Perfect. I'm totally fine without the full URL.

Thanks
Bruce

On Apr 7, 2016 11:34 AM, James Lay <jlay@xxxxxxxxxxxxxxxxxxx> wrote:

That's correct....peek/stare don't require a cert on the client end. Just keep in mind you won't get a full URL in the logs with https sites...just the host/ip:

Apr 7 09:30:31 gateway (squid-1): 192.168.1.106 - - [07/Apr/2016:09:30:31 -0600] "CONNECT 216.58.193.78:443 HTTP/1.1" safebrowsing.google.com - 200 871538 TCP_TUNNEL:ORIGINAL_DST

James

On 2016-04-07 07:11, Markey, Bruce wrote:
> Ok thanks for that. I think I have a slightly better understanding of
> what is going on. That being said this is what I've come up with.
>
> No caching. All sites allowed, peeking at all.
>
> I'm hoping this config will simply give me the logging that I'm
> looking for and nothing else. And from that link you sent I don't
> have to install the client side cert?
>
> Thanks
>
> #Access Lists
> acl internal src 192.168.200.0/21
> acl wireless src 192.168.100.0/23
>
> #Ports allowed through Squid
> acl Safe_ports port 80
> acl Safe_ports port 443
> acl SSL_ports port 443
> acl CONNECT method CONNECT
>
> #allow/deny
> http_access allow internal
> http_access allow wireless
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny all
>
> #Bumping
> acl step1 at_step SslBump1
> acl step2 at_step SslBump2
> acl step3 at_step SslBump3
>
> ssl_bump peek all
> ssl_bump splice all
>
> sslproxy_capath /etc/ssl/certs
>
> sslcrtd_program /usr/lib/squid3/ssl_crtd -s /opt/var/ssl_db -M 6MB
> sslcrtd_children 5
>
> logformat mine %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh
>
> access_log syslog:daemon.info mine
>
> #intercept
> http_port 3128 intercept
> #certs: cert=, key=, cafile= and the generate-host-certificates options are
> #https_port options, not standalone directives, so they go on the port line
> https_port 3129 intercept ssl-bump cert=/etc/squid3/certs/squid.pem key=/etc/squid3/certs/squid.pem cafile=/etc/squid3/certs/squid.pem generate-host-certificates=on dynamic_cert_mem_cache_size=6MB sslflags=NO_SESSION_REUSE
>
> #nameservers
> dns_nameservers 192.168.201.1 8.8.8.8
>
> #WCCPv2 items
> wccp_version 2
> wccp2_router 192.168.200.73
> wccp2_forwarding_method gre
> wccp2_return_method gre
> wccp2_service standard 0 password=LNP1
> wccp2_service dynamic 70 password=LNP1
> wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443
>
> Bruce Markey | Network Security Analyst
> STEINMAN COMMUNICATIONS
> 717.291.8758 (o) | bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx
> 8 West King St | PO Box 1328, Lancaster, PA 17608-1328
>
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of James Lay
> Sent: Thursday, March 24, 2016 4:14 PM
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Logging of https
>
> On 2016-03-24 13:41, Markey, Bruce wrote:
>> I'm hoping this is a simple question, I've gotten/seen differing
>> answers and I'd just like a final answer.
>>
>> With squid setup as a transparent proxy via wccp will there be any log
>> entries for https sites, even just the ip? Just the initial get
>> request is what I'd expect.
>>
>> ( I have no interest in breaking https, I'd simply like to get any
>> data I can without having to go down that road)
>>
>> If yes then what needs to be done to make that happen. Currently
>> everything is working on the http side perfectly. On the https side
>> as soon as I enable wccp redirection of 443 to squid it breaks https.
>> ( I'll add here that I've read all the peek and splice info and I
>> don't really understand it.)
>>
>> Thanks
>>
>> BRUCE MARKEY | Network Security Analyst
>> STEINMAN COMMUNICATIONS
>> 717.291.8758 (o) | bmarkey@xxxxxxxxxxxxxxxxxxxxxxxxxx
>> 8 West King St | PO Box 1328, Lancaster, PA 17608-1328
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
>
> Read this:
>
> http://thread.gmane.org/gmane.comp.web.squid.general/114384/focus=114389
>
> Sample messages:
>
> allowed https:
> Mar 24 14:02:11 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:14:02:11 -0600] "CONNECT 209.59.180.48:443 HTTP/1.1" - - 200 5511 TCP_TUNNEL:ORIGINAL_DST
>
> note the size, 5511, and the TCP_TUNNEL, this has no SNI
>
> denied https:
> Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.35.38:443 HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST
>
> note the size, 0, and the TAG_NONE, and this also has no SNI
>
> Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.177.121:443 HTTP/1.1" track.appsflyer.com - 200 0 TAG_NONE:ORIGINAL_DST
>
> again, size, and TAG_NONE, but we saw SNI for this one.
>
> the above are the output when using the config info in the link. Hope
> that helps.
>
> James
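An added example, not code from the thread or from the Squid project: it parses the syslog-wrapped lines that the `mine` logformat above produces, records whether Squid saw an SNI, and applies the reading James gives the samples (TCP_TUNNEL with bytes transferred = spliced through, TAG_NONE with 0 bytes = no tunnel was established). The four sample lines are the ones quoted in the thread, embedded as constructed input; the regex assumes the field order of that logformat and nothing else.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Matches syslog-wrapped lines of the "mine" logformat from the thread; cert_subject
# is unquoted and may contain spaces, so it is matched lazily up to the tail fields:
#   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %ssl::>sni %ssl::>cert_subject %>Hs %<st %Ss:%Sh
LINE_RE = re.compile(
    r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ \([^)]+\): '
    r'(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<sni>\S+) (?P<subject>.+?) (?P<status>\d{3}) (?P<size>\d+) '
    r'(?P<code>[A-Z_]+):(?P<hier>\S+)$'
)

@dataclass
class TlsLogEntry:
    client: str
    target: str         # ip:port from the CONNECT line; no URL path for https
    sni: Optional[str]  # None when Squid logged "-" (no SNI seen)
    status: int
    size: int
    code: str           # Squid result code, e.g. TCP_TUNNEL or TAG_NONE

    @property
    def verdict(self) -> str:
        # Read the entry the way the thread does: TCP_TUNNEL plus bytes moved means the
        # TLS session was spliced through; TAG_NONE with 0 bytes means no tunnel at all.
        if self.code == "TCP_TUNNEL" and self.size > 0:
            return "spliced"
        if self.code == "TAG_NONE" and self.size == 0:
            return "not-tunnelled"
        return "other"

def parse_line(line: str) -> Optional[TlsLogEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a "mine" line (or one mangled by line wrapping)
    return TlsLogEntry(client=m["client"], target=m["target"],
                       sni=None if m["sni"] == "-" else m["sni"],
                       status=int(m["status"]), size=int(m["size"]), code=m["code"])

def parse_log(text: str) -> List[TlsLogEntry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]
# Constructed sample: the four CONNECT lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Apr 7 09:30:31 gateway (squid-1): 192.168.1.106 - - [07/Apr/2016:09:30:31 -0600] "CONNECT 216.58.193.78:443 HTTP/1.1" safebrowsing.google.com - 200 871538 TCP_TUNNEL:ORIGINAL_DST
Mar 24 14:02:11 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:14:02:11 -0600] "CONNECT 209.59.180.48:443 HTTP/1.1" - - 200 5511 TCP_TUNNEL:ORIGINAL_DST
Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.35.38:443 HTTP/1.1" - - 200 0 TAG_NONE:ORIGINAL_DST
Mar 24 13:36:01 gateway (squid-1): 192.168.1.101 - - [24/Mar/2016:13:36:01 -0600] "CONNECT 54.171.177.121:443 HTTP/1.1" track.appsflyer.com - 200 0 TAG_NONE:ORIGINAL_DST
"""
```

Feeding `SAMPLE_LOG` to `parse_log` yields two spliced entries (one with SNI, one without) and two not-tunnelled entries, which is the distinction James draws between the "allowed" and "denied" samples.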