Analyst
>
> STEINMAN COMMUNICATIONS
>
> 717.291.8758 (o) | bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx
>
> 8 West King St | PO Box 1328, Lancaster, PA 17608-1328
>
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users

Read this:

http://thread.gmane.org/gmane.comp.web.squid.general/114384/focus=114389

Sample messages:

allowed https:
Mar 24 14:02:11 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:14:02:11 -0600] "CONNECT 209.59.180.48:443 HTTP/1.1" - - 200 5511 TCP_TUNNEL:ORIGINAL_DST

note the size, 5511, and the TCP_TUNNEL, this has no SNI

denied https:
Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.35.38:443 HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST

note the size, 0, and the TAG_NONE, and this also has no SNI

Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.177.121:443 HTTP/1.1" track.appsflyer.com - 200 0 TAG_NONE:ORIGINAL_DST

again, size, and TAG_NONE, but we saw SNI for this one.

the above are the output when using the config info in the link. Hope that helps.

James