I use squid 4.9 on OpenSuse 15.1.

Almost all https-requests are logged with https:443:

1579204357.578 1 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204358.623 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204358.672 1 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204358.677 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204358.680 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204359.261 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204360.227 8766 1.2.3.4 TCP_TUNNEL/200 47056 CONNECT 3c.web.de:443 - HIER_DIRECT/217.72.196.68 -
1579204363.236 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204377.895 16489 1.2.3.4 TCP_TUNNEL/200 3851 CONNECT t.uimserv.net:443 - HIER_DIRECT/195.20.250.183 -
1579204381.210 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204381.960 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204383.712 8416 1.2.3.4 TCP_TUNNEL/200 8409 CONNECT 3c.web.de:443 - HIER_DIRECT/217.72.196.68 -
1579204396.847 45930 1.2.3.4 TCP_TUNNEL/200 77063 CONNECT adimg.uimserv.net:443 - HIER_DIRECT/23.210.249.45 -

Only some https-requests get logged with a useful line.

I don't use SSLBump.

I have logged the traffic in a haproxy in front of this squid.

These requests

2020-01-16T20:59:28+01:00 Jufi haproxy[1796]: 1.2.3.4:20711 [16/Jan/2020:20:59:28.656] squid squidservers/squidserver1 0/0/0/3/3 503 4252 - - ---- 12/12/11/3/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1"
2020-01-16T20:59:34+01:00 Jufi haproxy[1796]: 1.2.3.4:30065 [16/Jan/2020:20:59:34.226] squid squidservers/squidserver1 0/0/0/1/1 503 4252 - - ---- 13/13/12/3/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1"
2020-01-16T21:01:14+01:00 Jufi haproxy[1796]: 1.2.3.4:19521 [16/Jan/2020:21:01:14.892] squid squidservers/squidserver1 0/0/0/2/2 503 4252 - - ---- 22/22/19/9/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1"
2020-01-16T21:01:15+01:00 Jufi haproxy[1796]: 1.2.3.4:31880 [16/Jan/2020:21:01:15.901] squid squidservers/squidserver1 0/0/0/0/0 503 4252 - - ---- 22/22/19/9/0 0/0 "CONNECT incoming.telemetry.mozilla.org:443 HTTP/1.1"

don't show up in access.log (squid).

These requests are logged (with the time at the start of the line converted to human-readable form):

Thu Jan 16 20:59:28 2020 2 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
Thu Jan 16 20:59:34 2020 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
Thu Jan 16 21:01:14 2020 1 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
Thu Jan 16 21:01:15 2020 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -

Why are some https-requests logged with the correct hostname and no fake CONNECT https:443, while other requests are logged without the correct domain but with fake CONNECT entries?

On another system I have squid 3.5.27 (Ubuntu 18.04). There are no CONNECT https:443 log lines, and all https-requests are logged with CONNECT <hostname>:443 entries.

Anton Kornexl

-----Original Message-----
From: Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>
Sent: Thursday, 16 January 2020 15:08
To: Kornexl, Anton <KORNEXL@xxxxxxxxxxxxxxxxx>; 217.252.117.35
Subject: Re: Squid access.log

On 1/16/20 3:06 AM, Kornexl, Anton wrote:
> I see many requests with CONNECT https:443 in my access.log
> How are these entries triggered?

These records are logged when your Squid is done with an HTTP CONNECT tunnel or after Squid intercepts a TLS connection. In very broad terms, they are a sign that your Squid participates in HTTPS transactions. Normally, there should be more than "https:443" in those CONNECT records.

> They produce errors in some accounting scripts

Consider either fixing the scripts or, if losing information about CONNECT tunnels is acceptable to your accounting, filtering CONNECT records out before giving the logs to the scripts.
You can also configure Squid to stop logging CONNECT transactions (using access_log ACLs), but I do not recommend hiding the truth that may be critical in a triage.

HTH,

Alex.
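
The pre-filtering step suggested in the reply, as an added example that is not code from the thread or from the Squid project. It is narrower than dropping every CONNECT record: only the "CONNECT https:443" placeholder records are set aside, and they are counted per client and result code so the information stays available for triage. The sample lines are constructed from the ones quoted in the thread; the function names and the ten-field native log layout are assumptions.

```python
import sys
from collections import Counter

# Constructed sample in Squid's native access.log format, modelled on the thread.
SAMPLE = """\
1579204357.578 1 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204360.227 8766 1.2.3.4 TCP_TUNNEL/200 47056 CONNECT 3c.web.de:443 - HIER_DIRECT/217.72.196.68 -
1579204363.236 0 1.2.3.4 NONE/503 0 CONNECT https:443 - HIER_NONE/- -
1579204370.000 12 1.2.3.4 TCP_MISS/200 512 GET http://example.test/ - HIER_DIRECT/192.0.2.10 text/html
truncated line
"""

# Assumed layout: the default "squid" logformat with ten whitespace-separated fields.
FIELDS = ("time", "elapsed", "client", "result", "bytes",
          "method", "url", "user", "hier", "ctype")

def parse(line):
    """Return a dict for one native-format record, or None if it does not fit."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_placeholder_connect(rec, bad_hosts=("https",)):
    """True for CONNECT records whose target host is the literal 'https'."""
    if rec["method"] != "CONNECT":
        return False
    host, _, _port = rec["url"].rpartition(":")
    return host in bad_hosts

def split_log(lines):
    """Return (lines to pass on, Counter of set-aside records, unparsed count)."""
    keep, set_aside, unparsed = [], Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            unparsed += 1  # do not guess at damaged lines; report them instead
        elif is_placeholder_connect(rec):
            set_aside[(rec["client"], rec["result"])] += 1
        else:
            keep.append(line.rstrip("\n"))
    return keep, set_aside, unparsed

if __name__ == "__main__":
    keep, set_aside, unparsed = split_log(SAMPLE.splitlines())
    print("\n".join(keep))  # stdout feeds the accounting script
    for (client, result), n in sorted(set_aside.items()):
        print(f"set aside: {n} x CONNECT https:443 from {client} ({result})", file=sys.stderr)
    print(f"unparsed lines: {unparsed}", file=sys.stderr)
```
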