On 07/04/18 00:48, Peter Viskup wrote:
> Amos,
> thank you for your helpful reply.
> Setup with use of %note is working. Both servers have same
> configuration from GIT. Added one include for the proxyNode note
> configuration with "GIT ignore" flag on that file.
> Realized the note can be used to track the ACL the transaction passed to.
> Proxy node ID:
> note proxyNode 10.x.y.a
> logformat ... proxyNode=%{proxyNode}note ...
> Passed via ACL:
> acl sslstep1 at_step SslBump1
> acl sslstep3 at_step SslBump3
> acl test_s src <some_ip>
> acl test_d dstdomain <some_domain>
> acl test_ssl ssl::server_name <some_domain>
> acl SSH_port port 22
> # splice at step1 for SSH connections
> note acl test_splice_ssh test_s test_d SSH_port
> ssl_bump splice sslstep1 test_s test_d SSH_port

dstdomain ACL type (test_d is not valid at ssl_bump processing time. The
HTTP request the domain comes from has not (yet or ever) been decrypted
from the crypted bytes.

> # splice at step3 for other TLS connections
> note acl test_splice_http test_s test_ssl
> ssl_bump splice sslstep3 test_s test_ssl
> logformat ... acl=%{acl}note ...

Well, yes for this - but take care. Since the 'note ...' directive is
ONLY evaluated right at logging time it may show the wrong thing if the
ACL state changes between the initial directive (ssl_bump) evaluation
and the logging at the end of the transaction.
For example;
* the ssl_server_name ACL state changes with each SSL-Bump step that
completes, and
* dstdomain uses DNS lookups when only a raw-IP exists (eg in ssl_bump
step 1). The DNS records may expire and be changed in the time it takes
to transfer all the data in a spliced tunnel, before note re-runs the
dstdomain test_d check for logging.

squid-users mailing list

Reply via email to