On 10/05/2016 8:31 p.m., alesironi wrote:
> Hello everyone
>
> sorry if it's a stupid question but I'm a newbie of SQUID and PROXIES as
> well.

Well, firstly. Please don't shout :-P

Seriously though; Some of the words you are upper-casing are trademarks or technical terms and the case used is relevant to what you are speaking about. (not picking on you specifically, others on the list have been getting very sloppy too recently - this message is a perfect example of the problem).

SQUID and Squid are different things. Both used in networking. But thankfully SQUID is a layer-1 device not commonly spoken about around here so not much confusion.

However; proxy and PROXY are also two different things. For extra difficulty both relate to things about Squid. PROXY (all upper case and no pluralisation) being one of the protocols that Squid can use nowadays.

>
> I have SQUID installed on UBUNTU, working fine, only authorized users can
> use the proxy.

Squid, Ubuntu, YouTube and GoogleVideo are trademarks with specific spelling when used outside of URLs.

/rant

>
> Some users are watching youtube videos (I can see from the log files); our
> rules are pretty simple and basic, youtube videos are allowed but only if
> they are for working related purposes.
> IN order to understand that I need to check from access.log which kind of
> video they watch (we do this randomly, not for every video, for obvious
> reasons).
>
> The problem is that on Squid log file (ACCESS.LOG) the URL I see is similar
> to this:
>
> r10---sn-4g57knd7.googlevideo.com:443
>
> ...which is not telling me anything about the content of the youtube video
> (it does not work at all...).
>

The best explanation for the URI (not URL) if you really want to know why it looks like that (and why it's not a URL) is in <http://tools.ietf.org/html/rfc7230#section-5.3>.

The ":443" part means port 443 ... TLS encrypted traffic. That is all. To misquote The Matrix "there is no video".
What your Squid is being asked to proxy is a two-way opaque stream of TLS encrypted data to/from that named server:port.

The encrypted data on port 443 is supposed to contain a whole different layer of HTTP messages commonly referred to as HTTPS, and having https:// URLs. There may be one or more messages, there may (or not) be a video stream as one of those messages.

So to be accurate; the stream may contain a video, but it also may not and even when it does there is more than the video happening in there.

> Do you have any suggestion on how to understand the content of the video
> starting from that URL? Or any suggestion on how to achieve my goal?

What do you mean by "kind"?

Your description implies that you mean the actual visual content of it. You will not be able to see that without downloading and viewing it yourself.

The most you will ever be able to see from HTTP layer logs was that it was a video and the URL that it was stored at. Which is usually just a random unique character sequence for an ID.

To even get that much information you will have to intercept and decrypt the users' traffic.

Please check with your company's legal department about whether you can do that encryption legally. There are some countries where doing so on any network is completely prohibited or requires a government license. Other places that policy you mention might be enough so long as your users have signed agreement to it.

Once you know the legal situation look into <http://wiki.squid-cache.org/Features/SslPeekAndSplice>.

You will also need to be using the latest Squid packages (3.5.19 or 4.0.10 today) and regularly updating. TLS interception is an arms race situation that is constantly changing both the security encryption and the attack methods to break into it.

Amos
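
Added example, not part of the original message or of the Squid project: a short Python script that sums up what access.log does record for CONNECT tunnels without any decryption, namely user, host:port, byte count and duration, and nothing about the content. It assumes Squid's native log format; the sample lines and the function names parse_line and tunnel_summary are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# time elapsed_ms client code/status bytes method URI user hierarchy/peer type
SAMPLE_LOG = """\
1462869060.101   5321 192.168.1.20 TCP_TUNNEL/200 1834567 CONNECT r10---sn-4g57knd7.googlevideo.com:443 alice HIER_DIRECT/203.0.113.10 -
1462869071.440    212 192.168.1.20 TCP_MISS/200 4312 GET http://example.com/index.html alice HIER_DIRECT/203.0.113.20 text/html
1462869090.007  60210 192.168.1.31 TCP_TUNNEL/200 48211900 CONNECT r3---sn-4g57knd7.googlevideo.com:443 bob HIER_DIRECT/203.0.113.11 -
1462869095.500    840 192.168.1.31 TCP_TUNNEL/200 20480 CONNECT www.youtube.com:443 bob HIER_DIRECT/203.0.113.12 -
"""

def parse_line(line):
    """Split one native-format line into a dict, or return None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    try:
        return {"time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
                "result": f[3], "bytes": int(f[4]), "method": f[5],
                "uri": f[6], "user": f[7]}
    except ValueError:
        return None

def tunnel_summary(log_text, domain_suffix):
    """Total tunnels, bytes and duration of CONNECT entries per (user, host)."""
    totals = defaultdict(lambda: {"tunnels": 0, "bytes": 0, "seconds": 0.0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        # A CONNECT target is authority-form (host:port): no path, no video ID.
        host, _, _port = rec["uri"].rpartition(":")
        if not (host == domain_suffix or host.endswith("." + domain_suffix)):
            continue
        t = totals[(rec["user"], host)]
        t["tunnels"] += 1
        t["bytes"] += rec["bytes"]
        t["seconds"] += rec["elapsed_ms"] / 1000.0
    return dict(totals)

if __name__ == "__main__":
    summary = tunnel_summary(SAMPLE_LOG, "googlevideo.com")
    for (user, host), t in sorted(summary.items()):
        print(f"{user:8} {host:40} {t['tunnels']} tunnel(s) "
              f"{t['bytes']} bytes {t['seconds']:.1f}s")
```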