Sorry, should have included squid version details in original post:

Squid Cache: Version 3.5.20
Service Name: squid
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,SMB_LM,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-dl' '--with-openssl' '--with-pthreads' '--disable-arch-native' '--disable-icap-client' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Cheers
Mark

> On 31 Dec 2016, at 14:37, Mark Hoare <mark_sq...@finito.me.uk> wrote:
>
> Hi,
>
> I’m trying to set up policy-based routing on a gateway device pointing at a remote squid server to do transparent HTTP & HTTPS proxying with ssl_bump (peek & splice).
>
> After quite a bit of pain getting policy-based routing working on the gateway and local port redirection on the squid server, everything appears to be working except the access log still refers to the destination IP address in the TCP_TUNNEL rather than the SNI/TLS server name.
>
> By increasing the debug level I can see that the SNI/TLS details are definitely being obtained during the request processing but for some reason they are not ending up in the access log.
>
> Extract from cache log:
>> 2016/12/31 14:18:01.966 kid1| 83,7| bio.cc(1110) parseV3Hello: Found server name: www.ssllabs.com
>> 2016/12/31 14:18:02.351 kid1| 83,5| support.cc(259) ssl_verify_cb: SSL Certificate signature OK: /C=US/ST=California/L=Redwood City/O=Qualys, Inc./CN=ssllabs.com
>> 2016/12/31 14:18:02.351 kid1| 83,4| support.cc(213) check_domain: Verifying server domain www.ssllabs.com to certificate name/subjectAltName ssllabs.com
>> 2016/12/31 14:18:02.351 kid1| 83,4| support.cc(213) check_domain: Verifying server domain www.ssllabs.com to certificate name/subjectAltName *.ssllabs.com
>> 2016/12/31 14:18:02.383 kid1| 83,5| PeerConnector.cc(307) serverCertificateVerified: HTTPS server CN: ssllabs.com bumped: local=<squid IP removed>:57790 remote=64.41.200.100:443 FD 14 flags=1
>
> Extract from access log:
>> 1483193882.790    870 <local ip removed> TCP_TUNNEL/200 5620 CONNECT 64.41.200.100:443 - ORIGINAL_DST/64.41.200.100 -
>
> From the output above I would have expected some of the server name info to get into the access log.
>
> Squid config below:
>> debug_options ALL,7
>>
>> http_port 3128
>>
>> https_port 3130 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>
>> http_port 3131 intercept ssl-bump cert=/etc/squid/ssl_cert/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>>
>> cache_dir ufs /var/spool/squid 200 16 256
>> coredump_dir /var/spool/squid
>>
>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>> acl localnet src fc00::/7       # RFC 4193 local private network range
>> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>>
>> acl Safe_ports port 80          # http
>> acl Safe_ports port 21          # ftp
>> acl Safe_ports port 443         # https
>> acl Safe_ports port 70          # gopher
>> acl Safe_ports port 210         # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280         # http-mgmt
>> acl Safe_ports port 488         # gss-http
>> acl Safe_ports port 591         # filemaker
>> acl Safe_ports port 777         # multiling http
>>
>> acl SSL_ports port 443
>> acl CONNECT method CONNECT
>>
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>>
>> http_access allow localhost manager
>> http_access deny manager
>>
>> refresh_pattern ^ftp:           1440    20%     10080
>> refresh_pattern ^gopher:        1440    0%      1440
>> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>> refresh_pattern .               0       20%     4320
>>
>> ssl_bump peek all
>> ssl_bump splice all
>>
>> always_direct allow all
>>
>> http_access allow localnet
>> http_access allow localhost
>>
>> http_access deny all
>
>
> Any suggestions gratefully received.
>
> Thanks
>
> Mark

_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
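The access log line quoted above is what Squid's default "squid" logformat produces: it has no field for the TLS server name, so a spliced tunnel is recorded only by the fake CONNECT target (the destination IP). The following squid.conf fragment is an added example, not part of the original thread; it assumes Squid 3.5 (where the `%ssl::>sni` and `%ssl::<cert_subject` logformat codes exist), the peek/splice rules from the config above, and the /var/log/squid log directory from the build options.

```conf
# Added example (not from the original post). Assumes Squid 3.5 with
# "ssl_bump peek all" / "ssl_bump splice all" as in the config above.
#
# Start from the default "squid" logformat
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
# and append two TLS fields:
#   %ssl::>sni           the SNI from the client hello; only known once the
#                        client hello has been peeked (step 2 of SslBump)
#   %ssl::<cert_subject  the subject DN of the server certificate seen while
#                        peeking the server hello
# Either field is logged as "-" when the transaction never reached that step.
logformat sni_tunnel %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt sni=%ssl::>sni server_cn=%ssl::<cert_subject

# Replace the default access log with one written in the new format
# (log path assumed from --with-logdir=$(localstatedir)/log/squid).
access_log daemon:/var/log/squid/access.log sni_tunnel
```

With this in place the TCP_TUNNEL entry for the exchange in the cache log extract carries the peeked name alongside the ORIGINAL_DST address, which is what a reviewer of the log needs to tell spliced destinations apart by hostname rather than by IP alone.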