On 9/19/19 10:29 AM, sknz wrote:
> I'm using squid 3.5.3 to intercept https without issuing the client
> certificate.
>
> https_port 3127 intercept ssl-bump generate-host-certificates=off
> cert=certs/squid.pem
> ssl_bump none all

> So my squid access log is similar to this. Is there any way to make it more
> meaningful? perhaps hostname?

You can peek at step1 to get access to TLS client handshake information, which may include TLS SNI. You can also peek at step2 to get access to TLS server handshake information, which may include TLS server CN and other details.

IIRC, some of those details will be logged automatically with the default logformat. Others can be logged using TLS-specific logformat %codes.

https://wiki.squid-cache.org/Features/SslPeekAndSplice

HTH,

Alex.

> ...............................
> 1568902948.817 65168 10.1.0.1 TCP_TUNNEL/200 891 CONNECT 157.240.16.63:443
> - ORIGINAL_DST/157.240.16.63 - 10.1.0.1
> 1568903081.342 240109 10.1.0.1 TCP_TUNNEL/200 458 CONNECT
> 172.217.163.132:443 - ORIGINAL_DST/172.217.163.132 - 10.1.0.1
> 1568903132.645 240133 10.1.0.1 TCP_TUNNEL/200 99047 CONNECT
> 172.217.31.214:443 - ORIGINAL_DST/172.217.31.214 - 10.1.0.1
> ...............................

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
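
The step1 peek and TLS logformat codes suggested in the reply could be configured as follows. This is an added example, not part of the original messages or of the Squid project's documentation; the `tlsinfo` format name and the log path are assumptions.

```squidconf
# Added example: assumes Squid 3.5 or later built with OpenSSL support.
# Listener line unchanged from the original post.
https_port 3127 intercept ssl-bump generate-host-certificates=off cert=certs/squid.pem

# Before (from the post): tunnel without looking at the handshake, so the
# access log can only show the destination IP address.
# ssl_bump none all

# After: read the TLS ClientHello at step1, then splice. Splicing forwards
# the TLS bytes unmodified, so no certificate is generated for the client
# and the traffic is not decrypted.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# Default "squid" log format with two TLS fields appended:
#   %ssl::>sni        server name from the ClientHello ("-" if none was sent)
#   %ssl::bump_mode   the ssl_bump action Squid applied to the connection
logformat tlsinfo %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt sni=%ssl::>sni mode=%ssl::bump_mode

# Log path is an assumption; point this at your existing access log.
access_log daemon:/var/log/squid/access.log logformat=tlsinfo
```

The SNI value is supplied by the client and is not authenticated, so treat it as a label for the log rather than proof of the destination. Peeking at step2 as well, as the reply notes, exposes the server certificate details for comparison.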