Logging HTTPS Web Sites
-
We need to log HTTPS websites, along with HTTP websites, that our clients browse to. We do not desire to log traffic after the secured communications have been established, nor do we wish to set up a "man in the middle".
We are using pfSense 2.1 with Squid 3 pkg 3.1.20 and Dansguardian pkg 2.12.0.3 . We have also tried Squid 2.7.9 .
We have tried both explicit and transparent HTTP proxy configurations. HTTP traffic is being logged into the Squid log, however, HTTPS is not.
Is there a way to record the HTTPS websites our clients browse to?
-
You can't just get "some" of the HTTPS in that way. The channel is encrypted before the site request is ever made, and you can't always guess the site by secondary characteristics like the server IP or DNS lookups. You have to see inside the encrypted communication, which is impossible without proxying their traffic explicitly or performing a man-in-the-middle attack on their SSL connection.
In most cases, you have to have the clients set their browser's proxy settings to the firewall in order to see any HTTPS.
I believe the squid3-dev and/or dansguardian packages can intercept HTTPS transparently but you still have to install a trusted root cert of your own creation on the clients.
