On 11/04/2016 08:06 AM, Garri Djavadyan wrote:
> On Fri, 2016-11-04 at 17:43 +0500, Garri Djavadyan wrote:
>> I noticed that Squid doesn't use gathered domain name information for
>> %ru in access.log when splice action is performed at step 3 for
>> intercepted traffic.

%ru is about client/user actions. It should be filled with what the
client sent to Squid. In an intercepting and splicing configuration like
yours, %>ru (and deprecated %ru) should contain the intended destination
IP address (at step 1) and SNI, if any, at step 2+.

> %ru Request URL from client (historic, filtered for logging)
> %>ru Request URL from client
> %<ru Request URL sent to server or peer

According to the above, during step 3, %<ru should have SNI sent by
Squid to the server (if any) or the server IP (otherwise).

>> $ curl https://www.openssl.org/ > /dev/null

>> https_port 3129 intercept ssl-bump ..
>> logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a
>> %mt %ssl::>sni

>> at step 2:
>> 1478256091.609 1028 172.16.0.21 TAG_NONE/200 0 CONNECT 104.124.119.14:443
>> - HIER_NONE/- - www.openssl.org
>> 1478256091.609 1026 172.16.0.21 TCP_TUNNEL/200 9807 CONNECT
>> www.openssl.org:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org

OK.

>> at step 3:
>> 1478256303.420 574 172.16.0.21 TCP_TUNNEL/200 6897 CONNECT
>> 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - www.openssl.org

Just one record? That in itself is probably a bug! Please see whether
trunk r14913 (or any later revision) improves or fixes this. That
revision contains important and potentially relevant changes.

> It prevents domain name identification when SNI is not provided by a
> client. For example:
>
> Request:
> $ echo -e "HEAD / HTTP/1.1\nHost: www.openssl.org\n\n" | openssl
> s_client -quiet -no_ign_eof -connect www.openssl.org:443
>
> Result:
> 1478267428.070 347 172.16.0.21 TCP_TUNNEL/200 235 CONNECT
> 104.124.119.14:443 - ORIGINAL_DST/104.124.119.14 - -

IMO, the lack of a domain name is correct in this %ru case -- the client
did not send a domain name to Squid!

Cheers,

Alex.