Re: Logging of https

[James Lay <jlay@xxxxxxxxxxxxxxxxxxx>]

That's correct....peek/stare don't require a cert on the client end.  
Just keep in mind you won't get a full URL in the logs with https 
sites...just the host/ip:

Apr  7 09:30:31 gateway (squid-1): 192.168.1.106 - - 
[07/Apr/2016:09:30:31 -0600] "CONNECT 216.58.193.78:443 HTTP/1.1" 
safebrowsing.google.com - 200 871538 TCP_TUNNEL:ORIGINAL_DST

James

On 2016-04-07 07:11, Markey, Bruce wrote:
> Ok thanks for that.  I think I have a slightly better understanding of
> what is going on.    That being said this is what I've come up with.
>
> No caching.  All sites allowed, peeking at all.
>
> I'm hoping this config will simply give me the logging that I'm
> looking for and nothing else.  And from that link you sent I don't
> have to install the client side cert?
>
> Thanks
>
>   1 #Access Lists
>   2 acl internal src 192.168.200.0/21
>   3 acl wireless src 192.168.100.0/23
>   4
>   5 #Ports allowed through Squid
>   6 acl Safe_ports port 80
>   7 acl Safe_ports port 443
>   8 acl SSL_ports port 443
>   9 acl CONNECT method CONNECT
>  10
>  11 #allow/deny
>  12 http_access allow internal
>  13 http_access allow wireless
>  14 http_access deny !Safe_ports
>  15 http_access deny CONNECT !SSL_ports
>  16 http_access deny all
>  17
>  18 #Bumping
>  19 acl step1 at_step SslBump1
>  20 acl step2 at_step SslBump2
>  21 acl step3 at_step SslBump3
>  22
>  23 ssl_bump peek all
>  24 ssl_bump splice all
>  25
>  26 sslproxy_capath /etc/ssl/certs
>  27
>  28 sslcrtd_program /usr/lib/squid3/ssl_crtd -s /opt/var/ssl_db -M 6MB
>  29 sslcrtd_children 5
>  30
>  31 #certs
>  32 cert=/etc/squid3/certs/squid.pem
>  33 cafile=/etc/squid3/certs/squid.pem
>  34 key=/etc/squid3/certs/squid.pem generate-host-certificates=on
> dynamic_cert_mem_cache_size=6MB sslflags=NO_SESSION_REUSE
>  35
>  36 logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni
> %ssl::>cert_subject %>Hs %<st %Ss:%Sh
>  37
>  38 access_log syslog:daemon.info mine
>  39
>  40 #intercept
>  41 http_port 3128 intercept
>  42 https_port 3129 intercept ssl-bump
>  43
>  44 #nameservers
>  45 dns_nameservers 192.168.201.1 8.8.8.8
>  46
>  47 #WCCPv2 items
>  48 wccp_version 2
>  49 wccp2_router 192.168.200.73
>  50 wccp2_forwarding_method gre
>  51 wccp2_return_method gre
>  52 wccp2_service standard 0 password=LNP1
>  53 wccp2_service dynamic 70 password=LNP1
>  54 wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 
> ports=443
>  55
>
> Bruce Markey | Network Security Analyst
> STEINMAN COMMUNICATIONS
> 717.291.8758 (o) | bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx
> 8 West King St | PO Box 1328, Lancaster, PA 17608-1328
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx]
> On Behalf Of James Lay
> Sent: Thursday, March 24, 2016 4:14 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re:  Logging of https
>
> On 2016-03-24 13:41, Markey, Bruce wrote:
> > I'm hoping this is a simple question, I've gotten/seen differing
> > answers and I'd just like a final answer.
> >
> > With squid setup as a transparent proxy via wccp will there be any log
> > entries for https sites, even just the ip?  Just the initial get
> > request is what I'd expect.
> >
> > ( I have no interest in breaking https, I'd simply like to get any
> > data I can without having to go down that road)
> >
> > If yes then what needs to be done to make that happen. Currently
> > everything is working on the http side perfectly.  Oh the https side
> > as soon as I enable wccp redirection of 443 to squid it breaks https.
> >  ( I'll add here that I've read all the peek and splice info and I
> > don't really understand it.)
> >
> > Thanks
> >
> > BRUCE MARKEY | Network Security Analyst
> >
> > STEINMAN COMMUNICATIONS
> >
> > 717.291.8758 (o) | bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > 8 West King St | PO Box 1328, Lancaster, PA 17608-1328
> >
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > http://lists.squid-cache.org/listinfo/squid-users
>
>
> Read this:
>
> http://thread.gmane.org/gmane.comp.web.squid.general/114384/focus=114389
>
> Sample messages:
>
> allowed https:
> Mar 24 14:02:11 gateway (squid-1): 192.168.1.101 - -
> [24/Mar/2016:14:02:11 -0600] "CONNECT 209.59.180.48:443 HTTP/1.1" - -
> 200 5511 TCP_TUNNEL:ORIGINAL_DST
>
> note the size, 5511, and the TCP_TUNNEL, this has no SNI
>
> denied https:
> Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - -
> [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.35.38:443 HTTP/1.1" - - 
> 200
> 0 TAG_NONE:ORIGINAL_DST
>
> note the size, 0, and the TAG_NONE, and this also has no SNI
>
> Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - -
> [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.177.121:443 HTTP/1.1"
> track.appsflyer.com - 200 0 TAG_NONE:ORIGINAL_DST
>
> again, size, and TAG_NONE, but we saw SNI for this one.
>
> the above are the output when using the config info in the link.  Hope
> that helps.
>
> James
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users