squid access.log

squid access.log

leomessi983@yahoo.com
Hi
Why do I see multiple different lines in the access.log file?
Is every line a separate request?
I used ssl-bump, peek at_step sslbump1, and then based on my ACL, I bump them or splice them!
My squid.conf for log:
logformat squid2   %ts %{%Y %b %d %H:%M:%S}tl %>a %<a %<A %ru %>Hs %<Hs %ssl::bump_mode

For example for google.com I see multiple lines in access.log:
1563634658 2019 Jul 20 19:27:38  40.0.0.40 - - 216.58.208.67:443 200 - splice
1563634658 2019 Jul 20 19:27:38  40.0.0.40 - - 216.58.208.67:443 200 - splice
1563634659 2019 Jul 20 19:27:39  40.0.0.40 - - 172.217.18.130:443 200 - splice
1563634659 2019 Jul 20 19:27:39  40.0.0.40 - - 216.58.208.78:443 200 - splice
1563634659 2019 Jul 20 19:27:39  40.0.0.40 - - 172.217.18.130:443 200 - splice

Where is https://google.com in this log?


If I denied google, access.log shows:
1563634748 2019 Jul 20 19:29:08  40.0.0.40 172.217.18.130 googleads.g.doubleclick.net googleads.g.doubleclick.net:443 200 - splice
1563634748 2019 Jul 20 19:29:08  40.0.0.40 216.58.208.78 apis.google.com apis.google.com:443 200 - splice
1563634748 2019 Jul 20 19:29:08  40.0.0.40 172.217.18.130 adservice.google.com adservice.google.com:443 200 - splice
1563634748 2019 Jul 20 19:29:08  40.0.0.40 216.58.208.67 ssl.gstatic.com ssl.gstatic.com:443 200 - splice
1563634748 2019 Jul 20 19:29:08  40.0.0.40 216.58.208.67 www.gstatic.com www.gstatic.com:443 200 - splice
1563634748 2019 Jul 20 19:29:08  40.0.0.40 172.217.18.132 www.google.com www.google.com:443 200 - splice
1563634748 2019 Jul 20 19:29:08  40.0.0.40 172.217.18.132 www.google.com www.google.com:443 200 - splice
1563634748 2019 Jul 20 19:29:08  40.0.0.40 172.217.18.132 172.217.18.132 172.217.18.132:443 200 - bump
1563634749 2019 Jul 20 19:29:09  40.0.0.40 134.0.216.195 detectportal.firefox.com http://detectportal.firefox.com/success.txt 200 200 -
1563634749 2019 Jul 20 19:29:09  40.0.0.40 - - 99.86.163.28:443 200 - splice


Thank you

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: squid access.log

Alex Rousskov
On 7/20/19 11:07 AM, [hidden email] wrote:

> Why do I see multiple different lines in the access.log file?

I believe the following wiki page answers that question. Search for the
word "log" in the Processing Steps section.

  https://wiki.squid-cache.org/Features/SslPeekAndSplice

> Is every line a separate request?

The answer depends on what you consider a "request" to be in this context.
Please see above URL for logging details.


> I used ssl-bump, peek at_step sslbump1, and then based on my ACL, I bump
> them or splice them! My squid.conf for log:
> logformat squid2   %ts %{%Y %b %d %H:%M:%S}tl %>a %<a %<A %ru %>Hs %<Hs
> %ssl::bump_mode
>
> For example for google.com I see multiple lines in access.log:
> 1563634658 2019 Jul 20 19:27:38  40.0.0.40 - - 216.58.208.67:443 200 - splice
> 1563634658 2019 Jul 20 19:27:38  40.0.0.40 - - 216.58.208.67:443 200 - splice
> 1563634659 2019 Jul 20 19:27:39  40.0.0.40 - - 172.217.18.130:443 200 - splice
> 1563634659 2019 Jul 20 19:27:39  40.0.0.40 - - 216.58.208.78:443 200 - splice
> 1563634659 2019 Jul 20 19:27:39  40.0.0.40 - - 172.217.18.130:443 200 - splice
>
> Where is https://google.com in this log?

At step1, Squid cannot see the URLs you expect. And Squid does not see
the HTTP request if you tell it to splice during step2. You can try
logging %ssl::>sni and %ssl::<cert_subject. See their documentation in
squid.conf.documented.

To see the HTTP request, Squid has to bump the connection.


> If I denied google, access.log shows:

If you deny access, Squid bumps the client connection and, if that
bumping is successful, receives the HTTP request.

Alex.
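
Added example, not part of either message: a short Python parser for the logformat quoted above, run over lines copied from the original post. It separates records whose %ru is only host:port from the one record carrying a full HTTP URL, and lists the targets known only by IP address, which is where logging %ssl::>sni would add a name. Treating a scheme-less %ru as a connection-level record is an assumption of this example, and the function and class names are its own.

```python
import ipaddress
from collections import Counter, namedtuple

# Field order of the poster's logformat:
# %ts %{%Y %b %d %H:%M:%S}tl %>a %<a %<A %ru %>Hs %<Hs %ssl::bump_mode
Record = namedtuple("Record", "ts client server_ip server_name url "
                              "status_to_client status_from_server bump_mode")

def parse_line(line):
    f = line.split()
    if len(f) != 12:  # %ts, four tokens from %tl, then seven single-token fields
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    return Record(int(f[0]), *f[5:])

def classify(rec):
    """Assumption of this example: a %ru without a scheme is a connection-level record."""
    if "://" in rec.url:
        return "http-request"      # Squid saw a real HTTP request URL
    host = rec.url.rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return "connect-ip"        # only the destination address is known
    except ValueError:
        return "connect-name"      # a host name was available to Squid

# Lines copied from the post above.
SAMPLE = """\
1563634658 2019 Jul 20 19:27:38  40.0.0.40 - - 216.58.208.67:443 200 - splice
1563634659 2019 Jul 20 19:27:39  40.0.0.40 - - 172.217.18.130:443 200 - splice
1563634748 2019 Jul 20 19:29:08  40.0.0.40 172.217.18.132 www.google.com www.google.com:443 200 - splice
1563634748 2019 Jul 20 19:29:08  40.0.0.40 172.217.18.132 172.217.18.132 172.217.18.132:443 200 - bump
1563634749 2019 Jul 20 19:29:09  40.0.0.40 134.0.216.195 detectportal.firefox.com http://detectportal.firefox.com/success.txt 200 200 -
1563634749 2019 Jul 20 19:29:09  40.0.0.40 - - 99.86.163.28:443 200 - splice
"""

def records(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def summarize(text):
    """Count records per class."""
    return Counter(classify(r) for r in records(text))

def ip_only_targets(text):
    """Targets logged without any host name; candidates for %ssl::>sni logging."""
    return sorted({r.url for r in records(text) if classify(r) == "connect-ip"})

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    print(ip_only_targets(SAMPLE))
```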