Logging HTTPS browser requests

Hi all,
How are people logging browser HTTPS requests?

I'm using an SSID for guest access; IPFire is set up to use OpenDNS, but my concern is that the IPFire proxy log is only reporting HTTP. How can I also log HTTPS requests?

Can anybody point me to a guide that can do this?

My concern is that at some point i would need to create a report on browsing history if something happens and i could not do this currently.

Thanks for your time.

Squid (the IPFire proxy) logs HTTPS requests as well as HTTP. The logs are in the Web User Interface under /Logs/Proxy Logs.

Here is a small example from my logs of HTTPS connections:

16:41:58 10.1.4.6 - www.google.com:443
16:41:58 10.1.4.6 - www.gstatic.com:443
16:41:58 10.1.4.6 - play.google.com:443
16:41:59 10.1.4.6 - adservice.google.ch:443
16:42:00 10.1.4.6 - askubuntu.com:443

If you see only HTTP connections in your logs, then you are not using the proxy for HTTPS. Possibly you are using the transparent proxy, which will only work on unencrypted connections.


Thank you for the quick (and helpful) reply!

It does indeed look like we are using the transparent proxy.

(There seems to be a firewall rule to allow HTTPS over my red interface, which I'm guessing then hits OpenDNS for content filtering.)

I can see minimal 443 entries in the proxy log, e.g. I can hit youtube.com but see no entry for it; I see one or two proxy-safebrowsing.googleapis.com:443 entries, but that's it.

Do you know of any way to log these requests in the mode I'm using?

As it's a guest network, I have no control over the clients, so installing a MITM cert wouldn't be viable, but being able to see basic HTTPS browser hits would be so beneficial.

Thank you again

If the port 443 encrypted traffic is not going through Squid, then it exits directly through the firewall and therefore is logged by the kernel of your IPFire machine. Probably you need to access the logs from the console and use the standard Linux tools like tail and grep (or zgrep for compressed files) to search for the log entries you are interested in.

The kernel log is in /var/log/messages. Keep in mind that it is regularly rotated into compressed files (gzip) once per week, for 52 weeks (one year).

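As an added example (not code from the thread or from the IPFire project), here is a small POSIX shell helper that does the grep/zgrep work described above over /var/log/messages and its rotated .gz copies. It assumes the firewall rule that passes port 443 logs connections in the usual netfilter "SRC=... DST=... PROTO=TCP ... DPT=..." format; the log prefix and the sample lines below are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of kernel log lines in the assumed netfilter format
# (the "FORWARDFW" prefix is only an illustration of a logging rule's prefix).
SAMPLE_LOG='Jan 10 16:41:58 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=10.1.4.6 DST=142.250.74.100 PROTO=TCP SPT=51234 DPT=443 SYN
Jan 10 16:41:58 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=10.1.4.6 DST=142.250.74.100 PROTO=TCP SPT=51234 DPT=443 ACK
Jan 10 16:41:59 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=10.1.4.7 DST=203.0.113.5 PROTO=TCP SPT=40000 DPT=80 SYN
Jan 10 16:42:00 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=10.1.4.6 DST=198.51.100.9 PROTO=TCP SPT=51240 DPT=443 SYN'

# https_report: read kernel log text on stdin, keep only TCP packets to
# destination port 443, and print "<count> <client> -> <server>" per pair.
# SRC= and DST= are located by name so field positions do not matter.
https_report() {
    awk '
        /PROTO=TCP/ && /DPT=443( |$)/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src != "" && dst != "") count[src " -> " dst]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2
}

# https_report_files: same report over one or more log files, decompressing
# rotated gzip copies (messages.1.gz, ...) on the fly, like zgrep would.
https_report_files() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done | https_report
}

# sample_report: run the report over the constructed sample above.
sample_report() {
    printf '%s\n' "$SAMPLE_LOG" | https_report
}

sample_report
# Typical use on the firewall: https_report_files /var/log/messages /var/log/messages.*.gz
```

Note that the kernel log only records IP addresses, not hostnames, so this gives "which client talked to which server on 443" rather than the URL-level history the proxy log provides.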

The transparent proxy automatically rewrites the incoming web traffic on port 80, therefore that traffic is always logged. You can choose to use Squid by manually configuring a web browser to use the proxy server. If you did that for your own browser, then you would also see the encrypted traffic, because it will go through Squid.

The correct way to deal with this kind of situation is to block the outbound traffic on port 443, so that the clients have to configure the proxy in their web browser, otherwise they can't "go to the internet", but then you have to teach them how to do that.

EDIT: rephrased for clarity
