
I have implemented a transparent squid3 proxy for logging purposes.

I won't be doing SSL bumping / HTTPS decryption, as this is too much to install a cert on every client.

However, I would like to log the CONNECT URL data passed to squid. For some reason, it doesn't log even the root domain on HTTPS requests, when these definitely hit squid.

Is there any way to do this?


My squid.conf:

http_port 192.168.15.225:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
dns_v4_first off
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language en
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
logformat squid %ts.%03tu %tr %>a %>eui %>Hs %<st %rm %ru %un %<A %mt 
access_log /var/squid/logs/access.mac.log squid
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/local/libexec/squid/pinger

logfile_rotate 0
debug_options rotate=0
shutdown_lifetime 3 seconds
acl localnet src  10.10.10.0/24 192.168.15.0/24
forwarded_for on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .    0  20%  4320

acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3129 1025-65535
acl sslports port 443 563
acl purge method PURGE
acl connect method CONNECT

acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

http_access allow localnet
http_access deny allsrc
dthree
  • How do you know the requests are hitting squid? – Michael Hampton Oct 06 '16 at 04:24
  • Squid is proxying them transparently - Squid is the gateway. – dthree Oct 06 '16 at 04:43
  • Again, why do you believe that Squid is actually proxying them? – Michael Hampton Oct 06 '16 at 04:43
  • Because I can browse and get to the internet, and my gateway is squid, which means the server needs to receive a packet and forward it, in both directions, or I would never receive an HTTP response. Unless I'm missing something basic. – dthree Oct 06 '16 at 04:44
  • 1
    I suspect you _are_ missing something basic, if you can't explain how the system you just set up works. This traffic is most likely _not_ being handled by squid. Start by looking at _exactly_ how (or whether) you are intercepting traffic, rather than simply routing it. – Michael Hampton Oct 06 '16 at 04:47
  • Thank you. Yes, I don't know what I am talking about. This is why I am asking you for help. – dthree Oct 06 '16 at 05:01
  • But you haven't even explained what you've done up to this point! – Michael Hampton Oct 06 '16 at 05:03
  • Okay, here's my squid.conf, hopefully that helps. – dthree Oct 06 '16 at 05:08
  • You need to show _everything_ you have done. – Michael Hampton Oct 06 '16 at 05:16
  • Your `squid.conf` doesn't help. What are you doing to intercept http traffic? Probably an iptables rule applied to port 80? Note how you probably don't have a similar rule for port 443? Instead your firewall is just routing the traffic like every other port/protocol. – Zoredache Oct 06 '16 at 06:35

1 Answer

You cannot log CONNECT requests on a transparent cache. The connect request would only be sent to the squid server if your browser has been configured as a proxy. If the browser isn't configured to use squid as a proxy, it will attempt to negotiate a TLS connection directly with the destination.

If you redirected that TLS connection you would either require SSLBUMP, or you would get errors in your browser.

But let's say you configured your browsers to use squid. You will not get the URL. All you will see is the FQDN of the system that hosts the web site. The URL is part of the HTTP request, which is not sent until after the TLS connection has been established.

For some reason, it doesn't log even the root domain on HTTPS requests, when these definitely hit squid.

They are not hitting squid. Like I said above, it simply doesn't work like that. CONNECT isn't used unless your browsers are configured to use the proxy, and you seem to be claiming to be setup as a transparent proxy. This almost certainly means that your operating system is simply routing the request like any other traffic.

Zoredache
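An added check illustrating the point made in the answer and in Zoredache's comment; it is not code from the question or the answer. It assumes a Linux box where interception is done with an iptables REDIRECT/DNAT rule in the nat table, and that the intercept port is 3128 as in the posted `http_port 127.0.0.1:3128 intercept` line. The NAT rules below are a constructed sample; on a real gateway pipe `iptables-save -t nat` into the functions instead.

```shell
#!/bin/sh
# Which destination ports does the firewall actually hand to squid's intercept
# port? Anything not listed is simply routed, so squid never sees it and can
# log neither a CONNECT line nor a domain for it (typically 443 is missing).
SQUID_INTERCEPT_PORT=3128   # assumption: matches "http_port 127.0.0.1:3128 intercept"

# Constructed sample: the common setup that intercepts only port 80.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.15.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Reads iptables-save output on stdin; prints, one per line, every --dport
# that a REDIRECT or DNAT rule sends to port $1.
intercepted_ports() {
    port="$1"
    awk -v p="$port" '
        /-j (REDIRECT|DNAT)/ &&
        ($0 ~ ("--to-ports? " p "($|[^0-9])") ||
         $0 ~ ("--to-destination [^ ]*:" p "($|[^0-9])")) {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# Returns 0 if destination port $2 is redirected to intercept port $1.
port_is_intercepted() {
    intercepted_ports "$1" | grep -qx "$2"
}

# Summarise the sample: returns 0 if HTTPS reaches squid, 1 if it bypasses it.
check_https_interception() {
    if printf '%s\n' "$SAMPLE_NAT_RULES" | port_is_intercepted "$SQUID_INTERCEPT_PORT" 443; then
        echo "port 443 is redirected to squid"
        return 0
    fi
    echo "port 443 is NOT redirected: HTTPS bypasses squid, nothing will be logged"
    return 1
}

# Live usage would be: iptables-save -t nat | intercepted_ports 3128
```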