squid access.log


squid access.log

leomessi983
Well, in my case, for my single web request, in the first CONNECT log entry the domain address is the IP address of the server and the URL is IP:PORT of the server, and in the second log entry the domain is example.com and the URL is example.com:443.
But why? I don't understand it; this confuses me!!
I don't bump anything in these requests!
If I use ssl::server_name and specify the IP address of the server to bump the https request, my https://example.com request will be blocked. I don't send requests in the example format of https://1.1.1.1, but they will be blocked while I don't want that.

On Monday, April 20, 2020, 11:39:23 PM GMT+4:30, Alex Rousskov <[hidden email]> wrote:


On 4/20/20 2:04 PM, [hidden email] wrote:

> Hi,
> I have one question.
> Why, for each https request that squid does peek or bump or splice, does squid
> log 2 lines?
> One with the CONNECT method and one with the HEAD method?


... because there are two HTTP[S] requests in those cases, one with the
CONNECT method and one with the HEAD method. There are other cases where
one bumped CONNECT tunnel carries hundreds or even thousands of
GET/HEAD/PUT/POST/CONNECT/etc. requests. And there are also cases where
a bumped CONNECT tunnel carries no requests at all.

In summary, one bumped CONNECT tunnel will (by default) result in one or
more access.log records, starting with the CONNECT record.

Alex.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: squid access.log

Alex Rousskov
On 4/20/20 4:13 PM, [hidden email] wrote:
> Well in my case for my single web request in first CONNECT log entry,
> the domain address is IP address of server and URL is IP:PORT of server
> and in second log entry domain is example.com and URL is example.com:443 .

Yes, this is typical.

> but why?

You see IP addresses in CONNECT URIs because that is what the client
(e.g., a browser) sent to Squid or, if you are intercepting, that is how
Squid shows intercepted TCP connections.

Per the protocol specification, a CONNECT request URI (or request target)
syntax differs from the syntax of other common request URIs (e.g.,
HEAD). For details, see request-target at
https://tools.ietf.org/html/rfc7230#section-3.1.1


> I dont bump anything in this requests!

I probably do not know what you mean by this remark. Your other comments
indicate that you do bump CONNECT tunnels. If you use "ssl_bump bump" or
equivalent deprecated rules, then, for the purposes of this discussion,
you are probably bumping (i.e., decrypting) some CONNECT tunnels.


> If I use ssl::server_name and specify IP address of server to bump
> https request, my https://example.com request will be blocked, I dont
> send requests in the example format of https://1.1.1.1 .but they will be
> blocked while I dont want to.

Your http_access and ssl_bump rules have to match reality. There is no
way around that. In reality, CONNECT requests use a different request
target than, say, HEAD requests inside those CONNECT tunnels.

If you can configure Wireshark or a similar packet inspection tool to
decrypt CONNECT tunnels and show you both CONNECT requests and the
requests inside the tunnel, all these details may become a bit easier to
grasp. Unfortunately, I do not have ready-to-use instructions on how to
configure Wireshark to decrypt to- and from-Squid communications.


HTH,

Alex.
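To make the two-record pattern described above concrete, here is an added example (not from this thread and not Squid's own code) that parses a few constructed native-format access.log lines, names the RFC 7230 section 3.1.1 request-target form of each logged URL, and attaches the HEAD/GET records to the CONNECT record from the same client. The sample lines, the helper names and the client-address grouping are assumptions: the default native log format carries no tunnel identifier, so joining on client address is only an approximation of which inner requests a tunnel carried.

```python
"""Classify Squid access.log records by HTTP request-target form.

Added example, not from the squid-users thread or the Squid project.
The log lines below are constructed and use documentation IP ranges.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample records in Squid's native access.log layout:
# timestamp elapsed client action/code size method url ident hierarchy/peer type
SAMPLE_LOG = """\
1587412763.102    245 192.0.2.10 TCP_TUNNEL/200 3921 CONNECT 203.0.113.5:443 - HIER_DIRECT/203.0.113.5 -
1587412763.190     12 192.0.2.10 TCP_MISS/200 512 HEAD https://example.com/ - HIER_DIRECT/203.0.113.5 text/html
1587412770.417      0 192.0.2.11 TCP_TUNNEL/200 2880 CONNECT 198.51.100.7:443 - HIER_DIRECT/198.51.100.7 -
1587412801.003     31 192.0.2.12 TCP_MISS/200 1024 GET http://example.org/index.html - HIER_DIRECT/203.0.113.9 text/html
"""

NATIVE_RE = re.compile(r"""
    ^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+
    (?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+
    (?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+
    (?P<hier>\S+)\s+(?P<ctype>\S+)$
""", re.VERBOSE)


def target_form(target: str) -> str:
    """Name the RFC 7230 section 3.1.1 request-target form of a logged URL."""
    if target == "*":
        return "asterisk-form"          # e.g. OPTIONS *
    if target.startswith("/"):
        return "origin-form"            # /path, as an origin server sees it
    if "://" in target:
        return "absolute-form"          # scheme://host/path, as a proxy sees it
    return "authority-form"             # host:port, the only form CONNECT uses


def target_host(url: str, form: str) -> str:
    """Extract the host part of a request target, or '' if it has none."""
    if form == "authority-form":
        host, sep, _port = url.rpartition(":")
        if not sep:                     # no port present at all
            host = url
        return host.strip("[]")         # IPv6 literals are bracketed
    if form == "absolute-form":
        return urlsplit(url).hostname or ""
    return ""                           # origin-form and asterisk-form carry no host


def is_ip_literal(host: str) -> bool:
    """True if the host is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> dict:
    """Parse one native-format record and annotate its request-target form."""
    m = NATIVE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised access.log line: {line!r}")
    rec = m.groupdict()
    rec["form"] = target_form(rec["url"])
    rec["host"] = target_host(rec["url"], rec["form"])
    rec["host_is_ip"] = is_ip_literal(rec["host"])
    return rec


def group_tunnels(log_text: str):
    """Attach each non-CONNECT record to the latest CONNECT from the same client.

    Heuristic (assumption): the native log has no tunnel id, so the client
    address is used as the join key. Returns (tunnels, records_outside_tunnels).
    """
    tunnels, open_by_client, untunnelled = [], {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] == "CONNECT":
            tunnel = {"connect": rec, "inside": []}
            tunnels.append(tunnel)
            open_by_client[rec["client"]] = tunnel
        elif rec["client"] in open_by_client:
            open_by_client[rec["client"]]["inside"].append(rec)
        else:
            untunnelled.append(rec)
    return tunnels, untunnelled


if __name__ == "__main__":
    tunnels, plain = group_tunnels(SAMPLE_LOG)
    for t in tunnels:
        c = t["connect"]
        print(f"CONNECT {c['url']} ({c['form']}, host is IP: {c['host_is_ip']}) "
              f"carried {len(t['inside'])} inner request(s)")
        for r in t["inside"]:
            print(f"    {r['method']} {r['url']} ({r['form']}, host {r['host']})")
    print(f"{len(plain)} request(s) outside any tunnel")
```

Running it shows the shape the thread discusses: the first tunnel's CONNECT record carries an authority-form IP:port target while the HEAD inside it carries an absolute-form URL naming example.com, and the second tunnel is a bumped CONNECT with no inner requests at all. An ACL that matches on the CONNECT record's IP literal therefore cannot be expected to match the hostname seen on the inner request, which is the mismatch the question describes.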


