I noticed that Squid doesn't use gathered domain name information for %ru in access.log when splice action is performed at step 3 for intercepted traffic. The format code ssl::>sni is available at both steps. Below are examples used to verify the behavior using Squid 3.5.22, but the results are the same for Squid 4.0.16.

The request used on the client:

$ curl https://www.openssl.org/ > /dev/null

The configuration for splice at step 2:

# diff etc/squid.conf.default etc/squid.conf
73a74,78
> https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem generate-host-certificates
> acl StepSplice at_step SslBump2
> ssl_bump splice StepSplice
> ssl_bump peek all
> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni

The result:

1478256091.609 1028 172.16.0.21 TAG_NONE/200 0 CONNECT 104.124.119.14:443 - HIER_NONE/- - www.openssl.org
1478256091.609 1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org

-----

The configuration for splice at step 3:

# diff etc/squid.conf.default etc/squid.conf
73a74,78
> https_port 3129 intercept ssl-bump cert=etc/ssl_cert/myCA.pem generate-host-certificates
> acl StepSplice at_step SslBump3
> ssl_bump splice StepSplice
> ssl_bump peek all
> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni

The result:

1478256303.420 574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org

Is it a bug or intended behavior?

Thanks.

Garri
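
Added example, not part of the original post and not Squid code: a log-side workaround that parses lines in the logformat shown above and, for CONNECT entries whose %ru holds only an IP address, reports the %ssl::>sni value instead. The function names are hypothetical; the sample lines are the three quoted in the post.

```python
import ipaddress

# Field order of the logformat in the post:
# %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %ssl::>sni
FIELDS = ("time", "elapsed", "client", "status", "bytes", "method",
          "url", "user", "hier", "mime", "sni")

# The three access.log lines quoted in the post (step 2, step 2, step 3).
POST_LINES = [
    "1478256091.609 1028 172.16.0.21 TAG_NONE/200 0 CONNECT 104.124.119.14:443 - HIER_NONE/- - www.openssl.org",
    "1478256091.609 1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org",
    "1478256303.420 574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org",
]

def parse_line(line):
    """Split one access.log line into a dict keyed by FIELDS, or None if malformed."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def is_ip_literal(host):
    """True when host is an IPv4/IPv6 literal (brackets allowed) rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def connect_host(entry):
    """Return (host, source): the %ru host, or the SNI when %ru only holds an IP."""
    host, sep, _port = entry["url"].rpartition(":")
    if not sep:                      # no ":port" suffix, keep the value whole
        host = entry["url"]
    if is_ip_literal(host) and entry["sni"] != "-":
        return entry["sni"], "sni"   # name comes from the client's ClientHello
    return host, "url"

def resolve(lines):
    """Map CONNECT log lines to (status, host, source), skipping malformed lines."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry["method"] == "CONNECT":
            out.append((entry["status"], *connect_host(entry)))
    return out

if __name__ == "__main__":
    for row in resolve(POST_LINES):
        print(*row)
```

The SNI is supplied by the client, so a name recovered this way is a client claim and the logged destination IP should be kept alongside it.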