Logging (Capturing) HTTP and HTTPs content

Asked by Ashwin

Hi,

I am using squid-3.3.2 with libecap-0.2.0. I would like to write an ecap adapter that can log/capture the HTTP and (decrypt and log/capture) HTTPs content that passes through my squid server. For this I have enabled sslbump with DynamicSslCert and BumpSslServerFirst.

For the adaptor I am using the adapter_passthru.cc file as a template. However, I am not able to figure out how to get the plain text/binary header, body, and trailer from libecap::Message. I would also like to know if
1. the logging can be done in the start function of Adapter::Xaction::start in adapter_passthru.cc. If yes, how do I convert the libecap::Message to text/binary?
    void Adapter::Xaction::start()
    {
        ....
        libecap::shared_ptr<libecap::Message> adapted = hostx->virgin().clone();
        ...
        // code to dump content comes here
    }
2. An ecap adaptor can receive HTTPs content in the clear from the squid proxy?

Regards,
Ashwin

Question information

Language: English
Status: Answered
For: eCAP
Assignee: No assignee

Alex Rousskov (rousskov) said :
#1

Look at the modifying adapter sample. It shows how to work with headers and body of the virgin message. ClamAV adapter has more examples. Hint: While the headers are available immediately, the [possibly large] body will be "streamed" through your adapter transaction using several transaction methods.

Yes, logging should work at any time. Once you know how to get to message headers and body you will, hopefully, know how to log them (they are all Areas and std::strings).

Your HTTPs content question is Squid-specific, but yes, bumped HTTP transactions are available to Squid eCAP adapters after SSL decoding. Please direct future Squid-specific questions at Squid support forums.

Please ask one question at a time so that others have more chances of finding the answers they are looking for.
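
The streaming hint in the answer above, as an added example that is not code from the post, the sample adapters or libecap: headers are logged once, while the body is accumulated chunk by chunk with a byte cap and binary-safe escaping. `Chunk`, `CaptureLog` and `demo` are hypothetical names; in a real adapter the header text would come from the message header's `image()` and each chunk from `hostx->vbContent()` inside `noteVbContentAvailable()`, which is an assumption about how you wire it in.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Stand-in for the (start, size) view of a libecap::Area; hypothetical type
// so the example builds without libecap installed.
struct Chunk { const char *start; std::size_t size; };
// Hypothetical capture object: one instance per adapter transaction.
class CaptureLog {
public:
    explicit CaptureLog(std::size_t bodyCap) : cap_(bodyCap), seen_(0) {}
    // Headers are complete when the transaction starts: log them in one go.
    void header(const std::string &image) { head_ = image; }
    // The body arrives in pieces: call this for every chunk the host hands over.
    void body(const Chunk &c) {
        for (std::size_t i = 0; i < c.size; ++i, ++seen_) {
            if (seen_ >= cap_) continue;  // keep counting, stop storing
            const unsigned char b = static_cast<unsigned char>(c.start[i]);
            if (b == '\n' || (b >= 0x20 && b < 0x7f && b != '\\')) {
                body_ += static_cast<char>(b);
            } else {  // escape binary bytes so the log stays one text stream
                char hex[5];
                std::snprintf(hex, sizeof hex, "\\x%02x", static_cast<unsigned>(b));
                body_ += hex;
            }
        }
    }
    // Call when the host signals the end of the body.
    std::string record() const {
        const std::size_t kept = seen_ < cap_ ? seen_ : cap_;
        return "HEADER\n" + head_ + "BODY " + std::to_string(seen_) +
               " bytes, " + std::to_string(kept) + " logged\n" + body_ + "\n";
    }
private:
    std::size_t cap_, seen_;
    std::string head_, body_;
};

// Constructed sample: one request header and a body split over two chunks.
std::string demo() {
    CaptureLog log(8);
    log.header("POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n");
    const char first[] = {'a', 'b', 'c', '\0'};
    log.body(Chunk{first, sizeof first});
    log.body(Chunk{"defghij", 7});
    return log.record();
}

int main() { std::fputs(demo().c_str(), stdout); return 0; }
```

The cap bounds how much of each decrypted body ends up in the log, while the byte count still records the full size.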
