Peek and Splice - Termination Log


Peek and Splice - Termination Log

Eric Lackey-2
Hello, we’re beginning to enable the Peek and Splice feature on Squid 3.5. Our ssl_bump configuration looks like below where we’re validating the request matches a domain in our allowed_sites file and then terminating the SSL connection if it does not.

This is all working well except for the fact that we don’t have a good way to determine what is being blocked. In the configuration below, the only log we get is when Squid connects to the external server to get the SSL certificate and that is usually a 200 response. If the domain does not match our allowed list the connection is then terminated and no additional log is written.

I know that we can see this in cache.log by enabling debugging (debug_options 28,4), but that’s a large amount of log data to try to process and report on and the structure of the log is not something that we can easily ingest into our logging platform. It would be great if we could get it into a JSON format similar to how we can with access_log.

Does anyone else have a solution for this and if not, is this something that has been requested as a feature in the past?

Thanks in advance for any help.

======

# Define allowed sites
acl allowed_https_sites ssl::server_name_regex "/etc/squid/allowed_sites"

ssl_bump peek all
ssl_bump splice allowed_https_sites
ssl_bump terminate step3 all

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
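An added example, not from the thread or from Squid itself, that emulates the peek / splice / terminate decision of the configuration above against a constructed allowed_sites file and emits the terminated connections as the JSON lines the post asks for. It assumes Python's re is close enough to Squid's POSIX regex matching for these patterns, and it also flags allow patterns that are not anchored, since a search-style regex match lets an unanchored pattern match any longer server name that contains it.

```python
import json
import re

# Constructed stand-in for /etc/squid/allowed_sites: one regex per line.
# The last pattern is deliberately unanchored so the audit below catches it.
ALLOWED_SITES = """\
^(.*\\.)?example\\.com$
^www\\.example\\.org$
example\\.net
"""

# Constructed stand-in for the SNI values Squid sees while peeking (step2).
SNI_EVENTS = [
    {"ts": 1506094041.1, "client": "10.0.0.5", "sni": "www.example.com"},
    {"ts": 1506094042.2, "client": "10.0.0.5", "sni": "updates.vendor.test"},
    {"ts": 1506094043.3, "client": "10.0.0.7", "sni": "example.net.other.test"},
]


def load_patterns(text):
    """Compile the non-empty lines of the ACL file (assumption: Python re
    behaves like Squid's POSIX regex for these simple patterns)."""
    return [re.compile(l.strip()) for l in text.splitlines() if l.strip()]


def decide(sni, patterns):
    """peek all -> splice allowed_https_sites -> terminate all, for one SNI.
    Squid regex ACLs are searched rather than anchored, hence re.search."""
    return "splice" if any(p.search(sni) for p in patterns) else "terminate"


def termination_log(events, patterns):
    """One JSON line per terminated connection, ready for a log platform."""
    return [json.dumps({"ts": ev["ts"], "client": ev["client"],
                        "sni": ev["sni"], "action": "terminate"}, sort_keys=True)
            for ev in events if decide(ev["sni"], patterns) == "terminate"]


def unanchored_patterns(text):
    """Audit helper: allow patterns without ^...$ match any name containing them."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return [l for l in lines if not (l.startswith("^") and l.endswith("$"))]


if __name__ == "__main__":
    pats = load_patterns(ALLOWED_SITES)
    for line in termination_log(SNI_EVENTS, pats):
        print(line)
    for p in unanchored_patterns(ALLOWED_SITES):
        print("warning: unanchored allow pattern:", p)
```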

Re: Peek and Splice - Termination Log

Alex Rousskov
On 09/22/2017 09:27 AM, Eric Lackey wrote:

> This is all working well except for the fact that we don’t have a
> good way to determine what is being blocked.

All transactions, including blocked ones, must be logged to access.log.
Squid had several bugs in this area. All known bugs (within this
discussion scope) should be fixed in the latest v5. I am not sure about
the latest v3, but I do see at least some of the fixes in v4. For
example:
https://github.com/squid-cache/squid/commit/da6dbcd110f7603f6d4cd9b3eef749311293fe77

Going forward:

* If something is not logged in the latest v3, then please consider
upgrading to v4. Filing a bug report in Bugzilla (see below) for v3
might motivate somebody to backport the fixes, but if the bug is fixed
in v4, then upgrading may be an overall better option, especially if you
use SslBump.

* If something is not logged in the latest v4 or v5, then please
consider filing a bug report in Bugzilla. Attaching an ALL,9 cache.log
while reproducing the issue using a single transaction on an otherwise
idle Squid will help developers triage your bug report.


Thank you,

Alex.
P.S. You do not need the "step3" ACL in the configuration below.

> acl allowed_https_sites ssl::server_name_regex "/etc/squid/allowed_sites"
>
> ssl_bump peek all
> ssl_bump splice allowed_https_sites
> ssl_bump terminate step3 all