On 4/20/20 4:13 PM, leomessi983@xxxxxxxxx wrote:

> Well in my case for my single web request in first CONNECT log entry,
> the domain address is IP address of server and URL is IP:PORT of server
> and in second log entry domain is example.com and URL is example.com:443.

Yes, this is typical.

> but why?

You see IP addresses in CONNECT URIs because that is what the client (e.g., a browser) sent to Squid or, if you are intercepting, that is how Squid shows intercepted TCP connections. Per protocol specification, a CONNECT request URI (or request target) syntax differs from the syntax of other common request URIs (e.g., HEAD). For details, see request-target at https://tools.ietf.org/html/rfc7230#section-3.1.1

> I don't bump anything in this requests!

I probably do not know what you mean by this remark. Your other comments indicate that you do bump CONNECT tunnels. If you use "ssl_bump bump" or equivalent deprecated rules, then, for the purposes of this discussion, you are probably bumping (i.e., decrypting) some CONNECT tunnels.

> If I use ssl::server_name and specify IP address of server to bump
> https request, my https://example.com request will be blocked, I don't
> send requests in the example format of https://1.1.1.1. But they will be
> blocked while I don't want to.

Your http_access and ssl_bump rules have to match reality. There is no way around that. In reality, CONNECT requests use a different request target than, say, HEAD requests inside those CONNECT tunnels.

If you can configure Wireshark or a similar packet inspection tool to decrypt CONNECT tunnels and show you both CONNECT requests and the requests inside the tunnel, all these details may become a bit easier to grasp. Unfortunately, I do not have ready-to-use instructions on how to configure Wireshark to decrypt to- and from-Squid communications.

HTH,

Alex.

> On Monday, April 20, 2020, 11:39:23 PM GMT+4:30, Alex Rousskov wrote:
>
> On 4/20/20 2:04 PM, leomessi983@xxxxxxxxx wrote:
>
>> hi
>> I have one question.
>> why for each https request that squid do peek or bump or splice, squid
>> logs 2 lines?
>> one with connect method and one with head method?
>
> ... because there are two HTTP[S] requests in those cases, one with the
> CONNECT method and one with the HEAD method. There are other cases where
> one bumped CONNECT tunnel carries hundreds or even thousands of
> GET/HEAD/PUT/POST/CONNECT/etc. requests. And there are also cases where
> a bumped CONNECT tunnel carries no requests at all.
>
> In summary, one bumped CONNECT tunnel will (by default) result in one or
> more access.log records, starting with the CONNECT record.
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
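
Added example, not part of the original message and not Squid code: a small Python classifier for the request-target forms defined by the RFC 7230 section linked above, showing why a CONNECT line can carry an IP:PORT while the request inside the tunnel carries no host at all. The function names and the sample request lines (including the documentation addresses 192.0.2.10 and 2001:db8::1) are constructed for illustration.

```python
import ipaddress

def split_authority(authority):
    """Split host[:port]; IPv6 literals arrive bracketed, e.g. [2001:db8::1]:443."""
    if authority.startswith("["):
        host, _, rest = authority[1:].partition("]")
        port = rest[1:] if rest.startswith(":") else ""
    elif ":" in authority:
        host, _, port = authority.rpartition(":")
    else:
        host, port = authority, ""
    return host, (int(port) if port else None)

def host_kind(host):
    """'ip' for an address literal, 'name' for anything else."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "name"

def classify(request_line):
    """Return (form, host, port, kind) for one HTTP/1.1 request line."""
    method, target, _version = request_line.split(" ", 2)
    if target == "*":
        return ("asterisk-form", None, None, None)
    if target.startswith("/"):
        # origin-form carries no host; the name lives in the Host header
        return ("origin-form", None, None, None)
    if "://" in target:
        authority = target.split("://", 1)[1].split("/", 1)[0]
        form = "absolute-form"
    elif method == "CONNECT":
        authority, form = target, "authority-form"
    else:
        raise ValueError(f"unexpected request-target: {target!r}")
    host, port = split_authority(authority)
    return (form, host, port, host_kind(host))

# Constructed request lines of the kinds discussed in the thread.
SAMPLES = [
    "CONNECT 192.0.2.10:443 HTTP/1.1",     # tunnel addressed by IP
    "CONNECT example.com:443 HTTP/1.1",    # tunnel addressed by name
    "HEAD / HTTP/1.1",                     # request inside the tunnel
    "CONNECT [2001:db8::1]:443 HTTP/1.1",  # IPv6 literal
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line:40} -> {classify(line)}")
```

A rule that compares a domain name against the CONNECT request-target alone has nothing to match when that target is an address literal, which is the mismatch between rules and logged requests that the reply describes.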