Thanks Eliezer,

I'm aiming for a configuration which logs all HTTP and HTTPS connections 
without performing any full ssl_bumping, which would need me to get devices to 
trust my CA cert. 

I have something similar with pfsense (which does log SNI/server name rather 
than IP & port) but I'm getting some strange behaviour, so I wanted to build an 
equivalent standalone squid server with a more up-to-date version of squid. 

Will have another look at my pfsense ssl_bump config as there are some slight 
differences, but I think these are hangovers from earlier syntax (ssl_bump 
server-first all) which shouldn't be required under 3.5. 

Cheers

Mark

> On 3 Jan 2017, at 22:41, Eliezer Croitoru <elie...@ngtech.co.il> wrote:
> 
> Hey Mark,
> 
> Squid in intercept or tproxy mode will know one thing about the 
> tunnel\connection: IP+port.
> Since you are using:
>> ssl_bump peek all
>> ssl_bump splice all
> 
> The connections will always be spliced and you will never see any URL. (Are 
> you expecting only the SNI or also the URL?)
> I do not know, but there might be code that can report the SNI, if it exists, 
> in the logs.
> Alex is better than me at this, but I believe it should be possible as an 
> addition to the IP+port, not a replacement for them.
> 
> Eliezer
> 
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: elie...@ngtech.co.il
> 
> 
> -----Original Message-----
> From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On 
> Behalf Of Mark Hoare
> Sent: Saturday, December 31, 2016 4:38 PM
> To: squid-users@lists.squid-cache.org
> Subject: [squid-users] ssl_bump - peek & splice logging IP rather than server 
> name
> 
> Hi,
> 
> I'm trying to set up policy based routing on a gateway device pointing at a 
> remote squid server to do transparent HTTP & HTTPS proxying with ssl_bump 
> (peek & splice).
> 
> After quite a bit of pain getting policy based routing working on the gateway 
> and local port redirection on the squid server, everything appears to be 
> working except the access log still refers to the destination IP address in 
> the TCP_TUNNEL rather than the SNI/TLS server name.
> 
> By increasing the debug level I can see that the SNI/TLS details are 
> definitely being obtained during the request processing but for some reason 
> they are not ending up in the access log.
> 
> Extract from cache log:
>> 2016/12/31 14:18:01.966 kid1| 83,7| bio.cc(1110) parseV3Hello: Found server 
>> name: www.ssllabs.com
>> 2016/12/31 14:18:02.351 kid1| 83,5| support.cc(259) ssl_verify_cb: SSL 
>> Certificate signature OK: /C=US/ST=California/L=Redwood City/O=Qualys, 
>> Inc./CN=ssllabs.com
>> 2016/12/31 14:18:02.351 kid1| 83,4| support.cc(213) check_domain: Verifying 
>> server domain www.ssllabs.com to certificate name/subjectAltName ssllabs.com
>> 2016/12/31 14:18:02.351 kid1| 83,4| support.cc(213) check_domain: Verifying 
>> server domain www.ssllabs.com to certificate name/subjectAltName 
>> *.ssllabs.com
>> 2016/12/31 14:18:02.383 kid1| 83,5| PeerConnector.cc(307) 
>> serverCertificateVerified: HTTPS server CN: ssllabs.com bumped: local=<squid 
>> IP removed>:57790 remote=64.41.200.100:443 FD 14 flags=1
> 
> Extract from access log:
>> 1483193882.790    870 <local ip removed> TCP_TUNNEL/200 5620 CONNECT 
>> 64.41.200.100:443 - ORIGINAL_DST/64.41.200.100 -
> 
> From the output above I would have expected some of the server name info to 
> get into the access log.
> 
> Squid config below:
>> debug_options ALL,7
>> 
>> http_port 3128
>> 
>> https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem 
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> 
>> http_port 3131 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem 
>> generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>> 
>> cache_dir ufs /var/spool/squid 200 16 256
>> coredump_dir /var/spool/squid
>> 
>> acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
>> acl localnet src fc00::/7       # RFC 4193 local private network range
>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) 
>> machines
>> 
>> acl Safe_ports port 80        # http
>> acl Safe_ports port 21        # ftp
>> acl Safe_ports port 443        # https
>> acl Safe_ports port 70        # gopher
>> acl Safe_ports port 210        # wais
>> acl Safe_ports port 1025-65535    # unregistered ports
>> acl Safe_ports port 280        # http-mgmt
>> acl Safe_ports port 488        # gss-http
>> acl Safe_ports port 591        # filemaker
>> acl Safe_ports port 777        # multiling http
>> 
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>> 
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> 
>> http_access allow localhost manager
>> http_access deny manager
>> 
>> refresh_pattern ^ftp:        1440    20%    10080
>> refresh_pattern ^gopher:    1440    0%    1440
>> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
>> refresh_pattern .        0    20%    4320
>> 
>> ssl_bump peek all
>> ssl_bump splice all
>> 
>> always_direct allow all
>> 
>> http_access allow localnet
>> http_access allow localhost
>> 
>> http_access deny all
> 
> 
> Any suggestions gratefully received.
> 
> Thanks
> 
> Mark
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 

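Added example (not from this thread, and not Squid project code): what the peek 
step actually learns about a spliced tunnel is the server_name extension of the 
client's ClientHello, which is where the "parseV3Hello: Found server name" line 
in the cache log comes from. The script below parses that extension out of a 
constructed ClientHello, treats anything that is not a ClientHello (plain HTTP 
on 443, truncated or garbage bytes) as "no SNI", and shows the two fields an 
intercepting proxy can log per tunnel: the original destination IP+port it always 
has, plus the peeked name when one was sent. On the squid.conf side the 
equivalent is the %ssl::>sni logformat code, which Squid 3.5 fills in after the 
peek/stare/splice step, so adding it to a custom logformat records the name next 
to the IP+port rather than instead of it. The function names, the sample 
ClientHello builder and the reuse of www.ssllabs.com / 64.41.200.100:443 from 
the log extract are all assumptions made for the example.

```python
import struct
from typing import Dict, Optional


class NotClientHello(ValueError):
    """Raised when the bytes are not a TLS handshake record carrying a ClientHello."""


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample data, not a capture).

    server_name=None omits the SNI extension, as an old or SNI-less client would.
    """
    body = b"\x03\x03" + b"\x11" * 32                    # client_version + 32-byte random
    body += b"\x00"                                      # session_id: empty
    body += b"\x00\x02\xc0\x2f"                          # cipher_suites: one suite
    body += b"\x01\x00"                                  # compression_methods: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    exts += struct.pack("!HH", 0x000b, 2) + b"\x01\x00"  # ec_point_formats, to show other extensions are skipped
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type client_hello(1) + uint24 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension, or None if absent.

    This is the only hostname a peek at SslBump step 1 can learn from the client;
    certificate CN/SAN details only arrive later, from the server side.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise NotClientHello("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise NotClientHello("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                               # skip version and random
        pos += 1 + body[pos]                                       # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
        pos += 1 + body[pos]                                       # compression_methods
        if pos + 2 > len(body):
            return None                                            # hello has no extensions block
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:
                continue
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= list_end:                               # entries: name_type, uint16 len, name
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                name = edata[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0x00 and len(name) == nlen:
                    return name.decode("ascii")
    except (IndexError, struct.error) as exc:
        raise NotClientHello("truncated ClientHello") from exc
    return None


def is_client_hello(record: bytes) -> bool:
    """True if extract_sni accepts the record as a ClientHello (SNI present or not)."""
    try:
        extract_sni(record)
        return True
    except NotClientHello:
        return False


def tunnel_log_fields(record: bytes, dst_ip: str, dst_port: int) -> Dict[str, str]:
    """Fields an intercepting proxy can log for a spliced tunnel.

    dst is what intercept/tproxy always knows (original destination IP+port); sni is
    the peeked name, or "-" (Squid's empty-field marker) when nothing usable was sent.
    """
    try:
        sni = extract_sni(record)
    except NotClientHello:
        sni = None          # plain HTTP on 443, or garbage: IP+port is all there is to log
    return {"dst": f"{dst_ip}:{dst_port}", "sni": sni or "-"}


if __name__ == "__main__":
    print(tunnel_log_fields(build_client_hello("www.ssllabs.com"), "64.41.200.100", 443))
    print(tunnel_log_fields(build_client_hello(None), "64.41.200.100", 443))
```

The parser deliberately stops at the first host_name entry: RFC 6066 allows at 
most one per name type, and a proxy that logs or makes splice decisions on SNI 
should treat a second entry or a length mismatch as untrusted input rather than 
silently picking one of them.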