Re: [squid-users] Squid 3.1.6 and transparent mode: HTTPS

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 12 Oct 2010 23:06:22 +1300

On 12/10/10 19:44, Boniforti Flavio wrote:
> Woooops... I thought I already replied, but instead my mail was in the
> drafts folder :-/ So here I go:
>
> Hello Amos and thanks for your reply.
>
> [cut]
>
>>> 3) would I completely miss the traffic done in HTTPS in my
>> webalizer
>>> stats, if there'd be no way to have transparently proxied HTTPS
>>> requests?
>>
>> This is only a problem due to the "transparent".
>>
>> If you can discard the "transparent" part of the setup the
>> client browsers will send their HTTPS requests to Squid using
>> CONNECT method, which gives webalizer all the client IP and
>> destination domain details along with traffic sent/received
>> there. All that's missing is the particular files being fetched.
>
> OK, I've played around with this: I configured my own browser to use the
> proxy and watched the access.log file. I saw those CONNECT connections,
> and the fact that I'd miss the files being fetched, would be 100% ok for
> me.
>
>> Alternatives are to use firewall traffic accounting which can
>> just as easily be gathered. Such as which client IP is using
>> port 443 (HTTPS) to contact which external IPs and how much
>> traffic they sent/received.
>
> Of course, but then I would have the problem to "add" that info to my
> webalizer logs. Would there be any way to "sum it up" to all the proxied
> traffic?

In Linux the xtables-addons iptables stuff has some interesting looking
accounting modules. Though I have yet to hear of any products that make
it easy to use.

RADIUS I've heard has its own traffic accounting systems if you can find
and/or pay for them.

>
>>> Ah, BTW: as I *do not* intend to cache HTTPS
>> traffic/requests, would it
>>> be easier to set up this sort of "logging/filtering"?
>>
>> What is easier depends on your network setup.
>
> I manage many different customer networks and there my primary goal is
> to avoid users being able to bypass my proxy (which I use to filter
> sites based on URLs).
> By using transparent mode, I have full control over network traffic: I
> can configure iptables and squid to do what I want them to. Actually, my
> users have discovered how to change proxy settings (even if configured
> by Windows Group Policies, because many are using alternative browsers
> like Firefox, Opera, and so on). So my countermeasure would be to use
> the transparent mode.

Ouch. Yes, interception can be a useful backup. Just so long as you know
that it has limits and can actually bypass Squid security ACLs in the
right/wrong hands.

> My second goal (less important, but I want complete and precise data) is
> to have *all* the internet traffic showing up in webalizer reports: how
> to achieve both things?

Sadly I'm in the dark here too. I had to roll my own graphs with a
database of traffic logs.

>
> Kind regards and thanks for helping me out (and making me brainstorm a
> bit) ;-)
>

Welcome. And good luck.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.8
   Beta testers wanted for 3.2.0.2
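As an added example, not code from this thread or from the Squid project: a small script that aggregates the CONNECT entries Amos describes from a Squid native-format access.log into per-client and per-destination byte totals, the figures one would set beside firewall port-443 accounting. The log lines are constructed samples; the field layout assumed is Squid's default native format.

```python
"""Summarise HTTPS CONNECT tunnels from a Squid native-format access.log."""
from collections import defaultdict

# Constructed sample lines in Squid's default native log format:
# timestamp elapsed client action/code bytes method url ident hier/from type
SAMPLE_LOG = """\
1286868000.123    245 192.168.1.10 TCP_MISS/200 5432 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
1286868001.456     90 192.168.1.10 TCP_MISS/200 1200 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1286868002.789   3000 192.168.1.11 TCP_MISS/200 98765 CONNECT mail.example.net:443 - DIRECT/203.0.113.5 -
1286868003.000    120 192.168.1.10 TCP_MISS/200 777 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
1286868004.000     50 192.168.1.12 TCP_DENIED/403 0 CONNECT blocked.example.org:443 - NONE/- text/html
"""

def parse_native_line(line):
    """Return (client_ip, status, bytes, method, url), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client = fields[2]
    status = fields[3].split("/", 1)[-1]  # e.g. TCP_MISS/200 -> "200"
    try:
        size = int(fields[4])  # bytes delivered to the client for this entry
    except ValueError:
        return None
    return client, status, size, fields[5], fields[6]

def https_totals(log_text):
    """Aggregate bytes of successful CONNECT tunnels keyed by (client, destination host)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_native_line(line)
        if parsed is None:
            continue
        client, status, size, method, url = parsed
        if method != "CONNECT" or status != "200":
            continue  # plain HTTP requests and denied tunnels are not HTTPS traffic
        host = url.rsplit(":", 1)[0]  # strip the :443 port (hostnames only, not bracketed IPv6)
        totals[(client, host)] += size
    return dict(totals)

def per_client(totals):
    """Collapse the destination detail into one byte total per client IP."""
    by_client = defaultdict(int)
    for (client, _host), size in totals.items():
        by_client[client] += size
    return dict(by_client)

if __name__ == "__main__":
    for (client, host), size in sorted(https_totals(SAMPLE_LOG).items()):
        print(f"{client:15} {host:25} {size:>8} bytes")
```

The per-client totals are the part that lines up with a firewall's port-443 byte counters; the per-destination breakdown is the detail the firewall alone cannot give.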
Received on Tue Oct 12 2010 - 10:06:28 MDT