
I noticed in my Squid proxy log that the username is not logged for HTTPS connections. Is this a configuration error on my part, or is it impossible because of the encryption? If it is the latter, does that mean HTTPS is always open to anonymous users?

This is my config:

# --- Authentication ---------------------------------------------------------
# NTLM and Basic authentication are both delegated to the ntlm_auth helper.
# NOTE(review): Basic sends the password base64-encoded with each request, and
# the http_port listener below is plain HTTP. Confirm the client-to-proxy path
# is trusted, or consider dropping the Basic fallback.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm MyDomain
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
# Group-membership lookup. %LOGIN means ACLs of this type need an authenticated
# user name; ttl=0 means lookup results are not cached.
external_acl_type nt_group ttl=0 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
# --- ACL definitions: sources and destinations -------------------------------
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl to_localnet dst 10.0.0.0/8
acl to_localnet dst 172.16.0.0/12
acl to_localnet dst 192.168.0.0/16
# --- ACL definitions: users and groups ---------------------------------------
# loggedUser matches any successfully authenticated user; the two external
# ACLs test membership of the named groups through the nt_group helper.
acl loggedUser  proxy_auth REQUIRED
acl proxyUser external nt_group ProxyUsers
acl proxySuperUser external nt_group ProxySuperUsers
# --- ACL definitions: domain and keyword lists loaded from files -------------
acl allowDomains dstdomain "/etc/squid/allowdomains.txt"
acl pornDomains dstdomain "/etc/squid/porndomains.txt"
acl proxyDomains dstdomain "/etc/squid/webproxydomains.txt"
acl denyDomains dstdomain "/etc/squid/denydomains.txt"
acl denyKeywords url_regex -i "/etc/squid/denykeywords.txt"
# --- ACL definitions: ports and methods --------------------------------------
# NOTE(review): Safe_ports and Ftp_ports both include the whole 1025-65535
# range, so neither list restricts high ports.
acl SSL_ports port 443-444  # https
acl Safe_ports port 80      # http
acl Safe_ports port 20 21   # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl Safe_ports port 631     # cups
acl Safe_ports port 873     # rsync
acl Safe_ports port 901     # SWAT
acl Ftp_ports port 20 21    # ftp
acl Ftp_ports port 1025-65535   # unregistered ports
acl purge method PURGE
acl CONNECT method CONNECT
# Reply-header ACLs matching Squid's own "access denied" error responses; they
# are used by the log_access rules further down.
acl authChallenge rep_header X-Squid-Error ERR_CACHE_ACCESS_DENIED
acl authChallenge2 rep_header X-Squid-Error ERR_ACCESS_DENIED
# --- Access rules --------------------------------------------------------------
# http_access lines are checked from top to bottom and the first matching line
# decides, so the order below is part of the policy.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
# NOTE(review): Ftp_ports covers 1025-65535, so this line lets any
# authenticated user open a CONNECT tunnel to any high port, and it is
# evaluated before the SSL_ports restriction on the next line. Confirm that
# this is intended.
http_access allow CONNECT Ftp_ports loggedUser
http_access deny CONNECT !SSL_ports
http_access deny !localnet
# NOTE(review): the next two allows come before "deny !loggedUser", so requests
# that match them (including a CONNECT to a listed domain) are accepted without
# an authentication challenge and will presumably be logged without a user
# name. Check whether the HTTPS entries missing a user name fall into this case.
http_access allow to_localnet
http_access allow allowDomains
# From this line on, a request must carry valid proxy credentials.
http_access deny !loggedUser
http_access deny pornDomains
http_access allow proxySuperUser
http_access deny proxyDomains
http_access deny denyDomains
http_access deny denyKeywords
http_access allow proxyUser
http_access deny all
icp_access allow localnet
icp_access deny all
# Plain forward-proxy listener. No ssl_bump or https_port directive appears in
# this listing, so HTTPS is presumably relayed as CONNECT tunnels: Squid sees
# the CONNECT request (target host:port and proxy credentials) but not the
# requests made inside the tunnel, which also means url_regex rules such as
# denyKeywords can only match the CONNECT target.
http_port 8080
hierarchy_stoplist cgi-bin ?
# --- Logging -------------------------------------------------------------------
# %un in the custom format is the user name field.
logformat squid_mysql  %ts.%03tu %6tr %>a %Ss %03Hs %<st %rm %ru %un %Sh %<A %mt
access_log /var/log/squid/access.log squid
access_log daemon:/etc/squid/log_mysql_daemon.conf squid_mysql
# Responses carrying these X-Squid-Error values are kept out of the logs.
# NOTE(review): authChallenge2 matches ERR_ACCESS_DENIED, so blocked requests
# leave no access-log entry; confirm that this loss of audit trail is
# acceptable.
log_access deny authChallenge
log_access deny authChallenge2
logfile_daemon /usr/lib/squid/log_mysql_daemon.pl
# --- FTP and cache refresh -------------------------------------------------------
ftp_user anonymous@domain.com
ftp_passive on
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)$   0   20% 2880
refresh_pattern .       0   20% 4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
extension_methods REPORT MERGE MKACTIVITY CHECKOUT
# --- Custom error pages: one page per ACL that causes a denial -------------------
error_directory /var/www/proxy/pages
deny_info ERR_ACL_LOGGED loggedUser
deny_info ERR_ACL_PROXYUSER proxyUser
deny_info ERR_ACL_PORN pornDomains
deny_info ERR_ACL_PROXY proxyDomains
deny_info ERR_ACL_DOMAIN denyDomains
deny_info ERR_ACL_WORDS denyKeywords  
hosts_file /etc/hosts
coredump_dir /var/spool/squid
Bill the Lizard
Tobia
  • Proxy users should appear in the log file. Maybe the problem is with your configuration. Can you paste it? Especially the http_access lines. – Diego Woitasen Aug 29 '12 at 11:45
  • presume this is a non-transparent proxy - http & https proxies are set in the browser? – Tom Newton Aug 29 '12 at 12:22
  • Of course they're set, in http request I successfully log username. – Tobia Aug 29 '12 at 12:26
  • Sorry - just checking, transparent proxying is tricky with https. If you make a user-based acl does it apply properly to https? (this way we can check if it's auth or logging at fault) – Tom Newton Aug 29 '12 at 13:05
  • Could the problem be that "http_access deny CONNECT !SSL_ports" comes before "http_access deny !loggedUser"? I can see that the client login also takes place for HTTPS, but I cannot find the username in the logs. – Tobia Aug 30 '12 at 08:36

1 Answer


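The nature of HTTPS makes it impossible to snoop or intercept any data other than the connection's IP endpoint addresses and TCP ports. This applies to the encrypted tunnel itself: when the proxy is configured explicitly in the browser, the tunnel is first requested with a plain-text CONNECT request to the proxy, and that request is where proxy authentication takes place.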

See here for how Squid deals with HTTPS: http://wiki.squid-cache.org/Features/HTTPS

adaptr