Exclude site from proxy log

Good morning. The DPO (Data Protection Officer) asked one of my clients to tell him whether it is possible to exclude certain sites from the firewall log they have, which is not IPFire.

Specifically, my client is a municipality; the DPO does not want it to be traced if any employee connects to the site to report administrative violations.

Is it possible to do something like this with IPFire without completely disabling the proxy log?

You could think of a kind of whitelist in which to include sites that should not be recorded in the log.

The proxy log, as indicated here, only tracks the FQDN, as everything now runs over HTTPS, but the DPO doesn't even want this.

Thank you
Giuseppe

To exclude specific clients from Squid logs while keeping the logs active for others on IPFire, I think these steps would accomplish your goal:

  1. SSH into your IPFire machine.
  2. Edit the custom Squid ACL file: /var/ipfire/proxy/advanced/acls/include.acl.
  3. Add an ACL to specify IPs for exclusion, e.g., to exclude 192.168.0.2:
    acl exclude_logging src 192.168.0.2
    
  4. Add the access_log directive using the ACL:
    access_log /var/log/squid/access.log combined !exclude_logging
    
    The !exclude_logging excludes logging for specified IPs.
  5. Save the file and exit.
  6. Restart Squid:
    /etc/init.d/squid restart
    

Further details: IPFire Proxy Logging Documentation

Thank you,
but I have to exclude the remote site, for example google.com, not the local IP.

Or does what you indicated work for both local IPs and remote FQDNs?

ACLs are cool.

acl exclude_domain_logging dstdomain .example.com
access_log /var/log/squid/access.log combined !exclude_domain_logging

EDIT: the preceding dot in .example.com means that the ACL will apply to any subdomain of example.com, including www.example.com, whatever.example.com, and so on. It also applies to requests directly to example.com.


Many thanks.
I looked at the log with:
tail -f /var/log/squid/access.log | perl -pe 's/^\d+\.\d+/localtime($&)/e;'
but I only see HTTP requests and not HTTPS. Is this correct?

I know I have a lot to learn; I have the proxy set to transparent.

Anyway, thanks. I'll "play" with the ACLs and make a big mess, I already know HI :wink:

In a transparent proxy setup on IPFire, only HTTP traffic gets automatically directed to Squid. HTTPS traffic is not captured in this manner because IPFire has removed the capability to terminate HTTPS tunnels for security reasons. To have HTTPS traffic logged, clients must manually configure their browsers to use the IPFire machine as a proxy. If they do, Squid will forward the encrypted HTTPS traffic without terminating or inspecting the tunnel, but the connection will be logged.

EDIT: If HTTPS connections are missing from the logs, it likely means that clients are either using a different proxy or no proxy at all for encrypted traffic. To centralize traffic through IPFire, you could block outbound traffic on port 443. This would require clients to configure their browsers to use IPFire for HTTPS. Note that Squid will not cache this HTTPS traffic; it will merely relay it.

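The following is an added example, not code from any of the posts above and not part of IPFire or Squid. It serves two points raised in the thread: the dstdomain reply (what a leading dot in `.example.com` does and does not match) and the question about HTTPS entries missing from the log. It reimplements Squid's dstdomain matching rule in Python and runs it over a few constructed native-format access.log lines, so you can see which lines an `access_log ... !exclude_domain_logging` directive would drop, and what an explicit-proxy HTTPS request looks like in the log (a CONNECT line with `host:port` instead of a URL). The sample lines, client addresses and domain names are all made up; timestamps are rendered in UTC rather than with localtime() as in the perl one-liner, purely so the output is deterministic.

```python
"""Simulate Squid's dstdomain ACL matching over constructed access.log lines.

Added example for the thread above; the log lines, hosts and IPs are
constructed, not taken from any real IPFire installation.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed lines in Squid's native log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
# The second line is what an explicit-proxy HTTPS request looks like: the
# method is CONNECT and the URL field is just host:port. A transparent-only
# setup would not contain such lines at all.
SAMPLE_LOG = """\
1700000000.123 45 192.168.0.2 TCP_MISS/200 1024 GET http://www.example.com/report - HIER_DIRECT/93.184.216.34 text/html
1700000001.456 120 192.168.0.3 TCP_TUNNEL/200 5120 CONNECT reports.example.com:443 - HIER_DIRECT/93.184.216.34 -
1700000002.789 30 192.168.0.3 TCP_MISS/200 2048 GET http://notexample.com/ - HIER_DIRECT/198.51.100.7 text/html
1700000003.012 10 192.168.0.2 TCP_MISS/200 512 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""


def dstdomain_match(pattern: str, host: str) -> bool:
    """Squid dstdomain rule: '.example.com' matches example.com itself and any
    subdomain of it; 'example.com' without the leading dot matches only that
    exact host. Note 'notexample.com' must NOT match '.example.com'."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def dest_host(url_field: str) -> str:
    """Extract the destination host from the URL field of a log line.
    CONNECT requests log 'host:port'; everything else logs a full URL."""
    if "://" not in url_field:
        return url_field.rsplit(":", 1)[0]
    return urlsplit(url_field).hostname or ""


def parse_line(line: str) -> dict:
    """Parse one native-format line into the fields we care about."""
    fields = line.split()
    ts = float(fields[0])
    return {
        # UTC instead of localtime() so the result does not depend on the box.
        "time": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "client": fields[2],
        "method": fields[5],
        "host": dest_host(fields[6]),
    }


def filter_log(log_text: str, exclude_domains, exclude_clients=()) -> list:
    """Return the entries Squid would still write given
    'access_log ... !exclude_domain_logging !exclude_logging' where the first
    ACL is a dstdomain list and the second a src list of client IPs."""
    kept = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["client"] in exclude_clients:
            continue
        if any(dstdomain_match(p, entry["host"]) for p in exclude_domains):
            continue
        kept.append(entry)
    return kept


if __name__ == "__main__":
    for e in filter_log(SAMPLE_LOG, [".example.com"]):
        print(e["time"], e["client"], e["method"], e["host"])
```

Running it with `[".example.com"]` leaves only the notexample.com line, which is the point of the leading dot: it anchors the match at a label boundary, so a lookalike domain is not silently excluded along with the one the DPO asked for. Passing an empty exclusion list shows the CONNECT entry that an explicit-proxy client produces for HTTPS; if your real log never contains CONNECT lines, the clients are not sending their HTTPS through Squid, which matches the transparent-mode explanation in the previous post.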